freeipa.git/install, branch getkeytab FreeIPA patches keytab: Add new extended operation to get a keytab. 2014-06-09T18:49:42+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 aa785cf1ce101382c2adbc4a3c70361d1e7a27e0 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 
This new extended operation allow to create new keys or retrieve
existing ones.
The new set of keys is returned as a ASN.1 structure similar to the one
that is passed in by the 'set keytab' extended operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute
named ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Convert Sudo rule default permissions to managed 2014-06-04T15:34:18+00:00 Petr Viktorin pviktori@redhat.com 2014-05-14T12:57:35+00:00 91a5aecd4892700cf1468a9ac5608227d06d21db Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add read permissions for automember tasks 2014-06-02T11:04:59+00:00 Petr Viktorin pviktori@redhat.com 2014-05-30T12:03:13+00:00 93ad23912e3bb73fc3e54d2b6734748a55fc933a Permission to read all tasks is given to high-level admins. Managed permission for automember tasks is given to automember task admins. "targetattr=*" is used because tasks are extensibleObject with attributes that aren't in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone 2014-05-28T13:58:24+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T17:42:41+00:00 8b7daf675e77d7a5e2de6eadb26ca3b682c0d67f Part of the work for: https://fedorahosted.org/freeipa/ticket/3801 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Martin Kosek <mkosek@redhat.com>
admin tools: Log IPA version 2014-05-27T10:08:55+00:00 Petr Viktorin pviktori@redhat.com 2014-03-19T12:54:20+00:00 d6a4da30de37b2a3f1a3b4b8f8dd6dc0da3e1b50 Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.

https://fedorahosted.org/freeipa/ticket/4219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove the global anonymous read ACI 2014-05-26T10:14:55+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:46:26+00:00 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Replace "replica admins read access" ACI with a permission 2014-05-21T07:57:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-28T12:23:19+00:00 86f943ca180a72c4cfa3a8a03226f2471a97981b Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fixed typo in ipa-replica-manage man page 2014-05-12T16:43:07+00:00 Thorsten Scherf tscherf@redhat.com 2014-05-09T13:21:10+00:00 37c238a6ef8f825f85351a5974b4270998bc0661 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
webui static site delete command fixed 2014-05-07T14:55:01+00:00 Adam Misnyovszki amisnyov@redhat.com 2014-05-05T14:31:55+00:00 23302645aa70613dd1ecc6eb45b6c2ad07588270 When the static test site called batch delete, it always referred to batch.json. This patch fixes it, by referring entityname + '_batch_del.json' Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
When the static test site called batch delete,
it always referred to batch.json. This patch
fixes it, by referring entityname + '_batch_del.json'

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
webui OTP token test data added 2014-05-07T14:55:01+00:00 Adam Misnyovszki amisnyov@redhat.com 2014-05-07T13:10:32+00:00 1ef91701e984c5c9717803a0d3c2e52c81386676 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>