Commit Graph

94 Commits

Author SHA1 Message Date
Martin Basti
d3f5d5d1ff Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
This is not used anymore.

Ticket: https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:33:22 +01:00
Martin Basti
52b7101c11 Fix uniqueness plugins
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid

* remove unneded update plugins -> update was moved to .update file

* add uniqueness-across-all-subtrees required by user lifecycle
management

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Basti
4b2ec5468f Migrate uniquess plugins configuration to new style
New configuration style contains options required for user lifecycle
management.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Kosek
0a7a8d6604 Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients.

https://fedorahosted.org/freeipa/ticket/4850

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-21 07:47:22 +00:00
Martin Kosek
6652c4eb2e Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Martin Basti
af6aece39b Fix zone find during forwardzone upgrade
https://fedorahosted.org/freeipa/ticket/4818

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
Martin Basti
bb405bd972 Fix: Upgrade forwardzones zones after adding newer replica
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.

Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
Gabe
6d3403edac Remove usage of app_PYTHON in ipaserver Makefiles
- Remove ChangeLog from ipa-client/Makefile.am

https://fedorahosted.org/freeipa/ticket/4700

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 15:42:39 +01:00
Martin Basti
f62c7843ff Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:26:34 +01:00
Martin Basti
40ea328a78 Fix: DNS policy upgrade raises asertion error
Ticket: https://fedorahosted.org/freeipa/ticket/4708
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 12:12:28 +00:00
Petr Vobornik
61d98bdc59 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix

https://fedorahosted.org/freeipa/ticket/4221

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Martin Basti
730f33680b Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:45:16 +01:00
Alexander Bokovoy
eb4d559f3b updater: enable uid uniqueness plugin for posixAccounts
https://fedorahosted.org/freeipa/ticket/4636

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Alexander Bokovoy
bd98ab0356 Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Jan Cholasta
608851d3f8 Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Tomas Babej
00457a9c10 idviews: Fix typo in upgrade handling of the Default Trust View
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-30 11:49:53 +02:00
Tomas Babej
2a230b6cc1 idviews: Create Default Trust View for upgraded servers
For upgraded servers with enabled AD trust support, we want to
ensure that Default Trust View entry is created.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Jan Cholasta
f680a63158 Fix certmonger code causing the ca_renewal_master update plugin to fail
https://fedorahosted.org/freeipa/ticket/4547

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-09-23 16:25:15 +02:00
Petr Viktorin
4fac4f4cf6 Allow deleting obsolete permissions; remove operational attribute permissions
https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Petr Viktorin
68d656f80a Fix: Add managed read permissions for compat tree and operational attrs
This is a fix for an earlier version, which was committed by mistake as:
master: 418ce870bf
ipa-4-0: 3e2c86aeab
ipa-4-1: 9bcd88589e

Thanks to Alexander Bokovoy for contributions

https://fedorahosted.org/freeipa/ticket/4521
2014-09-05 15:40:13 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Jan Cholasta
5f29a71bd7 Upload CA chain from DS NSS database to certificate store on server update.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
586373cf07 Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913 Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Martin Basti
00309f8e42 Fix DNS upgrade plugin should check if DNS container exists
Fortunately this cause no error, because dnszone-find doesnt raise
exception if there is no DNS container

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-28 17:42:38 +02:00
Martin Basti
f8b6595f49 Restore privileges after forward zones update
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:48:50 +02:00
Martin Basti
eea1015441 Fix upgrade to forward zones
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-03 14:04:57 +02:00
Martin Basti
aa2ef07b8c Upgrade special master zones to forward zones
This upgrade is executed only if IPA version is older than 4.0
Requires detection if 'idnsforwardzone' objectclass is presented in
schema before schema is upgraded

Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Martin Basti
c1f3fd6831 Added upgrade step executed before schmema is upgraded
Class PreSchemaUpdate is executed before ldap schema update

This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Petr Viktorin
02b5074d84 permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
83cb982858 Add $REALM to variables supported by the managed permission updater
This will allow converting password policy permissions

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116 Remove the update_dns_permissions plugin
This plugin created permissions that the managed permission
updater would remove right away.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00
Petr Viktorin
16ee6847e4 managed permission updater: Add mechanism to replace SYSTEM permissions
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Petr Viktorin
2f3cdba546 Make 'permission' the default bind type for managed permissions
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
13bcd03fcf Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
e0cafea374 managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
acb2ca47d6 Add mechanism for updating permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:17 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
63becae88c Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
993c1c8557 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
81b0e7466d Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 10:04:16 +02:00
Jan Cholasta
50c7f3b236 Fix update_ca_renewal_master plugin on CA-less installs.
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 16:40:10 +02:00
Petr Viktorin
41607774bc Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 14:49:16 +02:00
Petr Viktorin
c58d6b2689 Allow overriding all attributes of default permissions
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Petr Viktorin
fb2f0ae8d5 Document the managed permission updater operation
The method was explained on the [Design] page, but as the updater
is extended the design page would become obsolete.
Document the operation in the docstring of the plugin itself.

Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Jan Cholasta
c3169add3b Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00