freeipa.git/ipalib, branch systemd-master FreeIPA project Fix problems in help system 2011-10-20T22:25:27+00:00 Rob Crittenden rcritten@redhat.com 2011-10-18T17:32:36+00:00 f098b213eb3d2e8e5d47689a226f81a0d1b35262 Fixes 3 issues: - If a topic has all its commands disabled, it should be disabled - If a command is disabled its help should be disabled - The show-mappings help was missing a doc string so no help was displayed https://fedorahosted.org/freeipa/ticket/1998 
Fixes 3 issues:

- If a topic has all its commands disabled, it should be disabled
- If a command is disabled its help should be disabled
- The show-mappings help was missing a doc string so no help was displayed

https://fedorahosted.org/freeipa/ticket/1998
hbactest fails while you have svcgroup in hbacrule 2011-10-20T21:23:21+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-10-16T21:23:26+00:00 c9ef39918abc41f0f68c4e6c1b4495fb0a4c976b https://fedorahosted.org/freeipa/ticket/1988 
https://fedorahosted.org/freeipa/ticket/1988
Improve hostgroup/netgroup collision checks 2011-10-17T15:09:46+00:00 Martin Kosek mkosek@redhat.com 2011-10-17T12:26:13+00:00 99d938152fbef41f2d48d4088e5ba39bc820e9de When the NGP plugin is enabled, a managed netgroup is created for every hostgroup. We already check that netgroup with the same name does not exist and provide a meaningful error message. However, this error message was also printed when a duplicate hostgroup existed. This patch checks for duplicate hostgroup existence first and netgroup on the second place. It also makes sure that when NGP plugin is (temporarily) disabled, a colliding netgroup cannot be created. https://fedorahosted.org/freeipa/ticket/1914 
When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.

This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.

https://fedorahosted.org/freeipa/ticket/1914
Fix typo in invalid PTR record error message 2011-10-14T02:53:39+00:00 Rob Crittenden rcritten@redhat.com 2011-10-14T02:52:57+00:00 b607c5cc5ab34c007640011f299f358f190f6652 https://fedorahosted.org/freeipa/ticket/1982 
https://fedorahosted.org/freeipa/ticket/1982
Improve handling of GIDs when migrating groups 2011-10-12T03:24:00+00:00 Martin Kosek mkosek@redhat.com 2011-10-03T14:01:01+00:00 2aa63fe4a98f6bae755b4ede607adc2068103c42 Since IPA v2 server already contain predefined groups that may collide with groups in migrated (IPA v1) server (for example admins, ipausers), users having colliding group as their primary group may happen to belong to an unknown group on new IPA v2 server. Implement --group-overwrite-gid option to overwrite GID of already existing groups to prevent this issue. https://fedorahosted.org/freeipa/ticket/1866 
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.

Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.

https://fedorahosted.org/freeipa/ticket/1866
Disallow deletion of global password policy. 2011-10-12T08:12:49+00:00 Jan Cholasta jcholast@redhat.com 2011-10-11T12:28:17+00:00 c0879cd00b17b61de54b52cb24a61ce85374cae4 ticket 1936 
ticket 1936
Include indirect membership and canonicalize hosts during HBAC rules testing 2011-10-10T21:09:22+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-10-11T08:25:24+00:00 3e1c04f9333ac3f4333d5cf99579e85a44c9573b When users and hosts are included into groups indirectly, make sure that during HBAC test e fill in all indirect groups properly into an HBAC request. Also, if hosts provided for test are not specified fully, canonicalize them using IPA domain. This makes possible following requests: ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd Request to evaluate: <user <name foobar groups [hbacusers,ipausers]> service <name sshd groups []> targethost <name vm-101.ipa.local groups []> srchost <name vm-101.ipa.local groups []> > Fixes: https://fedorahosted.org/freeipa/ticket/1862 https://fedorahosted.org/freeipa/ticket/1949 
When users and hosts are included into groups indirectly, make sure that
during HBAC test e fill in all indirect groups properly into an HBAC request.

Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.

This makes possible following requests:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd

Request to evaluate:
 <user <name foobar groups [hbacusers,ipausers]>
  service <name sshd groups []>
  targethost <name vm-101.ipa.local groups []>
  srchost <name vm-101.ipa.local groups []>
 >

Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
Fix i18n in config plugin 2011-10-11T12:51:09+00:00 Martin Kosek mkosek@redhat.com 2011-10-11T09:30:48+00:00 2916ad4ac2ba8bee3cd66e6c6f30e3cdcb913b06 






Improve default user/group object class validation
2011-10-11T12:49:36+00:00

Martin Kosek
mkosek@redhat.com

2011-10-11T08:26:21+00:00

88e693a1a5b95e9da94b927a0b827b3a0e39b7b7

When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893





When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893







split metadata call
2011-10-10T03:32:52+00:00

Adam Young
ayoung@redhat.com

2011-10-06T20:38:01+00:00

1fef592892ab7e086ad8930f9fad1c9f671323c7

The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers.  TO avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.  To fetch just the objects call it like this:
{"method":"json_metadata","params":[["all",""],{}],"id":0}
And just the methods call it like this:
{"method":"json_metadata","params":[["","all"],{}],"id":0}

Note the difference in the positional parameters.

To get a specific object,  pass the object name as the first parameter.  To get a specific method, pass a blank first parameter and the method name in the second parameter.

THis is not ideal, but we are constrained by the existing API.





The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers.  TO avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.  To fetch just the objects call it like this:
{"method":"json_metadata","params":[["all",""],{}],"id":0}
And just the methods call it like this:
{"method":"json_metadata","params":[["","all"],{}],"id":0}

Note the difference in the positional parameters.

To get a specific object,  pass the object name as the first parameter.  To get a specific method, pass a blank first parameter and the method name in the second parameter.

THis is not ideal, but we are constrained by the existing API.