Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.
https://fedorahosted.org/freeipa/ticket/4433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes are removed from the blacklist, which means
high-level admins can now modify them:
- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName
The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.
Also, move the admin ACIs from ldif and trusts.update to aci.update.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.
Part of: https://fedorahosted.org/freeipa/ticket/3306
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.
https://fedorahosted.org/freeipa/ticket/3555
Since the hardcoded default fpr the NFS service was removed the default
authorization data type is now set in the global server configuration.
https://fedorahosted.org/freeipa/ticket/2960
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.
This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.
https://fedorahosted.org/freeipa/ticket/3041
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.
https://fedorahosted.org/freeipa/ticket/2856
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
