User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.
Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.
A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Upgrade failed because entry 'dn: cn=Stage User
Administrators,cn=privileges,cn=pbac,$SUFFIX' doesnt exist.
Now upgrade will create the privilege if it does not exist.
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
CSV values are not supported in upgrade files anymore
Instead of
add:attribute: 'first, part', second
please use
add:attribute: firts, part
add:attribute: second
Required for ticket: https://fedorahosted.org/freeipa/ticket/4984
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.
I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.
ticket 585