freeipa.git/ipaserver/install, branch getkeytab FreeIPA patches Add mechanism for updating permissions to managed 2014-06-04T15:34:17+00:00 Petr Viktorin pviktori@redhat.com 2014-05-14T14:08:28+00:00 acb2ca47d68becca8c7385899c9107d5b6a13a1a Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Modified dns related global functions 2014-06-03T13:55:32+00:00 Martin Basti mbasti@redhat.com 2014-05-16T10:21:04+00:00 b964d2130a15d7b1561c66c721e3257ce0d24305 * Modified functions to use DNSName type * Removed unused functions Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa recursively adds old backups 2014-05-30T06:15:22+00:00 Gabe redhatrises@gmail.com 2014-05-28T23:16:04+00:00 9f2c4705d7e2fa83be95f005a78f83a399acfa72 - Added exclude for the ipa backup folder to the files tar https://fedorahosted.org/freeipa/ticket/4331 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Call generate-rndc-key.sh during ipa-server-install 2014-05-27T11:05:53+00:00 Adam Misnyovszki amisnyov@redhat.com 2014-04-18T13:44:11+00:00 71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa Since systemd has by default a 2 minute timeout to start a service, the end of ipa-server-install might fail because starting named times out. This patch ensures that generate-rndc-key.sh runs before named service restart. Also, warning message is displayed before KDC install and generate-rndc-key.sh, if there is a lack of entropy, to notify the user that the process could take more time than expected. Modifications done by Martin Kosek: - removed whitespace at the end of installutils.py - the warning in krbinstance.py moved right before the step requiring entropy - slightly reworded the warning message https://fedorahosted.org/freeipa/ticket/4210 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Remove the global anonymous read ACI 2014-05-26T10:14:55+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:46:26+00:00 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:32:29+00:00 63becae88c6c270b98f0432dc474b661b82f3119 When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
update_managed_permissions: Pass around anonymous ACI rather than its blacklist 2014-05-26T10:12:35+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:15:05+00:00 993c1c8557aafb890199b1c443ebd2d895ae6ba6 It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Replace "replica admins read access" ACI with a permission 2014-05-21T07:57:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-28T12:23:19+00:00 86f943ca180a72c4cfa3a8a03226f2471a97981b Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fixed typo how to create an example gpg key 2014-05-06T11:20:17+00:00 Thorsten Scherf tscherf@redhat.com 2014-05-02T07:51:55+00:00 3f3c8eee24f98807ff8a95dd0f6a022b2b3a5bf5 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Add several managed read permissions under cn=etc 2014-04-24T12:36:41+00:00 Petr Viktorin pviktori@redhat.com 2014-03-26T16:11:23+00:00 d893b77fb69ef2e0aedf823e7cd82ca86a2971af This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>