Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.
https://fedorahosted.org/freeipa/ticket/4433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These entries are the same in all IPA installations, so there's
no need to hide them.
Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.
https://fedorahosted.org/freeipa/ticket/4319
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes are removed from the blacklist, which means
high-level admins can now modify them:
- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName
The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.
Also, move the admin ACIs from ldif and trusts.update to aci.update.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Allow cn=etc,$SUFFIX with these exceptions:
- cn=masters,cn=ipa,cn=etc,$SUFFIX
- virtual operations
- cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.
Also, $SUFFIX itself can now be read anonymously.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.
Note that this will only work if ticket 47699 is fixed in 389-ds.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and miss several ACLs
which prevent some of the PKI functions, e.g. an ability to create
other clones.
Add an update file to do the database update. Content is based on
recommendation from PKI team:
* https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9
This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
* https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
* https://fedorahosted.org/pki/ticket/906 (checking database version)
Also make sure that PKI service is restarted in the end of the installation
as the other services to make sure it picks changes done during LDAP
updates.
https://fedorahosted.org/freeipa/ticket/4243
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
