path: root/ipalib
* plugable: Pass API to plugins on initialization rather than using set_api
  Author: Jan Cholasta  Date: 2015-07-01  Files: 8  Lines: -48/+32
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Load plugins only from modules imported by API
  Author: Jan Cholasta  Date: 2015-07-01  Files: 3  Lines: -7/+24
  Previously all plugin modules imported from anywhere were added to the API.
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugins to import in API by module names
  Author: Jan Cholasta  Date: 2015-07-01  Files: 2  Lines: -45/+45
  This change removes the automatic plugins sub-package magic and allows specifying modules in addition to packages.
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Move find_modules_in_dir from util to plugable
  Author: Jan Cholasta  Date: 2015-07-01  Files: 2  Lines: -24/+23
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is True
  Author: Jan Cholasta  Date: 2015-07-01  Files: 4  Lines: -6/+2
  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Move plugin base class and override logic to API
  Author: Jan Cholasta  Date: 2015-07-01  Files: 3  Lines: -163/+122
  Each API object now maintains its own view of registered plugins. This change removes the need to register plugin base classes.
  This reverts commit 2db741e847c60d712dbc8ee1cd65a978a78eb312.
  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Remove ID overrides for permanently removed users and groups
  Author: Tomas Babej  Date: 2015-07-01  Files: 3  Lines: -5/+40
  For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow users to specify the raw anchor directly as identifier
  Author: Tomas Babej  Date: 2015-07-01  Files: 1  Lines: -11/+31
  For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable. Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist.
  https://fedorahosted.org/freeipa/ticket/5026
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Set dcerpc detection flag properly
  Author: Tomas Babej  Date: 2015-07-01  Files: 1  Lines: -1/+3
  The availability of dcerpc bindings is being checked on the client side as well, hence we need to define it properly.
  https://fedorahosted.org/freeipa/ticket/5025
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Don't rely on positional arguments for python-kerberos calls
  Author: Rob Crittenden  Date: 2015-07-01  Files: 1  Lines: -1/+2
  Upstream PyKerberos uses a different argument ordering than from the patch that Fedora/RHEL was carrying for authGSSClientInit(). Using named arguments provides forwards and backwards compatibility.
  https://fedorahosted.org/freeipa/ticket/5085
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* certprofile: fix doc error
  Author: Fraser Tweedale  Date: 2015-06-29  Files: 1  Lines: -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Verify replication topology for a suffix
  Author: Petr Vobornik  Date: 2015-06-29  Files: 2  Lines: -0/+87
  Checks done:
  1. check if the topology is not disconnected. In other words, if there are replication paths between all servers.
  2. check if servers don't have more than a recommended number of replication agreements (4)
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: David Kupka <dkupka@redhat.com>
* topology: check topology in ipa-replica-manage del
  Author: Petr Vobornik  Date: 2015-06-29  Files: 1  Lines: -0/+51
  ipa-replica-manage del now:
  - checks the whole current topology (before deletion), reports issues
  - simulates deletion of server and checks the topology again, reports issues
  Asks admin if he wants to continue with the deletion if any errors are found.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: permission to delete a preserved user
  Author: root  Date: 2015-06-29  Files: 1  Lines: -0/+10
  Add permission to delete an entry from Delete container
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix for a typo in certprofile mod command.
  Author: Milan Kubík  Date: 2015-06-23  Files: 1  Lines: -1/+1
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* webui: adjust user deleter dialog to new api
  Author: Petr Vobornik  Date: 2015-06-18  Files: 1  Lines: -0/+3
  In user_del, flags 'permanently' and 'preserve' were replaced with single bool option 'preserve'
  part of: https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: change user-del flags to be CLI-specific
  Author: Jan Cholasta  Date: 2015-06-18  Files: 1  Lines: -8/+24
  Rename --permanently to --no-preserve.
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: add UnknownRecord to schema
  Author: Martin Basti  Date: 2015-06-18  Files: 1  Lines: -2/+2
  Definition of UnknownRecord attributetype
  https://fedorahosted.org/freeipa/ticket/4939
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix OTP token URI generation
  Author: Nathaniel McCallum  Date: 2015-06-17  Files: 1  Lines: -1/+1
  Google Authenticator fails if the algorithm is not uppercase.
  https://fedorahosted.org/freeipa/ticket/5047
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* User life cycle: provide preserved user virtual attribute
  Author: Jan Cholasta  Date: 2015-06-15  Files: 1  Lines: -30/+48
  https://fedorahosted.org/freeipa/ticket/3813
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* server: add "del" command
  Author: Petr Vobornik  Date: 2015-06-15  Files: 1  Lines: -0/+7
  This command is internal and is supposed to be used by ipa-replica-managed to delete replica.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Stage User: Fix permissions naming and split them where appropriate.
  Author: Thierry Bordaz  Date: 2015-06-15  Files: 1  Lines: -42/+40
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* topology: fix swapped topologysegment-reinitialize behavior
  Author: Petr Vobornik  Date: 2015-06-15  Files: 1  Lines: -2/+4
  Setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the right node and not the left node. This patch fixes API to match the behavior.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: restrict direction changes
  Author: Petr Vobornik  Date: 2015-06-15  Files: 1  Lines: -1/+2
  topology plugin doesn't properly handle:
  - creation of segment with direction 'none' and then upgrade to other direction
  - downgrade of direction
  These situations are now forbidden in API.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
  Author: Petr Spacek  Date: 2015-06-11  Files: 2  Lines: -13/+15
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* disallow mod of topology segment nodes
  Author: Petr Vobornik  Date: 2015-06-11  Files: 1  Lines: -0/+2
  Mod of segment end will be disallowed in topology plugin.
  Reasoning (by Ludwig): if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new would be a duplicate and create new agmts. There could be some difficult scenarios, like having A <--> B <--> C <--> D; if you modify the segment B-C to A-D, topology breaks and is then reconnected.
  part of: https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: validate forward zone forwarders
  Author: Martin Basti  Date: 2015-06-11  Files: 3  Lines: -3/+182
  Show warning messages if DNSSEC validation is failing for a particular FW zone or if the specified forwarders do not work.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: Improve global forwarders validation
  Author: Martin Basti  Date: 2015-06-11  Files: 3  Lines: -52/+164
  Validation now provides more detailed information and fewer false-positive failures.
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* rename topologysegment_refresh to topologysegment_reinitialize
  Author: Petr Vobornik  Date: 2015-06-11  Files: 1  Lines: -1/+1
  https://fedorahosted.org/freeipa/ticket/5056
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Enforce CA ACLs in cert-request command
  Author: Fraser Tweedale  Date: 2015-06-11  Files: 2  Lines: -0/+93
  This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery.
  It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add CA ACL plugin
  Author: Fraser Tweedale  Date: 2015-06-11  Files: 2  Lines: -0/+478
  Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles.
  At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed.
  Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Fix ipa-kra-install
  Author: Jan Cholasta  Date: 2015-06-10  Files: 1  Lines: -9/+29
  Use state in LDAP rather than local state to check if KRA is installed.
  Use correct log file names.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* vault: Move vaults to cn=vaults,cn=kra
  Author: Jan Cholasta  Date: 2015-06-10  Files: 1  Lines: -1/+1
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* topology: hide topologysuffix-add del mod commands
  Author: Petr Vobornik  Date: 2015-06-10  Files: 1  Lines: -0/+6
  Suffixes are created on installation/upgrade. Users should not modify them.
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* topology: allow only one node to be specified in topologysegment-refresh
  Author: Petr Vobornik  Date: 2015-06-10  Files: 1  Lines: -6/+13
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Added vault-archive and vault-retrieve commands.
  Author: Endi S. Dewata  Date: 2015-06-08  Files: 1  Lines: -1/+495
  New commands have been added to archive and retrieve data into and from a vault, and also to retrieve the transport certificate.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migration now accepts scope as argument
  Author: Drew Erny  Date: 2015-06-05  Files: 1  Lines: -1/+18
  Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree], which allows the user to specify LDAP search depth for users and groups. 'onelevel' was the hard-coded level before this patch and is still default. Specify 'subtree' to search nested OUs for users and groups.
  https://fedorahosted.org/freeipa/ticket/2547
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: topology plugin
  Author: Petr Vobornik  Date: 2015-06-04  Files: 1  Lines: -0/+11
  https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: IPA.command_dialog - a new dialog base class
  Author: Petr Vobornik  Date: 2015-06-04  Files: 1  Lines: -0/+1
  refactoring for: https://fedorahosted.org/freeipa/ticket/4997
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: ipa management commands
  Author: Petr Vobornik  Date: 2015-06-04  Files: 2  Lines: -0/+386
  ipalib part of topology management
  Design:
  - http://www.freeipa.org/page/V4/Manage_replication_topology
  https://fedorahosted.org/freeipa/ticket/4302
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Update cert-request to support user certs and profiles
  Author: Fraser Tweedale  Date: 2015-06-04  Files: 2  Lines: -88/+133
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add usercertificate attribute to user plugin
  Author: Fraser Tweedale  Date: 2015-06-04  Files: 2  Lines: -3/+9
  Part of: https://fedorahosted.org/freeipa/tickets/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add profile_id parameter to 'request_certificate'
  Author: Fraser Tweedale  Date: 2015-06-04  Files: 1  Lines: -1/+1
  Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add generic split_any_principal method
  Author: Fraser Tweedale  Date: 2015-06-04  Files: 1  Lines: -8/+19
  There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do.
  Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour.
  Part of: https://fedorahosted.org/freeipa/ticket/4938
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add certprofile plugin
  Author: Fraser Tweedale  Date: 2015-06-04  Files: 2  Lines: -0/+254
  Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions.
  Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API.
  Part of: https://fedorahosted.org/freeipa/ticket/57
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix certificate management with service-mod
  Author: Fraser Tweedale  Date: 2015-06-03  Files: 1  Lines: -1/+1
  Adding or removing certificates from a service via --addattr or --delattr is broken. Get certificates from entry_attrs instead of options.
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: regression in host and service plugin
  Author: Martin Basti  Date: 2015-06-03  Files: 2  Lines: -7/+14
  Test failures:
  * wrong error message
  * mod operation always deletes usercertificates
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Add plugin to manage service constraint delegations
  Author: Rob Crittenden  Date: 2015-06-03  Files: 1  Lines: -0/+537
  Service Constraints are the delegation model used by ipa-kdb to grant service A to obtain a TGT for a user against service B.
  https://fedorahosted.org/freeipa/ticket/3644
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Support multiple host and service certificates
  Author: Fraser Tweedale  Date: 2015-06-02  Files: 2  Lines: -84/+117
  Update the framework to support multiple host and service certificates.
  host-mod and service-mod revoke existing certificates that are not included in the modified entry. Using addattr=certificate=... will result in no certificates being revoked.
  The existing behaviour of host-disable, host-del, service-disable and service-del (revoke existing certificate) is preserved but now applies to all certificates in the host or service entry.
  Also update host-show and service-show to write all the principal's certificates to the file given by the ``--out=FILE`` option.
  Part of: http://www.freeipa.org/page/V4/User_Certificates
  https://fedorahosted.org/freeipa/ticket/4238
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not print traceback when pipe is broken
  Author: Gabe  Date: 2015-06-02  Files: 1  Lines: -1/+4
  https://fedorahosted.org/freeipa/ticket/2284
  Reviewed-By: Martin Basti <mbasti@redhat.com>