Commit Graph

542 Commits

Author SHA1 Message Date
Tomas Babej
3a56b155e8 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
Makes sure we dereference the correct attribute. Also adds object class
checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
9304b649a3 sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.

https://fedorahosted.org/freeipa/ticket/4263

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
a228d7a3cb sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Petr Viktorin
439dd7fa74 Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364 Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136 Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5 Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8 Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3 Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8a5110305f Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
f486d23ad6 Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Martin Basti
7cdc4178b0 DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
49068ade92 Separate master and forward DNS zones
Forward zones are stored in idnsforwadzone objectclasses.

design: http://www.freeipa.org/page/V4/Forward_zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Petr Viktorin
853b6ef4ce Convert DNS default permissions to managed
Convert the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Petr Viktorin
53a63ae346 Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
8b7daf675e dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone
Part of the work for: https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-28 15:58:24 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Petr Viktorin
223e6dc3f7 aci-update: Trim the admin write blacklist
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
baa72b68b1 Add a new ipaVirtualOperation objectClass to virtual operations
The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Alexander Bokovoy
ad6480f845 schema-compat: set precedence to 49 to allow OTP binds over compat tree
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.

Note that this will only work if ticket 47699 is fixed in 389-ds.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-04-04 08:45:43 +02:00
Jan Cholasta
48539b35d7 Use LDAP API to upload CA certificate instead of ldapmodify command.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Nathaniel McCallum
adcd373931 Make all ipatokenTOTP attributes mandatory
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-21 16:07:39 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Nathaniel McCallum
a91c0972b9 Update ACIs to permit users to add/delete their own tokens
https://fedorahosted.org/freeipa/ticket/4087

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-13 19:43:29 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Jan Cholasta
4e207b4c88 Remove sourcehostcategory from the default HBAC rule.
https://fedorahosted.org/freeipa/ticket/4158

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-06 16:46:24 +01:00
Alexander Bokovoy
531ede2904 ipa-adtrust-install: configure host netbios name by default
Ensure we set host netbios name by default in smb.conf

https://fedorahosted.org/freeipa/ticket/4116
2014-01-20 10:35:03 +01:00
Tomas Babej
3e1386a57e acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.

Part of: https://fedorahosted.org/freeipa/ticket/3306
2014-01-14 15:22:27 +01:00
Xiao-Long Chen
5e96fbc22a Use /usr/bin/python2
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
2014-01-03 09:46:05 +01:00
Petr Viktorin
445634d6ac Add new permission schema
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:51 +01:00
Martin Kosek
9677308caa Allow kernel keyring CCACHE when supported
Server and client installer should allow kernel keyring ccache when
supported.

https://fedorahosted.org/freeipa/ticket/4013
2013-12-09 12:21:22 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00
Petr Viktorin
2bc7803b69 Unify capitalization of attribute names in schema files
Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly
if they use inconsistent capitalization.

This patch works around the bug in IPA schema files.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820

Note: git's --word-diff option is recommended for viewing these changes
2013-11-18 16:54:22 +01:00
Petr Viktorin
ec1585f831 Add formerly update-only schema
Some schema was only delivered in updates. Add it back as ldif files.

https://fedorahosted.org/freeipa/ticket/3454
2013-11-18 16:54:21 +01:00
Petr Viktorin
a1eb71768c Make schema files conform to new updater
The new schema updater only compares textual representations of schema
elements, as formatted by python-ldap.
This works well, but it is too strict for the current schema files in two ways:
- For attribute names in MAY and MUST, the correct letter case must be used
- AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if
    they are the same as its supertype's.
When these restrictions are not followed, the updater will always overwrite
the schema element. This is harmless but it fills up the log unnecessarily.

Modify the schema files to conform to these restrictions.

Part of the work for https://fedorahosted.org/freeipa/ticket/3454

Note: git's --word-diff option is recommended for viewing these changes
2013-11-18 16:54:21 +01:00
Martin Kosek
cdd2e9caff Do not add kadmin/changepw ACIs on new installs
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.

The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.

https://fedorahosted.org/freeipa/ticket/3987
2013-10-25 15:26:51 +02:00
Ana Krivokapic
92cd987e0a Add ipa-advise plugins for nss-pam-ldapd legacy clients
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:

* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd

https://fedorahosted.org/freeipa/ticket/3672
2013-10-18 16:15:12 +02:00
Martin Kosek
cb9331ebfc Remove --no-serial-autoincrement
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.

https://fedorahosted.org/freeipa/ticket/3962
2013-10-11 09:47:59 +02:00
Jan Cholasta
e380acdc1c Fix nsslapdPlugin object class after initial replication.
This is a workaround for <https://fedorahosted.org/389/ticket/47490>.

https://fedorahosted.org/freeipa/ticket/3915
2013-09-10 09:49:43 +02:00
Petr Spacek
0924177ab0 Add timestamps to named debug logs in /var/named/data/named.run 2013-09-06 15:39:36 +02:00
Martin Kosek
b1474a53c0 Fix selected minor issues in the spec file and license
This patch fixes:
- too long description for server-trust-ad subpackage
- adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
  overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it
  pollute python subpackage Provides.
- wrong address in GPL v2 license preamble in 2 distributed files

https://fedorahosted.org/freeipa/ticket/3855
2013-08-13 15:31:46 +02:00
Tomas Babej
69394bab5a Remove support for IPA deployments with no persistent search
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
2013-08-09 12:14:42 +02:00
Ana Krivokapic
da2605c942 Handle --subject option in ipa-server-install
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.

Also make sure that this value is preserved on upgrades.

https://fedorahosted.org/freeipa/ticket/3783
2013-08-08 16:52:48 +02:00
Ana Krivokapic
fc3f3c90b9 Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:42 +02:00
Rob Crittenden
198d82d4ce Add Camellia ciphers to allowed list.
https://fedorahosted.org/freeipa/ticket/3749
2013-07-18 10:49:38 +03:00
Nathaniel McCallum
d5c1b18bcc Fix for small syntax error in OTP schema
https://fedorahosted.org/freeipa/ticket/3765
2013-07-11 12:39:29 +03:00
Nathaniel McCallum
4bbbc11029 Permit reads to ipatokenRadiusProxyUser objects
This fixes an outstanding permissions issue from the OTP work.

https://fedorahosted.org/freeipa/ticket/3693
2013-07-11 12:39:27 +03:00
Jan Cholasta
a209bb38aa Add missing equality index for ipaUniqueId.
https://fedorahosted.org/freeipa/ticket/3743
2013-07-11 12:39:26 +03:00
Jan Cholasta
a10521a1dc Add missing substring indices for attributes managed by the referint plugin.
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.

https://fedorahosted.org/freeipa/ticket/3706
2013-07-11 12:39:26 +03:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Martin Kosek
77ae4da706 Remove entitlement support
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739
2013-06-26 14:11:42 +02:00
Tomas Babej
ddb3957011 Add ipaRangeType attribute to LDAP Schema
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.

ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.

Part of https://fedorahosted.org/freeipa/ticket/3647
2013-06-10 12:27:33 +03:00
Nathaniel McCallum
cb68935435 Add IPA OTP schema and ACLs
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
bc26d87b34 Add ipaUserAuthType and ipaUserAuthTypeClass
This schema addition will be useful for future commits. It allows us to
define permitted external authentication methods on both the user and
global config. The implementation is generic, but the immediate usage
is for otp support.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Petr Viktorin
d4a0fa34af Fix syntax errors in schema files
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.

The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).

https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:15:16 -04:00
Petr Viktorin
e9863e3fe3 Fix syntax of the dc attributeType
dc syntax is changed from Directory String to IA5 String to conform
to RFC 2247.

Part of the work for https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:13:52 -04:00
Martin Kosek
5af2e1779a Add userClass attribute for hosts
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
2013-04-26 10:20:17 -04:00
Jan Cholasta
f684c6d6f8 Use A/AAAA records instead of CNAME records in ipa-ca.
https://fedorahosted.org/freeipa/ticket/3547
2013-04-15 21:12:36 +02:00
Petr Viktorin
74abb432fb Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
A commonName attribute has no meaning in DNS records.

https://fedorahosted.org/freeipa/ticket/3514
2013-04-10 13:56:11 +02:00
Martin Kosek
81be28d6bd Change CNAME and DNAME attributes to single valued
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.

https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
2013-04-02 17:11:46 +02:00
Jan Cholasta
5f26d2c6db Add Kerberos ticket flags management to service and host plugins.
https://fedorahosted.org/freeipa/ticket/3329
2013-03-29 16:34:46 +01:00
Martin Kosek
48ba165576 Put pid-file to named.conf
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.

Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
2013-03-29 08:59:45 +01:00
Martin Kosek
7a2d3804af Use tkey-gssapi-keytab in named.conf
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.

Both new and current IPA installations are updated.

https://fedorahosted.org/freeipa/ticket/3429
2013-03-14 10:50:24 -04:00
Rob Crittenden
9005b9bc8a Extend ipa-replica-manage to be able to manage DNA ranges.
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.

If one cannot be found then it is reported as an error.

Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.

http://freeipa.org/page/V3/Recover_DNA_Ranges

https://fedorahosted.org/freeipa/ticket/3321
2013-03-13 10:32:36 -04:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Jan Cholasta
54080f46b0 Remove disabled entries from sudoers compat tree.
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.

https://fedorahosted.org/freeipa/ticket/3437
2013-03-06 16:08:20 +01:00
Martin Kosek
e2120c31c3 Fix includedir directive in krb5.conf template
We did not have the includedir directory with a trailing slash which made
rpm update add a redundant line.

https://fedorahosted.org/freeipa/ticket/3132
2013-02-28 15:25:14 +01:00
Martin Kosek
4a6f3cac29 Remove ORDERING for IA5 attributeTypes
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-27 12:47:04 +01:00
Rob Crittenden
49beb8cd3a Add missing v3 schema on upgrades, fix typo in schema.
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.

Replacing mis-spelled ORDERING value on new install and upgrades.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-22 13:30:59 +01:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Rob Crittenden
d5966bde80 Update anonymous access ACI to protect secret attributes.
Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.
2013-01-23 15:31:48 -05:00
Simo Sorce
18eea90ebb Upload CA cert in the directory on install
This will later allow clients to securely download the CA cert by
performaing mutual auth using LDAP with GSSAPI
2013-01-23 14:26:41 -05:00
Martin Kosek
867f7691e9 Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
2012-12-07 11:00:17 -05:00
Jakub Hrozek
b64dc9362d Specify includedir in krb5.conf on new installs
https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:53:22 -05:00
Petr Viktorin
5fa3455764 Update certmap.conf on IPA upgrades
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.

This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
2012-11-23 12:19:19 +01:00
Petr Viktorin
1d3ddeff54 Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
2012-11-23 12:19:19 +01:00
Ade Lee
18a210996d Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
2012-11-23 12:19:19 +01:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Rob Crittenden
7c2eb48850 Set MLS/MCS for user_u context to what will be on remote systems.
The user_u context in the default list was broader than is actually
configured by default on systems.

https://fedorahosted.org/freeipa/ticket/3224
2012-11-02 10:17:51 -04:00
Rob Crittenden
ea4f60b15a Explicitly disable betxn plugins for the time being.
This should work with 389-ds-base 1.2.x and 1.3.0.

Without other plugin changes 389-ds-base can deadlock.

https://fedorahosted.org/freeipa/ticket/3046
2012-10-10 20:24:10 -04:00
Alexander Bokovoy
0840b588d7 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.

https://fedorahosted.org/freeipa/ticket/3041
2012-10-09 18:15:01 -04:00
Rob Crittenden
96decfea26 Add uniqueness plugin configuration for sudorule cn
We do a search looking for duplicate values but this leaves open the
possibility that two adds are happening at the same time so both
searches return NotFound therefore we get two entries with the same
cn value.

https://fedorahosted.org/freeipa/ticket/3017
2012-10-08 18:32:41 -04:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Sumit Bose
12f4584f57 ipa-adtrust-install: create fallback group with ldif file
Currently the framework is used to add the group but we want to avoid
that users are added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup and we want to
use a name with spaces in it. Both it not easy possible with the
framework, a LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 10:22:16 +02:00
Sumit Bose
e713b8dba2 Add new ipaIDobject to DNA plugin configuraton 2012-10-04 22:15:36 -04:00
Petr Vobornik
247a3a43b7 Build and installation of Kerberos authentication extension
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).

Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.

If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.

In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:08:04 -04:00
Martin Kosek
0e432d33fc Index ipakrbprincipalalias and ipaautomountkey attributes
An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.

Add both indexes to new and updated IPA installs.

https://fedorahosted.org/freeipa/ticket/3020
https://fedorahosted.org/freeipa/ticket/3025
2012-10-01 22:37:59 -04:00
Sumit Bose
0d31833317 Set master_kdc and dns_lookup_kdc to true
https://fedorahosted.org/freeipa/ticket/2515
2012-09-19 20:47:12 -04:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00
Martin Kosek
c0630950a1 Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:27 -04:00
Martin Kosek
d8ba7d9145 Amend memberAllowCmd and memberDenyCmd attribute types
Attribute types of attributes designed to hold DN values are not
supposed to hold own ORDERING or SUBSTR matching rules (which were
even not correct in this case).

Update these attributes to only define an EQUALITY rule just like
other DN attribute types in IPA.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:12 -04:00
Rob Crittenden
79b90d1465 Set SELinux default context to unconfined_u:s0-s0:c0.c1023
Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.

https://fedorahosted.org/freeipa/ticket/3045
2012-09-13 12:35:43 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Martin Kosek
4760c15cb2 Add automount map/key update permissions
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.

Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.

https://fedorahosted.org/freeipa/ticket/2687
2012-07-10 20:41:14 -04:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Martin Kosek
d5fe02999c Create default range entry after upgrade
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.

Default range LDIF entry for new install was fixed so that new
installation does not crash.

https://fedorahosted.org/freeipa/ticket/2891
2012-07-02 16:27:33 +02:00
Sumit Bose
0350b5e8a1 Add objects for initial ID range 2012-06-29 16:21:20 -04:00
Sumit Bose
ab6097bc6a Extend LDAP schema
The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or
SIDs for objects that are no neither users nor groups.

The ipa*IDRange objectclasses will be used to store the used Posix ID
ranges of the local domains (ipaDomainIDRange) or the ranges reserved
for AD domains (ipaTrustedADDomainRange). To be able to map the Posix
IDs to a RID and back the corresponding ranges can be saved here as
well.
2012-06-29 16:21:17 -04:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Rob Crittenden
db4c946f47 Defer adding ipa-cifs-delegation-targets until the Updates phase.
It was likely that this would fail being in an LDIF so let an update
file add this potentially conflicting entry instead.

https://fedorahosted.org/freeipa/ticket/2837
2012-06-27 16:50:02 +02:00
Martin Kosek
32ef4efaca Remove ipaNTHash from global allow ACI
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856
2012-06-26 21:28:25 +02:00
Petr Vobornik
0948a9f91b Set network.http.sendRefererHeader to 2 on browser config
IPA web UI isn't functional when browser doesn't send http headers.

This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.

Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader

https://fedorahosted.org/freeipa/ticket/2778
2012-06-22 10:44:45 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Alexander Bokovoy
dd244c02dd Use dedicated keytab for Samba
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.

https://fedorahosted.org/freeipa/ticket/2168
2012-06-07 09:39:09 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00
Martin Kosek
6ff5f28142 permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.

Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.

https://fedorahosted.org/freeipa/ticket/2658
2012-06-01 07:51:59 +02:00
Nalin Dahyabhai
856b9627be - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
Nalin Dahyabhai
74b42cc89c - create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-26 09:00:17 +02:00
Nalin Dahyabhai
1c26c06d61 - index the fqdn and macAddress attributes for the sake of the compat plugin 2012-04-26 09:00:11 +02:00
Rob Crittenden
0423213148 Use mixed-case for Read DNS Entries permission
https://fedorahosted.org/freeipa/ticket/2569
2012-04-23 10:00:40 +02:00
Martin Kosek
184a066f4a Fix installation when server hostname is not in a default domain
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602
2012-04-08 20:35:10 -04:00
Rob Crittenden
7471ba2237 Return consistent value when hostcat and usercat is all.
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.

This requires slapi-nis 0.40+

https://fedorahosted.org/freeipa/ticket/2192
2012-04-08 16:54:32 -04:00
Martin Kosek
df13cdcb97 Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569
2012-04-01 21:17:04 -04:00
Martin Kosek
b944ad44b5 Amend permissions for new DNS attributes
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510
2012-03-25 23:58:24 -04:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Rob Crittenden
c48d34fa43 Fix nested netgroups in NIS.
We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.

https://fedorahosted.org/freeipa/ticket/2359
2012-02-29 16:01:58 +01:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Martin Kosek
1816643a43 Update schema for bind-dyndb-ldap
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072
2012-02-24 09:40:36 +01:00
Rob Crittenden
960baaebf4 Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.

https://fedorahosted.org/freeipa/ticket/2416
2012-02-23 11:05:52 +01:00
Rob Crittenden
ffd39503c1 Limit the change password permission so it can't change admin passwords
We don't want those in the helpdesk role to be able to reset
administrators passwords.

https://fedorahosted.org/freeipa/ticket/2271
2012-02-20 19:38:49 +01:00
Petr Viktorin
af233fbda1 Make ipausers a non-posix group on new installs
https://fedorahosted.org/freeipa/ticket/2238

It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.

This is for new installs only.
2012-02-19 19:48:03 -05:00
Rob Crittenden
65f40aeb8d Use FQDN in place of FQHN for consistency in sub_dict.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
2012-02-15 20:27:34 -05:00
Rob Crittenden
af52c4d31e Update S4U2proxy delegation list when creating replicas 2012-02-15 17:24:16 +01:00
Rob Crittenden
2da6d6e746 Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
2012-02-15 17:08:33 +01:00
Jan Cholasta
9b6baf9bee Add LDAP ACIs for SSH public key schema.
https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:20:23 -05:00
Jan Cholasta
63ea0a304e Add LDAP schema for SSH public keys.
https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:20:18 -05:00
Adam Young
a2cc9b4282 Remove delegation from browser config 2012-02-07 15:51:44 +01:00
Rob Crittenden
c08296adff Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
2012-01-10 22:39:26 -05:00
Rob Crittenden
55512dc938 Add SELinux user mapping framework.
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.

https://fedorahosted.org/freeipa/ticket/755
2011-12-09 16:46:25 +02:00
Simo Sorce
7d744f82e2 ipa-kdb: Delegation ACL schema 2011-12-08 17:18:10 -05:00
Rob Crittenden
59721431d2 Remove extraneous trailing single quote in nis.uldif 2011-12-05 22:27:36 -05:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00
Sumit Bose
2d355da9e2 Add trust objectclass and attributes to v3 schema 2011-12-06 08:29:53 -05:00
Simo Sorce
b8f259e027 Add NT domain GUID attribute.
We need this to be able to re-set it, as ipaUniqueID cannot be arbitraily set
to a value. Only needed for the domain object.
2011-11-21 18:52:48 -05:00
Rob Crittenden
4322370942 Fix nis netgroup config entry so users appear in netgroup triple.
https://fedorahosted.org/freeipa/ticket/2028
2011-10-27 09:55:58 +02:00
Jan Cholasta
592bf62161 Remove more redundant configuration values from krb5.conf.
ticket 1358
2011-10-11 22:00:50 -04:00
Rob Crittenden
7bd3b3e121 Fix DNS permissions and membership in privileges
This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof via
a DS task.

https://fedorahosted.org/freeipa/ticket/1898
2011-10-09 23:44:22 -04:00
Nalin Dahyabhai
a16b5b4c00 list users from nested groups, too 2011-10-05 09:06:42 +02:00
Sumit Bose
c4e070c1fe Fix typo in v3 base schema 2011-09-21 08:29:58 -04:00
Sumit Bose
06ccb38c69 Update samba LDAP schema
The samba LDAP schema is updated to the lastest version available from the
samba source code to be able to use the new trust related object class and
attributes.
2011-09-20 17:27:40 -04:00
Simo Sorce
89c4e9362d schema: Add new attributes and objectclasses for AD Trusts 2011-09-20 10:41:12 -04:00
Sumit Bose
29a7a7e8ce Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
2011-09-14 18:45:13 -04:00
Rob Crittenden
5371c03c93 The precendence on the modrdn plugin was set in the wrong location.
https://fedorahosted.org/freeipa/ticket/1370
2011-09-13 17:36:59 +02:00
Jr Aquino
8b3336ef55 Move Managed Entries into their own container in the replicated space.
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils

https://fedorahosted.org/freeipa/ticket/1708
2011-09-12 16:28:27 -04:00
Martin Kosek
6a2dfde086 Let Bind track data changes
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh in installation to define number of seconds
    between bind-dyndb-ldap polls for new DNS zones. User now
    doesn't have to restart name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch yes";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
2011-08-31 16:46:12 +02:00
Jr Aquino
d05ace8fba 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
2011-08-31 09:49:43 +02:00
Simo Sorce
586e2eaf6c v3-schema: Add new ipaExternalGroup objectclass
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).

It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
2011-08-26 08:26:13 -04:00
Simo Sorce
19cb08e579 schema: Split ipadns definitions from basev2 ones 2011-08-26 08:26:13 -04:00
Simo Sorce
a60a71497b install: Use proper case for boolean values 2011-08-26 08:24:50 -04:00
Simo Sorce
8cb2aee626 install: Remove uid=kdc user
The ipadb DAL driver gets access to the ldap server as Directory Manager now so
this user is not needed anymore.
2011-08-26 08:24:50 -04:00
Simo Sorce
195a65d5c2 ipa-kdb: Change install to use the new ipa-kdb kdc backend
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
2011-08-26 08:24:50 -04:00
Rob Crittenden
109b79a7ac Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-24 14:12:01 +02:00
Endi S. Dewata
72a7e3ac2d Fixed browser configuration pages
The browser configuration pages have been modified to improve the
content and appearance.

Ticket #1624
2011-08-17 17:28:25 +00:00
Petr Vobornik
b936574672 Redirection after changing browser configuration
https://fedorahosted.org/freeipa/ticket/1502

Added redirection link.
CSS styling of configuration page.
Some CSS cleaning.
2011-08-08 13:49:26 -04:00
Rob Crittenden
a48a84a5ea Set the ipa-modrdn plugin precedence to 60 so it runs last
The default precedence for plugins is 50 and the run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.

https://fedorahosted.org/freeipa/ticket/1370
2011-07-17 22:24:30 -04:00
Rob Crittenden
37e3bf2a60 Disallow direct modifications to enrolledBy.
This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
2011-07-14 19:11:49 -04:00
Jan Cholasta
f05141e646 Remove redundant configuration values from krb5.conf.
ticket 1358
2011-06-28 01:10:06 -04:00
Martin Kosek
5f4c75eb28 Allow recursion by default
Update name server configuration file to allow any host to issue
recursive queries (allow-recursion statement).

https://fedorahosted.org/freeipa/ticket/1335
2011-06-27 23:14:16 -04:00
Rob Crittenden
7940270b9f Remove root autobind search restriction, fix upgrade logging & error handling.
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.

The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.

Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.

https://fedorahosted.org/freeipa/ticket/1243
https://fedorahosted.org/freeipa/ticket/1254
2011-06-13 09:51:05 +02:00
Rob Crittenden
201ffc07bd Configure Managed Entries on replicas.
The Managed Entries plugin configurations weren't being created on
replica installs. The templates were there but the cn=config
portions were not.

This patch adds them as updates. The template portion will be added
in the initial replication.

ticket 1222
2011-05-25 16:39:27 -04:00
Jr Aquino
5a4f77ac14 28 One Liner: Typo in host_nis_groups has been creating 2 CN's 2011-05-25 16:36:25 -04:00
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Rob Crittenden
46a3411420 Wait for memberof task and DS to start before proceeding in installation.
This was causing a replica DS instance to crash if the task was not
completed when we attempted a shutdown to do a restart.

In replication.py we were restarting the DS instance without waiting
for the ports to become available.

It is unlikely that the dn of the memberof task will change but just in
case I noted it in the two places it is referenced.

ticket 1188
2011-04-22 11:43:50 +02:00
Rob Crittenden
fe67680da5 The default groups we create should have ipaUniqueId set
This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.

ticket 1177
2011-04-15 13:02:17 +02:00
Rob Crittenden
b9a2c11d6f Fix ORDERING in some attributetypes and remove other unnecessary elements.
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.

This requires 389-ds-base-1.2.8.0-1+

ticket 1153
2011-04-05 21:46:32 -04:00
Simo Sorce
54b2627018 Store list of non-master replicas in DIT and provide way to list them
Fixes: https://fedorahosted.org/freeipa/ticket/1007
2011-03-02 09:46:46 -05:00
Rob Crittenden
07ba40f33e Use Sudo rather than SUDO as a label.
ticket 1005
2011-03-01 16:48:35 -05:00
Simo Sorce
b6ca0f210c Fix replica setup using replication admin kerberos credentials
Fixes: https://fedorahosted.org/freeipa/ticket/1022
2011-03-01 11:02:55 -05:00
Jr Aquino
1770750b8a Create default disabled sudo bind user
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.

https://fedorahosted.org/freeipa/ticket/998
2011-02-23 15:32:24 -05:00
Martin Kosek
744eb8ea74 Entitlements ACIs not visible to Permission plugin
This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.

https://fedorahosted.org/freeipa/ticket/997
2011-02-22 10:04:19 -05:00
Rob Crittenden
ac68ea3c6c Add default roles and permissions for HBAC, SUDO and pw policy
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.

I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.

ticket 585
2011-02-22 10:02:24 -05:00
Martin Kosek
dbc268d964 Browser configuration support for Firefox 4
Support of navigator.preferences that is used to access browser
configuration was dropped in Firefox 4. This disables automatic
configuration of user preferences in this browser that is needed
to use Kerberos single sign-on.

This patch detectes a lack of this interface and tries to
configure the browser using new Services module introduced in
Gecko 2 (used in Firefox 4, SeaMonkey 2.1).

https://fedorahosted.org/freeipa/ticket/975
2011-02-17 12:12:23 -05:00
Jan Zeleny
3f40f1492c Updated default Kerberos password policy
https://fedorahosted.org/freeipa/ticket/930
2011-02-16 22:28:08 -05:00
Endi S. Dewata
669c9d1180 Fixed cn attribute in ipaUniqueID uniqueness config. 2011-02-16 19:38:18 -05:00
Jakub Hrozek
22c3a681da Fine tuning DNS options
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.

On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.

Set rdns to false on both server and client.

https://fedorahosted.org/freeipa/ticket/931
2011-02-14 14:45:22 -05:00
Nalin Dahyabhai
4d85fb18a2 drop the group.upg NIS map
The group.upg NIS map was an experiment in providing UPG groups
dynamically, and is not one of the maps that I'd ever expect a NIS
client to "know" to search.  We should probably just drop it.
2011-02-14 11:35:03 -05:00
Rob Crittenden
d9eb19b0e8 Make main selfservice aci visible to the selfservice plugin.
ticket 934
2011-02-10 11:16:58 -05:00
Jakub Hrozek
bb56285f6b IPv6 enhancements
* Make host-add, host-del and reverse zone creation IPv6 aware
* Make Bind listen on IPv6 interfaces, too

https://fedorahosted.org/freeipa/ticket/398
2011-02-02 12:39:35 -05:00
Rob Crittenden
275998f6bd Add support for tracking and counting entitlements
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
2011-02-02 10:00:38 -05:00
Rob Crittenden
c6ef39b2c0 Add new schema to store information about permissions.
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.

ticket 853
2011-02-01 16:00:41 -05:00
Rob Crittenden
bf4f77d985 Rename permissions and privileges to be more readable.
This also drops description from permissions since it seems redundant and
fixes up the help text a little.

ticket 792
2011-01-31 13:17:38 -05:00
Simo Sorce
4486341c83 Address entryusn initialization on replica installation
Fixes: https://fedorahosted.org/freeipa/ticket/637
2011-01-28 13:58:43 -05:00
Simo Sorce
86209d5248 Put some safeguards against misconfiguration on the kdc account
Ticket: https://fedorahosted.org/freeipa/ticket/862
2011-01-28 13:55:57 -05:00
Martin Kosek
b9dbd693de modifyprivilegemembership permission has nestedgroup OC
modifyprivilegemembership permission object class in LDAP should be
groupofnames, not nestedgroup.

https://fedorahosted.org/freeipa/ticket/858
2011-01-28 10:28:37 -05:00
Jan Zeleny
884f43f0db Add support for account unlocking
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.

Ticket:
https://fedorahosted.org/freeipa/ticket/344
2011-01-28 10:23:02 -05:00
Jr Aquino
7b04b2240b block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865 2011-01-27 22:22:38 -05:00
Martin Kosek
65a146cdca ACI plugin supports prefixes
When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.

This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.

Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.

Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.

This change requires an IPA server reinstall since the default ACI
set has been changed.

https://fedorahosted.org/freeipa/ticket/764
2011-01-26 17:55:17 -05:00
Jakub Hrozek
70a9e04f04 Enforce uniqueness on (key,info) pairs in automount keys
https://fedorahosted.org/freeipa/ticket/293
2011-01-25 11:13:10 -05:00
Rob Crittenden
6e7729726f Block anonymous access to HBAC, role and some member information.
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.

ticket 811
2011-01-24 14:33:21 -05:00
Simo Sorce
861aa9c1b8 Allow SASL/EXTERNAL authentication for the root user
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
2011-01-20 15:49:30 -05:00
Simo Sorce
5af80a7583 Make krb5kdc use the ldapi socket to talk to dirsrv
Fixes: https://fedorahosted.org/freeipa/ticket/812
2011-01-20 15:49:30 -05:00
Jan Zeleny
01f907c01b Move HBAC services and service groups to cn=hbac
https://fedorahosted.org/freeipa/ticket/762
2011-01-18 11:48:57 -05:00
Simo Sorce
25cfddcbe1 Move sudo related data all under cn=sudo
Fixes: https://fedorahosted.org/freeipa/ticket/773
2011-01-17 11:46:45 -05:00
Simo Sorce
7ee490e35c Remove radius options completely.
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.

Fixes: https://fedorahosted.org/freeipa/ticket/761
2011-01-14 14:06:56 -05:00
Simo Sorce
da7eb1155e Move mep templates under cn=etc
Fixes: https://fedorahosted.org/freeipa/ticket/760
2011-01-14 14:06:56 -05:00
Simo Sorce
5549dca50e Move Virtual Operations container under cn=etc
Fixes: https://fedorahosted.org/freeipa/ticket/759
2011-01-14 14:06:56 -05:00
Simo Sorce
cfa23b1c2a Allow using Kerberos credentials with the 'connect' command
Now that we can setup GSSAPI authenticated replication we are not
tied to use the Directory Manager password to set up replication
agreements.

Fixes: https://fedorahosted.org/freeipa/ticket/644
2011-01-14 14:06:56 -05:00
Simo Sorce
abf4dde3e3 Restrict anonymous tgts
Fixes: https://fedorahosted.org/freeipa/ticket/432
2011-01-12 17:20:09 -05:00
Jr Aquino
5a0c9371cb Bugfix for sudo compat cmdcat and deny commands https://fedorahosted.org/freeipa/ticket/742 2011-01-12 11:43:05 -05:00
Jr Aquino
1ea31a0cff fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 2011-01-12 11:40:47 -05:00
Rob Crittenden
f0401a9127 Make ipaDefaultLoginShell use IA5String syntax to match POSIX schema.
ticket 739
2011-01-11 10:21:04 -05:00
Rob Crittenden
3f146d9622 Allow the kdc to write krbExtraData 2011-01-07 11:15:16 -05:00
Rob Crittenden
4f2a6e0a25 Don't use Class of Service for account activation, use attribute.
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.

Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.

ticket 568
2011-01-04 17:09:56 -05:00
Jr Aquino
9d9e15456b netgroups created by hostgroups lacked info https://fedorahosted.org/freeipa/ticket/653 2011-01-03 10:22:55 -05:00
Rob Crittenden
d84ffd9e54 Move permissions and privileges to their own container, cn=pbac,$SUFFIX
ticket 638
2010-12-22 11:26:49 -05:00
Simo Sorce
613f5feb0e Rework old init and synch commands and use better names.
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.

Fixes: https://fedorahosted.org/freeipa/ticket/626
2010-12-21 17:28:13 -05:00
Simo Sorce
91f3e79d81 Remove referrals when removing agreements
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.

Fixes: https://fedorahosted.org/freeipa/ticket/630
2010-12-21 17:28:13 -05:00
Simo Sorce
1cf67fe850 Remove common entries when deleting a master.
Fixes: https://fedorahosted.org/freeipa/ticket/550
2010-12-21 17:28:13 -05:00
Simo Sorce
5884fdf0f8 Add replication related acis to all replicas
Fixes: https://fedorahosted.org/freeipa/ticket/617
2010-12-21 17:28:13 -05:00
Rob Crittenden
4d6cd89258 In meta data make ACI attributes lower-case, sorted. Add possible attributes.
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
2010-12-21 13:00:15 -05:00
Nalin Dahyabhai
dd9615d189 sudo: treat mepOriginEntry hostgroups differently - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done 2010-12-21 12:29:39 -05:00
Nalin Dahyabhai
e0c8be0c4c sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-12-21 12:29:33 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Jakub Hrozek
0e6962f710 Fix delegation.ldif typo 2010-12-20 10:41:25 -05:00
Rob Crittenden
34534a026f Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
2010-12-17 18:04:37 -05:00
Rob Crittenden
358b28398c Move automount, default HBAC services, netgroup and hostgroup bootstrapping.
There is no need for these to be done as updates, just add these entries
to the bootstrapping.
2010-12-17 17:31:19 -05:00
Rob Crittenden
1207a7c83f Fix the change_password permissions and the DNS access controls.
The change_password permission was too broad, limit it to users.

The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.

ticket 628
2010-12-17 17:16:25 -05:00
Rob Crittenden
ffc967b47a Fix a slew of tests.
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
2010-12-17 17:01:57 -05:00
Simo Sorce
fbe72a4521 Use nsContainer and not extensibleObject for masters entries 2010-12-15 10:58:03 -05:00
Jr Aquino
13139f2fd6 managed entry hostgroup netgroup support https://fedorahosted.org/freeipa/ticket/543 2010-12-13 17:56:12 -05:00
Rob Crittenden
1a20d75421 Set labels on all attributes in the config object.
Make the cert subject base read-only. This is here only so replicated servers
know their base.

ticket 466
2010-12-10 13:41:35 -05:00
Rob Crittenden
55015d9a05 ipaHomesRootDir was changes to an IA5 string, change the matching rule too 2010-12-08 17:10:17 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Rob Crittenden
8a63315ef3 Provide list of available attributes for use in ACI UI.
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.

ticket 446
2010-12-03 13:01:42 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Simo Sorce
20b1e0a75e Enable EntryUSN plugin by default, with global scope
This will allow clients to use entryusn values to track what changed in the
directory regardles of replication delays.

Fixes: https://fedorahosted.org/freeipa/ticket/526
2010-11-30 18:26:40 -05:00
Rob Crittenden
d644d17adf Reduce the number of attributes a host is allowed to write.
The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

ticket 416
2010-11-30 14:30:52 -05:00
Rob Crittenden
88133ab43c Create user private groups with a uniqueid.
If we don't then we need to add it when a group is detached causing
aci issues.

I had to move where we create the UPG template until after the DS
restart so the schema is available.

ticket 542
2010-11-30 09:52:05 -05:00
Rob Crittenden
d824eee8fa Display user and host membership in netgroups.
This uses an enhanced memberof plugin that allows multiple attributes
to be configured to create memberOf attributes.

tickets 109 and 110
2010-11-24 08:38:41 -05:00
Simo Sorce
c53c0ca1ad Autotune directory server to use a greater number of files
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).

Fixes: https://fedorahosted.org/freeipa/ticket/464
2010-11-22 12:42:16 -05:00
Simo Sorce
6a5c4763af id ranges: change DNA configuration
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.

Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.

Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.

fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-22 12:42:16 -05:00
Jan Zeleny
61e2016ee3 Ensure that Apache is running with MPM=Prefork
Script wsgi.py checks if Apache is compiled with MPM=Prefork
and if not, it refuses to run.

https://fedorahosted.org/freeipa/ticket/252
2010-11-22 12:35:52 -05:00
Rob Crittenden
53d1553755 Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.

ticket 250
2010-11-19 13:47:09 -05:00
Rob Crittenden
d4f25453e1 Add managedby to Host entries
This will allow others to provision on behalf of the host.

ticket 280
2010-11-19 10:31:42 -05:00
Rob Crittenden
2046eddb7a Revoke a host's certificate (if any) when it is deleted or disabled.
Disable any services when its host is disabled.

This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.

ticket 297
2010-11-19 10:31:42 -05:00
Simo Sorce
59cf6f8619 pkinit: always configure pkinit_anchors in krb5.conf 2010-11-18 15:09:40 -05:00
Simo Sorce
52a46d121b Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
2010-11-18 15:09:36 -05:00
Rob Crittenden
25469cf4f1 Increase # of chars in users and groups to 255 and default username to 32.
ticket 434
2010-11-12 17:25:40 -05:00