| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Previously the user's city parameter is defined to use the 'locality'
attribute. This was a problem because the attribute would be returned
as 'l' by the directory server causing a mismatch. Now the parameter
has been changed to use the 'l' attribute.
|
| |
|
|
|
|
|
|
| |
nsaccountlock doesn't have a visible Param but we want do so
some basic validation to be sure garbage doesn't get in there so
do it in the pre_callback of add and mod.
ticket 968
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/735
|
| |
|
|
| |
I was too quick on the patch push and didn't see a nack on the wording.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/351
|
| |
|
|
|
| |
The email normalizer expects a list or tuple, but when using setattr
it gets a string and interates on it as if it was a list/tuple.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the default domain functionality for user email(s).
This setting may be configured via:
ipa config-mod --emaildomain=example.com
Then, when user is added/modified and --mail option is passed,
the default domain is appended if the passed attribute does not
contain another domain already.
https://fedorahosted.org/freeipa/ticket/598
|
| |
|
|
|
|
|
|
|
|
| |
Request logging on the server only happened if you added verbose=True
or debug=True to the IPA config file. We should log the basics at
least: who, what, result.
Move a lot of entries from info to debug logging as well.
Related to ticket 873
|
| |
|
|
|
|
| |
Also add a unit test for address.
Ticket 889
|
| |
|
|
|
|
|
|
| |
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.
Ticket:
https://fedorahosted.org/freeipa/ticket/344
|
| |
|
|
|
|
|
| |
The original one was misleading, giving the value exactly opposite
meaning than it actually was.
https://fedorahosted.org/freeipa/ticket/741
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
|
| |
|
|
|
|
|
|
|
|
| |
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
|
| |
|
|
| |
ticket 578
|
| |
|
|
| |
Change the label for the account status field IAW https://fedorahosted.org/freeipa/ticket/677
|
| |
|
|
| |
Ticket #436
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.
This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla
Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla
Ticket #435
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
| |
ticket 559
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.
We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added
ticket 567
|
| |
|
|
|
|
|
| |
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
| |
|
|
|
|
|
| |
Some fields were missing from user object, this change adds them
along with their l10n
https://fedorahosted.org/freeipa/ticket/305
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|
| |
|
|
| |
recent changes to the scope mechanism weren't propigated to the whoami call
|
| |
|
|
| |
Add the opportunity to change base DN and scope in the callback.
|
| | |
|
| |
|
|
| |
ticket 434
|
| |
|
|
| |
Ticket #452
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Always display the account enable/disable status.
Don't ignore the exceptions when a user is already enabled or disabled.
Fix the exception error messages to use the right terminology.
In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.
ticket 392
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.
The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.
This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup
ticket 296
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To do a change right now you have to perform a setattr like:
ipa user-mod --setattr uid=newuser olduser
The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.
ticket 323
|
| |
|
|
| |
ticket 182
|
| |
|
|
| |
ticket 226
|
| |
|
|
| |
Ticket #165
|
| |
|
|
| |
Added in params for phone number types: phone, fax, mobile ,pager
|
| |
|
|
|
|
|
| |
And move it to the group 'admins' instead. This way the admin user can
be removed/renamed.
ticket 197
|
| | |
|
| |
|
|
| |
ticket 227
|
| |
|
|
|
|
| |
Now no longer breaks user-find with a filter
Uses the corrected Params for getting option
printf style strings
|
| |
|
|
| |
This reverts commit bef0690a2ff9cccf7de132e5e64b4ba631482764.
|
| |
|
|
| |
Added a whoami option to the user, allows the user to query their own information based on their Kerberos principal
|
| |
|
|
| |
ticket #158
|
| |
|
|
|
|
|
|
|
| |
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.
ticket #11
|
| |
|
|
|
|
|
|
| |
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.
Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
|
| | |
|
| | |
|
| | |
|
