Alexander Bokovoy
03c2d76186
ipa-adtrust-install: add IPA master host principal to adtrust agents
Fixes https://fedorahosted.org/freeipa/ticket/4951
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
root
ffd6b039a7
User life cycle: permission to delete a preserved user
Add permission to delete an entry from Delete container
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:50:04 +02:00
Martin Basti
3ababb763b
DNS: add UnknownRecord to schema
definition of UnknownRecord attributetype
https://fedorahosted.org/freeipa/ticket/4939
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-18 14:37:28 +02:00
Petr Vobornik
4137f2a8ed
regenerate ACI.txt after stage user permission rename
./makeaci was not run
2015-06-15 10:23:45 +02:00
Thierry Bordaz
44cced658b
Stage User: Fix permissions naming and split them where appropriate.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-06-15 09:52:42 +02:00
Fraser Tweedale
bc0c606885
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 10:50:31 +00:00
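The commit above describes CA ACLs as rules saying which principals may be issued certificates from which CA using which profiles, plus a default rule for all hosts and services with profile 'caIPAserviceCert' on the top-level CA ".". The following is an added example, not FreeIPA's caacl plugin: a simplified model of that rule evaluation. The rule names, the "members or category" layout, the principal classification and the extra 'userCert' rule are assumptions of this model, not the plugin's schema or commands.

```python
# Added example, not FreeIPA's caacl plugin. It is a simplified model of
# the rule the commit above describes: a CA ACL names which principals
# (users, hosts, services, or a whole category) may be issued certificates
# from which CA using which profiles, and issuance is denied unless some
# enabled rule matches. The top-level CA is spelled "." as in the commit.
# The rule names, the 'members vs. category' layout and the principal
# classification are assumptions of this model, not the plugin's schema.
from dataclasses import dataclass

TOP_LEVEL_CA = "."
DEFAULT_PROFILE = "caIPAserviceCert"


@dataclass(frozen=True)
class CAACL:
    name: str
    profiles: frozenset
    ca: str = TOP_LEVEL_CA
    enabled: bool = True
    usercategory: str = None      # "all" or None
    hostcategory: str = None
    servicecategory: str = None
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()


def classify_principal(principal):
    """(kind, name) for a Kerberos principal: host/fqdn@REALM -> ('host', fqdn),
    svc/fqdn@REALM -> ('service', 'svc/fqdn'), otherwise ('user', uid).
    Assumed convention for this model."""
    name = principal.split("@", 1)[0]
    if "/" in name:
        service, host = name.split("/", 1)
        return ("host", host) if service == "host" else ("service", name)
    return ("user", name)


def rule_matches(rule, principal, profile, ca=TOP_LEVEL_CA):
    """A rule covers a request only if it is enabled, names the same CA and
    profile, and either uses category 'all' for the principal's kind or
    lists the principal explicitly."""
    if not rule.enabled or rule.ca != ca or profile not in rule.profiles:
        return False
    kind, name = classify_principal(principal)
    category = getattr(rule, kind + "category")
    members = getattr(rule, kind + "s")
    return category == "all" or name in members


def issuance_permitted(rules, principal, profile, ca=TOP_LEVEL_CA):
    """Deny by default: at least one enabled rule must cover the request."""
    return any(rule_matches(r, principal, profile, ca) for r in rules)


def matching_rules(rules, principal, profile, ca=TOP_LEVEL_CA):
    return [r.name for r in rules if rule_matches(r, principal, profile, ca)]


# The default rule the commit adds at install/upgrade: all hosts and
# services, profile caIPAserviceCert, top-level CA. The name is assumed.
DEFAULT_CAACL = CAACL(
    name="hosts_services_caIPAserviceCert",
    profiles=frozenset({DEFAULT_PROFILE}),
    hostcategory="all",
    servicecategory="all",
)

# Constructed extra rule: one named user, one constructed profile name.
ALICE_USERCERT = CAACL(
    name="alice_userCert",
    profiles=frozenset({"userCert"}),
    users=frozenset({"alice"}),
)

RULES = [DEFAULT_CAACL, ALICE_USERCERT]

if __name__ == "__main__":
    for principal, profile in [("host/web.example.test@EXAMPLE.TEST", DEFAULT_PROFILE),
                               ("alice@EXAMPLE.TEST", DEFAULT_PROFILE),
                               ("alice@EXAMPLE.TEST", "userCert")]:
        print(principal, profile, matching_rules(RULES, principal, profile))
```

The point to take from the model is the deny-by-default shape: with only the default rule installed, a user principal gets nothing, and a host gets 'caIPAserviceCert' on the top-level CA and no other profile.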
Fraser Tweedale
979947f7f2
Add usercertificate attribute to user plugin
Part of: https://fedorahosted.org/freeipa/tickets/4938
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
300b74fc7f
Add certprofile plugin
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Rob Crittenden
a92328452d
Add plugin to manage service constraint delegations
Service Constraints are the delegation model used by
ipa-kdb to grant service A to obtain a TGT for a user
against service B.
https://fedorahosted.org/freeipa/ticket/3644
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-03 09:47:40 +00:00
Tomas Babej
f3010498af
Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 11:59:47 +00:00
Thierry Bordaz
273fd057a3
User life cycle: Add 'Stage User Provisioning' permission/privilege
Add the ability for 'Stage user provisioning' privilege to add
stage users.
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Thierry Bordaz
51937cc571
User life cycle: Stage user Administrators permission/privilege
Creation of stage user administrator
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Tomas Babej
72af5fd975
ipalib: Make sure correct attribute name is referenced for fax
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.
https://fedorahosted.org/freeipa/ticket/4883
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-19 18:36:16 +01:00
Martin Kosek
0a7a8d6604
Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-21 07:47:22 +00:00
Martin Kosek
6652c4eb2e
Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that has sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.
New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.
https://fedorahosted.org/freeipa/ticket/4837
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Nathaniel McCallum
9baa93da1c
Make token auth and sync windows configurable
This introduces two new CLI commands:
* otpconfig-show
* otpconfig-mod
https://fedorahosted.org/freeipa/ticket/4511
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Alexander Bokovoy
d6b28f29ec
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Martin Basti
5556b7f50e
DNSSEC: ACI
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
59ee6314af
keytab manipulation permission management
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will also be used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
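The commit above says the allow/disallow commands store user and group DNs in the `ipaallowedtoperform` attribute under the `read_keys` and `write_keys` subtypes. The following is an added example, not FreeIPA's host/service plugin code: it models what those commands write and how a "may this user retrieve or create the keytab" decision follows from it, including membership through a listed group and the deny-by-default case when nothing is listed. The suffix, the host entry, the user names and the group memberships are constructed sample data; in the real deployment the decision is enforced by 389-ds ACIs and the keytab-retrieval code, not by Python.

```python
# Added example, not FreeIPA's own code. It models how the keytab ACL
# described in the commit above is stored and checked: the attribute
# ipaAllowedToPerform with the subtypes read_keys (retrieve keytab) and
# write_keys (create keytab). The suffix, entries and group memberships
# are constructed sample data.

BASE_DN = "dc=example,dc=test"  # assumed suffix


def user_dn(uid):
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, BASE_DN)


def group_dn(cn):
    return "cn=%s,cn=groups,cn=accounts,%s" % (cn, BASE_DN)


# Maps the CLI verbs to the attribute subtype they write.
OPERATIONS = {"retrieve": "read_keys", "create": "write_keys"}

# Constructed host entry, as it might look after
#   ipa host-allow-retrieve-keytab web.example.test --users=alice --groups=webadmins
#   ipa host-allow-create-keytab web.example.test --users=bob
# LDAP attribute subtypes are spelled "attribute;subtype".
HOST_ENTRY = {
    "fqdn": ["web.example.test"],
    "ipaallowedtoperform;read_keys": [user_dn("alice"), group_dn("webadmins")],
    "ipaallowedtoperform;write_keys": [user_dn("bob")],
}

# Constructed group memberships: user -> groups the user belongs to.
MEMBERSHIP = {"alice": [], "bob": ["webadmins"], "carol": ["webadmins"], "dave": []}


def _attr(operation):
    return "ipaallowedtoperform;%s" % OPERATIONS[operation]


def allowed_dns(entry, operation):
    """DNs listed for the operation; attribute names compare
    case-insensitively, as they do in LDAP."""
    wanted = _attr(operation)
    for attr, values in entry.items():
        if attr.lower() == wanted:
            return {v.lower() for v in values}
    return set()


def may_perform(entry, operation, uid, membership=MEMBERSHIP):
    """True if uid, directly or through one of its groups, may
    'retrieve' or 'create' the keytab of the host/service in entry."""
    acl = allowed_dns(entry, operation)
    if not acl:
        return False  # nobody listed: deny by default
    candidates = {user_dn(uid).lower()}
    candidates.update(group_dn(g).lower() for g in membership.get(uid, []))
    return bool(acl & candidates)


def keytab_permissions(entry, uid, membership=MEMBERSHIP):
    return {op: may_perform(entry, op, uid, membership) for op in OPERATIONS}


def allow(entry, operation, kind, name):
    """Model of host/service-allow-*-keytab: a copy of entry with the
    user ('users') or group ('groups') DN added under the right subtype."""
    dn = user_dn(name) if kind == "users" else group_dn(name)
    new = {k: list(v) for k, v in entry.items()}
    values = new.setdefault(_attr(operation), [])
    if dn.lower() not in {v.lower() for v in values}:
        values.append(dn)
    return new


def disallow(entry, operation, kind, name):
    """Model of host/service-disallow-*-keytab: a copy without that DN."""
    dn = (user_dn(name) if kind == "users" else group_dn(name)).lower()
    wanted = _attr(operation)
    return {k: [v for v in vals if not (k.lower() == wanted and v.lower() == dn)]
            for k, vals in entry.items()}


if __name__ == "__main__":
    for uid in MEMBERSHIP:
        print(uid, keytab_permissions(HOST_ENTRY, uid))
```

Note that `bob` can retrieve only because he is a member of `webadmins`, and `carol` can never create a keytab until the group is also listed under `write_keys`; the two subtypes are independent grants.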
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overridding user shell in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Tomas Babej
277b762d36
idviews: Add ipaOriginalUid
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
cbf1ad84f1
idviews: Split the idoverride commands into iduseroverride and idgroupoverride
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
377ab0c4a6
idviews: Add managed permissions for idview and idoverride objects
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
be36525dc5
idviews: Add ipaAssignedIDView reference to the host object
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Petr Viktorin
4fac4f4cf6
Allow deleting obsolete permissions; remove operational attribute permissions
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Petr Viktorin
6ce44c4f05
permission plugin: Auto-add operational attributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever their entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
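The commit above adds a rule to the permission plugin (entryusn, createtimestamp and modifytimestamp are granted by every read permission that grants objectclass), and the "makeaci: Use the DN where the ACI is stored" commit further down concerns where the generated ACI lands. The following is an added example, not FreeIPA's permission plugin or makeaci: it renders a managed-permission definition into a 389-ds ACI string in the shape of FreeIPA's ACI.txt, with that auto-add rule applied and the ACI emitted at the permission's target location rather than at the permission entry under cn=pbac. The suffix and the two sample permissions are constructed, the interpretation of "read permission" as "rights include read" is an assumption, and the exact string FreeIPA writes may differ in ordering or detail.

```python
# Added example, not FreeIPA's permission plugin or makeaci. It renders a
# managed-permission definition (using the real ipaPerm* attribute names)
# into a 389-ds ACI in the shape used by FreeIPA's ACI.txt, applying the
# rule from the commit above: a read permission that exposes objectclass
# also gets entryusn, createtimestamp and modifytimestamp. The suffix and
# the sample permissions are constructed; the exact string FreeIPA writes
# may differ.

OPERATIONAL_READ_ATTRS = ("entryusn", "createtimestamp", "modifytimestamp")
PERMISSIONS_BASE = "cn=permissions,cn=pbac"


def effective_attributes(rights, attrs):
    """Attributes the ACI will grant. Assumption: a 'read permission' is one
    whose rights include read; only then, and only if objectclass is among
    the attributes, are the operational attributes auto-added."""
    attrs = {a.lower() for a in attrs}
    if "read" in rights and "objectclass" in attrs:
        attrs.update(OPERATIONAL_READ_ATTRS)
    return sorted(attrs)


def aci_location(perm, suffix):
    """DN the ACI is stored on: the permission's ipaPermLocation (or the
    suffix), not the permission entry under cn=pbac."""
    return perm.get("ipapermlocation") or suffix


def bind_rule(perm, suffix):
    """Who the ACI applies to. 'permission' binds the permission's own
    entry; privileges and roles reach it through group membership."""
    kind = perm.get("ipapermbindruletype", "permission")
    if kind == "permission":
        return 'groupdn = "ldap:///cn=%s,%s,%s"' % (perm["cn"], PERMISSIONS_BASE, suffix)
    if kind == "all":
        return 'userdn = "ldap:///all"'
    if kind == "anonymous":
        return 'userdn = "ldap:///anyone"'
    raise ValueError("unknown bind rule type %r" % kind)


def build_aci(perm, suffix):
    attrs = effective_attributes(perm["ipapermright"], perm["ipapermincludedattr"])
    parts = ['(targetattr = "%s")' % " || ".join(attrs)]
    filters = perm.get("ipapermtargetfilter", [])
    if filters:
        filt = filters[0] if len(filters) == 1 else "(&%s)" % "".join(filters)
        parts.append('(targetfilter = "%s")' % filt)
    rights = ",".join(sorted(perm["ipapermright"]))
    parts.append('(version 3.0;acl "permission:%s";allow (%s) %s;)'
                 % (perm["cn"], rights, bind_rule(perm, suffix)))
    return "".join(parts)


def render_ldif(perm, suffix):
    """The two-line record as it would appear in ACI.txt."""
    return "dn: %s\naci: %s" % (aci_location(perm, suffix), build_aci(perm, suffix))


SUFFIX = "dc=example,dc=test"  # assumed suffix

# Constructed read permission; bind rule 'all' means any authenticated user.
READ_USER_ADDRESSBOOK = {
    "cn": "System: Read User Addressbook Attributes",
    "ipapermright": ["read", "search", "compare"],
    "ipapermbindruletype": "all",
    "ipapermlocation": "cn=users,cn=accounts," + SUFFIX,
    "ipapermtargetfilter": ["(objectclass=posixaccount)"],
    "ipapermincludedattr": ["objectclass", "uid", "mail", "telephonenumber",
                            "facsimiletelephonenumber"],
}

# Constructed write permission: no objectclass and no read right, so no
# operational attributes are added.
MODIFY_REALM_DOMAINS = {
    "cn": "System: Modify Realm Domains",
    "ipapermright": ["write"],
    "ipapermlocation": "cn=Realm Domains,cn=ipa,cn=etc," + SUFFIX,
    "ipapermincludedattr": ["associateddomain"],
}

if __name__ == "__main__":
    print(render_ldif(READ_USER_ADDRESSBOOK, SUFFIX))
    print(render_ldif(MODIFY_REALM_DOMAINS, SUFFIX))
```

The practical check this enables is the one the "regenerate ACI.txt" commit higher up alludes to: render every managed permission, diff the result against the checked-in ACI.txt, and treat any difference as a review item, since a changed targetattr list is a change in what a privilege can read or write.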
Petr Viktorin
68d656f80a
Fix: Add managed read permissions for compat tree and operational attrs
This is a fix for an earlier version, which was committed by mistake as:
master: 418ce870bf
ipa-4-0: 3e2c86aeab
ipa-4-1: 9bcd88589e
Thanks to Alexander Bokovoy for contributions
https://fedorahosted.org/freeipa/ticket/4521
2014-09-05 15:40:13 +02:00
Petr Viktorin
418ce870bf
Add managed read permissions for compat tree
https://fedorahosted.org/freeipa/ticket/4521
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-05 13:50:29 +02:00
Jan Cholasta
586373cf07
Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913
Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Petr Viktorin
afe067b1ab
makeaci: Use the DN where the ACI is stored, not the permission's DN
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-07-07 14:42:52 +02:00
Martin Kosek
ef83a0c678
Add Modify Realm Domains permission
The permission is required for DNS Administrators as realm domains
object is updated when a master zone is added.
https://fedorahosted.org/freeipa/ticket/4423
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:17:04 +02:00
Martin Basti
30551a8aa3
Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0
Remove NSEC3PARAM record
Revert 5b95be802c
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
c655aa2832
Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Martin Basti
12cb31575c
DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Tomas Babej
9304b649a3
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
in the sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
c2e6b74029
trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Tomas Babej
8f9838c7ef
trusts: Add more read attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
175b19bbf8
Add several CRUD default permissions
Add missing Add, Modify, Remove default permissions to:
- automountlocation (Add/Remove only; locations have
no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
52003a9ffb
Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc
Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
439dd7fa74
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c
Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d
Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364
Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136
Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5
Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00