Commit Graph

37 Commits

Author SHA1 Message Date
Christian Heimes
f0a1f084b6 Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Alexander Bokovoy
5a83eea20b Add altSecurityIdentities attribute from MS-WSPP schema definition
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:50:07 +03:00
François Cami
dd0490e1d8 Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
Alexander Bokovoy
2de1aa27f9 ACL: Allow hosts to remove services they manage
Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-19 08:59:45 -04:00
Alexander Bokovoy
34d06b2be7 Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but FreeIPA DS instance does not allow it.

As result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 15:29:00 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Babinsky
7e803aa462 replace an ACI relying on presence of deprecated objectclass
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
d1517482b5 Add ACI for admins to modify principal attributes
This is required for admins to utilize the APIs that enable them to add/remove
principal aliases to entities.

https://fedorahosted.org/freeipa/ticket/3864
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Fraser Tweedale
b584ffa4ac Add ACIs for Dogtag custodia client
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys.  Add an ACI to permit this.

Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Martin Basti
bba2355631 fix permission: Read Replication Agreements
This permission cannot be MANAGED permission because it is located in
nonreplicating part of the LDAP tree.

As side effect, the particular ACI has not been created on all replicas.

This commit makes Read Replication Agreements non managed permission and
also fix missing ACI on replicas.

https://fedorahosted.org/freeipa/ticket/5631

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-25 14:30:01 +01:00
Martin Babinsky
e7a4faab81 IPA upgrade: move replication ACIs to the mapping tree entry
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.

This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.

https://fedorahosted.org/freeipa/ticket/5575

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-01-18 14:10:08 +01:00
Jan Cholasta
6ea868e172 aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.

https://fedorahosted.org/freeipa/ticket/5399

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-14 14:40:17 +01:00
Martin Babinsky
e130d35687 add ACIs for custodia container to its parent during IPA upgrade
This fixes the situation when LDAPUpdater tries to add ACIs for storing
secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually
created leading to creation of container without any ACI and subsequent
erroneous behavior.

https://fedorahosted.org/freeipa/ticket/5524

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-12-11 12:25:26 +01:00
Jan Cholasta
e137f305ed aci: allow members of ipaservers to set up replication
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.

A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:14:13 +01:00
Alexander Bokovoy
3692a1c57f trusts: harden trust-fetch-domains oddjobd-based script
When ipa-getkeytab is used to fetch trusted domain object credentials,
the fetched entry has always kvno 1. ipa-getkeytab always adds a key to
keytab which means older key versions will be in the SSSD keytab and
will confuse libkrb5 ccache initialization code as all kvno values are
equal to 1. Wrong key is picked up then and kinit fails.

To solve this problem, always remove existing
/var/lib/sss/keytabs/forest.keytab before retrieving a new one.

To make sure script's input cannot be used to define what should be
removed (by passing a relative path), make sure we retrieve trusted
forest name from LDAP. If it is not possible to retrieve, the script
will issue an exception and quit. If abrtd is running, this will be
recorded as a 'crash' and an attempt to use script by malicious user
would be recorded as well in the abrtd journal.

Additionally, as com.redhat.idm.trust-fetch-domains will create
ID ranges for the domains of the trusted forest if they don't exist,
it needs permissions to do so. The permission should be granted only
to cifs/ipa.master@IPA.REALM services which means they must have
krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of
cn=adtrust agents,cn=sysaccounts,... group.

Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190

Ticket https://fedorahosted.org/freeipa/ticket/5182

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-18 18:48:12 +02:00
Rob Crittenden
ce50630d5e Add ACI to allow hosts to add their own services
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.

Set required version of 389-ds-base to 1.3.4.0 GA.

https://fedorahosted.org/freeipa/ticket/4567

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:41:52 +02:00
Fraser Tweedale
979947f7f2 Add usercertificate attribute to user plugin
Part of: https://fedorahosted.org/freeipa/tickets/4938

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Martin Kosek
1537ac8138 Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.

To allow reading winsync replicas, the original deny ACI cn=replica
had to be removed as it prevented admins from reading the entries,
but just anonymous/authenticated users.

https://fedorahosted.org/freeipa/ticket/4836

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:52:55 +01:00
Petr Viktorin
23feb4e027 Allow read access to services in cn=masters to auth'd users
https://fedorahosted.org/freeipa/ticket/4425

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-04 15:58:14 +02:00
Petr Viktorin
d1ede20680 Allow admins to write krbLoginFailedCount
Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-01 10:02:02 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Petr Viktorin
f486d23ad6 Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Petr Viktorin
18744d1833 Fix: Allow read access to masters, but not their services, to auth'd users
Fixes commit b243da415e

A bad version of the patch was sent and pushed.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 17:13:03 +02:00
Petr Viktorin
b243da415e Allow read access to masters, but not their services, to auth'd users
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 16:46:29 +02:00
Petr Viktorin
93ad23912e Add read permissions for automember tasks
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-02 13:04:59 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Petr Viktorin
99691d1171 aci-update: Add ACI for read-only admin attributes
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.

https://fedorahosted.org/freeipa/ticket/4319

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
223e6dc3f7 aci-update: Trim the admin write blacklist
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
1389567ec5 Extend anonymous read ACI for containers
- Allow cn=etc,$SUFFIX with these exceptions:
  - cn=masters,cn=ipa,cn=etc,$SUFFIX
  - virtual operations
  - cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Petr Viktorin
5c8548a4ad Allow anonymous read access to Kerberos containers
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-16 16:10:43 +02:00
Petr Viktorin
0e659983a6 Allow anonymous read access to containers
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.

Also, $SUFFIX itself can now be read anonymously.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-08 10:34:16 +02:00
Jan Cholasta
9b6baf9bee Add LDAP ACIs for SSH public key schema.
https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:20:23 -05:00
Rob Crittenden
109b79a7ac Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-24 14:12:01 +02:00
Rob Crittenden
496ab3f738 Add aci to make managed netgroups immutable.
ticket 962
2011-02-18 15:29:51 -05:00