freeipa/install/updates
Nathaniel McCallum 98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
..
10-config.update Increase default SASL buffer size 2013-08-07 14:13:56 +02:00
10-enable-betxn.update Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
10-schema_compat.update schema-compat: set precedence to 49 to allow OTP binds over compat tree 2014-04-04 08:45:43 +02:00
10-selinuxusermap.update Remove schema modifications from update files 2013-11-18 16:54:21 +01:00
10-uniqueness.update Add uniqueness plugin configuration for sudorule cn 2012-10-08 18:32:41 -04:00
19-managed-entries.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-aci.update Add read permissions for automember tasks 2014-06-02 13:04:59 +02:00
20-dna.update Change DNA magic value to -1 to make UID 999 usable 2013-03-11 17:07:07 +01:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-indices.update Add RADIUS proxy support to ipalib CLI 2013-12-03 14:49:10 +01:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update Don't add another nsDS5ReplicaId on updates if one already exists 2013-02-06 12:22:00 +01:00
20-syncrepl.update Limit memberOf and refInt DS plugins to main IPA suffix. 2014-01-27 14:40:36 +01:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-winsync_index.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
21-ca_renewal_container.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
25-referint.update Add RADIUS proxy support to ipalib CLI 2013-12-03 14:49:10 +01:00
30-policy.update Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
40-automember.update Enable automember for upgraded servers 2011-11-29 09:02:06 +01:00
40-delegation.update Convert User default permissions to managed 2014-06-10 13:55:56 +02:00
40-dns.update Remove faulty DNS memberOf Task 2013-10-04 14:30:13 +02:00
40-otp.update Add support for managedBy to tokens 2014-06-16 10:13:59 +02:00
40-realm_domains.update Add list of domains associated to our realm to cn=etc 2013-02-19 14:15:46 +02:00
40-replication.update Extend ipa-replica-manage to be able to manage DNA ranges. 2013-03-13 10:32:36 -04:00
45-roles.update Convert User default permissions to managed 2014-06-10 13:55:56 +02:00
50-7_bit_check.update Do not check userPassword with 7-bit plugin 2013-06-06 18:12:50 +02:00
50-dogtag10-migration.update Update Dogtag 9 database during replica installation 2014-03-14 14:26:38 +01:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add crond as a default HBAC service 2013-01-17 09:50:48 -05:00
50-ipaconfig.update Add support for managing user auth types 2013-11-08 12:48:15 +01:00
50-krbenctypes.update Add Camellia ciphers to allowed list. 2013-07-18 10:49:38 +03:00
50-lockout-policy.update Disallow direct modifications to enrolledBy. 2011-07-14 19:11:49 -04:00
50-nis.update - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
55-pbacmemberof.update Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
60-trusts.update Remove the global anonymous read ACI 2014-05-26 12:14:55 +02:00
61-trusts-s4u2proxy.update Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install 2012-10-09 18:15:01 -04:00
62-ranges.update Remove schema modifications from update files 2013-11-18 16:54:21 +01:00
Makefile.am Update Dogtag 9 database during replica installation 2014-03-14 14:26:38 +01:00
README Remove schema modifications from update files 2013-11-18 16:54:21 +01:00

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).

Updates are applied in blocks of ten so that any entries that are dependant
on another can be added successfully without having to rely on the length
of the DN to get the sorting correct.

The file names should use the format #-<description>.update where # conforms
to this:

10 - 19: Configuration
20 - 29: 389-ds configuration, new indices
30 - 39: Structual elements of the DIT
40 - 49: Pre-loaded data
50 - 59: Cleanup existing data
60 - 69: AD Trust
70 - 79: Reserved
80 - 89: Reserved

These numbers aren't absolute, there may be reasons to put an update
into one place or another, but by adhereing to the scheme it will be
easier to find existing updates and know where to put new ones.