| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Change-Id: Ibdd2494106324f8e1077daa084a2468c0a5fe4ea
|
|
Change-Id: I6249d2ea983959bc6c5ec03c2035a271228d4721
|
|
Ubuntu precise and trusty don't have Net::Duo packages. Delay
loading to the constructor so that the modules will still pass
strictness tests. This also fixes Travis-CI testing.
Change-Id: I23f1fe6dbdddaac2040f459410a74be4a13b6755
|
|
Change-Id: I3a8b13a8b255522cff92910f8d99ec94dc020e6f
|
|
Change-Id: I2bcee71d36782c08f858e78712e9d92605a69ba3
|
|
A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
|
|
Change-Id: I7a69a5bc425e16fbcf0a294d5e3aaf941bb2a453
|
|
Change-Id: I589c964895351c40e4b608925b055f97e6463d9a
|
|
Change-Id: I3b97807548638865987861979e73ae341e06f681
|
|
I'll probably bump this later, but for now that's the minimum
supported Perl version for wallet.
Change-Id: I97e36f850dcb3dcd3a78daf34d8a35bf597bdb43
|
|
Change-Id: If63ea5829252fda13b68d031fb9f48c93b71697a
|
|
Change-Id: I7e49c687e892e012051056bc9324d7a8a5b36d07
|
|
Change-Id: I0248c2bd36c063526c64e22c4d30f39464f69028
|
|
Change-Id: Ibff0602d5ff8bf4c625f3970130cce4c8c02720e
|
|
Change-Id: I714a6298c36e6fd7eca6ee3acb01637a96773647
|
|
Change-Id: I97f466b2221b71ffcc60dd4f1b48e5986496ff46
|
|
Change-Id: I9f8f986952510f6b2d326ccaab4bb7006a033b9d
|
|
Change-Id: I710de6a1df01ecd9aebd202288a9efb434c09054
|
|
Change-Id: Ib077a196ee5389d7ec6d90fcf411cae0a81e071d
|
|
Change-Id: Idd2e1038fc02dd51aab9a9ffdd5b3400db2b106f
|
|
|
|
The msktutil script does not always signal error conditions. This
change implements a check that examines the output from msktutil
and reports and error when the keytab creation fails to create
the keytab but does create a computer entry in the directory. If
an error is detected the directory entry is deleted leaving the
directory in a clean state.
Also, support has been added for output of debugging information
to syslog using the AD_DEBUG configuration variable.
Finally perltidy suggested changes were made to AD.pm.
|
|
Conflicts:
NEWS
|
|
|
|
When adding a new ACL, if creation of the verifier failed, we
reported a pretty minimal error message claiming that the
identifier was the problem. It can't possibly be the problem
when the constructor fails. Report the actual failure more
directly.
|
|
We need a fake NetDB server to test this stuff properly, but until
then, just avoid running the tests.
|
|
|
|
Changes so far for 1.3
|
|
This version implements Active Directory as the store for keytabs.
The interface to Active Directory uses a combination of direct LDAP
queries and the msktutil utility. This version does not support the
wallet unchanging flag. Unchanging requires that a keytab be
retrieved without changing the password/kvno which is not supported by
msktutil.
|
|
Added a version of the LDAP attribute ACL. Like the root version for
NetDB, this requires that the principal end in /root, and then strips
off /root before doing matching against the given LDAP attribute.
Change-Id: I23119ef9c9ce3e0556f5d71a509815f2efc1bbe6
|
|
Change-Id: I842a7335a4b50c9c20b921ae2efc63aab571635e
|
|
Since we now check to see if something is a valid netdb node entry for
the ACL verifiers, we need to have a valid netdb setup to run.
Change-Id: Ic2651f8b8b306dfa1f426d91f329b5100a9a1d64
|
|
We needed a way to report on where all a specific ACL might be nested,
since we can't destroy an ACL until it's no longer being nested. For
the immediate this is part of wallet-report.
Change-Id: I41c11b73325d1eb3a28289eac3505bf965877be1
|
|
When destroying an ACL nested in other ACLs, we now fail with an
explanation rather than going through to remove all the places it's
nested. That's more in line with how we handle trying to destroy ACLs
that own things.
Change-Id: I8bc0530e37c54369ec52d9b369f8fabe98def77a
|
|
Removed some default text and explained why we grab the database handle
for future use.
Change-Id: I50b3ae06c1761453de3140d501830c245d550c04
|
|
There was an older mistake in sorting ACLs and entries, using && instead
of || when sorting.
Problem and fix pointed out to Chris Law.
Change-Id: Iab46b4bcbd842978f88a7d9f63958ebea4806413
|
|
This verifier will allow embedding one ACL in another for more flexible
ACL handling. As part of thise we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier. For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.
Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
|
|
All error messages should now use the ACL name rather than the ADL id,
for readability.
Change-Id: I2d1cfe806b459ef083293df4fa0b83cb4cef673b
|
|
The email sending will only replace the To: field with the contacts and
do no other template parsing, so it is currently limited.
Change-Id: I4c653cf7bfe3ed2d9ca16299a4f937e015966554
|
|
To handle local proliferation of Duo integration type requests, all Duo
types have been merged into one module that will pick up and decide
integration specifics off of the object type.
If you are using the Duo types locally already, you'll want to load
perl/sql/wallet-1.3-update-duo.sql to your database to update the old
object types to all use the Duo module.
All existing Duo integrations have been added to the module for
handling, but nothing new has been added to the wallet object types.
Since there are a lot of Duo integrations, sites should only manually
add the ones they're interested in to the wallet types table.
Change-Id: If9c9a0a3e77923354f31d8f9c98a519c93df200b
|
|
Change-Id: I9e4632f3ff81f916f9157ef8128b20915ecded08
|
|
"wallet-report objects host <hostname>" reports on all objects that
belong to the given host. This can be used to query things for retiring
systems.
Change-Id: Ib1c8e5978fed141d54ecc8504b56b43c037f9b17
|
|
Change-Id: I4bcc9c318ab3ec09add026e14204d929125302b7
|
|
update will work generally like get, but only for objects that have a
concept of updating content automatically, like keytabs and passwords.
For these, the content will be updated before sending to the client.
In a later release get for keytabs will be modified to never update the
kvno before sending to the user, and so the unchanging flag will be
phased out in lieu of explicitly using the method that does what you
want.
Change-Id: I96a84416c5e50278eb29fe07052dde6e063bc071
|
|
Two new reports, 'types' and 'schemes'. These will print out all
configured types and acl schemes.
Change-Id: Ib06d37755fe80c168a6f723c9a1e683fdf5dfcde
|
|
Added for SSL files including the root cert as well, used in splunk.
Change-Id: I1faaa840d309ae4370ae26da5b51c0cee84d7558
|
|
Change-Id: Icb894b4b52e6b5c07a7c12251b1f4c79025c7bc6
|
|
Commerzbank offered a script for searching and editing the wallet
history. The coding style is very different from our own, so I'm
including this as a contrib script for now.
Change-Id: I20516d63ad6f633ad0efc3977d990fa1e7a5ebd9
|
|
Added to the password object type a new naming set for service/*,
specifically for things that belong to a non-host-specific service.
Change-Id: I1481d48319a5833f00eae940a6d2ca912874bb01
|
