summaryrefslogtreecommitdiffstats
path: root/install/updates
Commit message (Collapse)AuthorAgeFilesLines
* Amend permissions for new DNS attributesMartin Kosek2012-03-251-0/+4
| | | | | | | | | | | | New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
* Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.Rob Crittenden2012-03-261-0/+4
| | | | | | | | If minssf is set in configuration and this is not set then clients won't be able to detect the available namingContexts, defaultNamingContext, capabilities, etc. https://fedorahosted.org/freeipa/ticket/2542
* Fix nsslapd-anonlimitsdn dn in cn=configRob Crittenden2012-03-131-1/+1
| | | | | | | | | The dn value needs to be quoted otherwise it is interpreted to be a multi-value. This will replace whatever value is currently set. https://fedorahosted.org/freeipa/ticket/2452
* Add support for sudoOrderRob Crittenden2012-03-011-0/+2
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Fix nested netgroups in NIS.Rob Crittenden2012-02-291-0/+5
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-291-0/+6
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Global DNS optionsMartin Kosek2012-02-241-0/+3
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-242-0/+72
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-0/+4
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-0/+5
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-151-1/+1
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-151-1/+1
|
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-132-0/+31
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-133-0/+23
| | | | https://fedorahosted.org/freeipa/ticket/754
* Use correct template variable for hosts, FQDN.Rob Crittenden2012-01-171-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/2268
* Configure s4u2proxy during installation.Rob Crittenden2012-01-102-0/+19
| | | | | | | | | | | | This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
* Add SELinux user mapping framework.Rob Crittenden2011-12-093-0/+43
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* Reorder privileges so that memberof for permissions are generated properly.Rob Crittenden2011-12-084-21/+34
| | | | | | | | | | | | The privilege was added after the permission causing the memberof to not be generated. Add a new task to regenerate memberof for existing PBAC to fix upgrades. https://fedorahosted.org/freeipa/ticket/2058 https://fedorahosted.org/freeipa/ticket/2059 https://fedorahosted.org/freeipa/ticket/2060 https://fedorahosted.org/freeipa/ticket/2061
* Enable automember for upgraded serversMartin Kosek2011-11-292-0/+23
| | | | | | | | | automember functionality is depends on predefined data is in LDAP. Since we add it for fresh installs only, automember cannot be used for upgraded servers. Make sure that automember LDAP data is added during upgrade too. https://fedorahosted.org/freeipa/ticket/1992
* Add plugin framework to LDAP updates.Rob Crittenden2011-11-221-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032
* Fix nis netgroup config entry so users appear in netgroup triple.Rob Crittenden2011-10-272-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2028
* updates: Change default limits on ldap searchesSimo Sorce2011-10-121-0/+20
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/1867 https://fedorahosted.org/freeipa/ticket/1888
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-093-0/+29
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* The precendence on the modrdn plugin was set in the wrong location.Rob Crittenden2011-09-131-1/+5
| | | | https://fedorahosted.org/freeipa/ticket/1370
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-125-13/+49
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Add additional pam ftp services to HBAC, and a ftp HBAC service groupRob Crittenden2011-08-242-0/+44
| | | | | | This adds proftpd, pure-ftpd, vsftpd and gssftp. https://fedorahosted.org/freeipa/ticket/1703
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-241-0/+4
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Correct sudo runasuser and runasgroup attributes in schemaJr Aquino2011-07-192-0/+41
| | | | https://fedorahosted.org/freeipa/ticket/1309
* Correct behavior for sudorunasgroup vs sudorunasuserJr Aquino2011-07-192-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/1309
* Set the ipa-modrdn plugin precedence to 60 so it runs lastRob Crittenden2011-07-171-0/+5
| | | | | | | | The default precedence for plugins is 50 and the run in more or less alphabetical order (but not guaranteed). This plugin needs to run after the others have already done their work. https://fedorahosted.org/freeipa/ticket/1370
* Disallow direct modifications to enrolledBy.Rob Crittenden2011-07-144-23/+27
| | | | | | | | | | This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis. https://fedorahosted.org/freeipa/ticket/302
* Configure Managed Entries on replicas.Rob Crittenden2011-05-253-0/+28
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* A new flag to disable creation of UPGMartin Kosek2011-05-252-0/+3
| | | | | | | | Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131
* Enable 389-ds SSL host checking by defauiltRob Crittenden2011-05-202-0/+6
| | | | | | | | | | | | | Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-152-1/+14
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Add memberHost and memberUser to default indexesJr Aquino2011-04-081-0/+16
| | | | https://fedorahosted.org/freeipa/ticket/1138
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-052-0/+23
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Allow a client to enroll using principal when the host has a OTPRob Crittenden2011-03-301-0/+18
| | | | | | | | | If the host has a one-time password but krbPrincipalName wasn't set yet then the enrollment would fail because writing the principal is not allowed. This creates an ACI that only lets it be written if it is not already set. ticket 1075
* Store list of non-master replicas in DIT and provide way to list themSimo Sorce2011-03-022-0/+10
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label.Rob Crittenden2011-03-012-40/+40
| | | | ticket 1005
* Add default roles and permissions for HBAC, SUDO and pw policyRob Crittenden2011-02-223-1/+316
| | | | | | | | | | | Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585
* Add aci to make managed netgroups immutable.Rob Crittenden2011-02-182-1/+6
| | | | ticket 962
* Updated default Kerberos password policyJan Zeleny2011-02-162-0/+5
| | | | https://fedorahosted.org/freeipa/ticket/930
* Add permission/privilege for updating IPA configuration.Rob Crittenden2011-02-142-0/+19
| | | | ticket 950
* Move automount, default HBAC services, netgroup and hostgroup bootstrapping.Rob Crittenden2010-12-175-121/+0
| | | | | There is no need for these to be done as updates, just add these entries to the bootstrapping.
* Re-implement access control using an updated model.Rob Crittenden2010-12-014-746/+0
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Reduce the number of attributes a host is allowed to write.Rob Crittenden2010-11-301-2/+2
| | | | | | | | | | The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
generated by cgit (git 2.34.1) at 2024-11-13 00:28:54 +0000