Age | Commit message | Author |
|
Conflicts:
NEWS
|
|
When adding a new ACL, if creation of the verifier failed, we
reported a pretty minimal error message claiming that the
identifier was the problem. It can't possibly be the problem
when the constructor fails. Report the actual failure more
directly.
|
|
We need a fake NetDB server to test this stuff properly, but until
then, just avoid running the tests.
|
|
Changes so far for 1.3
|
|
This version implements Active Directory as the store for keytabs.
The interface to Active Directory uses a combination of direct LDAP
queries and the msktutil utility. This version does not support the
wallet unchanging flag. Unchanging requires that a keytab be
retrieved without changing the password/kvno which is not supported by
msktutil.
|
|
Added a version of the LDAP attribute ACL. Like the root version for
NetDB, this requires that the principal end in /root, and then strips
off /root before doing matching against the given LDAP attribute.
Change-Id: I23119ef9c9ce3e0556f5d71a509815f2efc1bbe6
|
|
Change-Id: I842a7335a4b50c9c20b921ae2efc63aab571635e
|
|
Since we now check to see if something is a valid netdb node entry for
the ACL verifiers, we need to have a valid netdb setup to run.
Change-Id: Ic2651f8b8b306dfa1f426d91f329b5100a9a1d64
|
|
We needed a way to report on where all a specific ACL might be nested,
since we can't destroy an ACL until it's no longer being nested. For
the immediate this is part of wallet-report.
Change-Id: I41c11b73325d1eb3a28289eac3505bf965877be1
|
|
When destroying an ACL nested in other ACLs, we now fail with an
explanation rather than going through to remove all the places it's
nested. That's more in line with how we handle trying to destroy ACLs
that own things.
Change-Id: I8bc0530e37c54369ec52d9b369f8fabe98def77a
|
|
Removed some default text and explained why we grab the database handle
for future use.
Change-Id: I50b3ae06c1761453de3140d501830c245d550c04
|
|
There was an older mistake in sorting ACLs and entries, using && instead
of || when sorting.
Problem and fix pointed out to Chris Law.
Change-Id: Iab46b4bcbd842978f88a7d9f63958ebea4806413
|
|
This verifier will allow embedding one ACL in another for more flexible
ACL handling. As part of this we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier. For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.
Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
|
|
All error messages should now use the ACL name rather than the ACL id,
for readability.
Change-Id: I2d1cfe806b459ef083293df4fa0b83cb4cef673b
|
|
The email sending will only replace the To: field with the contacts and
do no other template parsing, so it is currently limited.
Change-Id: I4c653cf7bfe3ed2d9ca16299a4f937e015966554
|
|
To handle local proliferation of Duo integration type requests, all Duo
types have been merged into one module that will pick up and decide
integration specifics off of the object type.
If you are using the Duo types locally already, you'll want to load
perl/sql/wallet-1.3-update-duo.sql to your database to update the old
object types to all use the Duo module.
All existing Duo integrations have been added to the module for
handling, but nothing new has been added to the wallet object types.
Since there are a lot of Duo integrations, sites should only manually
add the ones they're interested in to the wallet types table.
Change-Id: If9c9a0a3e77923354f31d8f9c98a519c93df200b
|
|
Change-Id: I9e4632f3ff81f916f9157ef8128b20915ecded08
|
|
"wallet-report objects host <hostname>" reports on all objects that
belong to the given host. This can be used to query things for retiring
systems.
Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
|
|
Change-Id: I4bcc9c318ab3ec09add026e14204d929125302b7
|
|
update will work generally like get, but only for objects that have a
concept of updating content automatically, like keytabs and passwords.
For these, the content will be updated before sending to the client.
In a later release get for keytabs will be modified to never update the
kvno before sending to the user, and so the unchanging flag will be
phased out in lieu of explicitly using the method that does what you
want.
Change-Id: I96a84416c5e50278eb29fe07052dde6e063bc071
|
|
Two new reports, 'types' and 'schemes'. These will print out all
configured types and ACL schemes.
Change-Id: Ib06d37755fe80c168a6f723c9a1e683fdf5dfcde
|
|
Added for SSL files including the root cert as well, used in Splunk.
Change-Id: I1faaa840d309ae4370ae26da5b51c0cee84d7558
|
|
Change-Id: Icb894b4b52e6b5c07a7c12251b1f4c79025c7bc6
|
|
Commerzbank offered a script for searching and editing the wallet
history. The coding style is very different from our own, so I'm
including this as a contrib script for now.
Change-Id: I20516d63ad6f633ad0efc3977d990fa1e7a5ebd9
|
|
Added to the password object type a new naming set for service/*,
specifically for things that belong to a non-host-specific service.
Change-Id: I1481d48319a5833f00eae940a6d2ca912874bb01
|
|
The documentation now includes information about the Duo file types, and
the new password types. This is both the general information, and the
Stanford-specific naming docs.
Change-Id: Iae256224a063ce42f22cd933ef7bb3ab402e0e2d
|
|
Took code from Commerzbank AG and refactored to add to wallet-report.
This does a complete dump of all object history for searching on.
Change-Id: Id22c51d2938ad90e0c6a19aaa016501a1ba333b3
|
|
Change-Id: I6198f4247f589e94beced128504dd086194b1983
|
|
The password type inherits almost everything from the file object, but
if you try to get a password object that has never been stored, we
generate a random string to put in the object rather than just
erroring out. The maximum and minimum length of the string can be set
in the wallet config.
If a password object was stored earlier and then cleared out, we don't
generate another random string.
Change-Id: I17a65ca7dac9d4430e8a731f417297890ee612bb
|
|
New command for replacing the ownership of anything owned by a specific
ACL with another ACL. This differs from acl rename in that it's to be
used when the destination ACL already exists and potentially already
owns some objects.
Change-Id: I765bebf499fe0f861abc2ffe1873990590beed36
|
|
Report on all file objects that have never had data stored in them.
Also clean up the text around the 'objects unused' report which said
that it did this plus things that were never gotten, but in reality only
reported on the objects that were never gotten.
Change-Id: I30c9585ac6f3744fbea2f94b3d6874a64c0109ad
|
|
Change-Id: Ic575c22c741c29e814749d334e9ed40eb83014e5
|
|
Change-Id: Ie1d2bcee19ace444f6f7083814133593b160d97d
|
|
Change-Id: I2180daf5055a90ae52b8a851f514993004da5303
|
|
If the Test library directory already exists, we previously failed.
Use mkdir -p and probe for it in Autoconf to avoid this.
Change-Id: I1ad9f1a83af1f2ebfe1b2337aaab99913b4edeea
|
|
Change-Id: I4157db0f690542db0eb1bfbcb7e15bfee890cd65
|
|
Duo and rename updates
|
|
Change-Id: Ica75f6614476088a9952cd7d97749d27811aed7e
|
|
Change-Id: I7730b4779180d7ad85dd4d1b6e71d8576a27a662
|
|
File objects now support a rename command, which will rename the object
and move the file to the right spot in the file store under its new
name.
Change-Id: I10ea2b8012586d69f0894905cfba54a738f3e418
|
|
Duo object types currently all assume that the name of the object is the
hostname of the server it's for.
Change-Id: Ieb5ba144cd39d6aeb3a20466c75a2836a170744f
|
|
Make all the searches and creations for the Duo table add or search for
the type field as well. This avoids one Duo type clobbering another
for the same object name.
Change-Id: I62192c3616f43c7acd8ce3f94db8a0e43e77e317
|
|
Change-Id: Ic728297fa830ffdd40c1580e32a81f8c5123f66a
|