Martin Basti
70224597a8
Add DNSSEC experimental support warning message
Ticket: https://fedorahosted.org/freeipa/ticket/4408
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-03 10:32:09 +02:00
Martin Basti
33cf958b98
Add warning about semantic change for zones
--forwarder has a different semantic since
forward zones support.
Add warning if zone contains forwarders.
Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-03 10:32:08 +02:00
Martin Basti
30551a8aa3
Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0
Remove NSEC3PARAM record
Revert 5b95be802c
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
c655aa2832
Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Martin Basti
12cb31575c
DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Petr Viktorin
fdef2e1bd8
permission plugin: Ignore unparseable ACIs
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.
Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.
Workaround for: https://fedorahosted.org/freeipa/ticket/4376
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-01 09:35:38 +02:00
Martin Kosek
50c30c8401
Let Host Administrators use host-disable command
Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.
https://fedorahosted.org/freeipa/ticket/4284
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-30 14:59:27 +02:00
Petr Vobornik
35d3f03843
webui: support unlock user command
Call user-unlock command from Web UI.
It will unlock the displayed user on the current master.
https://fedorahosted.org/freeipa/ticket/4407
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-30 13:11:53 +02:00
Petr Vobornik
72a107c9d7
webui: add link pointing to OTP sync page to login
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-30 12:27:04 +02:00
Petr Vobornik
30b1256b62
webui: add OTP token synchronization
New SyncOTPScreen widget and related facet.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-30 12:27:03 +02:00
Petr Vobornik
8ca5793160
webui: add confirmation for dns zone permission actions
All header actions should require confirmation.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-27 14:18:33 +02:00
Nathaniel McCallum
0d21937995
Add otptoken-sync command
This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.
https://fedorahosted.org/freeipa/ticket/4260
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:15:18 +02:00
Nathaniel McCallum
2767fb584a
Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:10:16 +02:00
Petr Vobornik
e3de467676
webui: add placeholders to login screen
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:39 +02:00
Petr Vobornik
2df6542232
ipa-passwd: add OTP support
https://fedorahosted.org/freeipa/ticket/4262
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Tomas Babej
af4518b728
sudorule: Refactor add and remove external_post_callback
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:53 +02:00
Tomas Babej
a1d6c9ab6b
sudorule: Fix the order of the parameters to have less chaotic output
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
9bb88a15e0
sudorule: Make sure all the relevant attributes are checked when setting category to ALL
https://fedorahosted.org/freeipa/ticket/4341
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
af2eb4d695
sudorule: Allow adding deny commands when command category set to ALL
https://fedorahosted.org/freeipa/ticket/4340
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
c7da22c1e6
sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
The following attributes were missing from the list of default attributes:
* externalhost
* ipasudorunasextuser
* ipasudorunasextgroup
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
9304b649a3
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
in the sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
a228d7a3cb
sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
5a1207cb6e
sudorule: PEP8 fixes in sudorule.py
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Martin Basti
816007bdd9
Fix incompatible DNS permission
dns(forward)zone-add/remove-permission can work with permissions with
relative zone name
Ticket: https://fedorahosted.org/freeipa/ticket/4383
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 18:31:27 +02:00
Tomas Babej
c2e6b74029
trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Tomas Babej
8f9838c7ef
trusts: Add more read attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
175b19bbf8
Add several CRUD default permissions
Add missing Add, Modify, Remove default permissions to:
- automountlocation (Add/Remove only; locations have
no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
52003a9ffb
Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc
Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
439dd7fa74
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c
Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d
Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364
Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136
Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5
Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8e8e6b1ae7
Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead
Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5
Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8
Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3
Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Jan Cholasta
d6fb110b77
Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
61eeea9e69
netgroup: Add objectclass attribute to read permissions
The entries were unreadable without this.
Additional fix for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 17:41:49 +02:00
Tomas Babej
ef5309d376
trusts: Allow reading ipaNTSecurityIdentifier in user and group objects
https://fedorahosted.org/freeipa/ticket/4385
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-23 15:27:33 +02:00
Petr Viktorin
14e2eb9171
host permissions: Allow writing attributes needed for automatic enrollment
- userclass
added to existing Modify hosts permission
- usercertificate, userpassword
added to new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:33 +02:00
Petr Viktorin
8a5110305f
Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
ac8539bd34
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
02b5074d84
permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Nathaniel McCallum
cf8f143e98
Make otptoken use os.urandom() for random data
This also fixes an error where the default value was not respecting
the KEY_LENGTH variable.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2014-06-20 21:27:50 +02:00
Martin Basti
2229e89bbb
Digest part in DLV/DS records allows only hexadecimal characters
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00