freeipa/install/share
Simo Sorce 5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allows creating new keys or retrieving
existing ones. The new set of keys is returned as an ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example, to allow retrieval by a specific user, the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
advise Add ipa-advise plugins for nss-pam-ldapd legacy clients 2013-10-18 16:15:12 +02:00
05rfc2247.ldif Make schema files conform to new updater 2013-11-18 16:54:21 +01:00
15rfc2307bis.ldif Add formerly update-only schema 2013-11-18 16:54:21 +01:00
15rfc4876.ldif Add formerly update-only schema 2013-11-18 16:54:21 +01:00
60basev2.ldif Make schema files conform to new updater 2013-11-18 16:54:21 +01:00
60basev3.ldif keytab: Add new extended operation to get a keytab. 2014-06-26 10:30:53 +02:00
60ipaconfig.ldif Unify capitalization of attribute names in schema files 2013-11-18 16:54:22 +01:00
60ipadns.ldif DNSSEC: DLVRecord type added 2014-06-20 16:46:02 +02:00
60kerberos.ldif Add support for account unlocking 2011-01-28 10:23:02 -05:00
60policyv2.ldif Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
60samba.ldif Make schema files conform to new updater 2013-11-18 16:54:21 +01:00
61kerberos-ipav3.ldif Perform case-insensitive searches for principals on TGS requests 2012-06-07 09:39:10 +02:00
65ipasudo.ldif sudorule: Allow using external groups as groups of runAsUsers 2014-06-25 20:14:49 +02:00
70ipaotp.ldif Add support for managedBy to tokens 2014-06-16 10:13:59 +02:00
anonymous-vlv.ldif Let anonymous users browse the VLV index 2009-07-10 16:45:45 -04:00
automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
bind.named.conf.template Remove --no-serial-autoincrement 2013-10-11 09:47:59 +02:00
bind.zone.db.template Use A/AAAA records instead of CNAME records in ipa-ca. 2013-04-15 21:12:36 +02:00
bootstrap-template.ldif Remove entitlement support 2013-06-26 14:11:42 +02:00
caJarSigningCert.cfg.template Add signing profile to CA installation so we can sign the firefox jar file. 2009-05-04 16:54:42 -04:00
certmap.conf.template Fix selected minor issues in the spec file and license 2013-08-13 15:31:46 +02:00
copy-schema-to-ca.py ipaplatform: Change service code in freeipa to use ipaplatform services 2014-06-16 19:48:19 +02:00
default-aci.ldif keytab: Add new extended operation to get a keytab. 2014-06-26 10:30:53 +02:00
default-hbac.ldif Remove sourcehostcategory from the default HBAC rule. 2014-02-06 16:46:24 +01:00
default-smb-group.ldif Change DNA magic value to -1 to make UID 999 usable 2013-03-11 17:07:07 +01:00
delegation.ldif Convert Service default permissions to managed 2014-06-24 13:53:41 +02:00
disable-betxn.ldif Explicitly disable betxn plugins for the time being. 2012-10-10 20:24:10 -04:00
dna.ldif Change DNA magic value to -1 to make UID 999 usable 2013-03-11 17:07:07 +01:00
dns.ldif DNSSEC: DLVRecord type added 2014-06-20 16:46:02 +02:00
ds-nfiles.ldif Autotune directory server to use a greater number of files 2010-11-22 12:42:16 -05:00
encrypted_attribute.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
entryusn.ldif Address entryusn initialization on replica installation 2011-01-28 13:58:43 -05:00
fedora-ds.init.patch Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
host_nis_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
indices.ldif Add missing equality index for ipaUniqueId. 2013-07-11 12:39:26 +03:00
kdc_extensions.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc_req.conf.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc.conf.template ipa-kdb: Change install to use the new ipa-kdb kdc backend 2011-08-26 08:24:50 -04:00
kerberos.ldif Add Camellia ciphers to allowed list. 2013-07-18 10:49:38 +03:00
key_escrow_schema.ldif Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
krb5.conf.template Allow kernel keyring CCACHE when supported 2013-12-09 12:21:22 +01:00
krb5.ini.template Set master_kdc and dns_lookup_kdc to true 2012-09-19 20:47:12 -04:00
krb.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krb.js.template Build and installation of Kerberos authentication extension 2012-10-04 18:08:04 -04:00
krbrealm.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
ldapi.ldif Enable ldapi connections in the management framework. 2009-08-27 13:36:58 -04:00
Makefile.am Use LDAP API to upload CA certificate instead of ldapmodify command. 2014-03-25 16:54:54 +01:00
managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
master-entry.ldif Use FQDN in place of FQHN for consistency in sub_dict. 2012-02-15 20:27:34 -05:00
memberof-conf.ldif Display user and host membership in netgroups. 2010-11-24 08:38:41 -05:00
memberof-task.ldif Wait for memberof task and DS to start before proceeding in installation. 2011-04-22 11:43:50 +02:00
modrdn-krbprinc.ldif The precendence on the modrdn plugin was set in the wrong location. 2011-09-13 17:36:59 +02:00
nis.uldif Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
preferences.html.template Set network.http.sendRefererHeader to 2 on browser config 2012-06-22 10:44:45 +02:00
referint-conf.ldif Expand Referential Integrity checks 2012-09-16 17:59:27 -04:00
replica-acis.ldif Replace "replica admins read access" ACI with a permission 2014-05-21 09:57:16 +02:00
replica-automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
replica-s4u2proxy.ldif Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install 2012-10-09 18:15:01 -04:00
repoint-managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
root-autobind.ldif Remove root autobind search restriction, fix upgrade logging & error handling. 2011-06-13 09:51:05 +02:00
sasl-mapping-fallback.ldif Enable SASL mapping fallback. 2013-06-27 17:06:51 +02:00
schema_compat.uldif sudorule: Enforce category ALL checks on dirsrv level 2014-06-25 20:14:51 +02:00
schema-update.ldif Fix nsslapdPlugin object class after initial replication. 2013-09-10 09:49:43 +02:00
smb.conf.empty Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
smb.conf.template ipa-adtrust-install: configure host netbios name by default 2014-01-20 10:35:03 +01:00
sudobind.ldif Create default disabled sudo bind user 2011-02-23 15:32:24 -05:00
unique-attributes.ldif Add uniqueness plugin configuration for sudorule cn 2012-10-08 18:32:41 -04:00
user_private_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
uuid-ipauniqueid.ldif UUIDs: remove uuid python plugin and let DS always autogenerate 2010-10-28 07:58:31 -04:00
wsgi.py Tweak the session auth to reflect developer consensus. 2012-02-27 05:54:29 -05:00