summaryrefslogtreecommitdiffstats
path: root/install/share
Commit message (Collapse)AuthorAgeFilesLines
* Add per-service option to store the types of PAC it supportsRob Crittenden2012-08-012-1/+5
| | | | | | Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184
* Use certmonger to renew CA subsystem certificatesRob Crittenden2012-07-302-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
* Enable SOA serial autoincrementMartin Kosek2012-07-131-0/+1
| | | | | | | | | | | | | | | | | | SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is "serial_autoincrement". From now on, idnsSOAserial attribute also has to be put to replication agreement exclude list as serial will be incremented on each DNS server separately and won't be shared. Exclude list has to be updated both for new replication agreements and the current ones. Minimum number of connections for bind-dyndb-ldap has been rised to 4 connections, the setting will be updated during package upgrade. https://fedorahosted.org/freeipa/ticket/2554
* Add automount map/key update permissionsMartin Kosek2012-07-101-2/+20
| | | | | | | | | | | | | Add missing permissions that can be used to delegate write access to existing automount maps or keys. Since automount key RDN has been changed in the past from "automountkey" to "description" and there can be LDAP entries with both RDNs, structure of relevant ACI need to be changed to different scheme. Now, it rather targets a DN of parent automount map object and uses targetfilter to limit the target to automount key objects only. https://fedorahosted.org/freeipa/ticket/2687
* ipasam: improve SASL bind callbackAlexander Bokovoy2012-07-061-1/+0
| | | | | | | | SASL bind callback due to refactoring was referencing local variable which didn't exist all the time. Fix that by including a copy of service principals into ipasam long term private struct. Rework ccache handling to avoid re-initing every time callback is called
* Create default range entry after upgradeMartin Kosek2012-07-021-2/+2
| | | | | | | | | | Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891
* Add objects for initial ID rangeSumit Bose2012-06-291-0/+14
|
* Extend LDAP schemaSumit Bose2012-06-291-0/+8
| | | | | | | | | | | The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are no neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
* Per-domain DNS record permissionsMartin Kosek2012-06-282-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511
* Defer adding ipa-cifs-delegation-targets until the Updates phase.Rob Crittenden2012-06-271-3/+5
| | | | | | | It was likely that this would fail being in an LDIF so let an update file add this potentially conflicting entry instead. https://fedorahosted.org/freeipa/ticket/2837
* Remove ipaNTHash from global allow ACIMartin Kosek2012-06-261-4/+4
| | | | | | | | ipaNTHash contains security sensitive information, it should be hidden just like other password attributes. As a part of preparation for ticket #2511, the ACI allowing global access is also updated to hide DNS zones. https://fedorahosted.org/freeipa/ticket/2856
* Set network.http.sendRefererHeader to 2 on browser configPetr Vobornik2012-06-221-9/+15
| | | | | | | | | | IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it. Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader https://fedorahosted.org/freeipa/ticket/2778
* Add trust-related ACIsAlexander Bokovoy2012-06-071-1/+1
| | | | | | | | | A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-072-0/+4
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add trust management for Active Directory trustsAlexander Bokovoy2012-06-073-1/+4
|
* Use dedicated keytab for SambaAlexander Bokovoy2012-06-071-1/+3
| | | | | | | | Samba just needs the cifs/ key on the ipa server. Configure samba to use a different keytab file so that we do not risk samba commands (net, or similar) to mess up the system keytab. https://fedorahosted.org/freeipa/ticket/2168
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-06-073-1/+19
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* permission-find missed some results with --pkey-only optionMartin Kosek2012-06-011-0/+4
| | | | | | | | | | | | | When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
* - add a pair of ethers maps for computers with hardware addresses on fileNalin Dahyabhai2012-04-261-0/+23
|
* - create a "cn=computers" compat area populated with ieee802Device entries ↵Nalin Dahyabhai2012-04-261-0/+14
| | | | corresponding to computers with fqdn and macAddress attributes
* - index the fqdn and macAddress attributes for the sake of the compat pluginNalin Dahyabhai2012-04-261-0/+19
|
* Use mixed-case for Read DNS Entries permissionRob Crittenden2012-04-231-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/2569
* Fix installation when server hostname is not in a default domainMartin Kosek2012-04-081-1/+1
| | | | | | | | | | | | | | | | | | | When IPA server is configured with DNS and its hostname is not located in a default domain, SRV records are not valid. Additionally, httpd does not serve XMLRPC interface because it IPA server domain-realm mapping is missing in krb5.conf. All CLI commands were then failing. This patch amends this configuration. It fixes SRV records in served domain to include full FQDN instead of relative hostname when the IPA server hostname is not located in served domain. IPA server forward record is also placed to correct zone. When IPA server is not in a served domain a proper domain-realm mapping is configured to krb5.conf. The template was improved in order to be able to hold this information. https://fedorahosted.org/freeipa/ticket/2602
* Return consistent value when hostcat and usercat is all.Rob Crittenden2012-04-081-1/+1
| | | | | | | | | | We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192
* Forbid public access to DNS treeMartin Kosek2012-04-011-0/+12
| | | | | | | | | | | | | | | | | | | With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
* Amend permissions for new DNS attributesMartin Kosek2012-03-251-1/+11
| | | | | | | | | | | | New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
* Add support for sudoOrderRob Crittenden2012-03-012-2/+2
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Fix nested netgroups in NIS.Rob Crittenden2012-02-291-1/+1
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Global DNS optionsMartin Kosek2012-02-241-0/+1
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-241-2/+10
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-1/+1
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-1/+1
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-152-0/+10
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-132-0/+21
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-132-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/754
* Remove delegation from browser configAdam Young2012-02-071-1/+0
|
* Configure s4u2proxy during installation.Rob Crittenden2012-01-101-0/+22
| | | | | | | | | | | | This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
* Add SELinux user mapping framework.Rob Crittenden2011-12-093-1/+20
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* ipa-kdb: Delegation ACL schemaSimo Sorce2011-12-081-0/+5
|
* Remove extraneous trailing single quote in nis.uldifRob Crittenden2011-12-051-1/+1
|
* Add ipasam samba passdb backendSumit Bose2011-12-061-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1874
* Add trust objectclass and attributes to v3 schemaSumit Bose2011-12-061-0/+10
|
* Add NT domain GUID attribute.Simo Sorce2011-11-211-1/+2
| | | | | We need this to be able to re-set it, as ipaUniqueID cannot be arbitraily set to a value. Only needed for the domain object.
* Fix nis netgroup config entry so users appear in netgroup triple.Rob Crittenden2011-10-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2028
* Remove more redundant configuration values from krb5.conf.Jan Cholasta2011-10-111-6/+0
| | | | ticket 1358
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-23/+23
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
generated by cgit (git 2.34.1) at 2024-11-19 09:32:37 +0000