summaryrefslogtreecommitdiffstats
path: root/install/updates
Commit message (Collapse)AuthorAgeFilesLines
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-152-1/+14
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Add memberHost and memberUser to default indexesJr Aquino2011-04-081-0/+16
| | | | https://fedorahosted.org/freeipa/ticket/1138
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-052-0/+23
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Allow a client to enroll using principal when the host has a OTPRob Crittenden2011-03-301-0/+18
| | | | | | | | | If the host has a one-time password but krbPrincipalName wasn't set yet then the enrollment would fail because writing the principal is not allowed. This creates an ACI that only lets it be written if it is not already set. ticket 1075
* Store list of non-master replicas in DIT and provide way to list themSimo Sorce2011-03-022-0/+10
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label.Rob Crittenden2011-03-012-40/+40
| | | | ticket 1005
* Add default roles and permissions for HBAC, SUDO and pw policyRob Crittenden2011-02-223-1/+316
| | | | | | | | | | | Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585
* Add aci to make managed netgroups immutable.Rob Crittenden2011-02-182-1/+6
| | | | ticket 962
* Updated default Kerberos password policyJan Zeleny2011-02-162-0/+5
| | | | https://fedorahosted.org/freeipa/ticket/930
* Add permission/privilege for updating IPA configuration.Rob Crittenden2011-02-142-0/+19
| | | | ticket 950
* Move automount, default HBAC services, netgroup and hostgroup bootstrapping.Rob Crittenden2010-12-175-121/+0
| | | | | There is no need for these to be done as updates, just add these entries to the bootstrapping.
* Re-implement access control using an updated model.Rob Crittenden2010-12-014-746/+0
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Reduce the number of attributes a host is allowed to write.Rob Crittenden2010-11-301-2/+2
| | | | | | | | | | The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
* Add additional default HBAC login servicesRob Crittenden2010-11-081-0/+21
| | | | ticket 307
* Remove hardcoded domain value and replace with $SUFFIXRob Crittenden2010-11-041-3/+3
|
* Use correct attribute name, nshostlocation, not location.Rob Crittenden2010-11-031-1/+1
|
* UUIDs: remove uuid python plugin and let DS always autogenerateSimo Sorce2010-10-281-8/+8
| | | | merge in remove uuid
* Use correct description in hostgroup acis.Rob Crittenden2010-10-061-3/+3
| | | | This also corrects a duplication problem in acis.
* Remove reliance on the name 'admin' as a special user.Rob Crittenden2010-10-011-1/+1
| | | | | | | And move it to the group 'admins' instead. This way the admin user can be removed/renamed. ticket 197
* Enabling SUDO supportDmitri Pal2010-09-161-7/+26
| | | | | | | | | | | * Adding a new SUDO schema file * Adding this new file to the list of targets in make file * Create SUDO container for sudo rules * Add default sudo services to HBAC services * Add default SUDO HBAC service group with two services sudo & sudo-i * Installing schema No SUDO rules are created by default by this patch.
* Allow decoupling of user-private groups.Rob Crittenden2010-08-101-8/+8
| | | | | | | | | | | To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
* Add hbac service for su-l, su with a login shellRob Crittenden2010-08-061-0/+6
|
* Add container and initial ACIs for entitlement supportRob Crittenden2010-07-291-0/+37
| | | | | | | | The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27
* Add separate role group for enrolling hosts, enrollhostRob Crittenden2010-06-221-0/+8
|
* Include missing update file 30-hbacsvc.updateRob Crittenden2010-05-271-0/+35
|
* Add ipaUniqueID to HBAC services and service groupsRob Crittenden2010-05-271-0/+1
| | | | Also fix the memberOf attribute for the HBAC services
* Re-number some attributes to compress our usage to be contiguousRob Crittenden2010-05-272-2/+1
| | | | | | | No longer install the policy or key escrow schemas and remove their OIDs for now. 594149
* Use GSSAPI auth for the ipa-replica-manage list and del commands.Rob Crittenden2010-03-191-0/+37
| | | | | | | | | | | | This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
* Set proper dn in default automount locationNalin Dahyabhai2010-02-231-1/+1
|
* Add default automount location. Auto-create auto.direct in new locations.Pavel Zuna2010-02-121-6/+10
|
* First pass at enforcing certificates be requested from same hostRob Crittenden2009-10-211-5/+37
| | | | | | | | | | | | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
* Fix ACI for host delegationRob Crittenden2009-10-171-2/+2
| | | | | We had changed the DN format, I must have missed these ACIs the first go around.
* Fix an oops where I forgot to replace a string with a templateRob Crittenden2009-10-171-6/+6
|
* Use nestedgroup instead of groupofnames for rolegroups so we have memberofRob Crittenden2009-10-121-50/+50
|
* Enrollment for a host in an IPA domainRob Crittenden2009-09-241-5/+26
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.Rob Crittenden2009-07-101-0/+139
| | | | | | | | | | | | There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
* Basic changes to get a default principal for DNSSimo Sorce2009-07-101-0/+20
| | | | | | | | Also moves delagation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance. Signed-off-by: Martin Nagy <mnagy@redhat.com>
* Fix quoting to work with new csv handler in ldapupdateRob Crittenden2009-05-192-112/+113
|
* Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)Rob Crittenden2009-05-191-0/+15
|
* Fill in the ACIs and taskgroups for most of the plugins.Rob Crittenden2009-04-011-13/+311
| | | | | | | | | | | This adds: group administration host administration host group administration delegation administration service administration automount administration netgroup administration
* Name update files so they can be easily sorted.Rob Crittenden2009-03-2516-24/+162
| | | | | We want to process some updates in a particular order (schema, structural). Using an init-inspired ordering mechanism.
* Modify the taskgroup plugin to use the new group baseclass and add testsRob Crittenden2009-03-201-1/+1
|
* New plugin to handle role groupsRob Crittenden2009-03-201-0/+5
| | | | | | Role groups will be part of the ACI system. It will let one create broad categories of permissions. Things like: helpdesk, user admin, group admin, whatever.
* Fix build breakage and install rolegroup.updateRob Crittenden2009-03-201-1/+2
|
* Add taskgroups pluginRob Crittenden2009-03-172-0/+6
| | | | Taskgroups are what we grant permission to with the new ACI system.
* Install policy schemaJakub Hrozek2009-02-132-0/+45
|
* Remove schema for automount and hosts, this is now added separately Include ↵Rob Crittenden2009-02-123-62/+1
| | | | netgroups
* Incorporate new schema for IPAv2Rob Crittenden2009-02-111-0/+9
| | | | | | | | Loading this via LDIF is a temporary measure until we can load it online. This requires removing the dNSRecord declarations from 05rfc2247.ldif so a replacement copy is included for now. Also add the netgroups container.
* Consolidate all update files into one locationRob Crittenden2009-02-064-4/+91
|
* Mass tree reorganization for IPAv2. To view previous history of files use:Rob Crittenden2009-02-037-0/+300
% git log --follow -- <file> renamed: ipa-server/autogen.sh -> autogen.sh renamed: ipa-server/ipa-kpasswd/Makefile.am -> daemons/ipa-kpasswd/Makefile.am renamed: ipa-server/ipa-kpasswd/README -> daemons/ipa-kpasswd/README renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.c -> daemons/ipa-kpasswd/ipa_kpasswd.c renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.init -> daemons/ipa-kpasswd/ipa_kpasswd.init renamed: ipa-server/ipa-slapi-plugins/Makefile.am -> daemons/ipa-slapi-plugins/Makefile.am renamed: ipa-server/ipa-slapi-plugins/README -> daemons/ipa-slapi-plugins/README renamed: ipa-server/ipa-slapi-plugins/dna/Makefile.am -> daemons/ipa-slapi-plugins/dna/Makefile.am renamed: ipa-server/ipa-slapi-plugins/dna/dna-conf.ldif -> daemons/ipa-slapi-plugins/dna/dna-conf.ldif renamed: ipa-server/ipa-slapi-plugins/dna/dna.c -> daemons/ipa-slapi-plugins/dna/dna.c renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am -> daemons/ipa-slapi-plugins/ipa-memberof/Makefile.am renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif -> daemons/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am -> daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/README -> daemons/ipa-slapi-plugins/ipa-pwd-extop/README renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif -> daemons/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/Makefile.am -> daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/README -> daemons/ipa-slapi-plugins/ipa-winsync/README renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h renamed: ipa-server/xmlrpc-server/ipa-rewrite.conf -> install/conf/ipa-rewrite.conf renamed: ipa-server/xmlrpc-server/ipa.conf -> install/conf/ipa.conf renamed: ipa-server/xmlrpc-server/ssbrowser.html -> install/html/ssbrowser.html renamed: ipa-server/xmlrpc-server/unauthorized.html -> install/html/unauthorized.html renamed: ipa-server/ipa-install/share/60ipaconfig.ldif -> install/share/60ipaconfig.ldif renamed: ipa-server/ipa-install/share/60kerberos.ldif -> install/share/60kerberos.ldif renamed: ipa-server/ipa-install/share/60radius.ldif -> install/share/60radius.ldif renamed: ipa-server/ipa-install/share/60samba.ldif -> install/share/60samba.ldif renamed: ipa-server/ipa-install/share/Makefile.am -> install/share/Makefile.am renamed: ipa-server/ipa-install/share/bind.named.conf.template -> install/share/bind.named.conf.template renamed: ipa-server/ipa-install/share/bind.zone.db.template -> install/share/bind.zone.db.template renamed: ipa-server/ipa-install/share/bootstrap-template.ldif -> install/share/bootstrap-template.ldif renamed: ipa-server/ipa-install/share/certmap.conf.template -> install/share/certmap.conf.template renamed: ipa-server/ipa-install/share/default-aci.ldif -> install/share/default-aci.ldif renamed: ipa-server/ipa-install/share/default-keytypes.ldif -> install/share/default-keytypes.ldif renamed: ipa-server/ipa-install/share/dna-posix.ldif -> install/share/dna-posix.ldif renamed: ipa-server/ipa-install/share/encrypted_attribute.ldif -> install/share/encrypted_attribute.ldif renamed: ipa-server/ipa-install/share/fedora-ds.init.patch -> install/share/fedora-ds.init.patch renamed: ipa-server/ipa-install/share/indices.ldif -> install/share/indices.ldif renamed: ipa-server/ipa-install/share/kdc.conf.template -> install/share/kdc.conf.template renamed: ipa-server/ipa-install/share/kerberos.ldif -> install/share/kerberos.ldif renamed: ipa-server/ipa-install/share/krb.con.template -> install/share/krb.con.template renamed: ipa-server/ipa-install/share/krb5.conf.template -> install/share/krb5.conf.template renamed: ipa-server/ipa-install/share/krb5.ini.template -> install/share/krb5.ini.template renamed: ipa-server/ipa-install/share/krbrealm.con.template -> install/share/krbrealm.con.template renamed: ipa-server/ipa-install/share/master-entry.ldif -> install/share/master-entry.ldif renamed: ipa-server/ipa-install/share/memberof-task.ldif -> install/share/memberof-task.ldif renamed: ipa-server/ipa-install/share/ntp.conf.server.template -> install/share/ntp.conf.server.template renamed: ipa-server/ipa-install/share/ntpd.sysconfig.template -> install/share/ntpd.sysconfig.template renamed: ipa-server/ipa-install/share/preferences.html.template -> install/share/preferences.html.template renamed: ipa-server/ipa-install/share/referint-conf.ldif -> install/share/referint-conf.ldif renamed: ipa-server/ipa-install/share/schema_compat.uldif -> install/share/schema_compat.uldif renamed: ipa-server/ipa-install/share/unique-attributes.ldif -> install/share/unique-attributes.ldif renamed: ipa-server/ipa-install/Makefile.am -> install/tools/Makefile.am renamed: ipa-server/ipa-install/README -> install/tools/README renamed: ipa-server/ipa-compat-manage -> install/tools/ipa-compat-manage renamed: ipa-server/ipa-fix-CVE-2008-3274 -> install/tools/ipa-fix-CVE-2008-3274 renamed: ipa-server/ipa-ldap-updater -> install/tools/ipa-ldap-updater renamed: ipa-server/ipa-install/ipa-replica-install -> install/tools/ipa-replica-install renamed: ipa-server/ipa-install/ipa-replica-manage -> install/tools/ipa-replica-manage renamed: ipa-server/ipa-install/ipa-replica-prepare -> install/tools/ipa-replica-prepare renamed: ipa-server/ipa-install/ipa-server-certinstall -> install/tools/ipa-server-certinstall renamed: ipa-server/ipa-install/ipa-server-install -> install/tools/ipa-server-install renamed: ipa-server/ipa-upgradeconfig -> install/tools/ipa-upgradeconfig renamed: ipa-server/ipa-install/ipactl -> install/tools/ipactl renamed: ipa-server/man/Makefile.am -> install/tools/man/Makefile.am renamed: ipa-server/man/ipa-compat-manage.1 -> install/tools/man/ipa-compat-manage.1 renamed: ipa-server/man/ipa-ldap-updater.1 -> install/tools/man/ipa-ldap-updater.1 renamed: ipa-server/man/ipa-replica-install.1 -> install/tools/man/ipa-replica-install.1 renamed: ipa-server/man/ipa-replica-manage.1 -> install/tools/man/ipa-replica-manage.1 renamed: ipa-server/man/ipa-replica-prepare.1 -> install/tools/man/ipa-replica-prepare.1 renamed: ipa-server/man/ipa-server-certinstall.1 -> install/tools/man/ipa-server-certinstall.1 renamed: ipa-server/man/ipa-server-install.1 -> install/tools/man/ipa-server-install.1 renamed: ipa-server/man/ipa_kpasswd.8 -> install/tools/man/ipa_kpasswd.8 renamed: ipa-server/man/ipa_webgui.8 -> install/tools/man/ipa_webgui.8 renamed: ipa-server/man/ipactl.8 -> install/tools/man/ipactl.8 renamed: ipa-server/ipa-install/updates/Makefile.am -> install/updates/Makefile.am renamed: ipa-server/ipa-install/updates/RFC2307bis.update -> install/updates/RFC2307bis.update renamed: ipa-server/ipa-install/updates/RFC4876.update -> install/updates/RFC4876.update renamed: ipa-server/ipa-install/updates/indices.update -> install/updates/indices.update renamed: ipa-server/ipa-install/updates/nss_ldap.update -> install/updates/nss_ldap.update renamed: ipa-server/ipa-install/updates/replication.update -> install/updates/replication.update renamed: ipa-server/ipa-install/updates/winsync_index.update -> install/updates/winsync_index.update renamed: ipa-server/ipaserver/Makefile.am -> ipaserver/install/Makefile.am renamed: ipa-server/ipaserver/__init__.py -> ipaserver/install/__init__.py renamed: ipa-server/ipaserver/bindinstance.py -> ipaserver/install/bindinstance.py renamed: ipa-server/ipaserver/certs.py -> ipaserver/install/certs.py renamed: ipa-server/ipaserver/dsinstance.py -> ipaserver/install/dsinstance.py renamed: ipa-server/ipaserver/httpinstance.py -> ipaserver/install/httpinstance.py renamed: ipa-server/ipaserver/installutils.py -> ipaserver/install/installutils.py renamed: ipa-server/ipaserver/ipaldap.py -> ipaserver/install/ipaldap.py renamed: ipa-server/ipaserver/krbinstance.py -> ipaserver/install/krbinstance.py renamed: ipa-server/ipaserver/ldapupdate.py -> ipaserver/install/ldapupdate.py renamed: ipa-server/ipaserver/ntpinstance.py -> ipaserver/install/ntpinstance.py renamed: ipa-server/ipaserver/replication.py -> ipaserver/install/replication.py renamed: ipa-server/ipaserver/service.py -> ipaserver/install/service.py renamed: ipa-server/selinux/Makefile -> selinux/Makefile renamed: ipa-server/selinux/ipa-server-selinux.spec.in -> selinux/ipa-server-selinux.spec.in renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc -> selinux/ipa_kpasswd/ipa_kpasswd.fc renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te -> selinux/ipa_kpasswd/ipa_kpasswd.te renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.fc -> selinux/ipa_webgui/ipa_webgui.fc renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.te -> selinux/ipa_webgui/ipa_webgui.te renamed: ipa-server/version.m4.in -> version.m4.in
generated by cgit (git 2.34.1) at 2024-11-13 00:09:52 +0000