Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
These entries are the same in all IPA installations, so there's
no need to hide them.
Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes are removed from the blacklist, which means
high-level admins can now modify them:
- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName
The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.
Also, move the admin ACIs from ldif and trusts.update to aci.update.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.
Note that this will only work if ticket 47699 is fixed in 389-ds.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.
Part of: https://fedorahosted.org/freeipa/ticket/3306
Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly
if they use inconsistent capitalization.
This patch works around the bug in IPA schema files.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Note: git's --word-diff option is recommended for viewing these changes
The new schema updater only compares textual representations of schema
elements, as formatted by python-ldap.
This works well, but it is too strict for the current schema files in two ways:
- For attribute names in MAY and MUST, the correct letter case must be used
- AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if
they are the same as its supertype's.
When these restrictions are not followed, the updater will always overwrite
the schema element. This is harmless but it fills up the log unnecessarily.
Modify the schema files to conform to these restrictions.
Part of the work for https://fedorahosted.org/freeipa/ticket/3454
Note: git's --word-diff option is recommended for viewing these changes
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd
https://fedorahosted.org/freeipa/ticket/3672
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
This patch fixes:
- too long description for server-trust-ad subpackage
- adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it
pollute python subpackage Provides.
- wrong address in GPL v2 license preamble in 2 distributed files
https://fedorahosted.org/freeipa/ticket/3855
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.
Also make sure that this value is preserved on upgrades.
https://fedorahosted.org/freeipa/ticket/3783
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671https://fedorahosted.org/freeipa/ticket/3672
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.
https://fedorahosted.org/freeipa/ticket/3706
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
This schema addition will be useful for future commits. It allows us to
define permitted external authentication methods on both the user and
global config. The implementation is generic, but the immediate usage
is for otp support.
https://fedorahosted.org/freeipa/ticket/3365http://freeipa.org/page/V3/OTP
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.
The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).
https://fedorahosted.org/freeipa/ticket/3578
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Rangeshttps://fedorahosted.org/freeipa/ticket/3321
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074https://fedorahosted.org/freeipa/ticket/1431
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.
This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes. Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.
This patch includes changes to allow the creation of masters and clones
with single ds instances.
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.
This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.
https://fedorahosted.org/freeipa/ticket/3041
We do a search looking for duplicate values but this leaves open the
possibility that two adds are happening at the same time so both
searches return NotFound therefore we get two entries with the same
cn value.
https://fedorahosted.org/freeipa/ticket/3017
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.
https://fedorahosted.org/freeipa/ticket/3147
Currently the framework is used to add the group but we want to avoid
that users are added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup and we want to
use a name with spaces in it. Both it not easy possible with the
framework, a LDIF file is used instead to create the group.
Fixes https://fedorahosted.org/freeipa/ticket/3147
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).
Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.
If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.
In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.
Add both indexes to new and updated IPA installs.
https://fedorahosted.org/freeipa/ticket/3020https://fedorahosted.org/freeipa/ticket/3025
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv
list-ruv can be use to list the update vectors the master has
configugured
clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.
https://fedorahosted.org/freeipa/ticket/2303
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
Attribute types of attributes designed to hold DN values are not
supposed to hold own ORDERING or SUBSTR matching rules (which were
even not correct in this case).
Update these attributes to only define an EQUALITY rule just like
other DN attribute types in IPA.
https://fedorahosted.org/freeipa/ticket/2866
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.
Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.
https://fedorahosted.org/freeipa/ticket/2687
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.
Rework ccache handling to avoid re-initing every time callback is called
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.
Default range LDIF entry for new install was fixed so that new
installation does not crash.
https://fedorahosted.org/freeipa/ticket/2891
The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or
SIDs for objects that are no neither users nor groups.
The ipa*IDRange objectclasses will be used to store the used Posix ID
ranges of the local domains (ipaDomainIDRange) or the ranges reserved
for AD domains (ipaTrustedADDomainRange). To be able to map the Posix
IDs to a RID and back the corresponding ranges can be saved here as
well.
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.
https://fedorahosted.org/freeipa/ticket/2856
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.
https://fedorahosted.org/freeipa/ticket/2168
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.
This requires slapi-nis 0.40+
https://fedorahosted.org/freeipa/ticket/2192
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.
https://fedorahosted.org/freeipa/ticket/2359
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
https://fedorahosted.org/freeipa/ticket/2238
It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.
This is for new installs only.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.
https://fedorahosted.org/freeipa/ticket/755
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
The samba LDAP schema is updated to the lastest version available from the
samba source code to be able to use the new trust related object class and
attributes.
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils
https://fedorahosted.org/freeipa/ticket/1708
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).
It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
The default precedence for plugins is 50 and the run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.
https://fedorahosted.org/freeipa/ticket/1370
This fixes a regression.
We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.
https://fedorahosted.org/freeipa/ticket/302
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.
The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.
Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.
https://fedorahosted.org/freeipa/ticket/1243https://fedorahosted.org/freeipa/ticket/1254
The Managed Entries plugin configurations weren't being created on
replica installs. The templates were there but the cn=config
portions were not.
This patch adds them as updates. The template portion will be added
in the initial replication.
ticket 1222
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
This was causing a replica DS instance to crash if the task was not
completed when we attempted a shutdown to do a restart.
In replication.py we were restarting the DS instance without waiting
for the ports to become available.
It is unlikely that the dn of the memberof task will change but just in
case I noted it in the two places it is referenced.
ticket 1188
This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.
ticket 1177
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
This requires 389-ds-base-1.2.8.0-1+
ticket 1153
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.
https://fedorahosted.org/freeipa/ticket/997
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.
I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.
ticket 585
Support of navigator.preferences that is used to access browser
configuration was dropped in Firefox 4. This disables automatic
configuration of user preferences in this browser that is needed
to use Kerberos single sign-on.
This patch detectes a lack of this interface and tries to
configure the browser using new Services module introduced in
Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
https://fedorahosted.org/freeipa/ticket/975
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
The group.upg NIS map was an experiment in providing UPG groups
dynamically, and is not one of the maps that I'd ever expect a NIS
client to "know" to search. We should probably just drop it.
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.
ticket 853
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.
Ticket:
https://fedorahosted.org/freeipa/ticket/344
When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.
This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.
Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.
Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.
This change requires an IPA server reinstall since the default ACI
set has been changed.
https://fedorahosted.org/freeipa/ticket/764
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.
ticket 811
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
Now that we can setup GSSAPI authenticated replication we are not
tied to use the Directory Manager password to set up replication
agreements.
Fixes: https://fedorahosted.org/freeipa/ticket/644
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
The list of attributes that a host bound as itself could write was
overly broad.
A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.
ticket 416
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
Disable any services when its host is disabled.
This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.
ticket 297