path: root/ipalib/plugins/host.py
Commit log: commit message (author, date, files changed, lines -removed/+added)
* Enforce sizelimit in permission-find, post_callback returns truncated (Rob Crittenden, 2012-05-30, 1 file, -1/+3)
  We actually perform two searches in permission-find. The first looks for matches within the permission object itself. The second looks at matches in the underlying aci.
  We need to break out in two places. The first is if we find enough matches in the permission itself. The second when we are appending matches from acis.
  The post_callback() definition needed to be modified to return the truncated value so a plugin author can modify that value.
  https://fedorahosted.org/freeipa/ticket/2322
* Don't allow hosts and services of IPA masters to be disabled. (Rob Crittenden, 2012-03-19, 1 file, -0/+2)
  https://fedorahosted.org/freeipa/ticket/2487
* Display serial number as HEX (DECIMAL) when showing certificates. (Rob Crittenden, 2012-03-14, 1 file, -0/+3)
  https://fedorahosted.org/freeipa/ticket/1991
* Improve FQDN handling in DNS and host plugins (Martin Kosek, 2012-02-29, 1 file, -23/+17)
  DNS and host plugins do not work well with domain names ending with a dot. The host plugin creates a record with two fqdn attributes when such a hostname is created, which then has to be manually fixed. The DNS plugin handled zones with and without a trailing dot as two distinct zones, which may lead to issues when both zones are created.
  This patch sanitizes the approach to FQDNs in both DNS and host plugins. Hostnames are now always normalized to the form without a trailing dot, as this form did not work before and it keeps the hostname form consistent without changes in our server/client enrollment process. As DNS zones always worked in both forms, this patch rather makes sure that the plugin works with both forms of one zone and prevents creating 2 identical zones with just a different format.
  https://fedorahosted.org/freeipa/ticket/2420
* Improve hostname and domain name validation (Martin Kosek, 2012-02-29, 1 file, -15/+6)
  The DNS plugin did not check DNS zone and DNS record validity, and a user was thus able to create domains like "foo bar" or other invalid DNS labels which would really confuse both the user and the bind-dyndb-ldap plugin.
  This patch at first consolidates hostname/domain name validators so that they use common functions and we don't have regular expressions and other checks defined in several places. These new cleaned validators are then used for zone/record name validation.
  https://fedorahosted.org/freeipa/ticket/2384
* Add reverse DNS record when forward is created (Martin Kosek, 2012-02-27, 1 file, -89/+15)
  Adding a reverse DNS record may be a time consuming task, especially for IPv6 addresses. Having a way to automatically create a reverse record when a forward record is created could speed up the process. The host-add command already has this possibility.
  This patch takes advantage of the new per-type API and adds new options for A/AAAA record types: --a-create-reverse and --aaaa-create-reverse. These options can be used to automatically create reverse records for new A/AAAA addresses (both forward and reverse zones need to be managed by the FreeIPA server):

      ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

  This command would add a new A record to record foo in zone example.com and a PTR record to the appropriate reverse zone for IP address 10.0.0.1 (for example PTR record 1 in zone 0.0.10.in-addr.arpa. pointing to foo.example.com.).
  A few modifications were done to the new DNS API to support this feature:
  - Refactor --ip-address option handling from host-add and place it in dns.py to be used by both modules
  - Add support for "extra" per-type options
  - Hide DNS record part options in the dnsrecord_find command as they have no effect for this command
  https://fedorahosted.org/freeipa/ticket/2009
* Don't allow IPA master hosts or important services be deleted. (Rob Crittenden, 2012-02-23, 1 file, -0/+1)
  Deleting these would cause the IPA master to blow up. For services I'm taking a conservative approach and only limiting the deletion of known services we care about.
  https://fedorahosted.org/freeipa/ticket/2425
* Add support for SSH public keys to user and host objects. (Jan Cholasta, 2012-02-13, 1 file, -23/+93)
  This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is a base64-encoded public key blob as specified in RFC4253, section 6.6. Additionally, host commands automatically update DNS SSHFP records when requested by the user.
  https://fedorahosted.org/freeipa/ticket/754
* Add missing managing hosts filtering options (Martin Kosek, 2012-01-26, 1 file, -0/+47)
  Host object has a virtual attribute "managing" containing all hosts it manages (governed by managedBy attribute). This patch also adds standard membership filtering options:
  --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
  --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host in HOSTS are returned
  https://fedorahosted.org/freeipa/ticket/1675
* Add support for storing MAC address in host entries. (Rob Crittenden, 2012-01-26, 1 file, -1/+21)
  macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device. This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find.
  It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers <hostname>
  I tested nslcd and it only returned one macaddress value.
  https://fedorahosted.org/freeipa/ticket/1132
* Improve host-add error message (Martin Kosek, 2012-01-20, 1 file, -2/+2)
  The host-add command allows adding a host and its IP address via the --ip-address option. When the address is invalid, it throws an error and refuses to operate. However, the invalid IP address error message is always the same, which is not right as it forces a user to guess the reason of rejection (loopback address, link-local address or an invalid address at all was passed, etc.). This patch changes the host-add validator to print the error message.
  https://fedorahosted.org/freeipa/ticket/2229
* Fix LDAP object parameter encoding (Martin Kosek, 2011-11-15, 1 file, -13/+9)
  Parameters in LDAP objects lacked information on whether they are real LDAP attributes or not. Real LDAP attributes are written to the entry_attrs dictionary in plugin callbacks and are being encoded. This causes issues when plugin callbacks do not expect that the parameter values are already encoded for submission to LDAP.
  This patch introduces a new flag "noattribute" used to mark that a parameter is not an LDAP attribute and thus should not be encoded or added to entry_attrs. Param documentation is improved to describe the meaning of this and other Param flags or attributes.
  https://fedorahosted.org/freeipa/ticket/2097
* Misleading Keytab field (Ondrej Hamada, 2011-11-10, 1 file, -0/+3)
  The 'Keytab' field in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parameters in ipalib/baseldap.py. This change also affected host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py hold the old field caption - 'Keytab' - because of compatibility with older clients.
  https://fedorahosted.org/freeipa/ticket/1961
* Create pkey-only option for find commands (Martin Kosek, 2011-10-27, 1 file, -0/+2)
  New option --pkey-only is available for all LDAPSearch based classes with primary key visible in the output. This option makes LDAPSearch commands search for the primary attribute only. This may be useful when manipulating large data sets. A user can first retrieve all primary keys in a relatively small data package and then run further commands with the retrieved primary keys.
  https://fedorahosted.org/freeipa/ticket/1262
* Add regular expression pattern to host names. (Rob Crittenden, 2011-09-27, 1 file, -0/+3)
  Limit hostnames to letters, digits and - with a maximum length of 255
  https://fedorahosted.org/freeipa/ticket/1780
* Suppress managed netgroups as indirect members of hosts. (Rob Crittenden, 2011-09-19, 1 file, -0/+34)
  By design these managed netgroups are not supposed to show unless you specifically want to see them.
  https://fedorahosted.org/freeipa/ticket/1738
* Don't allow a OTP to be set on an enrolled host (Rob Crittenden, 2011-09-10, 1 file, -0/+8)
  Setting a password invalidates the existing keytab
  https://fedorahosted.org/freeipa/ticket/1719
* ticket 1669 - improve i18n docstring extraction (John Dennis, 2011-08-24, 1 file, -48/+36)
  This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands is in the class docstring and module docstring.
  Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted.
  We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extract the string for inclusion in a translation catalog.
  It was mistakenly assumed one could not mark Python docstrings for translation. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings.
  However pygettext was too large a hammer for this task; it lacked any fine-grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number of strings to be extracted for translation which had no reason to be translated; the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate. This placed an unnecessary burden on our volunteer translators.
  Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or ngettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing; it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable.
  Using the hypothetical class foo as an example:

      class foo(Command):
          '''
          The foo command takes out the garbage.
          '''

  Would become:

      class foo(Command):
          __doc__ = _('The foo command takes out the garbage.')

  But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed.
  In summary what this patch does is:
  * Remove the use of pygettext (modification to install/po/Makefile.in)
  * Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function.
  * Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example:

        '''
        The foo command takes out the garbage.
        '''

    Would appear in the translation catalog as:

        "\n The foo command takes out the garbage.\n "

    The superfluous whitespace and newlines are confusing to translators and require us to strip leading and trailing whitespace from the translation at run time.
  * Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together.
  * It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to the end of every docstring if one was missing.
* Retrieve password/keytab state when modifying a host. (Rob Crittenden, 2011-08-25, 1 file, -0/+5)
  ticket https://fedorahosted.org/freeipa/ticket/1714
* Change the way has_keytab is determined, also check for password. (Rob Crittenden, 2011-08-24, 1 file, -12/+21)
  We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host.
  This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly.
  When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time).
  This adds has_keytab/has_password to the user, host and service plugins.
  ticket https://fedorahosted.org/freeipa/ticket/1538
* Fixed label capitalization (Endi S. Dewata, 2011-07-14, 1 file, -1/+1)
  The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization.
  Ticket #1424
* Fixed object_name and object_name_plural internationalization (Endi S. Dewata, 2011-07-12, 1 file, -2/+2)
  The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept a unicode string.
  Ticket #1435
* Added singular entity labels. (Endi S. Dewata, 2011-06-27, 1 file, -0/+1)
  A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower case except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform.
  The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of the capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed.
  Ticket #1249
* Make data type of certificates more obvious/predictable internally. (Rob Crittenden, 2011-06-21, 1 file, -13/+9)
  For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate().
  This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py.
  This also tries to use variable names to indicate what format the certificate is in at any given point:
  dercert: DER
  cert: PEM
  nsscert: a python-nss Certificate object
  rawcert: unknown format
  ticket 32
* ipaddress for host add (Adam Young, 2011-06-20, 1 file, -0/+1)
  updated label triggered an API change
* Improve IP address handling in the host-add command. (Jan Cholasta, 2011-06-19, 1 file, -15/+36)
  IP addresses are more strictly checked. Netmasks can be specified and are used in DNS PTR record creation.
  ticket 1234
* Require an imported certificate's issuer to match our issuer. (Rob Crittenden, 2011-06-16, 1 file, -0/+7)
  The goal is to not import foreign certificates.
  This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against.
  ticket 1134
* Add a list of managed hosts (Martin Kosek, 2011-06-15, 1 file, -0/+36)
  Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed.
  https://fedorahosted.org/freeipa/ticket/993
* Add sudorule and hbacrule to memberof and indirectmemberof attributes (Jr Aquino, 2011-06-06, 1 file, -2/+3)
  Add tests for users, groups, hosts and hostgroups to verify membership
  Update API to version 2.3
  https://fedorahosted.org/freeipa/ticket/1170
* Honor netmask in DNS reverse zone setup. (Jan Cholasta, 2011-05-30, 1 file, -17/+28)
  ticket 910
* Fix style and grammatical issues in built-in command help. (Rob Crittenden, 2011-03-04, 1 file, -2/+3)
  There is a rather large API.txt change but it is only due to changes in the doc string in parameters.
  ticket 729
* Fix translatable strings in ipalib plugins. (Pavel Zuna, 2011-03-01, 1 file, -5/+13)
  Needed for xgettext/pygettext processing.
* Add handling for indirect memberof other entries. (Rob Crittenden, 2011-02-21, 1 file, -1/+2)
  This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
  I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
  ticket 966
* Updated json_metadata and i18n_messages. (Endi S. Dewata, 2011-02-18, 1 file, -0/+1)
  The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.
* Don't allow host cn to be changed (it isn't used anyway). (Rob Crittenden, 2011-02-16, 1 file, -0/+2)
  We are required by LDAP schema to have a cn value. Don't let users change it thinking they are actually doing something.
  tickets 706 and 707
* Service/Host disable command output clarification (Martin Kosek, 2011-02-16, 1 file, -3/+3)
  When a service/host is disabled, the resulting summary message states that a Kerberos key was disabled. However, Kerberos key may not have been enabled before this command at all, which makes this information confusing for some users. Also, the summary message didn't state that an SSL certificate was disabled too.
  This patch rather changes the summary message to a standard phrase known from other plugins disable command and states all disable command steps in a respective command help.
  https://fedorahosted.org/freeipa/ticket/872
* Add missing import for netaddr (Rob Crittenden, 2011-02-14, 1 file, -0/+1)
  ticket 964
* Display error messages for failed manageby in service-add/remove-host. (Pavel Zuna, 2011-02-10, 1 file, -4/+0)
  Fix #830
* IPv6 enhancements (Jakub Hrozek, 2011-02-02, 1 file, -25/+36)
  * Make host-add, host-del and reverse zone creation IPv6 aware
  * Make Bind listen on IPv6 interfaces, too
  https://fedorahosted.org/freeipa/ticket/398
* Fix minor bug in host-add logic. (Pavel Zuna, 2011-02-02, 1 file, -2/+2)
  Ticket #798
* host-add should not add a PTR record with --no-reverse (Jakub Hrozek, 2011-01-28, 1 file, -7/+10)
  https://fedorahosted.org/freeipa/ticket/866
* Fix assorted bugs found by pylint (Jakub Hrozek, 2011-01-25, 1 file, -1/+0)
* Make a copy of objectclasses so a call can't update them globally. (Rob Crittenden, 2011-01-24, 1 file, -4/+4)
  In the host plugin we may change the default objectclasses based on the options selected. This was affecting it globally and causing subsequent calls to fail.
* Fix password/random logic in host plugin. (Pavel Zuna, 2011-01-18, 1 file, -6/+9)
  Fix #798
* Fix updating of DNS records by the host plugin. (Pavel Zuna, 2011-01-18, 1 file, -5/+5)
  Fix #799
* Fix crash when building DN of host with name ending with period. (Pavel Zuna, 2011-01-18, 1 file, -4/+5)
  Fix #797
* Rename DNS2 to DNS (Jakub Hrozek, 2011-01-14, 1 file, -1/+1)
* Port installer and host plugin to the new DNS plugin (Jakub Hrozek, 2011-01-14, 1 file, -15/+20)
  * move ipa dns-resolve to the new plugin
  * port the installer and the host plugin to the new interface
  * remove the old plugin
* Use correct option name in host plugin (Jakub Hrozek, 2011-01-12, 1 file, -9/+9)
* Fix output of failed managedby hosts, allow a host to manage itself. (Rob Crittenden, 2011-01-11, 1 file, -0/+5)
  The output problem was a missing label for failed managedby.
  This also fixes a call to print_entry that was missing the flags argument.
  Add a flag to specify whether a group can be a member of itself, defaulting to False.
  ticket 708