| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
ticket 1005
|
|
|
|
| |
Needed for xgettext/pygettext processing.
|
|
|
|
|
|
|
| |
It was a design decision to not allow nesting sudo command groups,
remove it.
ticket 1004
|
|
|
|
|
|
|
|
|
|
|
|
| |
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
|
|
|
|
|
|
| |
The json_metadata() has been updated to return ipa.Objects and
ipa.Methods. The i18n_messages() has been updated to include other
messages that are not available from the metadata.
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/563
https://fedorahosted.org/freeipa/ticket/588
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some attribute enforcement is done by schema, others should be done
by the required option in a Parameter. description, for example, is
required by many plugins but not the schema. We need to enforce in the
framework that required options are provided.
After all the setattr/addattr work is done run through the modifications
and ensure that no required values will be removed.
ticket 852
|
|
|
|
| |
Fix #830
|
|
|
|
|
|
|
|
| |
Lookup based on --filter wasn't implemented at all. It did't show until
now, because of bug sitting on top of it which was resulting in internal
error. This patch fixes the bug and adds the filtering functionality.
https://fedorahosted.org/freeipa/ticket/818
|
|
|
|
|
|
|
|
| |
So far it was possible to rename any object using LDAPUpdate to a name
with empty primary key. Since this can cause nasty problems, this patch
disables empty string in --rename argument.
https://fedorahosted.org/freeipa/ticket/827
|
|
|
|
|
|
| |
In the host plugin we may change the default objectclasses based on
the options selected. This was affecting it globally and causing
subsequent calls to fail.
|
|
|
|
|
|
|
|
|
|
|
| |
The output problem was a missing label for failed managedby.
This also fixes a call to print_entry that was missing the flags argument.
Add a flag to specify whether a group can be a member of itself, defaulting
to False.
ticket 708
|
|
|
|
|
|
|
|
|
|
|
|
| |
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.
This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.
ticket 687
|
|
|
|
|
| |
correctly nest the facet groups
change 'parent' to 'member of' for facet group
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
|
|
|
|
|
|
|
|
|
|
|
|
| |
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.
Example:
ipa group-find --no-users=admin
Only direct members are taken into account.
Ticket #288
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/397
|
|
|
|
| |
Allow renaming of object that have a parent
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.
We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.
ticket 560
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.
I've added some simple tests for setattr and addattr.
ticket 565
|
|
|
|
| |
ticket 561
|
|
|
|
|
|
|
| |
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
re-based got pushed for some reason.
Use better description for group names in help and always prompt for members
When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.
This will work via a shell if you want to echo too:
$ echo "" | ipa group-add-member g1
This returns 0 members because nothing is read for users or group members.
$ echo -e "g1\nadmin\n" | ipa group-add-member
This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.
ticket 415
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|
|
|
|
|
|
|
|
| |
If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
|
|
|
|
|
|
|
|
|
|
|
| |
This can occur if you do something like:
$ ipa hbac-add-host --hosts="" testrule
options will have an entry for 'host' but it will be None whcih is
not iterable.
ticket 486
|
|
|
|
| |
Ticket #530
|
|
|
|
| |
Add the opportunity to change base DN and scope in the callback.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/245
|
|
|
|
|
|
|
| |
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.
ticket 250
|
|
|
|
|
|
| |
This also returns the rights for cospriority if the policy is for a group.
ticket 449
|
|
|
|
| |
ticket 437
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always display the account enable/disable status.
Don't ignore the exceptions when a user is already enabled or disabled.
Fix the exception error messages to use the right terminology.
In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.
ticket 392
|
|
|
|
|
|
|
| |
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.
ticket 209
|
|
|
|
|
|
|
|
|
|
|
| |
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.
Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.
ticket 270
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.
The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.
This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup
ticket 296
|
|
|
|
|
|
|
| |
The output is a pure python dict so is really only useful when used with
--all so it is required.
Updated to return a string for rights as opposed to a list. Terser, reducing the wire size by a factor of 3.5
|
|
|
|
|
|
|
|
|
|
|
|
| |
To do a change right now you have to perform a setattr like:
ipa user-mod --setattr uid=newuser olduser
The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.
ticket 323
|
| |
|
|
|
|
| |
merge in remove uuid
|
|
|
|
|
|
|
|
|
|
|
| |
When setting or adding an attribute wiht setatt/addattr check to
see if there is a Param for the attribute and enforce the multi-value.
If there is no Param check the LDAP schema for SINGLE-VALUE.
Catch RDN mods and try to return a more reasonable error message.
Ticket #230
Ticket #246
|
|
|
|
| |
Ticket #321
|
| |
|
|
|
|
|
|
|
| |
In other words: make *-del commands accept 1 or more primary keys
of entries to be deleted.
Ticket #20
|
|
|
|
|
|
| |
Add test to verify that limit is honored and truncated flag set.
ticket #48
|