summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* webui: add i18n for the rest of QR code stringsPetr Vobornik2014-09-111-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add token from user pagePetr Vobornik2014-09-111-0/+1
| | | | | | | | | | Add 'Add OTP Token' action to user action menu. This option is disabled in self-service when viewing other users. https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: better otp token type labelPetr Vobornik2014-09-111-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Update qrcode support for newer python-qrcodeNathaniel McCallum2014-09-111-2/+2
| | | | | | | | | This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal. https://fedorahosted.org/freeipa/ticket/4430 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrsPetr Viktorin2014-09-054-6/+6
| | | | | | | | | | | This is a fix for an earlier version, which was committed by mistake as: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 Thanks to Alexander Bokovoy for contributions https://fedorahosted.org/freeipa/ticket/4521
* Add managed read permissions for compat treePetr Viktorin2014-09-054-0/+41
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* FIX DNS wildcard records (RFC4592)Martin Basti2014-09-051-0/+22
| | | | | | | | | | Make validation more strict * DS, NS, DNAME owners should not be a wildcard domanin name * zone name should not be a wildcard domain name Ticket: https://fedorahosted.org/freeipa/ticket/4488 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS fix NS record coexistence validatorMartin Basti2014-09-051-6/+17
| | | | | | | NS can coexistent only with A, AAAA, DS, NS record Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: fix DS record validationMartin Basti2014-09-051-36/+63
| | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3801 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix dnsrecord-mod raise error if last record attr is removedMartin Basti2014-09-051-0/+7
| | | | | | Removing last record attribute causes output type validation error Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Ensure ipaUserAuthTypeClass when needed on user creationNathaniel McCallum2014-09-031-13/+11
| | | | | | | | | Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* permission plugin: Improve description of the target optionPetr Viktorin2014-09-031-1/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Make --target available in the CLIPetr Viktorin2014-09-031-1/+0
| | | | | | | This was left out by mistake when permissions were refactored. The API is already tested. https://fedorahosted.org/freeipa/ticket/4522
* pwpolicy-add: Added better error handlingThorsten Scherf2014-09-021-1/+6
| | | | | | | | | Make error message more meaningful when a password policy is added for a non existing group. https://fedorahosted.org/freeipa/ticket/4334 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaserver/dcerpc.py: Make sure trust is established only to forest root domainAlexander Bokovoy2014-09-011-0/+16
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/4463 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipa trust-add command should be interactiveGabe2014-08-251-1/+25
| | | | | | | | | - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* service: Normalize service principal in get_dnPetr Viktorin2014-08-211-0/+3
| | | | | | This will make any lookup go through the normalization. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support delegating RBAC roles to service principalsPetr Viktorin2014-08-212-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/3164 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: better authentication types descriptionPetr Vobornik2014-08-211-0/+7
| | | | | | | | | | Tooltips were added to "User authentication types" and "Default user authentication types" to describe their relationship and a meaning of not-setting a value. https://fedorahosted.org/freeipa/ticket/4471 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: improved info msgs on login/token sync/reset pwd pagesPetr Vobornik2014-08-201-2/+3
| | | | | | | | | | - add info icons to distinguish and classify the messages. - add info text for OTP fields - fix login instruction inaccuracy related to position of login button https://fedorahosted.org/freeipa/ticket/4470 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Allow to add host if AAAA record existsMartin Basti2014-08-112-6/+17
| | | | | | http://fedorahosted.org/freeipa/ticket/4164 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add functions for DER encoding certificate extensions to ipalib.x509.Jan Cholasta2014-07-301-0/+25
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow overriding NSS database path in RPCClient.Jan Cholasta2014-07-301-2/+5
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for writing list of certificates to a PEM file to ipalib.x509.Jan Cholasta2014-07-301-10/+30
| | | | | | | | | | Also rename load_certificate_chain_from_file to load_certificate_list_from_file. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add certificate store module ipalib.certstore.Jan Cholasta2014-07-301-0/+397
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for extracting extended key usage from certs to ipalib.x509.Jan Cholasta2014-07-301-0/+22
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add functions for extracting certificates fields in DER to ipalib.x509.Jan Cholasta2014-07-301-0/+55
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for checking if certificate is self-signed to ipalib.x509.Jan Cholasta2014-07-301-0/+6
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Verify otptoken timespan is validDavid Kupka2014-07-291-1/+30
| | | | | | | | | When creating or modifying otptoken check that token validity start is not after validity end. https://fedorahosted.org/freeipa/ticket/4244 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix group-remove-member crash when group is removed from a protected groupDavid Kupka2014-07-291-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4448 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Exclude attributelevelrights from --raw result processing in baseldap.Jan Cholasta2014-07-291-3/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4371 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib: idrange: Make non-implemented range types fail the validationTomas Babej2014-07-281-2/+3
| | | | | | | | | | The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to pass the validation tests, however, they are not implemented nor checked by the 389 server plugin. https://fedorahosted.org/freeipa/ticket/4323 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: return 'none' attr level right as unicode stringPetr Vobornik2014-07-251-1/+1
| | | | | | | | | Returning non-unicode causes serialization into base64 which causes havoc in Web UI. https://fedorahosted.org/freeipa/ticket/4454 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Remove redundant search from LDAPAddReverseMember and ↵Tomas Babej2014-07-231-6/+0
| | | | | | LDAPRemoveReverseMember Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix login password expiration detection with OTPNathaniel McCallum2014-07-211-0/+6
| | | | | | | | | | | | | | | | | | | | | The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* webui: custom attr in attributes widgetPetr Vobornik2014-07-211-0/+2
| | | | | | | | | | Web UI doesn't always know what are the possible attributes for target object. This will allow to add custom attributes if necessary. https://fedorahosted.org/freeipa/ticket/4253 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add filter to attributes widgetPetr Vobornik2014-07-211-0/+1
| | | | | | | | | | | Adds filter field to attribute box in permissions for better user experience. User can then quickly find the desired attribute. Initial version of the patch authored by: Adam Misnyovszki https://fedorahosted.org/freeipa/ticket/4253 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Fix typos in dns.pyGabe2014-07-181-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4429 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* trusts: Validate missing trust secret properlyTomas Babej2014-07-141-4/+6
| | | | | | | | | Detect the situation if the user passes empty trust secret and error out properly. https://fedorahosted.org/freeipa/ticket/4266 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Return empty string when no effective rights are foundPetr Viktorin2014-07-091-0/+4
| | | | | | | | | | DS returns the string "none" when no rights were found. All clients would need to special-case this value when checking the rights. Return empty string instead. https://fedorahosted.org/freeipa/ticket/4359 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* webui: capitalize labels of undo and undo all buttonsPetr Vobornik2014-07-081-2/+2
| | | | | | | Make the label of these buttons consistent with other buttons which have capital first letters. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* webui: new navigation structurePetr Vobornik2014-07-041-0/+2
| | | | | | | | https://fedorahosted.org/freeipa/ticket/4418 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow to add managed permission for reverse zonesMartin Basti2014-07-041-2/+2
| | | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4422 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add Modify Realm Domains permissionMartin Kosek2014-07-041-0/+8
| | | | | | | | | The permission is required for DNS Administrators as realm domains object is updated when a master zone is added. https://fedorahosted.org/freeipa/ticket/4423 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Non IDNA zonename should be normalized to lowercaseMartin Basti2014-07-041-0/+10
| | | | | | Before IDNA support zone was normalized. Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipalib: Use DateTime parameter class for OTP token timestamp attributesTomas Babej2014-07-041-3/+3
| | | | | | | | For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix incompatible permission name *zone-delMartin Basti2014-07-031-14/+19
| | | | | | Fixes ticket: https://fedorahosted.org/freeipa/ticket/4383 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Split dns docstringMartin Basti2014-07-031-47/+47
| | | | Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Help for forward zonesMartin Basti2014-07-031-12/+51
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Spacek <pspacek@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-10 04:29:15 +0000