summaryrefslogtreecommitdiffstats
path: root/API.txt
Commit message (Collapse)AuthorAgeFilesLines
* Allow anonymous and all permissionsPetr Viktorin2014-01-071-3/+3
| | | | | | | Disallow adding permissions with non-default bindtype to privileges Ticket: https://fedorahosted.org/freeipa/ticket/4032 Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
* Add OTP support to ipalib CLINathaniel McCallum2013-12-181-4/+97
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Remove default from the ipapermlocation optionPetr Viktorin2013-12-131-3/+3
| | | | | | | The value from my machine ended up wired into API.txt, so builds on other machines would fail. Correct the mistake.
* Verify ACIs are added correctly in testsPetr Viktorin2013-12-131-1/+2
| | | | | | | To double-check the ACIs are correct, this uses different code than the new permission plugin: the aci_show command. A new option, location, is added to the command to support these checks.
* Rewrite the Permission pluginPetr Viktorin2013-12-131-38/+57
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Permissions_V2
* Add RADIUS proxy support to ipalib CLINathaniel McCallum2013-12-031-7/+88
| | | | https://fedorahosted.org/freeipa/ticket/3368
* migrate-ds added --ca-cert-file=FILE optionMartin Basti2013-12-021-1/+2
| | | | | | | FILE is used to specify CA certificate for DS connection when TLS is required (ldaps://...). Ticket: https://fedorahosted.org/freeipa/ticket/3243
* Add userClass attribute for usersAna Krivokapic2013-11-191-3/+6
| | | | | | | | | This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems https://fedorahosted.org/freeipa/ticket/3588
* Add automember rebuild commandAna Krivokapic2013-11-151-0/+9
| | | | | | | | | | | Add a new command to IPA CLI: ipa automember-rebuild The command integrates the automember rebuild membership task functionality into IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups. Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3752
* Add support for managing user auth typesNathaniel McCallum2013-11-081-4/+8
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Remove AllowLMhash from the allowed IPA config stringsSumit Bose2013-11-011-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3795
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-0/+88
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-0/+4
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-1/+1
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Add new command compat-is-enabledAna Krivokapic2013-08-071-0/+4
| | | | | | | | | Add a new API command 'compat-is-enabled' which can be used to determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in IPA CLI. https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Limit pwpolicy maxlife to 20000 daysTomas Babej2013-08-051-3/+3
| | | | | | | | | | | | Since krbMaxPwdLife attribute is represented as number of seconds, setting maxlife to high values such as 999 999 days (~2739 years) would result to overflow when parsing this attribute in kdb plugin, and hence default maxlife of 90 days would be applied. Limit the maximum value of maxlife that can be set through the framework to 20 000 days (~ 54 years). https://fedorahosted.org/freeipa/ticket/3817
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-231-1/+1
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
* Add new hidden command option to suppress processing of membership attributes.Jan Cholasta2013-07-231-116/+232
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Add --range-type option that forces range type of the trusted domainTomas Babej2013-07-111-1/+2
| | | | | | | | | | Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650
* Remove entitlement supportMartin Kosek2013-06-261-65/+0
| | | | | | | Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code. https://fedorahosted.org/freeipa/ticket/3739
* Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-installAna Krivokapic2013-06-241-0/+4
| | | | | | | | | | | | | Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in IPA CLI. Use this command in idrange_add to conditionally require rid-base and secondary-rid-base options. Add tests to cover the new functionality https://fedorahosted.org/freeipa/ticket/3634
* Extend idrange commands to support new range origin typesTomas Babej2013-06-101-4/+3
| | | | | | | | | | | | | | Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647
* Deprecate options --dom-sid and --dom-name in idrange-modAna Krivokapic2013-05-311-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3636
* Resolve SIDs in Web UIAlexander Bokovoy2013-05-061-0/+7
| | | | | | | | | | | | | | | | | Introduce new command, 'trust-resolve', to aid resolving SIDs to names in the Web UI. The command uses new SSSD interface, nss_idmap, to resolve actual SIDs. SSSD caches resolved data so that future requests to resolve same SIDs are returned from a memory cache. Web UI code is using Dojo/Deferred to deliver result of SID resolution out of band. Once resolved names are available, they replace SID values. Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved at the same time. They all sent within the single request to the server. https://fedorahosted.org/freeipa/ticket/3302
* Add userClass attribute for hostsMartin Kosek2013-04-261-3/+6
| | | | | | | | | This new freeform host attribute will allow provisioning systems to add custom tags for host objects which can be later used for in automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems Ticket: https://fedorahosted.org/freeipa/ticket/3583
* Deprecate HBAC source hosts from CLIAna Krivokapic2013-04-121-7/+13
| | | | | | | | | | | | | Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
* Fix output for some CLI commandsAna Krivokapic2013-04-111-8/+14
| | | | | | | | | Fix output of dnsrecord_del: it now uses output.standard_delete and excludes --all and --raw flags. Fix output of sudorule_{add,remove}_option: they now use output.standard_entry and include --all and --raw flags. https://fedorahosted.org/freeipa/ticket/3503
* Filter groups by type (POSIX, non-POSIX, external)Petr Vobornik2013-04-091-1/+4
| | | | | | | | | | | Added flag for each groups type: --posix, --nonposix, --external to group-find command. Group types: * non-POSIX: not posix, not external * POSIX: with objectclass posixgroup * external: with objectclass ipaexternalgroup https://fedorahosted.org/freeipa/ticket/3483
* Add Kerberos ticket flags management to service and host plugins.Jan Cholasta2013-03-291-4/+12
| | | | https://fedorahosted.org/freeipa/ticket/3329
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-111-6/+7
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Allow 'nfs:NONE' in global configurationSumit Bose2013-03-081-1/+1
| | | | | | | | | | | | This patch adds 'nfs:NONE' as an allowed entry for the global authorization data type in the CLI and WebUI. This is an ad-hoc solution to make sure that the new default value for the NFS service is not removed by chance. This patch should be removed if a more generic solution is implemented to modify service:TYPE style values of the authorization data type. https://fedorahosted.org/freeipa/ticket/2960
* Rename the "messages" Output of the i18n_messages command to "texts"Petr Viktorin2013-02-211-1/+1
| | | | | | | This is to prevent a fatal name clash wih the new common "messages" Output. Since i18n_messages is an internal plugin, the change does not affect our public API.
* Add client capabilities, enable messagesPetr Viktorin2013-02-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The API version the client sends can now be used to check what the client expects or is capable of. All version tests IPA does will be be named and listed in one module, ipalib.capabilities, which includes a function to test a specific capability against an API version. Similarly to Python's __future__ module, capabilities.py also serves as documentation of backwards-incompatible changes to the API. The first capability to be defined is "messages". Recent enough clients can accept a list of warnings or other info under the "messages" key in the result dict. If a JSON client does not send the API version, it is assumed this is a testing client (e.g. curl from the command line). Such a client "has" all capabilities, but it will always receive a warning mentioning that forward compatibility is not guaranteed. If a XML client does not send the API version, it is assumed it uses the API version before capabilities were introduced. (This is to keep backwards compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294) Whenever a capability is added, the API version must be incremented. To ensure that, capabilities are written to API.txt and checked by `makeapi --validate`. Design page: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732
* Add the version option to all CommandsPetr Viktorin2013-02-211-68/+136
| | | | | | | | | | | | | | | | | | | | | | | | | Several Commands were missing the 'version' option. Add it to those that were missing it. Do not remove the version option before calling commands. This means methods such as execute(), forward(), run() receive it. Several of these needed `**options` added to their signatures. Commands in the Cert plugin passed any unknown options to the underlying functions, these are changed to pass what's needed explicitly. Some commands in DNS and Batch plugins now pass version to commands they call. When the option is not given, fill it in automatically. (In a subsequent commit, a warning will be added in this case). Note that the public API did not change: all RPC calls already accepted a version option. There's no need for an API version bump (even though API.txt changes substantially). Design page: http://freeipa.org/page/V3/Messages Tickets: https://fedorahosted.org/freeipa/ticket/2732 https://fedorahosted.org/freeipa/ticket/3294
* Implement the cert-find command for the dogtag CA backend.Rob Crittenden2013-02-191-0/+23
| | | | | | | | | | | | | | | | Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528
* Add list of domains associated to our realm to cn=etcAna Krivokapic2013-02-191-0/+25
| | | | | | | | | Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945
* Add option to specify SID using domain name to idrange-add/modTomas Babej2013-02-181-2/+4
| | | | | | | | | | When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it down in CLI. If the lookup fails, error message asking the user to specify the SID manually is shown. https://fedorahosted.org/freeipa/ticket/3133
* Add SID blacklist attributesMartin Kosek2013-02-121-2/+8
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add trusconfig-show and trustconfig-mod commandsMartin Kosek2013-02-111-0/+24
| | | | | | | | | | | | Global trust configuration is generated ipa-adtrust-install script is run. Add convenience commands to show auto-generated options like SID or GUID or options chosen by user (NetBIOS). Most of these options are not modifiable via trustconfig-mod command as it would break current trusts. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/3333
* Sort Options and Outputs in API.txtPetr Viktorin2012-12-121-1266/+1266
| | | | | | | | | Python does not guarantee dict order. Our reliance on it in `makeapi` is technically incorrect, even if it doesn't matter yet in any of our developers' environments. This patch sorts the options by name instead of relying on dict order. As an added benefit, future API.txt diffs should be be neater.
* Relax restriction for leading/trailing whitespaces in *-find commandsTomas Babej2012-12-111-3/+3
| | | | | | | | All *-find commands now enable leading/trailing whitespaces in the search phrase. Behaviour has been implemented directly into crud.Search class. IPA_API_VERSION_MINOR incremented to 45. https://fedorahosted.org/freeipa/ticket/2981
* Disable global forwarding per-zoneMartin Kosek2012-11-091-4/+4
| | | | | | | | | | | bind-dyndb-ldap allows disabling global forwarder per-zone. This may be useful in a scenario when we do not want requests to delegated sub-zones (like sub.example.com. in zone example.com.) to be routed through global forwarder. Few lines to help added to explain the feature to users too. https://fedorahosted.org/freeipa/ticket/3209
* Process relative nameserver DNS record correctlyMartin Kosek2012-11-061-1/+2
| | | | | | | | | | | | | | | | | | | | | | | Nameserver hostname passed to dnszone_add command was always treated as FQDN even though it was a relative DNS name to the new zone. All relative names were being rejected as unresolvable. Modify --name-server option processing in dnszone_add and dnszone_mod to respect FQDN/relative DNS name and do the checks accordingly. With this change, user can add a new zone "example.com" and let dnszone_add to create NS record "ns" in it, when supplied with its IP address. IP address check is more strict so that it is not entered when no forward record is created. Places misusing the option were fixed. Nameserver option now also accepts zone name, which means that NS and A record is placed to DNS zone itself. Also "@" is accepted as a nameserver name, BIND understand it also as a zone name. As a side-effect of this change, other records with hostname part (MX, KX, NS, SRV) accept "@" as valid hostname. BIND replaces it with respective zone name as well. Unit tests were updated to test the new format. https://fedorahosted.org/freeipa/ticket/3204
* Only use service PAC type as an overrideMartin Kosek2012-10-031-3/+3
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-061-4/+4
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* IDRange CLI: allow to work without argumentsSumit Bose2012-09-071-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2999
* Rename range CLI to idrangeSumit Bose2012-09-071-73/+73
|
* Cast DNS SOA serial maximum boundary to longMartin Kosek2012-09-071-3/+3
| | | | | | This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.
* Fix DNS SOA serial parameters boundariesMartin Kosek2012-09-061-18/+18
| | | | | | | Set correct boundaries for DNS SOA serial parameters (see RFC 1035, 2181). https://fedorahosted.org/freeipa/ticket/2568
* trust CLI: add ID range for new trusted domainSumit Bose2012-08-151-1/+3
|
generated by cgit (git 2.34.1) at 2024-11-11 03:00:42 +0000