This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
In preparation of adding another function to avoid code duplication.
Related:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
The newly created ipaplatform subdirectories base and fedora were
mentioned multiple times in the specfile, which produced build
warnings.
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
As authconfig is a distro-specific tool there is no incentive for
implying that other platforms should implement any authconfig
implementation of their own.
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Makes sure sudorules behave correctly both when adding new entries
with corresponding category set to ALL, and when setting the
category to all when corresponding entries exist.
The only exception of deny commands with cmdcategory ALL is
covered as well.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Covers functionality of external entries for:
* users
* runAsUsers
* groups of RunAsUsers
* runAsGroups
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The following attributes were missing from the list of default attributes:
* externalhost
* ipasudorunasextuser
* ipasudorunasextgroup
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
dns(forward)zone-add/remove-permission can work with permissions with
relative zone name
Ticket:https://fedorahosted.org/freeipa/ticket/4383
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Search for privileges was limited to bindruletype==permission. There
was no reason to do that.
This patch removes the restriction.
Related to:
https://fedorahosted.org/freeipa/ticket/4079
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fields with default value, such as DNS Zone's idnsforwardpolicy, were
marked as dirty when no value was loaded and when default value of
input control was other than empty.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This change has two motivations:
1. Clients don't have to parse the string.
2. Future token types may have new formats.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add missing Add, Modify, Removedefault permissions to:
- automountlocation (Add/Remove only; locations have
no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
