Commit Graph

73 Commits

Author SHA1 Message Date
Mark Reynolds
b9ae7c45b8 Issue 8456 - Add new aci's for the new replication changelog entries
Description:  We need a read and a write aci for the new changelog location,
              which was moved from cn=changelog5,cn=config to
              cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config

              The read aci allows the replica hostgroup entry to find and
              read the changelog confguration, and the write allows the replica
              to update the changelog with a proper trimming settings.

Fixes: https://pagure.io/freeipa/issue/8456

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:44:03 +02:00
Viktor Ashirov
273ed1535d Update ACIs with the correct syntax
The value of the first character in target* keywords
is expected to be a double quote.

Fixes: https://pagure.io/freeipa/issue/8301

Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-04 20:49:23 +02:00
Fraser Tweedale
bdbb1c34a2 Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-21 17:04:18 +01:00
Martin Basti
29a8615cf3 DNS Locations: Always create DNS related privileges
DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Jan Cholasta
7b9a97383c aci: replace per-server ACIs with ipaserver-based ACIs
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Jan Cholasta
0dfcf1d9db vault: add permissions and administrator privilege
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Fraser Tweedale
6fa14fd21e Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.

Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.

Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-14 14:02:05 +02:00
Fraser Tweedale
300b74fc7f Add certprofile plugin
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.

Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Martin Kosek
1537ac8138 Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.

To allow reading winsync replicas, the original deny ACI cn=replica
had to be removed as it prevented admins from reading the entries,
but just anonymous/authenticated users.

https://fedorahosted.org/freeipa/ticket/4836

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:52:55 +01:00
Martin Kosek
6652c4eb2e Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Jan Cholasta
586373cf07 Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9 Allow IPA master hosts to read and update IPA master information.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
73d8db6d92 Allow IPA master hosts to update CA certificate in LDAP.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Petr Viktorin
52003a9ffb Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
8e8e6b1ae7 Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5 Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8 Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3 Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Jan Cholasta
d6fb110b77 Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.

https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
8a5110305f Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
f486d23ad6 Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Petr Viktorin
49e83256b4 Convert Password Policy default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7 Convert COSTemplate default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
853b6ef4ce Convert DNS default permissions to managed
Convert the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Petr Viktorin
53a63ae346 Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
91a5aecd48 Convert Sudo rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:18 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
baa72b68b1 Add a new ipaVirtualOperation objectClass to virtual operations
The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Petr Viktorin
1e46c0a361 Add managed read permissions to automember
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 12:38:50 +02:00
Petr Viktorin
b53f2d28fd Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.

Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-04-16 16:10:43 +02:00
Petr Viktorin
f10ec17c03 Add managed read permissions to pwpolicy and cosentry
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-14 12:05:40 +02:00
Petr Viktorin
a185d45d87 Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-04-11 10:17:41 +02:00
Ana Krivokapic
dfea5989f7 Add a privilege and a permission needed for automember rebuild command
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Ana Krivokapic
4cff518517 Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.

https://fedorahosted.org/freeipa/ticket/3585
2013-04-24 14:35:22 -04:00
Petr Viktorin
981c9f10ee Update sudocmd ACIs to use targetfilter
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
2013-02-20 17:35:20 +01:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Martin Kosek
4760c15cb2 Add automount map/key update permissions
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.

Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.

https://fedorahosted.org/freeipa/ticket/2687
2012-07-10 20:41:14 -04:00
Rob Crittenden
960baaebf4 Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.

https://fedorahosted.org/freeipa/ticket/2416
2012-02-23 11:05:52 +01:00
Rob Crittenden
ffd39503c1 Limit the change password permission so it can't change admin passwords
We don't want those in the helpdesk role to be able to reset
administrators passwords.

https://fedorahosted.org/freeipa/ticket/2271
2012-02-20 19:38:49 +01:00
Jan Cholasta
9b6baf9bee Add LDAP ACIs for SSH public key schema.
https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:20:23 -05:00
Rob Crittenden
55512dc938 Add SELinux user mapping framework.
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.

https://fedorahosted.org/freeipa/ticket/755
2011-12-09 16:46:25 +02:00
Rob Crittenden
373e9d1cf8 Reorder privileges so that memberof for permissions are generated properly.
The privilege was added after the permission causing the memberof to not
be generated.

Add a new task to regenerate memberof for existing PBAC to fix upgrades.

https://fedorahosted.org/freeipa/ticket/2058
https://fedorahosted.org/freeipa/ticket/2059
https://fedorahosted.org/freeipa/ticket/2060
https://fedorahosted.org/freeipa/ticket/2061
2011-12-08 10:08:10 +01:00
Rob Crittenden
7bd3b3e121 Fix DNS permissions and membership in privileges
This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof via
a DS task.

https://fedorahosted.org/freeipa/ticket/1898
2011-10-09 23:44:22 -04:00
Rob Crittenden
37e3bf2a60 Disallow direct modifications to enrolledBy.
This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
2011-07-14 19:11:49 -04:00
Rob Crittenden
8719336652 Allow a client to enroll using principal when the host has a OTP
If the host has a one-time password but krbPrincipalName wasn't set yet
then the enrollment would fail because writing the principal is not
allowed. This creates an ACI that only lets it be written if it is not
already set.

ticket 1075
2011-03-30 10:03:44 -04:00
Rob Crittenden
07ba40f33e Use Sudo rather than SUDO as a label.
ticket 1005
2011-03-01 16:48:35 -05:00