summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.xPetr Viktorin2014-05-261-0/+14
| | | | | | | | | | | | | | | When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* update_managed_permissions: Pass around anonymous ACI rather than its blacklistPetr Viktorin2014-05-261-17/+18
| | | | | | | | It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Replace "replica admins read access" ACI with a permissionPetr Viktorin2014-05-211-0/+61
| | | | | | | | | Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Trust add datetime fixAdam Misnyovszki2014-05-061-1/+1
| | | | | | | Fixes trust add, since now datetime object is returned for 'modifytimestamp', which cannot be split like a string. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fixed typo how to create an example gpg keyThorsten Scherf2014-05-061-1/+1
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Add several managed read permissions under cn=etcPetr Viktorin2014-04-241-2/+77
| | | | | | | | | | | | | | This adds permissions to: - cn=masters,cn=ipa (with new privilege) - cn=dna,cn=ipa (authenticated users) - cn=ca_renewal,cn=ipa (authenticated users) - cn=CAcert,cn=ipa (anonymous) - cn=replication (authenticated users) - cn=ad (authenticated users) Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support for non-plugin default permissionsPetr Viktorin2014-04-241-2/+12
| | | | | | | | | Add support for managed permissions that are not tied to an object class and thus can't be defined in an Object plugin. A dict is added to hold templates for the non-plugin permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support API version-specific RPC marshalling.Jan Cholasta2014-04-181-8/+13
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Do not ask for memberindirect when updating managed permissionsPetr Viktorin2014-04-171-1/+2
| | | | | | | | | | | | | One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role. When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation. Do not ask for memberindirect when retrieving the entry. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix update_ca_renewal_master plugin on CA-less installs.Jan Cholasta2014-04-101-26/+53
| | | | | | | | | This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add mechanism for adding default permissions to privilegesPetr Viktorin2014-04-101-0/+11
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow overriding all attributes of default permissionsPetr Viktorin2014-04-091-12/+40
| | | | | | | | | | | | Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation, objectclass of default managed permissions. This allows defining permissions that are not tied to an object type. Default values are same as before. Also, do not reset ipapermbindruletype when updating an existing managed permission. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Document the managed permission updater operationPetr Viktorin2014-04-091-0/+34
| | | | | | | | | The method was explained on the [Design] page, but as the updater is extended the design page would become obsolete. Document the operation in the docstring of the plugin itself. Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix upload of CA certificate to LDAP in CA-less install.Jan Cholasta2014-04-081-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4300 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove unused method is_master of CAInstance.Jan Cholasta2014-03-251-15/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.Jan Cholasta2014-03-251-92/+44
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_httpd functionality to renew_ra_cert.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.Jan Cholasta2014-03-251-4/+2
| | | | | | | On CA masters, a certificate is requested and stored to LDAP. On CA clones, the certificate is retrieved from LDAP. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store information about which CA server is master for renewals in LDAP.Jan Cholasta2014-03-254-2/+97
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.Jan Cholasta2014-03-251-14/+23
| | | | | | | | | Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.Jan Cholasta2014-03-251-10/+24
| | | | | | Before, this was done by dogtag-ipa-retrieve-agent-submit. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API to configure certmonger in CA install.Jan Cholasta2014-03-251-14/+24
| | | | | | Before, certmonger was configured by modifying its internal database directly. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.Jan Cholasta2014-03-251-3/+12
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove unused method export_ca_cert of dsinstance.Jan Cholasta2014-03-251-5/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.Jan Cholasta2014-03-251-9/+4
| | | | | | | | | | Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use LDAP API to upload CA certificate instead of ldapmodify command.Jan Cholasta2014-03-251-5/+18
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-259-11/+13
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix certificate renewal scripts to work with separate CA DS instance.Jan Cholasta2014-03-251-18/+42
| | | | | | https://fedorahosted.org/freeipa/ticket/3805 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add Object metadata and update plugin for managed permissionsPetr Viktorin2014-03-251-0/+160
| | | | | | | | The default read permission is added for Netgroup as an example. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver.install.service: Fix estimated time displayPetr Viktorin2014-03-131-13/+17
| | | | | | | | | | Use basic math rather than timezone conversion to get minutes and seconds. Break out the message generation into a small tested function. https://fedorahosted.org/freeipa/ticket/4242 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaserver/dcerpc: make sure to always return unicode SID of the trust domainAlexander Bokovoy2014-03-121-1/+1
| | | | | | | | | | Trusted domain SID could be obtained through different means. When it is fetched from the AD DC via LDAP, it needs to be extracted from a default context and explicitly converted to unicode. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support OTP in form based authPetr Vobornik2014-03-121-6/+32
| | | | | | | | OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor. https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-112-7/+21
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* adtrustinstance: make sure to stop and disable winbind in uninstall()Alexander Bokovoy2014-02-281-2/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver/dcerpc: catch the case of insuffient permissions when establishing ↵Alexander Bokovoy2014-02-271-2/+5
| | | | | | | | | | | | | | trust We attempt to delete the trust that might exist already. If there are not enough privileges to do so, we wouldn't be able to create trust at the next step and it will fail. However, failure to create trust will be due to the name collision as we already had the trust with the same name before. Thus, raise access denied exception here to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. https://fedorahosted.org/freeipa/ticket/4202 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Remove usage of deprecated LDAP APITomas Babej2014-02-271-2/+2
| | | | | | | | | Remove a reference to the old deprecated LDAP API invoked by the usage of trust_add method. https://fedorahosted.org/freeipa/ticket/4204 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* bindinstance: make sure zone manager is initialized in add_master_dns_recordsAlexander Bokovoy2014-02-261-0/+1
| | | | | | | | | Bind instance is configured using a short-circuited way when replica is set up. Make sure required properties are in place for that. https://fedorahosted.org/freeipa/ticket/4186 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Always use real entry DNs for memberOf in ldap2.Jan Cholasta2014-02-241-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.Petr Spacek2014-02-211-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4188 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-211-0/+4
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-1/+1
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa tool: Print the name of the server we are connecting to with -vPetr Viktorin2014-02-051-0/+5
| | | | | | | | | | | | | The logging level for these messages was decreaed so that they do not show up in ipa-advise output. Reset the log level to INFO and configure ipa-advise to not display INFO messages from xmlclient by default. Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be https://fedorahosted.org/freeipa/ticket/4135 Reviewed-By: Tomáš Babej <tbabej@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-271-13/+0
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-9/+9
|
* Convert remaining update code to LDAPEntry API.Jan Cholasta2014-01-248-28/+25
|
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-243-21/+22
|
* Implement XML introspectionPetr Viktorin2014-01-141-6/+51
| | | | https://fedorahosted.org/freeipa/ticket/2937
* rpcserver: Consolidate __call__ in xmlclient and jsonclient_kerbPetr Viktorin2013-12-101-54/+34
| | | | | | | | | The two classes had very similar __call__ methods, but the JSON server lacked error handling. Create a common class for the __call__ method. https://fedorahosted.org/freeipa/ticket/4069
* httpd should destroy all CCACHEsMartin Kosek2014-01-221-1/+1
| | | | | | | | Use "kdestroy -A" command to destroy all CCACHEs, both the primary and the non-primary ones to make sure that the non-primary ones are not used later. https://fedorahosted.org/freeipa/ticket/4084
generated by cgit (git 2.34.1) at 2024-09-28 02:46:14 +0000