| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Always display the account enable/disable status.
Don't ignore the exceptions when a user is already enabled or disabled.
Fix the exception error messages to use the right terminology.
In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.
ticket 392
|
| |
|
|
|
|
| |
Also add validation to the List parameter type.
ticket 357
|
| | |
|
| |\ |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
All ipa-* commands except for ipa-fix-CVE-2008-3274 were added to SEE
also section of ipa(1).
Ticket: #329
|
| |/
|
|
|
| |
Reference was removed from ipa-server-install(1) man page.
Ticket: #330
|
| |
|
|
| |
sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
|
| |
|
|
| |
meta data for testing and developmemt
|
| |
|
|
| |
http://fedorahosted.org/freeipa/ticket/328
|
| |
|
|
|
|
|
| |
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.
ticket 209
|
| |
|
|
|
|
|
| |
Uses code very similar to the search code for deleting associations
Had to modify how we were configuring for bulk so that the logic for delete matched the logic for enroll
Fixed unit test and removed the 'new' from the associator call
|
| |
|
|
|
|
|
|
|
|
|
| |
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.
Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.
ticket 270
|
| |
|
|
|
|
|
| |
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.
ticket 160
|
| |
|
|
| |
ticket 389
|
| |
|
|
|
|
|
| |
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).
If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.
ticket 187
|
| |
|
|
| |
ticket 228
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.
The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.
This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup
ticket 296
|
| |
|
|
|
|
|
| |
The output is a pure python dict so is really only useful when used with
--all so it is required.
Updated to return a string for rights as opposed to a list. Terser, reducing the wire size by a factor of 3.5
|
| |
|
|
|
|
|
| |
The ipa_cmd() has been modified to identity the type of the error
it has received and display the error using the right dialog box.
The dialog box can be customized further to display the appropriate
amount of information for each type of error.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new framework for implementing custom UI.
It consists of the following classes:
Main:
- IPA: global namespace and object repository
- ipa_entity: base class for entities
- ipa_facet: base class for facets
Add dialog:
- ipa_add_dialog: default add dialog
- ipa_add_field: the fields used in the dialog
Search facet:
- ipa_search_facet: default search facet
- ipa_search_column: the columns in the search result
Details facet:
- ipa_details_facet: default details facet
- ipa_details_section: the sections in the details facet
- ipa_details_field: the fields in the details facet
Association facet:
- ipa_association_facet: default association facet
- ipa_association_config: the association configurations
To use this framework, create a class extending the ipa_entity (e.g.
ipa_hbac). Use the create_* methods to create add dialog, search facet,
details facet, and association facet. The fields/columns for the dialog
and facets can be specified using the init() function. Custom UI can be
defined by overwriting the base methods (e.g. setup, save, load).
The entity must be added into the repository using IPA.add_entity().
The original ipa_entity_setup() has been generalized by moving facet-
specific codes into the corresponding facet. Some facet names are still
hard-coded. This will be fixed in follow-up patches.
Some global variables have been removed because their function has been
replaced by the object repository:
- ipa_entity_add_list
- ipa_entity_search_list
- ipa_entity_details_list
- window_hash_cache
Some functions and variables have been moved into IPA namespace:
- ipa_json_url -> IPA.json_url
- ipa_use_static_files -> IPA.use_static_files
- ipa_ajax_options -> IPA.ajax_options
- ipa_objs -> IPA.metadata
- ipa_messages -> IPA.messages
- ipa_dialog -> IPA.error_dialog
- ipa_init() -> IPA.init()
Initially the HBAC and Service entities have been rewritten to use the
new framework. The DNS is partially converted, the ipa_records_facet
is used to define custom records facet.
Other entities can still work using the old framework. The old framework
has been modified to be a wrapper for the new framework. Eventually all
entities will be converted to use the new framework.
Some unit tests have been modified to use the new framework.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To do a change right now you have to perform a setattr like:
ipa user-mod --setattr uid=newuser olduser
The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.
ticket 323
|
| | |
|
| |
|
|
| |
merge in remove uuid
|
| |
|
|
|
|
|
| |
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
|
| | |
|
| |
|
|
|
|
|
| |
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
|
| |
|
|
|
|
| |
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
|
| |
|
|
|
| |
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
|
| |
|
|
|
| |
Avoid false positives if more than one uuid attribute is generated
in the same entry.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
for a given field is valid. If not, displays a red box with the contents of pattern_msg
To test this, I artificially modified the meta data for the Group description field
|
| |
|
|
| |
header was missing on the association pages.
|
| |
|
|
| |
ticket 315
|
| |
|
|
|
|
| |
* Fixed comments
* Added attribute
* Fixed objectclass
|
| |
|
|
| |
Removing the whoami plugin, as it has been wrapped up into the user plugin
|
| |
|
|
|
|
|
|
| |
without the details change
including changes from Reviewboard https://fedorahosted.org/reviewboard/r/96/
Fixed pages that use unspecified (krb ticket policy, config)
Facet name comes out of the facet, not hard coded.
|
| |
|
|
|
|
| |
Fixes a bug where find_entries was not passed a parameter for filter.
Instead of fixing the call point, this patch adds a defaulty value for the parameter,
so that they can all be passed by name.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The first test is a mismatch in the sample output of an exception.
The second test adds certificate information output to the service plugin.
|
| |
|
|
|
|
|
| |
Requires selinux-policy-3.6.32-123 on F12
Requires selinux-policy-3.7.19-40 on F13
ticket 73
|
