summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* trust: support retrieving POSIX IDs with one-way trust during trust-addoneway-trustAlexander Bokovoy2015-07-071-14/+51
| | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-071-34/+107
| | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-071-1/+8
| | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-071-1/+2
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4951
* include more information in metadataPetr Vobornik2015-07-033-70/+24
| | | | | | | | | | | added to commands: doc, proper args, NO_CLI added to options: default_from, cli_name, cli_short_name and others https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of infoMartin Basti2015-07-031-1/+1
| | | | | | Upgrade contains too many unnecessary info logs. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: make cn of new segment consistent with topology pluginPetr Vobornik2015-07-031-1/+1
| | | | Reviewed-By: David Kupka <dkupka@redhat.com>
* topologysegment: hide direction and enable optionsPetr Vobornik2015-07-031-1/+2
| | | | | | | | These options should not be touched by users yet. https://fedorahosted.org/freeipa/ticket/5061 Reviewed-By: David Kupka <dkupka@redhat.com>
* new commands to manage user/host/service certificatesMartin Babinsky2015-07-023-2/+98
| | | | | | | | | | | | A new group of commands is introduced that simplifies adding and removing binary certificates to entries. A general form of the command is ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB] Part of http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* reworked certificate normalization and revocationMartin Babinsky2015-07-023-146/+55
| | | | | | | | | | | Validation of certificate is now handled by `x509.validate_certificate'. Revocation of the host and service certificates was factored out to a separate function. Part of http://www.freeipa.org/page/V4/User_Certificates Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: add support for API commands managing only a single attributeMartin Babinsky2015-07-021-0/+114
| | | | | | | This patch extends the API framework with a set of classes which add/remove values to a single LDAPObject attribute. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowedTomas Babej2015-07-021-3/+24
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Do not abort the find & show commands on conversion errorsTomas Babej2015-07-021-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Display the wrong attribute name when mandatory attribute is missingThierry Bordaz2015-07-021-1/+1
| | | | | | | When activating a stageuser, if 'sn' or 'cn' or 'uid' is missing it displays an error with 'cn' Reviewed-By: Tomas Babej <tbabej@redhat.com>
* DNS: Do not traceback if DNS is not installedMartin Basti2015-07-011-2/+11
| | | | | | | | | Instead of internal error show 'DNS is not configured' message, when a dns* command is executed. https://fedorahosted.org/freeipa/ticket/5017 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* plugable: Remove unused call method of PluginJan Cholasta2015-07-011-18/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugin base classes and modules using API propertiesJan Cholasta2015-07-012-16/+25
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Change is_production_mode to method of APIJan Cholasta2015-07-012-15/+11
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Remove SetProxy, DictProxy and MagicDictJan Cholasta2015-07-011-110/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Lock API on finalization rather than on initializationJan Cholasta2015-07-011-10/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Do not use DictProxy for APIJan Cholasta2015-07-011-9/+50
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-018-48/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Load plugins only from modules imported by APIJan Cholasta2015-07-013-7/+24
| | | | | | | | Previously all plugin modules imported from anywhere were added to the API. https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugins to import in API by module namesJan Cholasta2015-07-012-45/+45
| | | | | | | | | This change removes the automatic plugins sub-package magic and allows specifying modules in addition to packages. https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Move find_modules_in_dir from util to plugableJan Cholasta2015-07-012-24/+23
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is TrueJan Cholasta2015-07-014-6/+2
| | | | | | | https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Move plugin base class and override logic to APIJan Cholasta2015-07-013-163/+122
| | | | | | | | | | | | Each API object now maintains its own view of registered plugins. This change removes the need to register plugin base classes. This reverts commit 2db741e847c60d712dbc8ee1cd65a978a78eb312. https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Remove ID overrides for permanently removed users and groupsTomas Babej2015-07-013-5/+40
| | | | | | | | | For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow users specify the raw anchor directly as identifierTomas Babej2015-07-011-11/+31
| | | | | | | | | | | | | | For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable. Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Set dcerpc detection flag properlyTomas Babej2015-07-011-1/+3
| | | | | | | | | The availability of dcerpc bindings is being checked on the client side as well, hence we need to define it properly. https://fedorahosted.org/freeipa/ticket/5025 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Don't rely on positional arguments for python-kerberos callsRob Crittenden2015-07-011-1/+2
| | | | | | | | | | | | | Upstream PyKerberos uses a different argument ordering than from the patch that Fedora/RHEL was carrying for authGSSClientInit(). Using named arguments provides forwards and backwards compatibility. https://fedorahosted.org/freeipa/ticket/5085 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* certprofile: fix doc errorFraser Tweedale2015-06-291-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Verify replication topology for a suffixPetr Vobornik2015-06-292-0/+87
| | | | | | | | | | | | Checks done: 1. check if the topology is not disconnected. In other words if there are replication paths between all servers. 2. check if servers don't have more than a recommended number of replication agreements(4) https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: David Kupka <dkupka@redhat.com>
* topology: check topology in ipa-replica-manage delPetr Vobornik2015-06-291-0/+51
| | | | | | | | | | | | ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: permission to delete a preserved userroot2015-06-291-0/+10
| | | | | | | | Add permission to delete an entry from Delete container https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix for a typo in certprofile mod command.Milan KubĂ­k2015-06-231-1/+1
| | | | Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* webui: adjust user deleter dialog to new apiPetr Vobornik2015-06-181-0/+3
| | | | | | | | | In user_del, flags 'permanently' and 'preserve' were replaced with single bool option 'preserve' part of: https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: change user-del flags to be CLI-specificJan Cholasta2015-06-181-8/+24
| | | | | | | | Rename --permanently to --no-preserve. https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: add UnknownRecord to schemaMartin Basti2015-06-181-2/+2
| | | | | | | | defintion of UnknownRecord attributetype https://fedorahosted.org/freeipa/ticket/4939 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix OTP token URI generationNathaniel McCallum2015-06-171-1/+1
| | | | | | | | Google Authenticator fails if the algorithm is not uppercase. https://fedorahosted.org/freeipa/ticket/5047 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* User life cycle: provide preserved user virtual attributeJan Cholasta2015-06-151-30/+48
| | | | | | | https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* server: add "del" commandPetr Vobornik2015-06-151-0/+7
| | | | | | | this command is internal and is supposed to be used by ipa-replica-managed to delete replica. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Stage User: Fix permissions naming and split them where apropriate.Thierry Bordaz2015-06-151-42/+40
| | | | | Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* topology: fix swapped topologysegment-reinitialize behaviorPetr Vobornik2015-06-151-2/+4
| | | | | | | | | | setting "nsds5BeginReplicaRefresh;left" to "start" reinintializes the right node and not the left node. This patch fixes API to match the behavior. part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* topology: restrict direction changesPetr Vobornik2015-06-151-1/+2
| | | | | | | | | | | | | topology plugin doesn't properly handle: - creation of segment with direction 'none' and then upgrade to other direction - downgrade of direction These situations are now forbidden in API. part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.Petr Spacek2015-06-112-13/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* disallow mod of topology segment nodesPetr Vobornik2015-06-111-0/+2
| | | | | | | | | | | | | | | | | Mod of segment end will be disallowed in topology plugin. Reasoning (by Ludwig): if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new would be a duplicate and create new agmts. There could be some difficult scenarios, like having A <--> B <--> C <--> D, if you modify the segment B-C to A-D topology breaks and is then reconnected. part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: validate forward zone forwardersMartin Basti2015-06-113-3/+182
| | | | | | | | | | Show warning messages if DNSSEC validation is failing for particular FW zone or if the specified forwarders do not work https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: Improve global forwarders validationMartin Basti2015-06-113-52/+164
| | | | | | | | | | Validation now provides more detailed information and less false positives failures. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* rename topologysegment_refresh to topologysegment_reinitializePetr Vobornik2015-06-111-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5056 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-03 19:46:28 +0000