path: root/API.txt
Commit message | Author | Age | Files | Lines
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin | Jr Aquino | 2011-08-31 | 1 | -0/+113
  Added new container in etc to hold the automembership configs.
  Modified constants to point to the new container
  Modified dsinstance to create the container
  Created automember.py to add the new commands
  Added xmlrpc test to verify functionality
  Added minor fix to user.py for constant behavior between memberof and automember
  https://fedorahosted.org/freeipa/ticket/1272
* Add netgroup as possible memberOf for hostgroups | Rob Crittenden | 2011-08-29 | 1 | -1/+3
  https://fedorahosted.org/freeipa/ticket/1563
* Add option to only prompt once for passwords, use in entitle_register | Rob Crittenden | 2011-08-24 | 1 | -1/+1
  A Password param always prompted to confirm the entered password. This doesn't make sense if you want to prompt for a password to another system like we do with entitlements. This adds a new boolean option to control the Password prompt parameter.
  https://fedorahosted.org/freeipa/ticket/1695
* Fix automountkey-mod | Martin Kosek | 2011-08-18 | 1 | -4/+4
  Fix automountkey-mod so that automountkey attribute is correctly updated. Add this test case to the unit tests.
  Make automountkey required for automountkey-mod, otherwise it would cause internal server error.
  Make --newinfo optional so that automountkey may be just renamed without changing its info attribute.
  https://fedorahosted.org/freeipa/ticket/1528
* Hide continue option from automountkey-del | Martin Kosek | 2011-08-02 | 1 | -1/+1
  This option makes no sense for automount keys. This should be removed in future versions.
  https://fedorahosted.org/freeipa/ticket/1529
* Deprecated managing users and runas user/group in sudorule add/mod | Rob Crittenden | 2011-07-29 | 1 | -9/+9
  We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing.
  https://fedorahosted.org/freeipa/ticket/1307
  https://fedorahosted.org/freeipa/ticket/1320
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 | Alexander Bokovoy | 2011-07-28 | 1 | -0/+15
  HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host.

  Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment.

  Test user coming from source host to a service on a named host against existing enabled rules.

    ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

  --user, --srchost, --host, and --service are mandatory, others are optional.

  If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules.
  If --enabled is specified, all enabled HBAC rules will be added to simulation
  If --disabled is specified, all disabled HBAC rules will be added to simulation
  If --nodetail is specified, do not return information about rules matched/not matched.
  If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules.
  If no --rules specified, simulation is run against all IPA enabled rules.

  EXAMPLES:

  1. Use all enabled HBAC rules in IPA database to simulate:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
     --------------------
     Access granted: True
     --------------------
       notmatched: my-second-rule
       notmatched: my-third-rule
       notmatched: myrule
       matched: allow_all

  2. Disable detailed summary of how rules were applied:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
     --------------------
     Access granted: True
     --------------------

  3. Test explicitly specified HBAC rules:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
     ---------------------
     Access granted: False
     ---------------------
       notmatched: my-second-rule
       notmatched: myrule

  4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
     --------------------
     Access granted: True
     --------------------
       notmatched: my-second-rule
       notmatched: my-third-rule
       notmatched: myrule
       matched: allow_all

  5. Test all disabled HBAC rules in IPA database:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
     ---------------------
     Access granted: False
     ---------------------
       notmatched: new-rule

  6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
     ---------------------
     Access granted: False
     ---------------------
       notmatched: my-second-rule
       notmatched: my-third-rule
       notmatched: myrule

  7. Test all (enabled and disabled) HBAC rules in IPA database:
     $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
     --------------------
     Access granted: True
     --------------------
       notmatched: my-second-rule
       notmatched: my-third-rule
       notmatched: myrule
       notmatched: new-rule
       matched: allow_all

  Only rules existing in IPA database are tested. They may be in enabled or disabled state.
  Specifying them through --rules option explicitly enables them only in simulation run.
  Specifying non-existing rules will not grant access and report non-existing rules in output.
* Autofill the default revocation reason | Rob Crittenden | 2011-07-22 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1514
* Hide the HBAC access type attribute now that deny is deprecated. | Rob Crittenden | 2011-07-21 | 1 | -3/+3
  It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected.
  https://fedorahosted.org/freeipa/ticket/1495
* Add ability to specify DNS reverse zone name by IP network address. | Jan Cholasta | 2011-07-15 | 1 | -10/+13
  In order for this to work, chaining of parameters through default_from is made possible.
  ticket 1474
* Remove the ability to create new HBAC deny rules. | Rob Crittenden | 2011-07-14 | 1 | -3/+3
  New rules will all be allow type. Existing rules cannot be changed to deny.
  The type attribute now defaults to allow with autofill so it won't be prompted in interactive mode in the cli.
  https://fedorahosted.org/freeipa/ticket/1432
* In sudo labels we should use RunAs and not Run As. | Rob Crittenden | 2011-07-14 | 1 | -6/+6
  https://fedorahosted.org/freeipa/ticket/1328
* Filter reverse zones in dnszone-find | Martin Kosek | 2011-07-13 | 1 | -1/+2
  Implements a new option to filter out reverse zones.
  This patch also does some clean up in dns plugin - debug prints were accidentally left here in the last dns patch.
  https://fedorahosted.org/freeipa/ticket/1471
* Fixed object_name and object_name_plural internationalization | Endi S. Dewata | 2011-07-12 | 1 | -142/+142
  The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string.
  Ticket #1435
* Add DNS record modification command | Martin Kosek | 2011-07-12 | 1 | -0/+44
  The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value.
  This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to:
  - modify a DNS record value (note that DNS record can hold multiple values and those will be overwritten)
  - remove a DNS record when an empty value is passed
  New tests for this new command have been added to the CLI test suite.
  https://fedorahosted.org/freeipa/ticket/1137
* Enforce class rules when query=True, continue to not run validators. [ticket-hbac-test] | Rob Crittenden | 2011-07-11 | 1 | -23/+23
  This started as a problem in allowing leading/trailing whitespaces on primary keys. In nearly every command other than add query is True so all rules were ignored on the primary key. This meant that to enforce whitespace we would need to define a validator for each one.
  I decided instead to set self.all_rules to just the class rules if query == True. So the minimum set of validators will be executed against each type but param-specific validators will only run on add.
  https://fedorahosted.org/freeipa/ticket/1285
  https://fedorahosted.org/freeipa/ticket/1286
  https://fedorahosted.org/freeipa/ticket/1287
* password expiration label | Adam Young | 2011-07-05 | 1 | -1/+1
* Fixed object_name usage. | Endi S. Dewata | 2011-07-05 | 1 | -44/+44
  The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels.
  Ticket #1217
* config widgets entity select default group checkbox for migration | Adam Young | 2011-06-30 | 1 | -1/+1
* Replace the 'private' option in netgroup-find with 'managed'. | Jan Cholasta | 2011-06-28 | 1 | -2/+3
  The 'private' option is kept in to maintain API compatibility, but is hidden from the user.
  ticket 1120
* ipaddress for host add | Adam Young | 2011-06-20 | 1 | -1/+1
  updated label triggered an API change
* Raise DuplicateEntry Error when adding a duplicate sudo option | Jr Aquino | 2011-06-16 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1276
  https://fedorahosted.org/freeipa/ticket/1277
  https://fedorahosted.org/freeipa/ticket/1308
  Added new Exception: AttrValueNotFound
  Fixed XML Test for Sudorule remove_option
  1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
  1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
  1308 (Make sudooption a required option for sudorule_remove_option)
* Add ignore lists to migrate-ds command | Martin Kosek | 2011-06-15 | 1 | -1/+5
  When user migrates users/groups from an old DS instance, the migration may fail on unsupported object classes and/or relevant LDAP object attributes.
  This patch implements a support for object class and attribute ignore lists that can be used to suppress these migration issues.
  Additionally, a redundant "dev/null" file is removed from git repo (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2).
  https://fedorahosted.org/freeipa/ticket/1266
* Remove automountinformation as part of the DN for automount. | Rob Crittenden | 2011-06-13 | 1 | -2/+2
  To support multiple direct maps we added description to the DN of automount key entries. The downside of this is that to display a key you had to know the information as well, which was rather pointless if that is what you were trying to get.
  So now both modes are supported. It will first look for just a key in the description and fall back to including automountinformation if it needs to.
  Multiple direct maps are still supported and for those the info is always required.
  ticket 1229
* Add sudorule and hbacrule to memberof and indirectmemberof attributes | Jr Aquino | 2011-06-06 | 1 | -4/+20
  Add tests for users, groups, hosts and hostgroups to verify membership
  Update API to version 2.3
  https://fedorahosted.org/freeipa/ticket/1170
* Include the word 'member' with autogenerated optional member labels. | Rob Crittenden | 2011-05-27 | 1 | -76/+76
  There were reports of confusion over what was being prompted for, hopefully adding member will make things clearer.
  ticket 1062
* A new flag to disable creation of UPG | Martin Kosek | 2011-05-25 | 1 | -1/+2
  Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it.
  https://fedorahosted.org/freeipa/ticket/1131
* Remove doc from API.txt | Martin Kosek | 2011-05-13 | 1 | -312/+312
  Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
  This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
  https://fedorahosted.org/freeipa/ticket/1057
* Need force option in DNS zone adder dialog | Martin Kosek | 2011-04-21 | 1 | -2/+2
  When adding a new DNS zone in the WebUI, IPA server will verify whether the nameserver is in DNS. Sometimes it is necessary to skip the verification. This patch adds a --force option already available in CLI which can skip the verification.
  https://fedorahosted.org/freeipa/ticket/1105
* Always ask members in LDAP*ReverseMember commands. | Rob Crittenden | 2011-04-15 | 1 | -4/+4
  This changes the API but alwaysask is enforced on the client only so doesn't change the wire API so I'm not updating the API version.
  ticket 1081
* Revert "Remove doc from API.txt" | Martin Kosek | 2011-04-08 | 1 | -313/+313
  This commit accidentally slipped in (it was not ready for the upstream).
  This reverts commit 9915b93737fe5e31a53f2fdb169427a0b4d7e002.
* Remove doc from API.txt | Martin Kosek | 2011-04-08 | 1 | -313/+313
  Doc parts are not removed from the API completely. This leads to unnecessary updates to API.txt when the option/argument documentation is changed.
  This patch replaces unreliable doc stripping function with a regular expression. It works for all current doc strings (simple string or GetText). The only limitation is that the RE supports only up to 2 levels of nested parentheses in doc string.
  https://fedorahosted.org/freeipa/ticket/1057
* postalCode should be a string not an integer. | Rob Crittenden | 2011-04-05 | 1 | -3/+3
  postalCode is defined as an Int. This means you can't define one that has a leading zero nor can you have dashes, letters, etc.
  This changes the data type on the server. It will still accept an int value if provided and convert it into a string.
  Bump the API version to 2.1.
  ticket 1150
* Change default gecos from uid to first and last name. | Rob Crittenden | 2011-04-05 | 1 | -3/+3
  ticket 1146
* Update API to reflect doc change in force parameter in dnszone_add | Rob Crittenden | 2011-03-04 | 1 | -1/+1
* Fix style and grammatical issues in built-in command help. | Rob Crittenden | 2011-03-04 | 1 | -59/+59
  There is a rather large API.txt change but it is only due to changes in the doc string in parameters.
  ticket 729
* update API.txt | Adam Young | 2011-03-02 | 1 | -8/+8
* Sudo command groups are not supposed to allow nesting. | Rob Crittenden | 2011-02-23 | 1 | -4/+2
  It was a design decision to not allow nesting sudo command groups, remove it.
  ticket 1004
* Validate NAPTR records | Jakub Hrozek | 2011-02-22 | 1 | -4/+4
  https://fedorahosted.org/freeipa/ticket/840
* Better doc for idnssoaminimum | Jakub Hrozek | 2011-02-18 | 1 | -15/+15
* Updated json_metadata and i18n_messages. | Endi S. Dewata | 2011-02-18 | 1 | -4/+6
  The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.
* Fixed parameter for user city. | Endi S. Dewata | 2011-02-18 | 1 | -6/+6
  Previously the user's city parameter was defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.
* Validate and convert certificate SN | Jakub Hrozek | 2011-02-16 | 1 | -3/+3
  The cert plugin only worked OK with decimal certificate serial numbers. This patch allows specifying the serial number in hexadecimal, too. The conversion now works such that:
  * with no explicit radix, a best-effort conversion is done using int(str, 0) in python. If the format is ambiguous, decimal takes precedence.
  * a hexadecimal radix can be specified explicitly with the traditional 0x prefix
  https://fedorahosted.org/freeipa/ticket/958
  https://fedorahosted.org/freeipa/ticket/953
* 17-2 Managed netgroups should be invisible | Jr Aquino | 2011-02-16 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/963
* HBAC plugin inconsistent output | Martin Kosek | 2011-02-16 | 1 | -4/+8
  This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins.
  https://fedorahosted.org/freeipa/ticket/596
* Validate MX records | Jakub Hrozek | 2011-02-16 | 1 | -4/+4
  https://fedorahosted.org/freeipa/ticket/967
* Fixed association facets. | Endi S. Dewata | 2011-02-15 | 1 | -2/+2
  The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets.
  The service.py has been modified to specify the correct relationships. The API.txt has been updated.
  https://fedorahosted.org/freeipa/ticket/960
* A privilege cannot be a member of a permission, remove it from metadata | Rob Crittenden | 2011-02-15 | 1 | -4/+2
  ticket 970
* The --out option wasn't working at all with cert-show. | Rob Crittenden | 2011-02-14 | 1 | -1/+1
  Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None.
  ticket 954
* Remove obsolete record types from DNS | Jakub Hrozek | 2011-02-14 | 1 | -20/+4
  https://fedorahosted.org/freeipa/ticket/923