summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Update cert-request to support user certs and profilesFraser Tweedale2015-06-042-88/+133
| | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add usercertificate attribute to user pluginFraser Tweedale2015-06-042-3/+9
| | | | | | Part of: https://fedorahosted.org/freeipa/tickets/4938 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add profile_id parameter to 'request_certificate'Fraser Tweedale2015-06-041-1/+1
| | | | | | | | | | | | Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add generic split_any_principal methodFraser Tweedale2015-06-041-8/+19
| | | | | | | | | | | | | | | There exist methods to split user or service/host principals, but there is no method to split any kind of principal and allow the caller to decide what to do. Generalize ``ipalib.plugins.service.split_principal`` to return a service of ``None`` if the principal is a user principal, rename it ``split_any_principal`` and reimplement ``split_principal`` to preserve existing behaviour. Part of: https://fedorahosted.org/freeipa/ticket/4938 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add certprofile pluginFraser Tweedale2015-06-042-0/+254
| | | | | | | | | | | | | Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix certificate management with service-modFraser Tweedale2015-06-031-1/+1
| | | | | | | | | | Adding or removing certificates from a service via --addattr or --delattr is broken. Get certificates from entry_attrs instead of options. https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: regression in host and service pluginMartin Basti2015-06-032-7/+14
| | | | | | | | | | | Test failures: * wrong error message * mod operation always delete usercertificates https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Milan Kubik <mkubik@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Add plugin to manage service constraint delegationsRob Crittenden2015-06-031-0/+537
| | | | | | | | | | Service Constraints are the delegation model used by ipa-kdb to grant service A to obtain a TGT for a user against service B. https://fedorahosted.org/freeipa/ticket/3644 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Support multiple host and service certificatesFraser Tweedale2015-06-022-84/+117
| | | | | | | | | | | | | | | | | | | | | | Update the framework to support multiple host and service certificates. host-mod and service-mod revoke existing certificates that are not included in the modified entry. Using addattr=certificate=... will result in no certificates being revoked. The existing behaviour of host-disable, host-del, service-disable and service-del (revoke existing certificate) is preserved but now applies to all certificates in the host or service entry. Also update host-show and service-show to write all the principal's certificates to the file given by the ``--out=FILE`` option. Part of: http://www.freeipa.org/page/V4/User_Certificates https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not print traceback when pipe is brokenGabe2015-06-021-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/2284 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow ipa help command to run when ipa-client-install is not configuredGabe2015-06-021-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3584 Reviewed-By: Martin Basti <mbasti@redhat.com>
* server-find and server-show commandsPetr Vobornik2015-05-262-0/+90
| | | | | | | | | | | ipa server-find ipa server-show FQDN These commands display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add Domain Level featureTomas Babej2015-05-263-0/+157
| | | | | | | https://fedorahosted.org/freeipa/ticket/5018 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Added vault plugin.Endi S. Dewata2015-05-252-0/+322
| | | | | | | | | A new plugin has been added to manage vaults. Test scripts have also been added to verify the functionality. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* webui: option to not create user private groupPetr Vobornik2015-05-201-0/+1
| | | | | | | | | | | Web UI wa not able to create a user without a private group. New field added to user adder dialog to allow that. https://fedorahosted.org/freeipa/ticket/4986 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* webui: stageuser pluginPetr Vobornik2015-05-201-0/+11
| | | | | Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* User life cycle: Add 'Stage User Provisioning' permission/priviledgeThierry Bordaz2015-05-181-3/+14
| | | | | | | Add the ability for 'Stage user provisioning' priviledge to add stage users. Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: Stage user Administrators permission/priviledgeThierry Bordaz2015-05-182-1/+150
| | | | | | | | Creation of stage user administrator https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: support of user-undelThierry Bordaz2015-05-181-1/+46
| | | | | | | | | add user plugin commands : user-undel user-undel: moves a user from delete container to the active container https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: user-find support finding delete usersThierry Bordaz2015-05-181-3/+20
| | | | | | | | | change user plugin commands : user-find user-find support of --preserved option to show preserved (aka deleted) users https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: user-del supports --permanently, --preserve options and ↵Thierry Bordaz2015-05-181-12/+123
| | | | | | | | | | | | | ability to delete deleted user change user plugin commands : user-del - --permanently: deletes permanently an Active user (DEL) - --preserve: move an Active user to Delete user (MODRDN) - allows to delete Active user and Delete user https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: new stageuser commands activate (provisioning)Thierry Bordaz2015-05-181-7/+65
| | | | | | | | | Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by provisioning https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: new stageuser commands activateThierry Bordaz2015-05-182-1/+222
| | | | | | | | | Add plugin commands to stageuser plugin: stageuser_activate: activate entries created by IPA CLIs https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: new stageuser commands del/mod/find/showThierry Bordaz2015-05-183-77/+180
| | | | | | | | | | | | Add plugin commands to stageuser plugin: stageuser_del stageuser_mod stageuser_find stageuser_show https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entryJan Cholasta2015-05-151-1/+1
|
* cli: differentiate Flag a Bool when autofill is setPetr Vobornik2015-05-121-2/+2
| | | | | | | | | | | With previous behavior there was no difference between Flag and Bool if - autofill == True - default = some value It prevented to have a boolean which is set by default to true, but could be set to False if users wants to without prompting in interactive shell. Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: log migrated group members only on debug levelPetr Vobornik2015-05-121-2/+2
| | | | | | It pollutes error_log. Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: optimize gid checks by utilizing dictionary nature of setPetr Vobornik2015-05-121-4/+4
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: remove unused def_group_gid context propertyPetr Vobornik2015-05-121-3/+1
| | | | | | it's no longer used anywhere Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: skip default group optionPetr Vobornik2015-05-121-4/+14
| | | | | | | | | | | | | New option --use-default-group=False could be used to disable adding of migrated users into default group. By default, the default group is no longer POSIX therefore it doesn't fulfill the original idea of providing GID and therefore it could be skipped during migration. https://fedorahosted.org/freeipa/ticket/4950 Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: optimize adding users to default groupPetr Vobornik2015-05-121-17/+12
| | | | | | | | | | | | | Migrate-ds searches for user without a group and adds them to default group. There is no point in checking if the user's selected by previous queary are not member of default group because they are not member of any group. The operation is also speeded up by not fetching the default group. Users are added right away. https://fedorahosted.org/freeipa/ticket/4950 Reviewed-By: Martin Basti <mbasti@redhat.com>
* use Connectible.disconnect() instead of .destroy_connection()Petr Vobornik2015-05-071-1/+1
| | | | | | | | | Destroy connection is an internal function of Connectible and therefore it should not be used directly. https://fedorahosted.org/freeipa/ticket/4991 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Unsaved changes dialog internally inconsistentGabe2015-05-071-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4926 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make lint work on Fedora 22.David Kupka2015-04-271-0/+1
| | | | | | | | | | | pylint added 'confidence' parameter to 'add_message' method of PyLinter. To be compatible with both, pre- and post- 1.4 IPALinter must accept the parameter but not pass it over. Also python3 checker was added and enabled by default. FreeIPA is still not ready for python3. Additionally few false-positives was marked. Reviewed-By: Martin Basti <mbasti@redhat.com>
* speed up indirect member processingPetr Vobornik2015-04-273-4/+78
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* speed up convert_attribute_membersPetr Vobornik2015-04-201-8/+28
| | | | | | | | A workaround to avoid usage of slow LDAPEntry._sync_attr #4946 https://fedorahosted.org/freeipa/ticket/4965 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-161-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* User life cycle: allows MODRDN from ldap2Thierry Bordaz2015-04-161-3/+5
| | | | | | | | | enhance update_entry_rdn so that is allows to move an entry a new superior https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Server Upgrade: specify order of plugins in update filesMartin Basti2015-04-141-3/+3
| | | | | | | | | | | | * add 'plugin' directive * specify plugins order in update files * remove 'run plugins' options * use ldapupdater API instance in plugins * add update files representing former PreUpdate and PostUpdate order of plugins https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: stageuser-add verbThierry bordaz (tbordaz)2015-04-084-401/+788
| | | | | | | | | | | | | | | Add a accounts plugin (accounts class) that defines variables and methods common to 'users' and 'stageuser'. accounts is a superclass of users/stageuser Add the stageuser plugin, with support of stageuser-add verb. Reviewed By: David Kupka, Martin Basti, Jan Cholasta https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix ldap2 shared connectionMartin Basti2015-04-021-1/+1
| | | | | | | | | Since API is not singleton anymore, ldap2 connections should not be shared by default. https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb.David Kupka2015-03-301-10/+10
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* migrate-ds: print out failed attempts when no users/groups are migratedMartin Babinsky2015-03-231-9/+8
| | | | | | | This patch should fix both https://fedorahosted.org/freeipa/ticket/4846 and https://fedorahosted.org/freeipa/ticket/4952. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* certstore: Make certificate retrieval more robustJan Cholasta2015-03-191-22/+52
| | | | | | https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* DNS: remove NSEC3PARAM from recordsMartin Basti2015-03-091-7/+1
| | | | | | | | NSEC3PARAM is configurable only from zone commands. This patch removes this record type from DNS records. Ticket: https://fedorahosted.org/freeipa/ticket/4930 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS fix: do not show part options for unsupported recordsMartin Basti2015-03-091-1/+2
| | | | | | | Do not show parts options in help output, if record is marked as unsupported. Ticket: https://fedorahosted.org/freeipa/ticket/4930 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS fix: do not traceback if unsupported records are in LDAPMartin Basti2015-03-091-32/+32
| | | | | | | | | | Show records which are unsupported, if they are in LDAP. Those records are not editable, and web UI doesnt show them. Fixes traceback caused by --structured option Ticket: https://fedorahosted.org/freeipa/ticket/4930 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* advise: Add separate API object for ipa-adviseJan Cholasta2015-03-052-56/+2
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Move plugin package setup to ipalib-specific API subclassJan Cholasta2015-03-052-9/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Allow multiple API instancesJan Cholasta2015-03-053-107/+110
| | | | | | | | | | | Merged the Registrar class into the Registry class. Plugins are now registered globally instead of in ipalib.api and are instantiated per-API instance. Different set of plugin base classes can be used in each API instance. https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Tomas Babej <tbabej@redhat.com>
generated by cgit (git 2.34.1) at 2024-09-28 18:32:03 +0000