path: root/ipalib
Commit message | Author | Age | Files | Lines
* Added current password field. | Endi S. Dewata | 2011-11-07 | 1 | -0/+2
  The reset password dialog for user has been modified to provide a field to specify the current password when changing the user's own password.
  Ticket #2065
* Create pkey-only option for find commands | Martin Kosek | 2011-10-27 | 7 | -1/+23
  New option --pkey-only is available for all LDAPSearch based classes with primary key visible in the output. This option makes LDAPSearch commands search for primary attribute only. This may be useful when manipulating large data sets. User can at first retrieve all primary keys in a relatively small data package and then run further commands with retrieved primary keys.
  https://fedorahosted.org/freeipa/ticket/1262
* Fixed "enroll" labels. | Endi S. Dewata | 2011-10-27 | 1 | -5/+4
  Labels using the word "enroll" (except for host enrollment) have been modified to use more relevant words. The IPA.add_dialog has been renamed into IPA.entity_adder_dialog for clarity.
  Ticket #1642
* Removed HBAC deny rule warning. | Endi S. Dewata | 2011-10-26 | 1 | -2/+0
  The HBAC deny rule is no longer supported so it's no longer necessary to show the warning.
  Ticket #1444
* Add --zonemgr/--admin-mail validator | Martin Kosek | 2011-10-26 | 2 | -0/+39
  Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as the SOA record stores this value without it and people may be used to configure it that way. '@' is always removed by the installer/dns plugin before the DNS zone is created.
  https://fedorahosted.org/freeipa/ticket/1966
* Fixed inconsistent required/optional attributes. | Endi S. Dewata | 2011-10-25 | 1 | -1/+0
  The dialogs and details pages have been modified to use the * symbol to mark required fields. The automount map and the DNS zone dialogs have been modified to update the required fields according to the input type.
  Ticket #1696, #1973
* Fix problems in help system [master] | Rob Crittenden | 2011-10-20 | 1 | -0/+8
  Fixes 3 issues:
  - If a topic has all its commands disabled, it should be disabled
  - If a command is disabled its help should be disabled
  - The show-mappings help was missing a doc string so no help was displayed
  https://fedorahosted.org/freeipa/ticket/1998
* hbactest fails while you have svcgroup in hbacrule | Alexander Bokovoy | 2011-10-20 | 1 | -2/+3
  https://fedorahosted.org/freeipa/ticket/1988
* Improve hostgroup/netgroup collision checks | Martin Kosek | 2011-10-17 | 2 | -2/+32
  When the NGP plugin is enabled, a managed netgroup is created for every hostgroup. We already check that netgroup with the same name does not exist and provide a meaningful error message. However, this error message was also printed when a duplicate hostgroup existed.
  This patch checks for duplicate hostgroup existence first and netgroup on the second place. It also makes sure that when NGP plugin is (temporarily) disabled, a colliding netgroup cannot be created.
  https://fedorahosted.org/freeipa/ticket/1914
* Fix typo in invalid PTR record error message | Rob Crittenden | 2011-10-13 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1982
* Improve handling of GIDs when migrating groups | Martin Kosek | 2011-10-11 | 1 | -11/+62
  Since IPA v2 server already contains predefined groups that may collide with groups in migrated (IPA v1) server (for example admins, ipausers), users having colliding group as their primary group may happen to belong to an unknown group on new IPA v2 server.
  Implement --group-overwrite-gid option to overwrite GID of already existing groups to prevent this issue.
  https://fedorahosted.org/freeipa/ticket/1866
* Disallow deletion of global password policy. | Jan Cholasta | 2011-10-12 | 1 | -0/+8
  ticket 1936
* Include indirect membership and canonicalize hosts during HBAC rules testing | Alexander Bokovoy | 2011-10-10 | 1 | -7/+23
  When users and hosts are included into groups indirectly, make sure that during HBAC test we fill in all indirect groups properly into an HBAC request. Also, if hosts provided for test are not specified fully, canonicalize them using IPA domain. This makes possible following requests:

    ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
    Request to evaluate: <user <name foobar groups [hbacusers,ipausers]> service <name sshd groups []> targethost <name vm-101.ipa.local groups []> srchost <name vm-101.ipa.local groups []> >

  Fixes:
  https://fedorahosted.org/freeipa/ticket/1862
  https://fedorahosted.org/freeipa/ticket/1949
* Fix i18n in config plugin | Martin Kosek | 2011-10-11 | 1 | -2/+2
* Improve default user/group object class validation | Martin Kosek | 2011-10-11 | 1 | -0/+23
  When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following:
  - all object classes are known to LDAP
  - all default user/group attributes are allowed under the new set of default object classes
  https://fedorahosted.org/freeipa/ticket/1893
* split metadata call | Adam Young | 2011-10-09 | 1 | -14/+18
  The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.

  To fetch just the objects call it like this:
    {"method":"json_metadata","params":[["all",""],{}],"id":0}
  And just the methods call it like this:
    {"method":"json_metadata","params":[["","all"],{}],"id":0}

  Note the difference in the positional parameters. To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter. This is not ideal, but we are constrained by the existing API.
* Prevent collisions of hostgroup and netgroup | Martin Kosek | 2011-10-06 | 1 | -0/+11
  For every hostgroup a managed netgroup is created (if this is allowed). Make sure that if a stand-alone netgroup exists, a hostgroup with the same name cannot be created to prevent collisions.
  https://fedorahosted.org/freeipa/ticket/1914
* Added confirmation when adding multiple entries. | Endi S. Dewata | 2011-10-05 | 1 | -0/+1
  The adder dialog has been modified to show a confirmation message after each successful addition.
  Ticket #1786
* Add a function for formatting network locations of the form host:port for use in URLs. | Jan Cholasta | 2011-10-05 | 1 | -2/+2
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* Unroll StrEnum values when displaying help | Alexander Bokovoy | 2011-10-03 | 1 | -1/+4
  https://fedorahosted.org/freeipa/ticket/1848
* Require current password when using passwd to change your own password. | Rob Crittenden | 2011-10-04 | 4 | -5/+44
  Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it.
  https://fedorahosted.org/freeipa/ticket/1808
* Validate name_from_ip parameter of dnszone. | Jan Cholasta | 2011-10-04 | 1 | -1/+22
  ticket 1627
* I18n clean-up. | Endi S. Dewata | 2011-10-03 | 1 | -0/+2
  The hard-coded 'undo' and 'undo all' labels have been moved into internal.py to allow translation.
  Ticket #1897
* migrate process cannot handle multivalued pkey attribute | Martin Kosek | 2011-10-03 | 1 | -1/+17
  When group/user is migrated, the attribute used for RDN may be multivalued. Make sure that we pick the value used in the RDN which should be the unique one and not just the first one.
  https://fedorahosted.org/freeipa/ticket/1892
* Fix LDAPCreate search failure | Martin Kosek | 2011-09-30 | 1 | -1/+6
  LDAPCreate reports "search criteria was not specific enough" when LDAP object created in LDAPCreate shares its container with other LDAP objects and there is one with the same name and RDN attribute.
  Pass objectclass to find_entry_by_attr() function used to retrieve newly created object for POST_CALLBACK to identify correct LDAP object.
  https://fedorahosted.org/freeipa/ticket/1864
* Add regular expression pattern to host names. | Rob Crittenden | 2011-09-27 | 1 | -0/+3
  Limit hostnames to letters, digits and - with a maximum length of 255
  https://fedorahosted.org/freeipa/ticket/1780
* Include failed service and service groups in hbac rule management | Rob Crittenden | 2011-09-27 | 1 | -0/+3
  hbacrule-service-add/remove failures weren't being displayed because no label was defined.
  https://fedorahosted.org/freeipa/ticket/1863
  https://fedorahosted.org/freeipa/ticket/1865
* Fix error messages in hbacrule | Martin Kosek | 2011-09-27 | 1 | -4/+16
  Fix NotFound error messages in hbacrule commands so that the text is consistent with the rest of the framework.
  https://fedorahosted.org/freeipa/ticket/1861
* Normalize uid in user principal to lower-case and do validation | Rob Crittenden | 2011-09-22 | 2 | -10/+48
  Use same normalization and validation in passwd plugin and add some tests for invalid principals
  https://fedorahosted.org/freeipa/ticket/1778
* Fix /usr/bin/ipa dupled server list | Martin Kosek | 2011-09-22 | 1 | -1/+9
  Fix get_url_list() so that the configured master server is there just once. This fix lets /usr/bin/ipa try connecting to all IPA masters just once and not print confusing server list with dupled master.
  https://fedorahosted.org/freeipa/ticket/1817
* Suppress managed netgroups as indirect members of hosts. | Rob Crittenden | 2011-09-19 | 1 | -0/+34
  By design these managed netgroups are not supposed to show unless you specifically want to see them.
  https://fedorahosted.org/freeipa/ticket/1738
* Skip the cert validator if the csr we are passed in is a valid filename | Rob Crittenden | 2011-09-14 | 1 | -0/+7
  The validator will still fire, just after the load_files() call. Basically it will hit the validator twice. The first time it will exit because the value of csr is a filename. The second time it will run the validator against the contents of the file.
  ticket https://fedorahosted.org/freeipa/ticket/1777
* Fixed labels for run-as users and groups. | Endi S. Dewata | 2011-09-13 | 2 | -11/+12
  The labels for the run-as users and groups tables in sudo rule details page have been modified to improve the clarity.
  Ticket #1752
* Remove normalizer that made role, privilege and permission names lower-case | Rob Crittenden | 2011-09-12 | 3 | -3/+0
  https://fedorahosted.org/freeipa/ticket/1747
* Fix pylint false positive in hbactest module | Martin Kosek | 2011-09-13 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1763
* When external host is specified in HBAC rule, allow its use in simulation | Alexander Bokovoy | 2011-09-13 | 1 | -1/+4
  https://fedorahosted.org/freeipa/ticket/1763
  When external host is specified in HBAC rule, it needs to be added to the set of source hosts this rule applies to. Add (list of external hosts) explicitly when converting FreeIPA rules to PyHBAC objects.
* Cleanup whitespace | Alexander Bokovoy | 2011-09-13 | 1 | -3/+3
* Unroll groups when testing HBAC rules | Alexander Bokovoy | 2011-09-11 | 1 | -5/+34
  Fixes https://fedorahosted.org/freeipa/ticket/1740
* Incorrect name in examples of ipa help hbactest | Alexander Bokovoy | 2011-09-11 | 1 | -7/+7
  https://fedorahosted.org/freeipa/ticket/1741
  HBAC rules address PAM services, thus service names should correspond to proper PAM names.
* Don't allow a OTP to be set on an enrolled host | Rob Crittenden | 2011-09-10 | 1 | -0/+8
  Setting a password invalidates the existing keytab
  https://fedorahosted.org/freeipa/ticket/1719
* Fix typos | Yuri Chornoivan | 2011-09-07 | 3 | -5/+5
  Fix "The the" and "classses" in FreeIPA code and messages.
  https://fedorahosted.org/freeipa/ticket/1480
* Fixed hard-coded UI message in entity.js. | Endi S. Dewata | 2011-09-01 | 1 | -0/+1
  The hard-coded label in IPA.facet has been moved into internal.py to allow translation.
  Ticket #1701
* Fixed hard-coded UI messages. | Endi S. Dewata | 2011-08-31 | 1 | -322/+332
  Some hard-coded messages in ipa.js have been moved into internal.py. The messages in internal.py have been rearranged to match the output (ipa_init.json). A new method IPA.get_message() has been added to take a message ID and return the translated message or a default message if not found.
  Ticket #1701
* Let Bind track data changes | Martin Kosek | 2011-08-31 | 1 | -0/+3
  Integrate new bind-dyndb-ldap features to automatically track DNS data changes:

  1) Zone refresh
     Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added.

  2) New zone notifications
     Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh.

  To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled:

    dynamic-db "ipa" {
        ...
        arg "zone_refresh 0";
        arg "psearch yes";
    };

  This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
  https://fedorahosted.org/freeipa/ticket/826
* Suppress managed netgroups from showing as memberof hostgroups. | Rob Crittenden | 2011-08-31 | 1 | -4/+46
  By design these managed netgroups are not supposed to show unless you specifically want to see them.
  https://fedorahosted.org/freeipa/ticket/1738
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin | Jr Aquino | 2011-08-31 | 3 | -0/+591
  Added new container in etc to hold the automembership configs.
  Modified constants to point to the new container
  Modified dsinstance to create the container
  Created automember.py to add the new commands
  Added xmlrpc test to verify functionality
  Added minor fix to user.py for constant behavior between memberof and automember
  https://fedorahosted.org/freeipa/ticket/1272
* Add netgroup as possible memberOf for hostgroups | Rob Crittenden | 2011-08-29 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/1563
* Fix sudo help and summaries | Martin Kosek | 2011-08-29 | 3 | -43/+55
  1) Add sudorule docstring headline
  2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group
  3) Add missing summaries for sudorule-add-option and sudorule-remove-option. To keep backward compatibility with older clients, just print the missing summary with output_for_cli(), don't expand Output.
  https://fedorahosted.org/freeipa/ticket/1595
  https://fedorahosted.org/freeipa/ticket/1596
* Add external source hosts to HBAC. | Rob Crittenden | 2011-08-29 | 2 | -1/+57
  When adding/removing source hosts if the host isn't found in IPA it is considered external. The attribute externalhost is used to store external hosts.
  ticket https://fedorahosted.org/freeipa/ticket/1574
* enable proxy for dogtag | Adam Young | 2011-08-29 | 1 | -3/+7
  Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.
  The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet.
  IPA needs to request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.
  https://fedorahosted.org/freeipa/ticket/1334
  add flag to pkicreate in order to enable using proxy.
  add the proxy file in /etc/http/conf.d/
  Signed-off-by: Simo Sorce <ssorce@redhat.com>