| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.
ticket #11
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.
The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.
We use a lot of made-up host names in the test system, all of which require
the force flag now.
ticket #25
|
|
|
|
| |
ticket #113
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().
Added a test case for this situation to ensure that re-issuing a certificate
works.
ticket #88
|
|
|
|
|
|
| |
It returns the user prinicpal.
This is required by the webui, as the Kerberos credential mechanism in http
does not expose the cleartext prinicpal to the web browser.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
|
|
|
|
|
|
|
|
|
| |
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.
I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
|
|
|
|
|
|
|
|
| |
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
|
|
|
|
|
|
|
|
| |
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.
Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
|
|
|
|
| |
I used pylint to identify a bunch of unnecessary and too-broad imports
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.
I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
|
| |
|
|
|
|
| |
Also fix the memberOf attribute for the HBAC services
|
| |
|
| |
|
|
|
|
| |
461325
|
|
|
|
| |
Fix deletion of policy when a group is removed.
|
|
|
|
|
|
|
| |
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.
588574
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.
This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
|
|
|
|
|
|
| |
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
|
| |
|
| |
|
|
|
|
| |
583023
|
|
|
|
| |
Based on initial patch from Pavel Zuna.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DNS plugin is getting old, tired and already looking forward to his
pension in the Carribean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
had the has_output attribute in place
- --all: this is related to the output definitions as
Command.get_options() adds the --all and --raw options automatically
if has_output contains entries
- dns-add-rr overwritting: missing .lower() caused records to be
overwritten everytime a new one was added from the CLI
|
| |
|
| |
|
| |
|
|
|
|
|
| |
We were being left with orphan services if the host entry was not removed
using the FQDN.
|
| |
|
| |
|
|
|
|
| |
Fixes #572423.
|
|
|
|
|
|
|
| |
This will alert the user that nothing was done and is handy when used
with --attr=''. This can be used to delete a non-required attribute but
can be set to any valid attribute, present or not. We should alert the
user if they attempt to delete a non-existant value.
|
|
|
|
|
|
| |
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
|
|
|
|
|
|
|
|
|
|
| |
This fixes:
- Consistent usage of priority vs cospriority in options
- Fixes bug introduced with recent patch where global policy couldn't be
updated
- Doesn't allow cospriority to be removed for groups (#570536)
- returns the priority with group policy so it can be displayed
- Properly unicode encode group names for display
|
|
|
|
| |
569848
|
|
|
|
| |
This is required so we can disable anonymous access in 389-ds.
|
|
|
|
|
|
| |
Update the po to pick up this change too.
573979
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()
Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.
Also clean up imports of _() The import should come from
ipalib or ipalib.text, not ugettext from request.
|
|
|
|
|
|
|
|
| |
None is passed if the option is set with --minlife=''. This is a valid
use case to delete a non-required attribute. In this case we simply
don't do the math on None and things work as expected.
569847
|
| |
|
|
|
|
|
| |
We get a bit of an unusual error message back from dogtag when trying
to revoke a revoked cert so check its status first.
|
| |
|
| |
|
| |
|