summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-131-0/+16
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-114-14/+33
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Allow 'nfs:NONE' in global configurationSumit Bose2013-03-081-1/+1
| | | | | | | | | | | | This patch adds 'nfs:NONE' as an allowed entry for the global authorization data type in the CLI and WebUI. This is an ad-hoc solution to make sure that the new default value for the NFS service is not removed by chance. This patch should be removed if a more generic solution is implemented to modify service:TYPE style values of the authorization data type. https://fedorahosted.org/freeipa/ticket/2960
* Mention PAC issue with NFS in service plugin docSumit Bose2013-03-081-1/+7
| | | | https://fedorahosted.org/freeipa/ticket/2960
* Fix internal error in output_for_cli method of sudorule_{enable,disable}.Jan Cholasta2013-03-061-4/+4
| | | | | | | Also fix incorrect super method call in output_for_cli method of sudorule_{add,remove}_option. https://fedorahosted.org/freeipa/ticket/3489
* Fix remove while iterating in suppress_netgroup_memberof.Jan Cholasta2013-03-062-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3464
* Web UI: configurable SID blacklistsPetr Vobornik2013-03-061-0/+1
| | | | | | | Added blacklists section, with ipantsidblacklistincoming and ipantsidblacklistoutgoing multivalued textbox fields, into trust details page. https://fedorahosted.org/freeipa/ticket/3289
* Remove support for DN normalization from LDAPClient.Jan Cholasta2013-03-011-3/+2
|
* Remove DN normalization from the baseldap plugin.Jan Cholasta2013-03-017-56/+27
|
* Use full DNs in plugin code.Jan Cholasta2013-03-0114-36/+55
|
* Support attributes with multiple names in LDAPEntry.Jan Cholasta2013-03-011-2/+0
|
* Preserve case of attribute names in LDAPEntry.Jan Cholasta2013-03-013-8/+11
|
* Use the dn attribute of LDAPEntry to set/get DNs of entries.Jan Cholasta2013-03-017-33/+65
| | | | | Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove some unused importsPetr Viktorin2013-03-012-4/+1
| | | | | | Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper
* Add custom mapping object for LDAP entry data.Jan Cholasta2013-03-016-28/+28
|
* cli: Do interactive prompting after a context is createdPetr Viktorin2013-02-261-3/+3
| | | | | | | | | | Some commands require a connection for interactive prompting. Prompt after the connection is created. Option parsing is still done before connecting so that help can be printed out without a Kerberos ticket. https://fedorahosted.org/freeipa/ticket/3453
* Add trusted domain range objectclass when using idrange-modTomas Babej2013-02-261-0/+5
| | | | | | When modifing the idrange, one was able to add ipa NT trusted AD domain sid without objectclass ipatrustedaddomainrange being added. This patch fixes the issue.
* Make options checks in idrange-add/mod consistentTomas Babej2013-02-261-16/+46
| | | | | | | | | | | | Both now enforce the following checks: - dom_sid and secondary_rid_base cannot be used together - rid_base must be used together if dom_rid is set - secondary_rid_base and rid_base must be used together if dom_rid is not set Unit test for third check has been added. http://fedorahosted.org/freeipa/ticket/3170
* Update plugin docstrings (topic help) to reflect dropped CSV supportPetr Viktorin2013-02-2210-19/+21
| | | | https://fedorahosted.org/freeipa/ticket/3352
* Update argument docs to reflect dropped CSV supportPetr Viktorin2013-02-228-29/+27
| | | | https://fedorahosted.org/freeipa/ticket/3352
* Drop support for CSV in the CLI clientPetr Viktorin2013-02-223-81/+1
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3352 Design: http://freeipa.org/page/V3/Drop_CSV
* Remove csv_separator and csv_skipspace Param argumentsPetr Viktorin2013-02-221-11/+3
| | | | | | These were never set to anything but the defaults. Part of work for https://fedorahosted.org/freeipa/ticket/3352
* Fix permission validation and normalization in aci.pyPetr Viktorin2013-02-221-13/+10
| | | | | | | | | The code split the permission string on commas, essentially doing poor man's CSV parsing. So if a permission contained a comma-separated list of valid permissions, validation would pass but we'd get errors later. https://fedorahosted.org/freeipa/ticket/3420
* Rename the "messages" Output of the i18n_messages command to "texts"Petr Viktorin2013-02-211-3/+3
| | | | | | | This is to prevent a fatal name clash wih the new common "messages" Output. Since i18n_messages is an internal plugin, the change does not affect our public API.
* Add client capabilities, enable messagesPetr Viktorin2013-02-213-8/+88
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The API version the client sends can now be used to check what the client expects or is capable of. All version tests IPA does will be be named and listed in one module, ipalib.capabilities, which includes a function to test a specific capability against an API version. Similarly to Python's __future__ module, capabilities.py also serves as documentation of backwards-incompatible changes to the API. The first capability to be defined is "messages". Recent enough clients can accept a list of warnings or other info under the "messages" key in the result dict. If a JSON client does not send the API version, it is assumed this is a testing client (e.g. curl from the command line). Such a client "has" all capabilities, but it will always receive a warning mentioning that forward compatibility is not guaranteed. If a XML client does not send the API version, it is assumed it uses the API version before capabilities were introduced. (This is to keep backwards compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294) Whenever a capability is added, the API version must be incremented. To ensure that, capabilities are written to API.txt and checked by `makeapi --validate`. Design page: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732
* Add ipalib.messagesPetr Viktorin2013-02-212-69/+162
| | | | | | | | | | | | | The messages module contains message classes that can be added to a RPC response to provide additional information or warnings. This patch adds only the module with a single public message, VersionMissing, and unit tests. Since message classes are very similar to public errors, some functionality and unit tests were shared. Design page: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732
* Add the version option to all CommandsPetr Viktorin2013-02-2114-51/+61
| | | | | | | | | | | | | | | | | | | | | | | | | Several Commands were missing the 'version' option. Add it to those that were missing it. Do not remove the version option before calling commands. This means methods such as execute(), forward(), run() receive it. Several of these needed `**options` added to their signatures. Commands in the Cert plugin passed any unknown options to the underlying functions, these are changed to pass what's needed explicitly. Some commands in DNS and Batch plugins now pass version to commands they call. When the option is not given, fill it in automatically. (In a subsequent commit, a warning will be added in this case). Note that the public API did not change: all RPC calls already accepted a version option. There's no need for an API version bump (even though API.txt changes substantially). Design page: http://freeipa.org/page/V3/Messages Tickets: https://fedorahosted.org/freeipa/ticket/2732 https://fedorahosted.org/freeipa/ticket/3294
* Avoid internal error when user is not Trust adminMartin Kosek2013-02-201-1/+1
| | | | | | | | | | | | | | | When user tries to perform any action requiring communication with trusted domain, IPA server tries to retrieve a trust secret on his behalf to be able to establish the connection. This happens for example during group-add-member command when external user is being resolved in the AD. When user is not member of Trust admins group, the retrieval crashes and reports internal error. Catch this exception and rather report properly formatted ACIError. Also make sure that this exception is properly processed in group-add-member post callback. https://fedorahosted.org/freeipa/ticket/3390
* Prevent a sudo command from being deleted if it is a member of a sudo rulePetr Viktorin2013-02-201-0/+26
| | | | Tests included.
* Use ipauniqueid for the RDN of sudo commandsPetr Viktorin2013-02-201-0/+1
| | | | | | | | | Since sudo commands are case-sensitive, we can't use 'sudocmd' as the RDN. Tests for case-sensitive behavior included https://fedorahosted.org/freeipa/ticket/2482
* Prevent changing protected group's name using --setattrTomas Babej2013-02-191-1/+1
| | | | | | | | The name of any protected group now cannot be changed by modifing the cn attribute using --setattr. Unit tests have been added to make sure there is no regression. https://fedorahosted.org/freeipa/ticket/3354
* Implement the cert-find command for the dogtag CA backend.Rob Crittenden2013-02-191-2/+135
| | | | | | | | | | | | | | | | Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528
* Run interactive_prompt callbacks after CSV values are split.Jan Cholasta2013-02-191-8/+8
| | | | https://fedorahosted.org/freeipa/ticket/3334
* Add list of domains associated to our realm to cn=etcAna Krivokapic2013-02-193-0/+163
| | | | | | | | | Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945
* In topic help text, mention how to get help for commandsPetr Viktorin2013-02-181-0/+3
| | | | | | | This should prevent user confusion when topic help is requested unintentionally, for example with `ipa help ping`. See https://fedorahosted.org/freeipa/ticket/3247
* Add tests for the help command & --help optionsPetr Viktorin2013-02-181-3/+6
| | | | | | | | | Move the parser setup from bootstrap_with_global_options to bootstrap, so all API objects have access to it. Add some CLI tests for the help system. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Parse command arguments before creating a contextPetr Viktorin2013-02-181-1/+1
| | | | | | | This allows users to run `ipa COMMAND --help` even without Kerberos credentials. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Mention `ipa COMMAND --help` as the preferred way to get command helpPetr Viktorin2013-02-182-2/+5
| | | | | | | | | This avoids the problem with ambiguous command/topic names. No functionality is changed; `ipa help <COMMAND>` still works as before if there's no topic with the same name. https://fedorahosted.org/freeipa/ticket/3247
* Add command summary to `ipa COMMAND --help` outputPetr Viktorin2013-02-181-2/+2
| | | | | | This makes the output identical to `ipa help COMMAND`. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Simplify `ipa help topics` outputPetr Viktorin2013-02-181-10/+3
| | | | | | | This brings the output closer to `ipa help commands` and removes extraneous information. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Store the OptionParser in the API, use it to print unified help messagesPetr Viktorin2013-02-182-7/+5
| | | | | | | | | Make `ipa -h` and `ipa help` output the same message. Since `ipa -h` output is generated by the OptionParser, we need to make the parser available. Store it in `api.parser`. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Print help to stderr on errorPetr Viktorin2013-02-181-30/+46
| | | | | | | | | | | Whenever a command is used incorrectly, it should output an error message (and possibly additional help) to stderr. This patch adds a parameter to a bunch of places to allow selecting either stdout or stderr for help output, and makes badly called commands output to stderr only. Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Improve `ipa --help` outputPetr Viktorin2013-02-181-7/+30
| | | | | | | | | | | | | | | Fix the usage string to match actual usage. Add command description. Put information about `ipa help topics` etc. to the epilog, instead of using empty option groups. Use a custom formatter to preserve newlines. Add the -h/--help option manually to ensure consistent case (capital S). Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
* Add option to specify SID using domain name to idrange-add/modTomas Babej2013-02-181-13/+81
| | | | | | | | | | When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it down in CLI. If the lookup fails, error message asking the user to specify the SID manually is shown. https://fedorahosted.org/freeipa/ticket/3133
* Fix hbachelp examples formattingMartin Kosek2013-02-141-23/+23
| | | | | | Add correct labeling of matched/nonmatched output attributes. Also make sure that "\" is not interpreted as newline escape character but really as a "\" character.
* Add support for AD users to hbactest commandMartin Kosek2013-02-141-10/+131
| | | | | | | | | | | | | | | | | | | | | How this works: 1. When a trusted domain user is tested, AD GC is searched for the user entry Distinguished Name 2. The user entry is then read from AD GC and its SID and SIDs of all its assigned groups (tokenGroups attribute) are retrieved 3. The SIDs are then used to search IPA LDAP database to find all external groups which have any of these SIDs as external members 4. All these groups having these groups as direct or indirect members are added to hbactest allowing it to perform the search LIMITATIONS: - only Trusted Admins group members can use this function as it uses secret for IPA-Trusted domain link - List of group SIDs does not contain group memberships outside of the trusted domain https://fedorahosted.org/freeipa/ticket/2997
* Do not hide SID resolver error in group-add-memberMartin Kosek2013-02-141-3/+0
| | | | | | | | | When group-add-member does not receive any resolved trusted domain object SID, it raises an exception which hides any useful error message passed by underlying resolution methods. Remove the exception to reveal this error messages to user. https://fedorahosted.org/freeipa/ticket/2997
* Generalize AD GC searchMartin Kosek2013-02-141-4/+5
| | | | | | | | | | | | | | Modify access methods to AD GC so that callers can specify a custom basedn, filter, scope and attribute list, thus allowing it to perform any LDAP search. Error checking methodology in these functions was changed, so that it rather raises an exception with a desription instead of simply returning a None or False value which would made an investigation why something does not work much more difficult. External membership method in group-add-member command was updated to match this approach. https://fedorahosted.org/freeipa/ticket/2997
* Add SID blacklist attributesMartin Kosek2013-02-121-6/+38
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add trusconfig-show and trustconfig-mod commandsMartin Kosek2013-02-111-7/+183
| | | | | | | | | | | | Global trust configuration is generated ipa-adtrust-install script is run. Add convenience commands to show auto-generated options like SID or GUID or options chosen by user (NetBIOS). Most of these options are not modifiable via trustconfig-mod command as it would break current trusts. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/3333
generated by cgit (git 2.34.1) at 2024-05-27 09:14:41 +0000