This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For changes in cn=changelog or o=ipaca the scheam comapat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backens in DS.
https://fedorahosted.org/freeipa/ticket/4586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We need the referential plugin config to watch for changes in the ID view
objects, since hosts refer to them in ipaAssignedIDView attribute.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr
attribute to enumerate the list of attributes that should be returned
even if not specified explicitly. Use the behaviour to get the same attributes
returned from searches on rootDSE as in 1.3.1.
https://fedorahosted.org/freeipa/ticket/4288
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:
nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso
In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.
The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.
Convert IPA defaults to use referint-membership-attr.
https://fedorahosted.org/freeipa/ticket/4537
Reviewed-By: Martin Kosek <mkosek@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX'
This part of the fix was invalid as trust domain object (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.
https://fedorahosted.org/freeipa/ticket/4450
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.
https://fedorahosted.org/freeipa/ticket/4433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These entries are the same in all IPA installations, so there's
no need to hide them.
Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
