freeipa.git/ipaserver/install/plugins, branch getkeytab FreeIPA patches Add mechanism for updating permissions to managed 2014-06-04T15:34:17+00:00 Petr Viktorin pviktori@redhat.com 2014-05-14T14:08:28+00:00 acb2ca47d68becca8c7385899c9107d5b6a13a1a Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Remove the global anonymous read ACI 2014-05-26T10:14:55+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:46:26+00:00 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:32:29+00:00 63becae88c6c270b98f0432dc474b661b82f3119 When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
update_managed_permissions: Pass around anonymous ACI rather than its blacklist 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:15:05+00:00 993c1c8557aafb890199b1c443ebd2d895ae6ba6 It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Replace "replica admins read access" ACI with a permission 2014-05-21T07:57:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-28T12:23:19+00:00 86f943ca180a72c4cfa3a8a03226f2471a97981b Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add several managed read permissions under cn=etc 2014-04-24T12:36:41+00:00 Petr Viktorin pviktori@redhat.com 2014-03-26T16:11:23+00:00 d893b77fb69ef2e0aedf823e7cd82ca86a2971af This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add support for non-plugin default permissions 2014-04-24T12:36:41+00:00 Petr Viktorin pviktori@redhat.com 2014-03-27T14:36:54+00:00 af3a4adc46368f736151c118ccb1dd0e9bb89144 Add support for managed permissions that are not tied to an object class and thus can't be defined in an Object plugin. A dict is added to hold templates for the non-plugin permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Do not ask for memberindirect when updating managed permissions 2014-04-17T08:04:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-11T10:09:32+00:00 81b0e7466d739a61b16c0e79c660a9f85d073c8c One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role. When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation. Do not ask for memberindirect when retrieving the entry. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fix update_ca_renewal_master plugin on CA-less installs. 2014-04-10T14:40:10+00:00 Jan Cholasta jcholast@redhat.com 2014-04-02T08:28:00+00:00 50c7f3b2366aa48a966a958a7f95941c917ad3fa This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add mechanism for adding default permissions to privileges 2014-04-10T12:49:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-10T10:24:41+00:00 41607774bc6146f83496bd469d59595261e314a7 Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>