summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Add more information and examples on targets.Rob Crittenden2010-12-061-6/+33
| | | | ticket 310
* Remove accessTime from HBAC.Rob Crittenden2010-12-061-19/+24
| | | | ticket 545
* Check if the group existsJan Zeleny2010-12-061-0/+6
| | | | | | | | When setting default group, we should check if the group exists. If not, it could lead to some issues with adding new users after the new default group is set. https://fedorahosted.org/freeipa/ticket/504
* Document that the default group has to existJan Zeleny2010-12-061-1/+2
| | | | | | | | | After calling ipa config --defaultgroup=xxx with nonexistent group xxx, the result will be that no new user can be added. The operation will always fail in the middle because it is not possible to add the new user to desired default group. https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4
* When deleting multiple entries use --continue, not --continuous.Rob Crittenden2010-12-031-1/+1
| | | | ticket 561
* Don't look up the CoS entry with the global password policy.Rob Crittenden2010-12-031-2/+2
| | | | ticket 523
* Provide list of available attributes for use in ACI UI.Rob Crittenden2010-12-035-2/+26
| | | | | | | Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446
* Fixed association linksEndi S. Dewata2010-12-031-0/+4
| | | | | | | | | | | | | | | | | | | The create_association_facets() has been modified such that it does not generate duplicate links. This is done by assigning the proper labels and hiding non-assignable associations. Each association will get a label based on the attribute used: - memberof: Membership in <entity name> - member.*: <entity name> Members - managedby: Managed by <entity name> The following associations will be hidden: - memberindirect - enrolledby The internal.py was modified to return localized labels. The test data has been updated.
* dns2 ui replaceing calls for the dns plugin to the dns2 plugin no has ↵Adam Young2010-12-031-1/+1
| | | | attribute permissions and all other benefits of building on the baseldap plugin
* Added some fields to user objectJan Zeleny2010-12-031-2/+46
| | | | | | | Some fields were missing from user object, this change adds them along with their l10n https://fedorahosted.org/freeipa/ticket/305
* Add labels for passwords, fix output of exceptions, fix passwd output.Rob Crittenden2010-12-023-9/+14
| | | | | | | | | | | Passwords didn't have internationalizable labels. Exceptions that occured during required input weren't printed as unicode so weren't being translated properly. Don't use output_for_cli() directly in the passwd plugin, use output.Output. ticket 352
* This is the second half of a patch. Only the part that had to beRob Crittenden2010-12-026-5/+6
| | | | | | | | | | | | | | | | | | | | | | | re-based got pushed for some reason. Use better description for group names in help and always prompt for members When running <foo>-[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled which was rather confusing. This will work via a shell if you want to echo too: $ echo "" | ipa group-add-member g1 This returns 0 members because nothing is read for users or group members. $ echo -e "g1\nadmin\n" | ipa group-add-member This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first. ticket 415
* Use better description for group names in help and always prompt for membersRob Crittenden2010-12-021-5/+8
| | | | | | | | | | | | | | | | | | | When running <foo>-[add|remove]-member completely interactively it didn't prompt for managing membership, it just reported that 0 members were handled which was rather confusing. This will work via a shell if you want to echo too: $ echo "" | ipa group-add-member g1 This returns 0 members because nothing is read for users or group members. $ echo -e "g1\nadmin\n" | ipa group-add-member This adds the user admin to the group g1. It adds it as a user because user membership is prompted for first. ticket 415
* Updated output when calling hbac-showJan Zeleny2010-12-021-2/+6
| | | | | | | | Some attributes weren't included in the output of hbac-show command. This patch fixes it. https://fedorahosted.org/freeipa/ticket/494 https://fedorahosted.org/freeipa/ticket/495
* Normalize and convert default params, tooJakub Hrozek2010-12-021-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/555
* Add new version of DNS plugin: complete rework with baseldap + unit tests.Pavel Zuna2010-12-011-0/+584
| | | | | Ticket #36 Ticket #450
* Re-implement access control using an updated model.Rob Crittenden2010-12-0113-361/+1176
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* action panel sibling added function to get sibling entities from the tab ↵Adam Young2010-12-014-4/+4
| | | | set. remove explicit sibling code from entity pages Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI
* Prompt correctly for required Password params.Pavel Zuna2010-11-301-10/+13
| | | | Ticket #361
* Create user private groups with a uniqueid.Rob Crittenden2010-11-301-1/+1
| | | | | | | | | | If we don't then we need to add it when a group is detached causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Handle error messages during various HBAC operationsJan Zeleny2010-11-291-0/+8
| | | | | | | | | | | During some HBAC operations, various error messages were handled incorrectly - displaying only generic error messages instead of correct ones, which were defined for the module. This patch adds catching these generic exceptions and raising new exceptions with the correct error message. https://fedorahosted.org/freeipa/ticket/487
* whoami fixAdam Young2010-11-241-2/+3
| | | | recent changes to the scope mechanism weren't propigated to the whoami call
* Rename parent LDAPObject pkeys in child LDAPObject methods.Pavel Zuna2010-11-241-1/+5
| | | | | | | | If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params.
* Gracefully handle an empty members listRob Crittenden2010-11-241-1/+4
| | | | | | | | | | | This can occur if you do something like: $ ipa hbac-add-host --hosts="" testrule options will have an entry for 'host' but it will be None whcih is not iterable. ticket 486
* Generate better DuplicateEntry error messages in LDAPCreate.Pavel Zuna2010-11-231-6/+13
| | | | Ticket #530
* Change signature of LDAPSearch.pre_callback.Pavel Zuna2010-11-236-18/+30
| | | | Add the opportunity to change base DN and scope in the callback.
* Add ability to add/remove DNS records when adding/removing a host entry.Rob Crittenden2010-11-234-1/+165
| | | | | | | | | | | | | | | | | | A host in DNS must have an IP address so a valid IP address is required when adding a host. The --force flag will be needed too since you are adding a host that isn't in DNS. For IPv4 it will create an A and a PTR DNS record. IPv6 isn't quite supported yet. Some basic work in the DNS installer is needed to get this working. Once the get_reverse_zone() returns the right value then this should start working and create an AAAA record and the appropriate reverse entry. When deleting a host with the --updatedns flag it will try to remove all records it can find in the zone for this host. ticket 238
* Multivalued email addressEndi S. Dewata2010-11-201-1/+1
|
* Improve the documentation of setattr/addattrJakub Hrozek2010-11-191-2/+3
| | | | https://fedorahosted.org/freeipa/ticket/245
* Give a detached group a full set of group objectclasses.Rob Crittenden2010-11-192-8/+25
| | | | | | | The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
* Fix returning effective rights for password policy.Rob Crittenden2010-11-192-2/+6
| | | | | | This also returns the rights for cospriority if the policy is for a group. ticket 449
* Add managedby to Host entriesRob Crittenden2010-11-191-3/+33
| | | | | | This will allow others to provision on behalf of the host. ticket 280
* Revoke a host's certificate (if any) when it is deleted or disabled.Rob Crittenden2010-11-192-93/+246
| | | | | | | | | Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
* Use distutil.version to check for min versionSimo Sorce2010-11-181-2/+8
|
* add plugin to enable/disable anonymous pkinitSimo Sorce2010-11-181-0/+98
|
* batch init this batches together the calls to json_metadata, i18n_messages, ↵Adam Young2010-11-181-30/+41
| | | | and user-find [whoami] tostreamline the init process, and also allow us to add a call to enumerate the plugins.
* Increase # of chars in users and groups to 255 and default username to 32.Rob Crittenden2010-11-122-4/+4
| | | | ticket 434
* Don't include INTERNAL commands in `ipa help commands` output.Rob Crittenden2010-11-101-0/+2
| | | | ticket 463
* Replace 'Locking' in `ipa help user` with 'Disabling'.Pavel Zuna2010-11-091-1/+1
| | | | Ticket #452
* delete to remove THe keyword delete is reserved in Javascript Using it ↵Adam Young2010-11-091-1/+1
| | | | breaks the WebUI on Chrome. This fixes replaces the word with delete.
* Add usercategory and hostcategory and fix displaying members in netgroup_showRob Crittenden2010-11-081-0/+24
| | | | ticket 443
* Clarify the description of --raw and -allJakub Hrozek2010-11-082-5/+5
| | | | https://fedorahosted.org/freeipa/ticket/244
* Ticket ExpirationAdam Young2010-11-081-1/+8
| | | | | | | | THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app Conflicts: install/static/ipa.js
* Add the --rights option to the LDAPUpdate base class.Rob Crittenden2010-11-051-10/+24
| | | | ticket 437
* Fix typo in exception sample causing a doctest to failRob Crittenden2010-11-051-1/+1
|
* batchAdam Young2010-11-051-0/+86
| | | | Allows the user to send multiple commands bundled together
* user-enable/disable improvementsRob Crittenden2010-11-043-22/+35
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Output ACI's broken out into attributes rather than a single text fieldRob Crittenden2010-11-042-74/+87
| | | | | | Also add validation to the List parameter type. ticket 357
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for ↵Jr Aquino2010-11-032-5/+10
| | | | sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes.
* Use kerberos password policy.Rob Crittenden2010-11-012-15/+35
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
generated by cgit (git 2.34.1) at 2024-09-27 11:18:27 +0000