summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Get the created range type in case of re-establishing trustTomas Babej2013-10-211-0/+2
| | | | | | | This is a regression fix introduced by commit id: 285ed59889590ddd0d6ca2e2a030b28527941cbf Fixes internal error in case of re-establishing the trust.
* trusts: Do not create ranges for subdomains in case of POSIX trustTomas Babej2013-10-141-11/+39
| | | | | | For the AD trusts where the ID range for the root level domain is of ipa-ad-trust-posix type, do not create a separate ranges for the subdomains, since POSIX attributes provide global mapping.
* Add IntEnum parameter to ipalibNathaniel McCallum2013-10-092-25/+43
|
* Allow multiple types in Param type validationNathaniel McCallum2013-10-091-35/+18
| | | | | Int already needed to take both int and long. This makes the functionality available for all Param classes.
* Add optional_create flagNathaniel McCallum2013-10-082-5/+12
|
* Don't special case the Password class in Param.__init__()Nathaniel McCallum2013-10-081-11/+6
|
* Document no_search in Param flagsNathaniel McCallum2013-10-071-1/+3
|
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-0/+6
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-3/+20
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-1/+0
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* frontend: report arguments errors with better detailAlexander Bokovoy2013-10-041-1/+2
| | | | | When reporting argument errors, show also a context -- what is processed, what is the name of the command.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-51/+278
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* Do not add trust to AD in case of IPA realm-domain mismatchTomas Babej2013-10-031-0/+13
| | | | | | | | Make sure that trust-add command fails when admin attempts to add an Active Directory trust when the realm name and the domain name of the IPA server do not match. https://fedorahosted.org/freeipa/ticket/3923
* Use correct super-calls in get_args() methodsPetr Viktorin2013-10-022-24/+21
| | | | | | | | | | The get_args methods in ipalib.crud and ipalib.plugins.baseldap used super() calls that skipped some of the classes in the inheritance chain, and contained code that reimplemented some of the skipped functionality. This made it difficult to customize the get_args behavior. Use proper super() calls.
* Don't exclude symlinks when loading pluginsNick Hatch2013-09-161-1/+1
|
* Fix service-disable in CA-less install.Jan Cholasta2013-08-291-20/+21
| | | | https://fedorahosted.org/freeipa/ticket/3886
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-0/+44
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Fix incorrect error message occurence when re-adding the trustTomas Babej2013-08-271-1/+1
| | | | | | | | | You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that range_size parameter has default value. However, default value is assigned only later in the add_range function. https://fedorahosted.org/freeipa/ticket/3870
* Add base-id, range-size and range-type options to trust-add dialogPetr Vobornik2013-08-221-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3049
* Allow API plugin registration via a decoratorPetr Viktorin2013-08-142-3/+32
| | | | | | | | | | | | This makes plugin registration easier to read, less error-prone, and, for many Plugins in a single module, faster to write. Functionally, the decorator is equivalent to current plugin registration. However, in the future this style will allow cleaner semantics. As an example, and to exercise the new syntax to prevent regressions, the ping plugin is converted to this style.
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-1/+1
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-6/+4
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Add new command compat-is-enabledAna Krivokapic2013-08-071-0/+44
| | | | | | | | | Add a new API command 'compat-is-enabled' which can be used to determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in IPA CLI. https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Enable running API commands in ipa-advise pluginsAna Krivokapic2013-08-071-2/+2
| | | | | https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Add a word wrapping for comment log messages to AdviceLoggerTomas Babej2013-08-061-2/+7
| | | | | The comments logged through AdviceLogger are now wrapped up to 70 characters. This change has been documented in the docstrings.
* Improve help entry for ipa hostTomas Babej2013-08-061-5/+7
| | | | | | | | Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820
* Limit pwpolicy maxlife to 20000 daysTomas Babej2013-08-051-0/+1
| | | | | | | | | | | | Since krbMaxPwdLife attribute is represented as number of seconds, setting maxlife to high values such as 999 999 days (~2739 years) would result to overflow when parsing this attribute in kdb plugin, and hence default maxlife of 90 days would be applied. Limit the maximum value of maxlife that can be set through the framework to 20 000 days (~ 54 years). https://fedorahosted.org/freeipa/ticket/3817
* Expose ipaRangeType in Web UIAna Krivokapic2013-07-291-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3759
* Refactor the interactive prompt logic in idrange_addTomas Babej2013-07-261-27/+34
| | | | | | | | | | | | | | | | Make the interactive prompts interpret the following logic: - AD range (dom-sid/dom-name set): require RID base if not set - local range(dom-sid/dom-name not set): a) server with adtrust support: require both RID base and secondary RID base b) server without adtrust support: if any of RID base, secondary RID base set, require both of them https://fedorahosted.org/freeipa/ticket/3786
* Use valid LDAP search base in migration pluginMartin Kosek2013-07-261-1/+2
| | | | | | One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
* Remove word 'field' from GECOS param labelPetr Vobornik2013-07-231-1/+1
| | | | No other param/field has 'field' in a label.
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD firstAlexander Bokovoy2013-07-231-6/+3
| | | | | | | | Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-231-12/+99
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
* Add new hidden command option to suppress processing of membership attributes.Jan Cholasta2013-07-231-18/+50
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Fix internal error in idrange-addAna Krivokapic2013-07-221-1/+1
| | | | | | | Fix internal error in idrange-add, caused by a missing 'name' argument of ValidationError. https://fedorahosted.org/freeipa/ticket/3781
* Provide ipa-advise toolTomas Babej2013-07-173-2/+52
| | | | | | | | | | | | | | Provides a pluggable framework for generating configuration scriptlets and instructions for various machine setups and use cases. Creates a new ipa-advise command, available to root user on the IPA server. Also provides an example configuration plugin, config-fedora-authconfig. https://fedorahosted.org/freeipa/ticket/3670
* Add --range-type option that forces range type of the trusted domainTomas Babej2013-07-112-4/+40
| | | | | | | | | | Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650
* Use LDAP search instead of *group_show to check for a group objectclass.Jan Cholasta2013-07-113-37/+41
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Use LDAP search instead of *group_show to check if a group exists.Jan Cholasta2013-07-116-9/+15
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Skip cert issuer validation in service and host commands in CA-less install.Jan Cholasta2013-07-091-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3736
* Remove entitlement supportMartin Kosek2013-06-263-772/+0
| | | | | | | Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code. https://fedorahosted.org/freeipa/ticket/3739
* Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-installAna Krivokapic2013-06-242-5/+62
| | | | | | | | | | | | | Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in IPA CLI. Use this command in idrange_add to conditionally require rid-base and secondary-rid-base options. Add tests to cover the new functionality https://fedorahosted.org/freeipa/ticket/3634
* Fail when adding a trust with a different rangeAna Krivokapic2013-06-241-69/+148
| | | | | | | | When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635
* Return ipaRangeType as a list in idrange commandsTomas Babej2013-06-191-1/+1
| | | | | | | To be consistent with the rest of the LDAP commands, return ipaRangeType as a list of unicode strings. Regression caused by https://fedorahosted.org/freeipa/ticket/3647
* PEP8 fixes in idrange.pyTomas Babej2013-06-101-8/+17
|
* Extend idrange commands to support new range origin typesTomas Babej2013-06-101-14/+54
| | | | | | | | | | | | | | Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647
* Prevent error when running IPA commands with su/sudoAna Krivokapic2013-06-071-5/+5
| | | | https://fedorahosted.org/freeipa/ticket/3685
* Remove redundant u'' characterMartin Kosek2013-06-062-2/+2
| | | | | | One Python's unicode marking character was being printed by RPC plugin which then appeared in ipa-client-install output. This patch removes it.
* Incorporate interactive prompts in idrange-addTomas Babej2013-06-051-3/+38
| | | | | | | | | | | In idrange-add command, ensure that RID base is prompted for in the interactive mode if domain SID or domain name was specified. If domain name nor SID was specified, make sure rid base is prompted for if secondary rid base was specified and vice versa. https://fedorahosted.org/freeipa/ticket/3602
* Add prompt_param method to avoid code duplicationTomas Babej2013-06-053-42/+55
| | | | | | | | | | Extracted common code from ipalib/plugins/cli.py and ipalib/plugins/dns.py that provided way to prompt user for the value of specific attribute. Added prompt_param method to Command class in ipalib/frontend.py Done as part of https://fedorahosted.org/freeipa/ticket/3602
generated by cgit (git 2.34.1) at 2024-06-09 15:48:04 +0000