summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Fix idrange plugin helpMartin Kosek2012-09-201-4/+4
| | | | | range plugin was renamed to idrange. Update plugin help to reflect this change.
* Use default reverse zone consistentlyMartin Kosek2012-09-192-1/+28
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Add verification of the AD trustAlexander Bokovoy2012-09-171-5/+7
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-3/+6
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-171-3/+3
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos.Yuri Chornoivan2012-09-189-16/+16
| | | | https://fedorahosted.org/freeipa/ticket/3089
* Fix addattr internal errorMartin Kosek2012-09-161-1/+11
| | | | | | | | | | | When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429
* JSON serialization of long typePetr Vobornik2012-09-131-1/+1
| | | | | | Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it. Discovered after "Cast DNS SOA serial maximum boundary to long"
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-131-3/+6
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Make sure selinuxusemap behaves consistently to HBAC ruleTomas Babej2012-09-121-18/+58
| | | | | | | | | Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-061-1/+1
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-064-47/+70
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Trust CLI: mark trust-mod for future useSumit Bose2012-09-071-1/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2968
* Trust CLI: return more details of added trustSumit Bose2012-09-071-0/+11
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2971
* Trust CLI: Return more details when searching trustsSumit Bose2012-09-071-0/+13
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2970
* Do not create trust if murmur hash is not available and base-id not givenSumit Bose2012-09-071-6/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3018
* IDRange CLI: Add documentationSumit Bose2012-09-071-2/+127
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2969
* IDRange CLI: allow to work without argumentsSumit Bose2012-09-071-6/+16
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2999
* Rename range CLI to idrangeSumit Bose2012-09-073-17/+17
|
* Cast DNS SOA serial maximum boundary to longMartin Kosek2012-09-071-1/+1
| | | | | | This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.
* Set the e-mail attribute using the default domain name by defaultRob Crittenden2012-09-071-6/+20
| | | | https://fedorahosted.org/freeipa/ticket/2810
* Add range safety check for range_mod and range_delMartin Kosek2012-09-061-0/+81
| | | | | | | | | | | | | range_mod and range_del command could easily create objects with ID which is suddenly out of specified range. This could cause issues in trust scenarios where range objects are used for computation of remote IDs. Add validator for both commands to check if there is any object with ID in the range which would become out-of-range as a pre_callback. Also add unit tests testing this new validator. https://fedorahosted.org/freeipa/ticket/2919
* Update of confirmation of actionsPetr Vobornik2012-09-061-0/+2
| | | | | | | | | | | This patch is changing confirmation of actions according to ticket #3035, see the ticket description. It does following changes: * Confirmation of update action was removed. * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry. * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations. https://fedorahosted.org/freeipa/ticket/3035
* Fix DNS SOA serial parameters boundariesMartin Kosek2012-09-061-1/+7
| | | | | | | Set correct boundaries for DNS SOA serial parameters (see RFC 1035, 2181). https://fedorahosted.org/freeipa/ticket/2568
* Transfer long numbers over XMLRPCMartin Kosek2012-09-062-8/+11
| | | | | | | | | | | | Numeric parameters in ipalib were limited by XMLRPC boundaries for integer (2^31-1) which is too low for some LDAP attributes like DNS SOA serial field. Transfer numbers which are not in XMLRPC boundary as a string and not as a number to workaround this limitation. Int parameter had to be updated to also accept Python's long type as valid int type. https://fedorahosted.org/freeipa/ticket/2568
* Allow localhost in zone ACIsMartin Kosek2012-09-061-6/+3
| | | | | Loopback address, "localhost" and "localnets" ACIs are no longer an issue for bind-dyndb-ldap. Allow them in our validators.
* Added decimal checks to metadata validatorPetr Vobornik2012-09-061-0/+1
| | | | | | Medatadata validator didn't have check for decimal values. It was added. https://fedorahosted.org/freeipa/ticket/3052
* Fixed metadata serialization of Numbers and DNsPetr Vobornik2012-09-063-4/+8
| | | | | | | | There were following problems: 1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string. 2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended. https://fedorahosted.org/freeipa/ticket/3052
* Notify success on add, delete and updatePetr Vobornik2012-09-061-1/+6
| | | | | | | | | | | Notification of success was added to: * details facet: update * association facet and association widget: add, delete items * attribute facet: delete items (notification of add should be handled in entity adder dialog) * sudo rule: add, remove option * dnsrecord: add, update, delete https://fedorahosted.org/freeipa/ticket/2977
* Sort policies numerically in pwpolicy-findTomas Babej2012-09-031-1/+1
| | | | | | | | Password policies in pwpolicy-find are now sorted in the expected numerical manner. Also tweaks one of the unit tests so that it tests this behaviour. https://fedorahosted.org/freeipa/ticket/3039
* Internationalization for public errorsPetr Viktorin2012-09-0322-79/+121
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
* prevent last admin from being disabledJohn Dennis2012-09-032-9/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We prevent the last member of the admin group from being deleted. The same check needs to be performed when disabling a user. * Moved the code in del_user to the common subroutine check_protected_member() and call it from both user_del and user_disable. Note, unlike user_del user_disable does not have a 'pre' callback therefore the check function is called in user_disable's execute routine. * Make check_protected_member() aware of disabled members. It's not sufficient to check which members of the protected group are present, one must only consider those members which are enabled. * Add tests to test_user_plugin.py. - verify you cannot delete nor disable the last member of the admin group - verify when the admin group contains disabled users in addition to enabled users only the enabled users are considered when determining if the last admin is about to be disabled or deleted. * Replace duplicated hardcoded values in the tests with variables or subroutines, this makes the individual tests a bit more succinct and easier to copy/modify. * Update error msg to reflect either deleting or disabling is an error. https://fedorahosted.org/freeipa/ticket/2979
* ipa user-find --manager does not find matchesJohn Dennis2012-09-031-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The manager LDAP attribute is a dn pointing inside the user container. When passed on the command it is typically a bare user uid. The search filter will only succeed if the bare uid is converted to a full dn because that is what is stored in the value for the manager attribute. The search failure is solved by calling _normalize_manager() which does the conversion to a dn (if not already a dn). It feels like this type of conversion should be performed in the pre callback which allows one to modify the filter. But when the pre callback is invoked it's complex string with the manager attribute already inserted. This is because the LDAPSearch.execute() method processes the options dict and constructs a filter component for each key/value in the options dict prior to invoking the pre callback. If we wanted to modify the manager value in the filter in the pre callback we would have to decompose the filter string, perform dn checking and then reassemble the filter. It's much cleaner to perform the dn operations on the manager value before it gets embedded into what otherwise might be a very complex filter. This is the reason why the normalization is perfored in the execute method as opposed to the pre callback. Other classes do similar things in their execute methods as opposed to their callbacks's, selinuxusermap_find is one example. Patch also introduces new unit test to verify. https://fedorahosted.org/freeipa/ticket/2264
* Fixes different behaviour of permission-mod and show.Tomas Babej2012-08-291-1/+3
| | | | | | | Both commands now produce the same output regarding the attributelevelrights. https://fedorahosted.org/freeipa/ticket/2875
* Successful action notificationPetr Vobornik2012-08-291-0/+8
| | | | | | | | | | | | | | | | | | | User was not notified about success of actions executed from action list, action panel or facet cotrol bar. This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation). This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked. This call is used(directly or indirectly) in: * search facets: delete, disable, enable actions * details facets: delete action * user details facet: reset password action * host details facet: unprovision, set OTP actions * service details facet: unprovision action * host and service details facet: request, revoke, restore certificates actions * group details facet: change to POSIX/external actions * dns zone details facet: add/remove permission actions https://fedorahosted.org/freeipa/ticket/2977
* Restrict the SELinux user map user MLS value to 0-1023Rob Crittenden2012-08-291-1/+2
| | | | https://fedorahosted.org/freeipa/ticket/3001
* Improves deletion of PTR records in ipa host-delTomas Babej2012-08-281-1/+6
| | | | | | | Command ipa host-del with --updatedns now can deal both with hosts which zones are in FQDN form with or without a trailing dot. https://fedorahosted.org/freeipa/ticket/2809
* Fix managedBy label for DNS zoneMartin Kosek2012-08-263-3/+16
| | | | | | | | | | | | Even though managedBy output parameter was only used for failed host managedBy memberships, it was defined in global baseldap.py classes. Incorrect label was then being displayed also for DNS zone per-zone permission attribute with the same name. Move managedBy output parameter to host plugin. Define proper managedBy output parameter in DNS plugin to improve clarity of this attribute. https://fedorahosted.org/freeipa/ticket/2946
* Range Web UIPetr Vobornik2012-08-211-0/+11
| | | | | | | | | | | Range web UI was implemented. It consist of: * new menu item - 'ranges' in 'IPA Server' tab * new search page * new details page https://fedorahosted.org/freeipa/ticket/2894
* Ignore lint errors if pysssd_murmur and samba4 support not installed when ↵Alexander Bokovoy2012-08-151-2/+2
| | | | | | | building client code. Since ipalib.plugins.trust has both client-side and server-side code, this is the only way to properly handle linting errors.
* trust CLI: add ID range for new trusted domainSumit Bose2012-08-152-1/+63
|
* Validate default user in ordered list when using setattr, require MLSRob Crittenden2012-08-161-9/+12
| | | | | | The MLS was optional in the format, it should be required. https://fedorahosted.org/freeipa/ticket/2984
* Raise proper exception when given a bad DN attribute.Rob Crittenden2012-08-161-1/+4
|
* Raise Base64DecodeError instead of ConversionError when base64 decoding ↵Jan Cholasta2012-08-141-3/+3
| | | | | | fails in Bytes parameters. ticket 2962
* Corrects help description of selinuxusermap.Tomas Babej2012-08-141-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/2959
* Make group posixPetr Vobornik2012-08-141-0/+1
| | | | | | New option for creating plain user group posix group. External group can't be made posix. https://fedorahosted.org/freeipa/ticket/2338
generated by cgit (git 2.34.1) at 2024-11-16 02:18:37 +0000