IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-11 00:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
db69855646
freeipa/install/updates
History
Rob Crittenden db69855646 Clean up the PKI securitydomain when removing a server 
PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e
and ba4df6449a.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-16 09:12:55 +02:00
..
05-pre_upgrade_plugins.update Issue 8407 - Support changelog integration into main database 2020-08-04 10:54:57 +03:00
10-config.update Disable password schema update on LDAP bind 2020-05-11 14:36:39 +02:00
10-db-locks.update Fix nsslapd-db-lock tuning of BDB backend 2020-09-24 17:03:00 +02:00
10-enable-betxn.update ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
10-ipapwd.update Make sure ipapwd_extop takes precedence over passwd_modify_extop 2016-06-20 19:09:45 +02:00
10-rootdse.update Set the default attributes for RootDSE 2014-09-24 10:02:44 +02:00
10-selinuxusermap.update Remove schema modifications from update files 2013-11-18 16:54:21 +01:00
10-uniqueness.update Redesign subid feature 2021-07-09 09:47:30 -04:00
19-managed-entries.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
20-aci.update Accept 389-ds JSON replication status messages 2020-12-01 08:45:07 +01:00
20-autobind.update LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
20-default_password_policy.update Define default password policy for sysaccounts 2020-04-28 11:28:29 +02:00
20-dna.update Moved update of DNA plugin among update plugins 2016-11-11 12:13:56 +01:00
20-enable_dirsrv_plugins.update ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-indices.update Add index for sudoorder 2021-08-04 14:20:19 +02:00
20-ipaservers_hostgroup.update aci: add IPA servers host group 'ipaservers' 2015-12-07 08:13:23 +01:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
20-sslciphers.update Configure 389ds with "default" cipher suite 2016-03-09 10:04:58 +01:00
20-syncrepl.update ldap: limit the retro changelog to dns subtree 2017-10-26 12:40:28 +02:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-uuid.update DNSSEC: DNS key synchronization daemon 2014-10-21 12:23:03 +02:00
20-whoami.update Adds whoami DS plugin in case that plugin is missing 2017-09-05 14:07:02 +02:00
21-ca_renewal_container.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
21-certstore_container.update Add container for certificate store. 2014-07-30 16:04:21 +02:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
25-referint.update Redesign subid feature 2021-07-09 09:47:30 -04:00
30-ipservices.update Add index and container for RFC 2307 IP services 2018-12-11 12:16:00 +01:00
30-provisioning.update ACI: grant access to admins group instead of admin user 2018-02-19 15:51:44 +01:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
37-locations.update DNS Locations: location-* commands 2016-06-03 15:58:21 +02:00
40-automember.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-certprofile.update Add certprofile plugin 2015-06-04 08:27:33 +00:00
40-delegation.update Issue 8456 - Add new aci's for the new replication changelog entries 2020-08-17 10:44:03 +02:00
40-dns.update Allow hosts to read DNS records for IP SAN 2020-03-16 13:04:17 +01:00
40-otp.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-realm_domains.update Add list of domains associated to our realm to cn=etc 2013-02-19 14:15:46 +02:00
40-replication.update Update ACIs with the correct syntax 2020-05-04 20:49:23 +02:00
40-vault.update vault: fix private service vault creation 2015-10-13 14:34:00 +02:00
41-caacl.update Add CA ACL plugin 2015-06-11 10:50:31 +00:00
41-lightweight-cas.update Add 'ca' plugin 2016-06-15 07:13:38 +02:00
45-roles.update Add Role 'Enrollment Administrator' 2017-06-09 16:37:40 +02:00
49-autobind-services.update LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
50-7_bit_check.update Do not check userPassword with 7-bit plugin 2013-06-06 18:12:50 +02:00
50-dogtag10-migration.update Clean up the PKI securitydomain when removing a server 2021-08-16 09:12:55 +02:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add crond as a default HBAC service 2013-01-17 09:50:48 -05:00
50-ipaconfig.update Fix test_webui.test_selinuxusermap 2019-07-15 14:41:23 +03:00
50-krbenctypes.update Block camellia in krbenctypes update in FIPS 2019-11-05 11:48:28 -05:00
50-nis.update Upgrade: Fix upgrade of NIS Server configuration 2016-01-11 09:45:54 +01:00
55-pbacmemberof.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
59-trusts-sysacount.update Upgrade: fix trusts objectclass violationi 2014-11-13 13:31:17 +01:00
60-trusts.update ipasam: implement PASSDB getgrnam call 2021-01-22 12:21:33 -05:00
61-trusts-s4u2proxy.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
62-ranges.update Remove changetype attribute from update plugin 2014-10-17 12:02:25 +02:00
71-idviews-sasl-mapping.update adtrust: support GSSAPI authentication to LDAP as Active Directory user 2016-06-10 13:39:02 +02:00
71-idviews.update idviews: Create container for ID views under cn=accounts 2014-09-30 10:42:06 +02:00
72-domainlevels.update Add Domain Level feature 2015-05-26 11:59:47 +00:00
73-certmap.update Support for Certificate Identity Mapping 2017-03-02 15:09:42 +01:00
73-custodia.update Setup lightweight CA key retrieval on install/upgrade 2016-06-09 09:04:27 +02:00
73-subid.update Fix ipa-server-upgrade 2021-07-09 09:47:30 -04:00
73-winsync.update winsync: Add inetUser objectclass to the passsync sysaccount 2015-09-16 17:13:42 +02:00
75-user-trust-attributes.update Add SMB attributes for users 2019-07-01 13:21:21 +02:00
80-schema_compat.update compat plugin: Update link to slapi-nis project 2017-04-24 17:11:51 +02:00
81-externalmembers.update install/updates: move external members past schema compat update 2020-02-12 11:45:39 +01:00
90-post_upgrade_plugins.update Add ipwpwdpolicy objectclass to all policies on upgrade 2020-11-06 16:29:41 -05:00
Makefile.am Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00
README Remove schema modifications from update files 2013-11-18 16:54:21 +01:00

README 

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).

Updates are applied in blocks of ten so that any entries that are dependant
on another can be added successfully without having to rely on the length
of the DN to get the sorting correct.

The file names should use the format #-<description>.update where # conforms
to this:

10 - 19: Configuration
20 - 29: 389-ds configuration, new indices
30 - 39: Structual elements of the DIT
40 - 49: Pre-loaded data
50 - 59: Cleanup existing data
60 - 69: AD Trust
70 - 79: Reserved
80 - 89: Reserved

These numbers aren't absolute, there may be reasons to put an update
into one place or another, but by adhereing to the scheme it will be
easier to find existing updates and know where to put new ones.