summaryrefslogtreecommitdiffstats
path: root/VERSION
Commit message (Collapse)AuthorAgeFilesLines
* Become IPA 2.1.0release-2-1-0Rob Crittenden2011-08-151-2/+2
|
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Add ability to specify DNS reverse zone name by IP network address.Jan Cholasta2011-07-151-1/+1
| | | | | | | In order for this to work, chaining of parameters through default_from is made possible. ticket 1474
* Filter reverse zones in dnszone-findMartin Kosek2011-07-131-1/+1
| | | | | | | | | Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471
* Add DNS record modification commandMartin Kosek2011-07-121-1/+1
| | | | | | | | | | | | | | | | | The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137
* Replace the 'private' option in netgroup-find with 'managed'.Jan Cholasta2011-06-281-1/+1
| | | | | | | The 'private' option is kept in to maintain API compatibility, but is hidden from the user. ticket 1120
* Raise DuplicateEntry Error when adding a duplicate sudo optionJr Aquino2011-06-161-1/+1
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1276 https://fedorahosted.org/freeipa/ticket/1277 https://fedorahosted.org/freeipa/ticket/1308 Added new Exception: AttrValueNotFound Fixed XML Test for Sudorule remove_option 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option)
* Add ignore lists to migrate-ds commandMartin Kosek2011-06-151-1/+1
| | | | | | | | | | | | | | When user migrates users/groups from an old DS instance, the migration may fail on unsupported object classes and/or relevant LDAP object attributes. This patch implements a support for object class and attribute ignore lists that can be used to suppress these migration issues. Additionally, a redundant "dev/null" file is removed from git repo (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2). https://fedorahosted.org/freeipa/ticket/1266
* Remove automountinformation as part of the DN for automount.Rob Crittenden2011-06-131-1/+1
| | | | | | | | | | | | | | | | To support multiple direct maps we added description to the DN of automount key entries. The downside of this is that to display a key you had to know the information as well, which was rather pointless if that is what you were trying to get. So now both modes are supported. It will first look for just a key in the description and fall back to including automountinformation if it needs to. Multiple direct maps are still supported and for those the info is always required. ticket 1229
* Add sudorule and hbacrule to memberof and indirectmemberof attributesJr Aquino2011-06-061-1/+1
| | | | | | | | Add Add tests for users, groups, hosts and hostgroups to verify membership Update API to version 2.3 https://fedorahosted.org/freeipa/ticket/1170
* A new flag to disable creation of UPGMartin Kosek2011-05-251-1/+1
| | | | | | | | Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131
* Bump version to 2.0.90 to distinguish between 2.0.xRob Crittenden2011-05-031-1/+1
|
* postalCode should be a string not an integer.Rob Crittenden2011-04-051-1/+1
| | | | | | | | | | | | postalCode is defined as an Int. This means you can't define one that has a leading zero nor can you have dashes, letters, etc. This changes the data type on the server. It will still accept an int value if provided and convert it into a string. Bump the API version to 2.1. ticket 1150
* Become IPA 2.0.0release-2-0-0Rob Crittenden2011-03-241-1/+1
|
* Become IPA v2 RC 3 (2.0.0.rc3)rc_3-2-0-0Rob Crittenden2011-03-101-1/+1
|
* Become IPA v2 RC 2 (2.0.0.rc2)rc_2-2-0-0Rob Crittenden2011-02-231-1/+1
|
* Become IPA v2 RC 1 (2.0.0.rc1)rc_1-2-0-0Rob Crittenden2011-02-141-2/+2
|
* Become IPA v2 beta 2 (2.0.0.pre2)Rob Crittenden2011-02-101-1/+1
|
* Add API version and have server reject incompatible clients.Rob Crittenden2011-01-141-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
* Become IPA v2 beta 1 (2.0.0.pre1)beta_1-2-0-0Rob Crittenden2010-12-221-3/+3
|
* Become IPA v2 alpha 5 (1.9.0.pre5)alpha_5-1-9-0Rob Crittenden2010-11-091-1/+1
|
* Become IPA v2 alpha 4 (1.9.0.pre4)alpha_4-1-9-0Rob Crittenden2010-07-151-1/+1
|
* Replication version checking.Rob Crittenden2010-06-241-0/+13
| | | | | | | | Whenever we upgrade IPA such that any data incompatibilities might occur then we need to bump the DATA_VERSION value so that data will not replicate to other servers. The idea is that you can do an in-place upgrade of each IPA server and the different versions own't pollute each other with bad data.
* Become IPA v2 alpha 3 (1.9.0.pre3)alpha_3-1-9-0Rob Crittenden2010-05-071-1/+1
|
* Become IPA v2 alpha 2 (1.9.0.pre2)alpha_2-1-9-0Rob Crittenden2010-02-181-1/+1
|
* Back down to version 1.9.0 in preparation for release of first alpha.alpha-1-9-0Rob Crittenden2009-10-261-2/+2
| | | | | | | There was much back and forth and gnashing of teeth about what the version should actually be in these pre-releases. We decided it isn't 2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to declare 2.0.0.
* Bump version to 2.0.0pre1Rob Crittenden2009-05-111-3/+3
|
* Bump up version number to 1.2.0Simo Sorce2008-11-131-2/+2
|
* Fix versioning for configure.ac and ipa-python/setup.pySimo Sorce2008-08-111-1/+1
| | | | | | | | | | Fix make maintainer-clean Also make RPM naming consistent by using a temp RELEASE file. This one helps when testing builds using rpms. Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...) Version 1.1.0 was released some times ago, bump up to 1.1.1
* Move version to 1.1.0 in preparation for new patch releaserelease-1-1-0Simo Sorce2008-06-111-1/+1
|
* Redo the way versioning works in freeIPA.Rob Crittenden2008-05-051-0/+55
The file VERSION is now the sole-source of versioning. The generated .spec files will been removed in the maintainer-clean targets and have been removed from the repository. By default a GIT build is done. To do a non-GIT build do: $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no When updating the version you can run this to regenerate the version: $ make version-update The version can be determined in Python by using ipaserver.version.VERSION