freeipa.git/tests/test_xmlrpc/test_group_plugin.py, branch hbactest FreeIPA project Optionally wait for 389-ds postop plugins to complete 2011-07-19T11:06:16+00:00 Rob Crittenden rcritten@redhat.com 2011-07-01T19:32:31+00:00 1dd9e1407361bdd6ed337c70dcb1d209ce034cb6 Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144 
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.

This is controlled by a new booleon option, wait_for_attr, defaulting
to False.

https://fedorahosted.org/freeipa/ticket/1144
Add UID, GID and e-mail to the user default attributes. 2011-06-08T23:30:11+00:00 Rob Crittenden rcritten@redhat.com 2011-06-08T17:43:20+00:00 4ef8b58c26a2b7fde7d4f1ae98053f56ad2823b7 ticket https://fedorahosted.org/freeipa/ticket/1265 
ticket https://fedorahosted.org/freeipa/ticket/1265
A new flag to disable creation of UPG 2011-05-25T06:39:47+00:00 Martin Kosek mkosek@redhat.com 2011-05-16T10:56:04+00:00 dea578a357b2ebc68f56ef31f841cfe056f73303 Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131 
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
Sort entries returned by *-find by the primary key (if any). 2011-04-13T15:29:16+00:00 Rob Crittenden rcritten@redhat.com 2011-04-13T14:48:07+00:00 9cac1d88fcffcce65018869827eadcfc0ff157f1 Do a server-side sort if there is a primary key. Fix a couple of tests that were failing due to the new sorting. ticket 794 
Do a server-side sort if there is a primary key.

Fix a couple of tests that were failing due to the new sorting.

ticket 794
Change default gecos from uid to first and last name. 2011-04-05T18:18:55+00:00 Rob Crittenden rcritten@redhat.com 2011-04-01T19:53:56+00:00 deaf029023e4037ad53d17b9e48562845b3c1197 ticket 1146 
ticket 1146
Display the entries that failed when deleting with --continue. 2011-01-10T15:32:10+00:00 Rob Crittenden rcritten@redhat.com 2011-01-07T16:17:55+00:00 6f58f38748085e6a104de6f9e992469d3b685d5a We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687 
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.

This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.

ticket 687
Change FreeIPA license to GPLv3+ 2010-12-20T22:19:53+00:00 Jakub Hrozek jhrozek@redhat.com 2010-12-09T12:59:11+00:00 7493d781dfcaa7995f7864a09ad39ba6a89f1a9c The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
Fix a slew of tests. 2010-12-17T22:01:57+00:00 Rob Crittenden rcritten@redhat.com 2010-12-09T19:57:34+00:00 ffc967b47ab0c38c361ce7a60283ed0b8c618d81 - Skip the DNS tests if DNS isn't configured - Add new attributes to user entries (displayname, cn and initials) - Make the nsaccountlock value consistent - Fix the cert subject for cert tests 
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
Re-implement access control using an updated model. 2010-12-02T01:42:31+00:00 Rob Crittenden rcritten@redhat.com 2010-12-01T16:23:52+00:00 4ad8055341b9f12c833abdf757755ed95f1b375e The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445 
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
Use kerberos password policy. 2010-11-01T18:15:42+00:00 Rob Crittenden rcritten@redhat.com 2010-10-25T21:58:37+00:00 813dfe501348a671eeb3655cc7406c8e37a3860c This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51 
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51