| Commit message (Collapse) | Author | Age | Files | Lines |
| |
To do this we need to break the link manually on both sides, the user and
the group.
We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.
ticket 75
| |
The remove member function in baseldap was not returning failures at all.
The add member function was only showing them in the group object.
Most of the magic is handled in baseldap. Each plugin just needs to define
object_name and object_name_plural. object_name must be all lower-case
because fake-attributes are created so membership can be broken out
per-object type. I left the plural name lower case as well.
ticket 85
| |
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.
ticket #11
| |
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.
The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.
We use a lot of made-up host names in the test system, all of which require
the force flag now.
ticket #25
| |
ticket #113
| |
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().
Added a test case for this situation to ensure that re-issuing a certificate
works.
ticket #88
| |
It returns the user principal.
This is required by the webui, as the Kerberos credential mechanism in http
does not expose the cleartext principal to the web browser.
| |
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use the right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point; it works ok now.
| |
Javascript based ui.
| |
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.
I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
| |
The import was only used when running the in-tree lite-server
| |
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
| |
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key, using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
| |
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.
Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
| |
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that led to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
| |
I used pylint to identify a bunch of unnecessary and too-broad imports
| |
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the user's uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
| |
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.
I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
| |
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
| |
Also fix the memberOf attribute for the HBAC services
| |
461325
| |
Fix deletion of policy when a group is removed.
| |
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.
588574
| |
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.
This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
| |
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
| |
Fix bug #588414
| |
Also consolidate some duplicate code
| |
Summaries were appearing as "Gettext(...)".
Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
| |
583023
| |
Based on initial patch from Pavel Zuna.
| |
The DNS plugin is getting old, tired and already looking forward to his
pension in the Caribbean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
had the has_output attribute in place
- --all: this is related to the output definitions as
Command.get_options() adds the --all and --raw options automatically
if has_output contains entries
- dns-add-rr overwriting: missing .lower() caused records to be
overwritten every time a new one was added from the CLI
| |
We were being left with orphan services if the host entry was not removed
using the FQDN.
| |
I also changed the default value of the print_all argument in
textui.print_entry from False to True. I think it makes more sense this
way, because:
1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the
rest
3) commands that care about the print_all argument have to set it in any
case, those that don't care usually want to print everything
|