path: root/ipalib/plugins/idviews.py
Commit message | Author | Age | Files | Lines
* idviews: Enforce objectclass check in idoverride*-del | Tomas Babej | 2015-07-23 | 1 | -0/+19
  Even with anchor to sid type checking, it would be still possible to delete a user ID override by specifying a group raw anchor and vice versa. This patch introduces an objectclass check in idoverride*-del commands to prevent that.
  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Restrict anchor to name and name to anchor conversions | Tomas Babej | 2015-07-23 | 1 | -4/+46
  When converting the ID override anchor from AD SID representation to the object name, we need to properly restrict the type of the object that is being resolved. The same restriction applies for the opposite direction, when converting the object name to its SID.
  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Check for the Default Trust View only if applying the view | Tomas Babej | 2015-07-22 | 1 | -6/+8
  Currently, the code wrongly validates the idview-unapply command. Move check for the forbidden application of the Default Trust View into the correct logical branch.
  https://fedorahosted.org/freeipa/ticket/4969
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2015-07-17 | 1 | -2/+2
  <ame> -> <name>
  overriden -> overridden
  ablity -> ability
  enties -> entries
  the the -> the
  https://fedorahosted.org/freeipa/ticket/5109
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowed | Tomas Babej | 2015-07-02 | 1 | -3/+24
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Do not abort the find & show commands on conversion errors | Tomas Babej | 2015-07-02 | 1 | -2/+12
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Remove ID overrides for permanently removed users and groups | Tomas Babej | 2015-07-01 | 1 | -0/+25
  For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow users specify the raw anchor directly as identifier | Tomas Babej | 2015-07-01 | 1 | -11/+31
  For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable. Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Set dcerpc detection flag properly | Tomas Babej | 2015-07-01 | 1 | -1/+3
  The availability of dcerpc bindings is being checked on the client side as well, hence we need to define it properly.
  https://fedorahosted.org/freeipa/ticket/5025
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Use case-insensitive detection of Default Trust View | Tomas Babej | 2015-02-23 | 1 | -6/+9
  The usage of lowercased version of 'Default Trust View' can no longer be used to bypass the validation.
  https://fedorahosted.org/freeipa/ticket/4915
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow setting ssh public key on ipauseroverride-add | David Kupka | 2015-01-27 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/4868
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Ignore host or hostgroup options set to None | Tomas Babej | 2014-12-12 | 1 | -0/+6
  Since passing --hosts= or --hostsgroups= to idview-apply or unapply commands does not make sense, ignore it.
  https://fedorahosted.org/freeipa/ticket/4806
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Complain if host is already assigned the ID View in idview-apply | Tomas Babej | 2014-12-12 | 1 | -4/+5
  When running an idview-apply command, the hosts that were already assigned the desired view were silently ignored. Make sure such hosts show up in the list of failed hosts.
  https://fedorahosted.org/freeipa/ticket/4743
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides | Alexander Bokovoy | 2014-10-24 | 1 | -0/+1
  https://fedorahosted.org/freeipa/ticket/4664
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* idviews: error out if appling Default Trust View on hosts | Petr Vobornik | 2014-10-17 | 1 | -0/+6
  https://fedorahosted.org/freeipa/ticket/4615
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow override of gecos field in ID views | Alexander Bokovoy | 2014-10-13 | 1 | -2/+5
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify GID of the user | Alexander Bokovoy | 2014-10-13 | 1 | -1/+6
  Resolves https://fedorahosted.org/freeipa/ticket/4617
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify SSH public keys | Alexander Bokovoy | 2014-10-13 | 1 | -0/+44
  Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in.
  SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454
  Resolves https://fedorahosted.org/freeipa/ticket/4509
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Support overridding user shell in ID views | Alexander Bokovoy | 2014-10-13 | 1 | -2/+6
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Make sure only regular IPA objects are allowed to be overriden | Tomas Babej | 2014-09-30 | 1 | -1/+17
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Display the list of hosts when using --all | Tomas Babej | 2014-09-30 | 1 | -1/+8
  Enumerating hosts is a potentially expensive operation (uses paged search to list all the hosts the ID view applies to). Show the list of the hosts only if explicitly asked for (or asked for --all). Do not display with --raw, since this attribute does not exist in LDAP.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor | Tomas Babej | 2014-09-30 | 1 | -8/+13
  When resolving non-existent objects, domain validator will raise ValidationError. We need to anticipate and properly handle this case.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make sure the dict.get method is not abused for MUST attributes | Tomas Babej | 2014-09-30 | 1 | -4/+4
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Handle Default Trust View properly in the framework | Tomas Babej | 2014-09-30 | 1 | -0/+39
  Make sure that:
  1.) IPA users cannot be added to the Default Trust View
  2.) Default Trust View cannot be deleted or renamed
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make description optional for the ID View object | Tomas Babej | 2014-09-30 | 1 | -1/+1
  Description of any object should not be required.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Fix casing of ID Views to be consistent | Tomas Babej | 2014-09-30 | 1 | -35/+35
  Replace all occurrences of "ID view(s)" with "ID View(s)".
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipaOriginalUid | Tomas Babej | 2014-09-30 | 1 | -2/+29
  For slapi-nis plugin, we need to cache the original uid value of the user in the override object.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Resolve anchors to object names in idview-show | Tomas Babej | 2014-09-30 | 1 | -111/+128
  When running idview-show, users will expect a proper object name instead of an object anchor. Make sure the anchors are resolved to the object names unless --raw option was passed.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Raise NotFound errors if object to override could not be found | Tomas Babej | 2014-09-30 | 1 | -0/+7
  If the object user wishes to override cannot be found, we should properly raise a NotFound error.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Change format of IPA anchor to include domain | Tomas Babej | 2014-09-30 | 1 | -2/+14
  The old format of the IPA anchor, :IPA:<object_uuid> does not contain for the actual domain of the object. Once IPA-IPA trusts are introduced, we will need this information to be kept to be able to resolve the anchor.
  Change the IPA anchor format to :IPA:<domain>:<object_uuid>
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Alter idoverride methods to work with splitted objects | Tomas Babej | 2014-09-30 | 1 | -40/+28
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride commands into iduseroverride and idgroupoverride | Tomas Babej | 2014-09-30 | 1 | -10/+66
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride object into iduseroverride and idgroupoverride | Tomas Babej | 2014-09-30 | 1 | -54/+103
  To be able to better deal with the conflicting user / group names, we split the idoverride objects in the two types. This simplifies the implementation greatly, as we no longer need to set proper objectclasses on each idoverride-mod operation.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Support specifying object names instead of raw anchors only | Tomas Babej | 2014-09-30 | 1 | -0/+119
  Improve usability of the ID overrides by allowing user to specify the common name of the object he wishes to override. This is subsequently converted to the ipaOverrideAnchor, which serves as a stable reference for the object.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Extend idview-show command to display assigned idoverrides and hosts | Tomas Babej | 2014-09-30 | 1 | -40/+129
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipa idview-apply and idview-unapply commands | Tomas Babej | 2014-09-30 | 1 | -3/+176
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idvies: Add managed permissions for idview and idoverride objects | Tomas Babej | 2014-09-30 | 1 | -0/+23
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Create basic idview plugin structure | Tomas Babej | 2014-09-30 | 1 | -0/+191
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>