freeipa.git/ipalib, branch adwork

Add support for external group members

2012-06-27T14:13:42+00:00

When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664

Add CLI for ID ranges

2012-06-26T07:04:31+00:00

Trust Web UI

2012-06-25T16:17:06+00:00

This patch adds Web UI for trusts.

Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.

Adder dialog supports two ways if adding a trust:
1)  adding with domain name, admin name and admin password.
2) adding with domain name, shared secret

Search page shows only list of realm names which are trusts' cns.

Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.

Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.

https://fedorahosted.org/freeipa/ticket/2829

Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad'

2012-06-25T16:16:15+00:00

Use correct SID attribute for trusted domains

2012-06-25T16:15:35+00:00

We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.

Added password reset capabilities to unauthorized dialog

2012-06-21T11:23:44+00:00

Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.

If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755

Fail on unknown Command options

2012-06-20T13:18:42+00:00

When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509

Decimal parameter conversion and normalization

2012-06-18T01:59:54+00:00

Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.

Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
 * exponential: when False, decimal number is normalized to its
                non-exponential form
 * numberclass: a set of allowed decimal number classes
                (e.g. +Infinity, -Normal, ...) that are enforced
                for every Decimal parameter value

https://fedorahosted.org/freeipa/ticket/2705

Store session cookie in ccache for cli users

2012-06-14T12:02:26+00:00

Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331

Rework the CallbackInterface

2012-06-14T09:09:43+00:00

Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674