Alexander Bokovoy
d6b28f29ec
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Martin Basti
5556b7f50e
DNSSEC: ACI
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
59ee6314af
keytab manipulation permission management
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
These methods add or remove user or group DNs in the `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with the --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will also be used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overriding user shell in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Tomas Babej
277b762d36
idviews: Add ipaOriginalUid
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
cbf1ad84f1
idviews: Split the idoverride commands into iduseroverride and idgroupoverride
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
377ab0c4a6
idviews: Add managed permissions for idview and idoverride objects
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
be36525dc5
idviews: Add ipaAssignedIDView reference to the host object
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Petr Viktorin
4fac4f4cf6
Allow deleting obsolete permissions; remove operational attribute permissions
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Petr Viktorin
6ce44c4f05
permission plugin: Auto-add operational attributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever their entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Petr Viktorin
68d656f80a
Fix: Add managed read permissions for compat tree and operational attrs
This is a fix for an earlier version, which was committed by mistake as:
master: 418ce870bf
ipa-4-0: 3e2c86aeab
ipa-4-1: 9bcd88589e
Thanks to Alexander Bokovoy for contributions
https://fedorahosted.org/freeipa/ticket/4521
2014-09-05 15:40:13 +02:00
Petr Viktorin
418ce870bf
Add managed read permissions for compat tree
https://fedorahosted.org/freeipa/ticket/4521
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-05 13:50:29 +02:00
Jan Cholasta
586373cf07
Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913
Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Petr Viktorin
afe067b1ab
makeaci: Use the DN where the ACI is stored, not the permission's DN
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-07-07 14:42:52 +02:00
Martin Kosek
ef83a0c678
Add Modify Realm Domains permission
The permission is required for DNS Administrators as the realm domains
object is updated when a master zone is added.
https://fedorahosted.org/freeipa/ticket/4423
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:17:04 +02:00
Martin Basti
30551a8aa3
Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0
Remove NSEC3PARAM record
Revert 5b95be802c
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
c655aa2832
Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Martin Basti
12cb31575c
DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Tomas Babej
9304b649a3
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks in the
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
c2e6b74029
trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Tomas Babej
8f9838c7ef
trusts: Add more read attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
175b19bbf8
Add several CRUD default permissions
Add missing Add, Modify, Remove default permissions to:
- automountlocation (Add/Remove only; locations have no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
52003a9ffb
Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc
Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
439dd7fa74
Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c
Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d
Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364
Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136
Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5
Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8e8e6b1ae7
Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead
Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5
Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8
Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3
Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
61eeea9e69
netgroup: Add objectclass attribute to read permissions
The entries were unreadable without this.
Additional fix for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 17:41:49 +02:00
Tomas Babej
ef5309d376
trusts: Allow reading ipaNTSecurityIdentifier in user and group objects
https://fedorahosted.org/freeipa/ticket/4385
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-23 15:27:33 +02:00
Petr Viktorin
14e2eb9171
host permissions: Allow writing attributes needed for automatic enrollment
- userclass
added to the existing Modify hosts permission
- usercertificate, userpassword
added to new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:33 +02:00
Petr Viktorin
8a5110305f
Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
ac8539bd34
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Martin Basti
7cdc4178b0
DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c
DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Petr Viktorin
49e83256b4
Convert Password Policy default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7
Convert COSTemplate default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
853b6ef4ce
Convert DNS default permissions to managed
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Petr Viktorin
b6258d08d6
Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:30 +02:00