path: root/ipalib/plugins/user.py
Commit log (each entry: commit message, author, date, files changed, lines -removed/+added)
* Enforce sizelimit in permission-find, post_callback returns truncated
  Rob Crittenden, 2012-05-30, 1 file, -1/+2

  We actually perform two searches in permission-find. The first looks for matches within the permission object itself. The second looks at matches in the underlying aci. We need to break out in two places. The first is if we find enough matches in the permission itself. The second when we are appending matches from acis.

  The post_callback() definition needed to be modified to return the truncated value so a plugin author can modify that value.

  https://fedorahosted.org/freeipa/ticket/2322

* Disallow setattr on no_update/no_create params
  Petr Viktorin, 2012-05-29, 1 file, -1/+1

  Make --{set,add,del}attr fail on parameters with the no_update/no_create flag for the respective command.

  For attributes that can be modified, but we just don't want to display in the CLI, use the 'no_option' flag. These are "locking" attributes (ipaenabledflag, nsaccountlock) and externalhost.

  Document the 'no_option' flag. Add some tests.

  https://fedorahosted.org/freeipa/ticket/2580

* Update docs for user-status, always show disabled, time for each server.
  Rob Crittenden, 2012-04-23, 1 file, -2/+31

  Provide some guidance on how to read and understand the output. Some manual work is needed to identify which master the user is locked on.

  Always display the enabled/disabled status.

  Include the time that the master was contacted in the output for each master as lockout is very time sensitive.

  https://fedorahosted.org/freeipa/ticket/2162

* Fix internal error when renaming user with an empty string.
  Jan Cholasta, 2012-04-18, 1 file, -1/+1

  ticket 2629

* Check configured maximum user login length on user rename.
  Jan Cholasta, 2012-04-08, 1 file, -0/+10

  ticket 2587

* Check whether the default user group is POSIX when adding new user with --noprivate.
  Jan Cholasta, 2012-04-05, 1 file, -4/+8

  ticket 2572

* Add status command to retrieve user lockout status
  Rob Crittenden, 2012-03-02, 1 file, -1/+112

  This information is not replicated so pull from all IPA masters and display the status across all servers.

  https://fedorahosted.org/freeipa/ticket/2162

* Only apply validation rules when adding and updating.
  Rob Crittenden, 2012-02-29, 1 file, -1/+1

  There may be cases, for whatever reason, that an otherwise illegal entry gets created that doesn't match the criteria for a valid user/host/group name. If this happens (i.e. migration) there is no way to remove this using the IPA tools because we always applied the name pattern. So you can't, for example, delete a user with an illegal name.

  Primary keys are cloned with query=True in PKQuery which causes no rules to be applied on mod/show/find.

  This reverts a change from commit 3a5e26a0 which applies class rules when query=True (for enforcing no white space).

  Replace rdnattr with rdn_is_primary_key. This was meant to tell us when an RDN change was necessary to do a rename. There could be a disconnect where the rdnattr wasn't the primary key and in that case we don't need to do an RDN change, so use a boolean instead so that it is clear that RDN == primary key.

  Add a test to ensure that nowhitespace is actually enforced.

  https://fedorahosted.org/freeipa/ticket/2115

  Related: https://fedorahosted.org/freeipa/ticket/2089

  Whitespace tickets:
  https://fedorahosted.org/freeipa/ticket/1285
  https://fedorahosted.org/freeipa/ticket/1286
  https://fedorahosted.org/freeipa/ticket/1287

* Add gidnumber minvalue
  Martin Kosek, 2012-02-23, 1 file, -0/+1

  Do not accept invalid GID values in IPA user/group plugins.

  https://fedorahosted.org/freeipa/ticket/2335

* Add support for SSH public keys to user and host objects.
  Jan Cholasta, 2012-02-13, 1 file, -6/+31

  This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is base64-encoded public key blob as specified in RFC4253, section 6.6. Additionally, host commands automatically update DNS SSHFP records when requested by user.

  https://fedorahosted.org/freeipa/ticket/754

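The commit above accepts only the bare base64 key blob of RFC 4253 section 6.6, not the one-line OpenSSH `authorized_keys` form. The check below is an added example, written for this page and not taken from the FreeIPA plugin: it decodes the blob, walks its length-prefixed RFC 4251 `string` fields, rejects truncated or trailing bytes, and for ssh-rsa reports the modulus size. The set of accepted key types and the sample blobs are assumptions constructed for the example (the RSA modulus is a 2048-bit-shaped byte string, not a real key).

```python
import base64
import binascii
import struct

# Key types the check accepts. This set is an assumption made for the
# example; it is not taken from the FreeIPA plugin.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def encode_string(data):
    """Encode bytes as an RFC 4251 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_blob(key_type, *fields):
    """Build a base64 key blob (used here only to construct sample input)."""
    raw = encode_string(key_type.encode("ascii"))
    raw += b"".join(encode_string(f) for f in fields)
    return base64.b64encode(raw).decode("ascii")


def _read_string(blob, offset):
    """Read one RFC 4251 'string' at offset; return (data, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % offset)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("string of %d bytes runs past end of blob" % length)
    return blob[start:end], end


def parse_sshpubkey(value):
    """Validate one sshpubkey value: the bare base64 blob of RFC 4253 s.6.6.

    Returns (key_type, rsa_modulus_bits_or_None). Raises ValueError for
    anything that is not a well-formed blob of a known key type, including
    the one-line OpenSSH form 'ssh-rsa AAAA... comment'.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("empty sshpubkey value")
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("sshpubkey is not valid base64")

    key_type_bytes, offset = _read_string(blob, 0)
    key_type = key_type_bytes.decode("ascii", "replace")
    if key_type not in KNOWN_KEY_TYPES:
        raise ValueError("unknown key type %r" % key_type)

    # Every remaining byte must belong to a length-prefixed field; a short
    # or oversized length field means the blob was cut or tampered with.
    fields = []
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)

    bits = None
    if key_type == "ssh-rsa":
        if len(fields) != 2:
            raise ValueError("ssh-rsa blob must carry exactly e and n")
        # n is an mpint: drop the sign padding before measuring its length.
        n = fields[1].lstrip(b"\x00")
        if not n:
            raise ValueError("ssh-rsa modulus is zero")
        bits = (len(n) - 1) * 8 + n[0].bit_length()
    elif key_type == "ssh-ed25519":
        if len(fields) != 1 or len(fields[0]) != 32:
            raise ValueError("ssh-ed25519 blob must carry one 32-byte key")
    return key_type, bits


def is_valid_sshpubkey(value):
    """Boolean form of parse_sshpubkey for callers that only need a verdict."""
    try:
        parse_sshpubkey(value)
    except ValueError:
        return False
    return True


# Constructed sample input (not real key pairs): an RSA blob whose modulus
# carries a sign byte and is 2048 bits wide, and an ed25519 blob.
SAMPLE_RSA = build_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc0" + b"\x11" * 255)
SAMPLE_ED25519 = build_blob("ssh-ed25519", b"\x07" * 32)

if __name__ == "__main__":
    print(parse_sshpubkey(SAMPLE_RSA))       # ('ssh-rsa', 2048)
    print(parse_sshpubkey(SAMPLE_ED25519))   # ('ssh-ed25519', None)
    print(is_valid_sshpubkey("ssh-rsa " + SAMPLE_RSA))  # False
```

The `validate=True` decode is what rejects the `ssh-rsa AAAA... comment` form: the space and the comment are not base64 alphabet characters, so the value never reaches the field parser.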
* Honor default home directory and login shell in user_add
  Petr Viktorin, 2012-02-09, 1 file, -9/+6

  The homedirectory argument had a default_from '/home/<name>', ignoring the ipahomesrootdir config setting. This patch removes that default, and adds a test case for ipahomesrootdir.

  https://fedorahosted.org/freeipa/ticket/2332

  The login shell had the same problem. Again this patch removes the client-side default and adds a test.

  Building the home directory from the default is changed to use posixpath.join instead of string formatting and ad-hoc cleanup, and to use '/home' instead of failing when the ipahomesrootdir setting is not present for some reason.

* User-add random password support
  Ondrej Hamada, 2011-12-12, 1 file, -0/+36

  I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored.

  Two test cases were added to unit test's module test_user_plugin.py - they test creating and modifying user with random password. Two fuzzy tests were added: test for password (string that doesn't start or end with whitespace and doesn't contain other whitespace than ' ') and for whatever string (because of krbextradata).

  I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly (reduce number of non-letters). It has two optional parameters now - first one is string of characters that should be used for generating the passwd and second one is length of password. If neither parameter is set default values will be used so there's no need to modify other plugins that use random password generator.

  https://fedorahosted.org/freeipa/ticket/1979

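The generator interface the commit describes (an optional alphabet and an optional length, with defaults) and its two surrounding rules (an explicit password wins over --random; the fuzzy test accepts only strings with no leading or trailing whitespace and no whitespace other than a plain space) are shown together in the added example below. It is written for this page, not FreeIPA's ipa_generate_password: the default alphabet and length are assumptions, and the draw uses the `secrets` module so the result is suitable as a credential.

```python
import re
import secrets
import string

# Default alphabet and length for the example. The commit says the real
# defaults reduce the number of non-letters; the exact set is not shown on
# this page, so letters plus digits is an assumption.
DEFAULT_CHARS = string.ascii_letters + string.digits
DEFAULT_LENGTH = 12

# Mirrors the "password" fuzzy test described in the commit message:
# first and last characters are not whitespace, and the only whitespace
# allowed in between is a plain space.
PASSWORD_RE = re.compile(r"^[^\s]([^\t\n\r\f\v]*[^\s])?$")


def generate_password(characters=DEFAULT_CHARS, length=DEFAULT_LENGTH):
    """Return a password drawn with the OS CSPRNG (secrets), not random."""
    if length < 1 or not characters:
        raise ValueError("need a non-empty alphabet and a positive length")
    return "".join(secrets.choice(characters) for _ in range(length))


def is_acceptable_password(value):
    """True when value satisfies the whitespace rules of the fuzzy test."""
    return bool(PASSWORD_RE.match(value))


def resolve_password(password=None, random=False):
    """Apply the precedence from the commit: an explicit password wins and
    the random flag is ignored when both are given.

    Returns (password_or_None, was_generated).
    """
    if password:
        return password, False
    if random:
        return generate_password(), True
    return None, False


if __name__ == "__main__":
    pw, generated = resolve_password(random=True)
    print(pw, generated, is_acceptable_password(pw))   # <12 chars> True True
    print(resolve_password("Secret1", random=True))     # ('Secret1', False)
```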
* Mark some attributes required to match the schema.
  Rob Crittenden, 2011-12-05, 1 file, -5/+7

  This makes no changes to the functionality in the command-line or GUI because these all have defaults anyway. This is mostly to show them properly in the UI and prevent someone from trying to erase the value (and getting a nasty schema error in response).

  https://fedorahosted.org/freeipa/ticket/2015

* Misleading Keytab field
  Ondrej Hamada, 2011-11-10, 1 file, -0/+14

  The 'Keytab' field in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parameters in ipalib/baseldap.py. This change also affected the host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py hold the old field caption - 'Keytab' - because of compatibility with older clients.

  https://fedorahosted.org/freeipa/ticket/1961

* Create pkey-only option for find commands
  Martin Kosek, 2011-10-27, 1 file, -0/+2

  New option --pkey-only is available for all LDAPSearch based classes with primary key visible in the output. This option makes LDAPSearch commands search for primary attribute only.

  This may be useful when manipulating large data sets. User can at first retrieve all primary keys in a relatively small data package and then run further commands with retrieved primary keys.

  https://fedorahosted.org/freeipa/ticket/1262

* Normalize uid in user principal to lower-case and do validation
  Rob Crittenden, 2011-09-22, 1 file, -2/+45

  Use same normalization and validation in passwd plugin and add some tests for invalid principals

  https://fedorahosted.org/freeipa/ticket/1778

* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
  Jr Aquino, 2011-08-31, 1 file, -0/+3

  Added new container in etc to hold the automembership configs
  Modified constants to point to the new container
  Modified dsinstance to create the container
  Created automember.py to add the new commands
  Added xmlrpc test to verify functionality
  Added minor fix to user.py for constant behavior between memberof and automember

  https://fedorahosted.org/freeipa/ticket/1272

* ticket 1669 - improve i18n docstring extraction
  John Dennis, 2011-08-24, 1 file, -34/+24

  This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands is in the class docstring and module docstring.

  Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted.

  We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extract the string for inclusion in a translation catalog.

  It was mistakenly assumed one could not mark for translation Python docstrings. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings.

  However pygettext was too large a hammer for this task, it lacked any fine-grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number of strings to be extracted for translation which had no reason to be translated, the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate. This placed an unnecessary burden on our volunteer translators.

  Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or ngettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing, it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable.

  Using the hypothetical class foo as an example.

      class foo(Command):
          '''
          The foo command takes out the garbage.
          '''

  Would become:

      class foo(Command):
          __doc__ = _('The foo command takes out the garbage.')

  But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed.

  In summary what this patch does is:

  * Remove the use of pygettext (modification to install/po/Makefile.in)

  * Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function.

  * Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example:

        '''
        The foo command takes out the garbage.
        '''

    Would appear in the translation catalog as:

        "\n    The foo command takes out the garbage.\n    "

    The superfluous whitespace and newlines are confusing to translators and require us to strip leading and trailing whitespace from the translation at run time.

  * Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together.

  * It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to end of every docstring if one was missing.

* Change the way has_keytab is determined, also check for password.
  Rob Crittenden, 2011-08-24, 1 file, -0/+6

  We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host.

  This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly.

  When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time).

  This adds has_keytab/has_password to the user, host and service plugins.

  ticket https://fedorahosted.org/freeipa/ticket/1538

* Optionally wait for 389-ds postop plugins to complete
  Rob Crittenden, 2011-07-19, 1 file, -0/+5

  Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry.

  This is controlled by a new boolean option, wait_for_attr, defaulting to False.

  https://fedorahosted.org/freeipa/ticket/1144

* Fixed label capitalization
  Endi S. Dewata, 2011-07-14, 1 file, -1/+1

  The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization.

  Ticket #1424

* Convert nsaccountlock to always work as bool towards Python code
  Alexander Bokovoy, 2011-07-13, 1 file, -11/+16

  https://fedorahosted.org/freeipa/ticket/1259

  Python code will see nsaccountlock as bool. JavaScript code will also see it as bool. This allows native boolean operations with the lock field.

  Passes both CLI and WebUI tests.

* Fixed object_name and object_name_plural internationalization
  Endi S. Dewata, 2011-07-12, 1 file, -2/+2

  The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string.

  Ticket #1435

* Added singular entity labels.
  Endi S. Dewata, 2011-06-27, 1 file, -0/+1

  A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower case except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform.

  The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed.

  Ticket #1249

* Missing krbprincipalname when uid is not set
  Martin Kosek, 2011-06-15, 1 file, -0/+1

  When user_add command is executed without uid parameter filled, user account is created without 'krbprincipalname' attribute. This renders the user account unusable.

  https://fedorahosted.org/freeipa/ticket/1279

* Add UID, GID and e-mail to the user default attributes.
  Rob Crittenden, 2011-06-08, 1 file, -1/+2

  ticket https://fedorahosted.org/freeipa/ticket/1265

* Add sudorule and hbacrule to memberof and indirectmemberof attributes
  Jr Aquino, 2011-06-06, 1 file, -2/+2

  Add tests for users, groups, hosts and hostgroups to verify membership
  Update API to version 2.3

  https://fedorahosted.org/freeipa/ticket/1170

* Add option to limit the attributes allowed in an entry.
  Rob Crittenden, 2011-05-27, 1 file, -0/+2

  Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy purview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation.

  Add two new LDAPObject values to control this behavior:

      limit_object_classes: only attributes in these are allowed
      disallow_object_classes: attributes in these are disallowed

  By default both of these lists are empty so are skipped.

  ticket 744

* A new flag to disable creation of UPG
  Martin Kosek, 2011-05-25, 1 file, -12/+41

  Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it.

  https://fedorahosted.org/freeipa/ticket/1131

* Modify the default attributes shown in user-find to match the UI design.
  Rob Crittenden, 2011-04-22, 1 file, -0/+5

  This change means the UI can stop using the --all option and have to retrieve significantly less information from the server. It also speeds up user-find as it doesn't have to calculate membership.

  This adds a new baseclass parameter, search_display_attributes, which can provide a separate list from default_attributes just for find commands.

  The UI will need to be changed to switch from using cn to using givenname and sn.

  ticket 1136

* Convert manager from userid to dn for storage and back for displaying.
  Rob Crittenden, 2011-04-22, 1 file, -0/+43

  ticket 1151

* postalCode should be a string not an integer.
  Rob Crittenden, 2011-04-05, 1 file, -1/+1

  postalCode is defined as an Int. This means you can't define one that has a leading zero nor can you have dashes, letters, etc.

  This changes the data type on the server. It will still accept an int value if provided and convert it into a string.

  Bump the API version to 2.1.

  ticket 1150

* Change default gecos from uid to first and last name.
  Rob Crittenden, 2011-04-05, 1 file, -1/+1

  ticket 1146

* Inconsistent error message for duplicate user
  Martin Kosek, 2011-03-29, 1 file, -1/+1

  When duplicate user is added an inconsistent error message to the rest of the framework is printed. This patch changes this to standard duplicate error message.

  https://fedorahosted.org/freeipa/ticket/1116

* Fix gidnumber option of user-add command.
  Pavel Zuna, 2011-03-29, 1 file, -14/+16

  Ticket #1127

* Fix style and grammatical issues in built-in command help.
  Rob Crittenden, 2011-03-04, 1 file, -6/+8

  There is a rather large API.txt change but it is only due to changes in the doc string in parameters.

  ticket 729

* Fix error in user plugin email normalizer for empty --setattr=email=.
  Pavel Zuna, 2011-03-03, 1 file, -1/+1

  ticket 1048

* Fix translatable strings in ipalib plugins.
  Pavel Zuna, 2011-03-01, 1 file, -4/+3

  Needed for xgettext/pygettext processing.

* Add handling for indirect memberof other entries.
  Rob Crittenden, 2011-02-21, 1 file, -0/+2

  This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.

  I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

  ticket 966

* Fixed parameter for user city.
  Endi S. Dewata, 2011-02-18, 1 file, -2/+2

  Previously the user's city parameter is defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.

* Special handling for nsaccountlock attribute in user.
  Rob Crittenden, 2011-02-17, 1 file, -0/+8

  nsaccountlock doesn't have a visible Param but we want to do some basic validation to be sure garbage doesn't get in there so do it in the pre_callback of add and mod.

  ticket 968

* Fixed user-add help
  Jan Zeleny, 2011-02-17, 1 file, -1/+1

  https://fedorahosted.org/freeipa/ticket/735

* Fix typo in rewording of help for the user module.
  Rob Crittenden, 2011-02-16, 1 file, -4/+4

  I was too quick on the patch push and didn't see a nack on the wording.

* Reword help for the user module
  Jan Zeleny, 2011-02-16, 1 file, -0/+3

  https://fedorahosted.org/freeipa/ticket/351

* Fix setattr mail bug in user plugin.
  Pavel Zuna, 2011-02-15, 1 file, -0/+2

  The email normalizer expects a list or tuple, but when using setattr it gets a string and iterates on it as if it was a list/tuple.

* Support of user default email domain
  Martin Kosek, 2011-02-14, 1 file, -0/+24

  This patch fixes the default domain functionality for user email(s). This setting may be configured via:

      ipa config-mod --emaildomain=example.com

  Then, when user is added/modified and --mail option is passed, the default domain is appended if the passed attribute does not contain another domain already.

  https://fedorahosted.org/freeipa/ticket/598

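Three commits in this log touch the same normalizer: the default-domain commit just above, the 2011-02-15 fix for --setattr handing the normalizer a bare string (which it then iterated character by character), and the 2011-03-03 fix for an empty --setattr=email=. The function below is an added example written for this page, not FreeIPA's own normalizer; it takes all three cases together. The default domain value and the sample inputs are constructed for the example.

```python
def normalize_mail(value, default_domain=None):
    """Normalize the 'mail' attribute as --mail or --setattr=mail= deliver it.

    Accepts a single string (what setattr passes) or a list/tuple (what the
    --mail option passes), drops empty values, and appends '@' + default_domain
    to any address that carries no domain of its own. Returns a list.
    """
    if value is None:
        return []
    if isinstance(value, str):
        # setattr hands over a bare string; iterating it directly would split
        # it into characters, so wrap it first.
        value = [value]
    elif not isinstance(value, (list, tuple)):
        raise TypeError("mail must be a string, list or tuple")

    result = []
    for mail in value:
        if mail is None:
            continue
        mail = str(mail).strip()
        if not mail:
            continue  # --setattr=mail= clears the attribute; it is not an error
        if "@" in mail:
            # Already carries a domain: keep it, but refuse half an address.
            local, domain = mail.rsplit("@", 1)
            if not local or not domain:
                raise ValueError("invalid email address: %r" % mail)
        elif default_domain:
            mail = "%s@%s" % (mail, default_domain)
        result.append(mail)
    return result


def is_valid_mail_value(value, default_domain=None):
    """Boolean verdict for callers that only need to know whether input is accepted."""
    try:
        normalize_mail(value, default_domain)
    except (TypeError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs; 'example.com' stands in for the configured
    # ipa config-mod --emaildomain value.
    print(normalize_mail("bob", "example.com"))                  # ['bob@example.com']
    print(normalize_mail(["bob", "alice@other.org"], "example.com"))
    print(normalize_mail("", "example.com"))                     # []
```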
* Add default success/failure output logging.
  Rob Crittenden, 2011-02-14, 1 file, -1/+0

  Request logging on the server only happened if you added verbose=True or debug=True to the IPA config file. We should log the basics at least: who, what, result.

  Move a lot of entries from info to debug logging as well.

  Related to ticket 873

* Use correct LDAP attributes for city and state.
  Rob Crittenden, 2011-02-02, 1 file, -5/+9

  Also add a unit test for address.

  Ticket 889

* Add support for account unlocking
  Jan Zeleny, 2011-01-28, 1 file, -0/+24

  This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.

  Ticket: https://fedorahosted.org/freeipa/ticket/344

* Modified description of nsaccountlock attribute
  Jan Zeleny, 2011-01-18, 1 file, -1/+1

  The original one was misleading, giving the value exactly opposite meaning than it actually was.

  https://fedorahosted.org/freeipa/ticket/741