freeipa/install/updates
Martin Kosek 52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS records or zones.
The provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in a given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

The current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is a much more
flexible approach as deny ACIs always have precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs have to be added
to the DNS zones themselves.

2 new commands have been added which allow an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
10-60basev2.update Disallow direct modifications to enrolledBy. 2011-07-14 19:11:49 -04:00
10-60basev3.update Perform case-insensitive searches for principals on TGS requests 2012-06-07 09:39:10 +02:00
10-bind-schema.update Per-domain DNS record permissions 2012-06-28 15:21:21 +02:00
10-config.update Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available. 2012-03-26 14:26:10 +02:00
10-RFC2307bis.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
10-RFC4876.update Fix quoting to work with new csv handler in ldapupdate 2009-05-19 11:50:39 -06:00
10-schema_compat.update - create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-26 09:00:17 +02:00
10-selinuxusermap.update Add update files for SELinuxUserMap 2012-02-15 12:28:37 +01:00
10-ssh.update Add LDAP schema for SSH public keys. 2012-02-13 22:20:18 -05:00
10-sudo.update Add support for sudoOrder 2012-03-01 21:02:33 -05:00
19-managed-entries.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-aci.update Add LDAP ACIs for SSH public key schema. 2012-02-13 22:20:23 -05:00
20-dna.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-indices.update - index the fqdn and macAddress attributes for the sake of the compat plugin 2012-04-26 09:00:11 +02:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-winsync_index.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
30-policy.update Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
40-automember.update Enable automember for upgraded servers 2011-11-29 09:02:06 +01:00
40-delegation.update Don't allow "Modify Group membership" permission to manage admins 2012-02-23 11:05:52 +01:00
40-dns.update Per-domain DNS record permissions 2012-06-28 15:21:21 +02:00
45-roles.update Reorder privileges so that memberof for permissions are generated properly. 2011-12-08 10:08:10 +01:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add additional pam ftp services to HBAC, and a ftp HBAC service group 2011-08-24 15:21:41 -04:00
50-ipaconfig.update Add update files for SELinuxUserMap 2012-02-15 12:28:37 +01:00
50-lockout-policy.update Disallow direct modifications to enrolledBy. 2011-07-14 19:11:49 -04:00
50-nis.update - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
55-pbacmemberof.update Reorder privileges so that memberof for permissions are generated properly. 2011-12-08 10:08:10 +01:00
60-trusts.update Remove ipaNTHash from global allow ACI 2012-06-26 21:28:25 +02:00
61-trusts-s4u2proxy.update Add separate attribute to store trusted domain SID 2012-06-07 09:39:09 +02:00
Makefile.am Add separate attribute to store trusted domain SID 2012-06-07 09:39:09 +02:00
README Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).

10 - 20: Schema
20 - 30: FDS Configuration, new indices
30 - 40: Structural elements of the DIT
40 - 50: Pre-loaded data