path: root/ipalib
Commit message | Author | Age | Files | Lines
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for ↵ | Jr Aquino | 2010-11-03 | 2 | -5/+10
| sudorule to allow for cmdCategory all
| Added fixes for xmlrpc tests to reflect sudocmd changes.
* Use kerberos password policy. | Rob Crittenden | 2010-11-01 | 2 | -15/+35
| This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.
| There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.
| The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.
| As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line.
| ticket 51
* Implement nested netgroups and include summaries for the commands. | Rob Crittenden | 2010-10-29 | 2 | -10/+38
| Replace the existing netgroup test cases with Declarative tests. This triples the number of tests we were doing.
| ticket 209
* Return reason for failure when updating group membership fails. | Rob Crittenden | 2010-10-28 | 4 | -36/+56
| We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that was returned.
| Also made the label we use for failures to be singular instead of plural since we now print them out individually instead of as comma-separated.
| ticket 270
* Don't allow managed groups to have group password policy. | Rob Crittenden | 2010-10-28 | 2 | -1/+19
| UPG cannot have members and we use memberOf in class of service to determine which policy to apply.
| ticket 160
* Remove group nesting from the HBAC service groups | Rob Crittenden | 2010-10-28 | 1 | -9/+3
| ticket 389
* Use context to decide which name to return on RequirementsErrors | Rob Crittenden | 2010-10-28 | 2 | -6/+13
| When a Requirement fails we throw an exception including the name of the field that is missing. To make the command-line friendlier we have a cli_name defined which may or may not match the LDAP attribute. This can be confusing if you are using ipalib directly because the attribute name missing may not match what is actually required (desc vs description is a good example).
| If you use the context 'cli' then it will throw exceptions using cli_name. If you use any other context it will use the name of the attribute.
| ticket 187
* Add option to generate random one-time password for hosts for bulk enrollment | Rob Crittenden | 2010-10-28 | 1 | -2/+43
| ticket 228
* Populate indirect members when showing a group object. | Rob Crittenden | 2010-10-28 | 11 | -132/+130
| This is done by creating a new attribute, memberindirect, to hold this indirect membership.
| The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently.
| This also:
| * Moves all member display attributes into baseldap.py to reduce duplication
| * Adds netgroup nesting
| * Use a unique object name in hbacsvc and hbacsvcgroup
| ticket 296
* Retrieve Get Effective Rights output with LDAPRetrieve | Rob Crittenden | 2010-10-28 | 1 | -0/+18
| The output is a pure python dict so is really only useful when used with --all so it is required.
| Updated to return a string for rights as opposed to a list. Terser, reducing the wire size by a factor of 3.5
* Allow RDN changes for users, groups, rolegroups and taskgroups. | Rob Crittenden | 2010-10-28 | 5 | -0/+22
| To do a change right now you have to perform a setattr like:
| ipa user-mod --setattr uid=newuser olduser
| The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored.
| ticket 323
* Add LDAPObject setting to handle different attributes for RDN and PKEY. | Pavel Zuna | 2010-10-28 | 4 | -64/+48
|
* UUIDs: remove uuid python plugin and let DS always autogenerate | Simo Sorce | 2010-10-28 | 4 | -580/+5
| merge in remove uuid
* whoami goodbye | Adam Young | 2010-10-26 | 1 | -41/+0
| Removing the whoami plugin, as it has been wrapped up into the user plugin
* Fix two failing tests. | Rob Crittenden | 2010-10-22 | 1 | -1/+1
| The first test is a mismatch in the sample output of an exception.
| The second test adds certificate information output to the service plugin.
* Set default encoding to utf-8, use unicode when printing output. | Rob Crittenden | 2010-10-22 | 1 | -4/+5
| The Gettext() object only does the lookup when you print it as a unicode.
| ticket 308
* Add flag to group-find to only search on private groups. | Pavel Zuna | 2010-10-20 | 1 | -2/+29
| ticket #251
* Host certificate management | Endi S. Dewata | 2010-10-20 | 1 | -0/+35
| The service certificate management UI has been generalized and moved into certificate.js. The host details page is now using the same code to manage certificates. The host.py has been modified to return host certificate info.
| The Get/Revoke/View buttons behavior has been modified such that they are visible only if there is a valid certificate. The Get dialog box has been fixed to show the correct certificate header and footer.
| The ipa.css has been modified to store the style of the status bullets.
| New unit tests for certificate have been added. The test data has been modified to include sample host certificate.
* Fix problem testing for mutual exclusivity in hbac plugin. | Rob Crittenden | 2010-10-18 | 1 | -8/+16
| This should fix the hbac tests.
* Disallow RDN change and single-value bypass using setattr/addattr. | Pavel Zuna | 2010-10-18 | 3 | -5/+48
| When setting or adding an attribute with setattr/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE.
| Catch RDN mods and try to return a more reasonable error message.
| Ticket #230
| Ticket #246
* Add Requires on ipa-client to ipa-admintools, ensure ipa client is configured | Rob Crittenden | 2010-10-15 | 3 | -1/+15
| It makes little sense to install ipa-admintools without ipa-client, require it.
| Also see if the client has been configured. This is a bit tricky since we have a full set of defaults. Add a new env option that gets set if at least one configuration file is loaded.
| ticket 213
* Handle regular socket errors gracefully in ipa command | Rob Crittenden | 2010-10-15 | 1 | -0/+3
| ticket 382
* Improve doc string for password | Rob Crittenden | 2010-10-15 | 1 | -1/+1
| ticket 182
* Service certificate UI. | Endi S. Dewata | 2010-10-15 | 1 | -2/+39
| The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate.
| A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management.
| The Makefile.am and index.xhtml have been modified to include certificate.js. New test data files have been added for certificate operations.
| To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA.
| The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
* Fix group deletion | Rob Crittenden | 2010-10-13 | 1 | -3/+4
| ticket 347
* Return non-zero when the number of entries from *-find returned is zero. | Rob Crittenden | 2010-10-13 | 1 | -1/+3
| ticket 325
* Enforce the maximum username length from cn=ipaconfig | Rob Crittenden | 2010-10-13 | 1 | -0/+3
| ticket 226
* Detect when DNS is not configured and return an error message | Rob Crittenden | 2010-10-13 | 1 | -0/+34
| It would be nicer if we disabled the command altogether but this would require checking the server to see every time the ipa command is executed (which would be bad). We can't store this in a configuration file because it is possible to add a DNS post-install (and it would require adding this to every single client install).
| ticket 147
* Add ability to import automount files from the command-line. | Rob Crittenden | 2010-10-12 | 1 | -6/+271
| Support is fairly basic right now and will only work on the CLI. All the work is done on the client side.
| To continue past errors use the --continue option.
| Fixed a bug where direct mounts weren't always added properly.
| Added real user documentation to the plugin.
| ticket 78
* dns metadata | Adam Young | 2010-10-12 | 2 | -5/+27
| This is a little bit of a copy and paste approach, as the code for __json__ was copied from baseldap. Long term, we want to rewrite this plugin as an extension of baseldap anyway.
* Certificate management for services. | Endi S. Dewata | 2010-10-12 | 1 | -27/+12
| This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches.
| On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion.
| On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields.
| The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates.
| All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
* Accept an incoming certificate as either DER or base64 in the service plugin. | Rob Crittenden | 2010-10-08 | 3 | -12/+78
| The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already.
| Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as.
| ticket 348
* Return non-zero when group membership change fails, no empty fail list. | Rob Crittenden | 2010-10-08 | 1 | -0/+26
| There is no point (and it is confusing) to print an empty list when modifying group membership fails, so suppress it.
| If any membership change fails we should return non-zero.
| tickets 271, 273, 274
* If an HBAC category is 'all' don't allow individual objects to be added. | Rob Crittenden | 2010-10-08 | 2 | -0/+61
| Basically, make 'all' mutually exclusive. This makes debugging lots easier. If say usercat='all' there is no point adding specific users to the rule because it will always apply to everyone.
| ticket 164
* policy and config | Adam Young | 2010-10-07 | 3 | -0/+6
| Population of the policy and entities tabs.
| DNS and ACI are broken due to Plugin issues
| Fix for entities without search
| Added new files to Makefile.am
| used rolegroup.js file as the start point, renamed to serverconfig.js
* Fix inconsistent error message when deleting groups that don't exist. | Pavel Zuna | 2010-10-06 | 1 | -1/+3
| Ticket #292
* Rename user-lock and user-unlock to user-enable user-disable. | Pavel Zuna | 2010-10-06 | 1 | -12/+12
| Ticket #165
* Add 'continuous' mode to LDAPDelete. Fix *-del unit tests. | Pavel Zuna | 2010-10-06 | 1 | -0/+9
| Ticket #321
* Generate additional positional arguments for baseldap commands from takes_args. | Pavel Zuna | 2010-10-06 | 2 | -1/+11
|
* Added modifications to the sudorule plugin to reflect the schema update. | Jr Aquino | 2010-10-05 | 1 | -17/+41
|
* phonenumbers | Adam Young | 2010-10-01 | 1 | -0/+10
| Added in params for phone number types: phone, fax, mobile, pager
* Groups are now created as POSIX by default. | Rob Crittenden | 2010-10-01 | 1 | -14/+15
| ticket 241
* Remove reliance on the name 'admin' as a special user. | Rob Crittenden | 2010-10-01 | 1 | -5/+0
| And move it to the group 'admins' instead. This way the admin user can be removed/renamed.
| ticket 197
* Add Delete capabilities to Search facet in the WebUI. | Pavel Zuna | 2010-10-01 | 1 | -2/+6
| Ticket #206
* Add LDAPMultiQuery base class and make it the base of LDAPDelete. | Pavel Zuna | 2010-10-01 | 1 | -33/+65
| In other words: make *-del commands accept 1 or more primary keys of entries to be deleted.
| Ticket #20
* Fix sizelimit/timelimit options not working in user_find | Rob Crittenden | 2010-09-30 | 1 | -1/+1
|
* Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration. | Rob Crittenden | 2010-09-28 | 1 | -6/+17
| We lacked good error messages if the user/group container you used doesn't exist.
| Add a --continue option so things can continue if you use a bad user/group container. This has the side-effect of letting you migrate just users or groups by using a bad container for the one you don't want.
| Fix a Gettext() error when displaying the migrated password message.
| ticket 289
* Add plugins for Sudo Commands, Command Groups and Rules | Jr Aquino | 2010-09-27 | 4 | -0/+496
|
* I18N for web | Adam Young | 2010-09-27 | 2 | -6/+32
| Performing I18N completely on the server, to leverage the existing gettext architecture. Also, the browser does not have access to the Language header.
| Added the additional po files for a set of required languages
| conflict with install/static/ipa.js was resolved.
| Note that the addition of the .po files in this patch is necessary. In order to get Transifex support, we need to update the LINGUAS file with the languages for which we want support. If we don't add the .po files in, they get automatically generated by the rpmbuild process. Our implementation of gettext has a bug in it (It might be F13 thing) where the Plurals line is not getting correctly transformed, which causes a build failure. However, since the RPM would have the .po files anyway, we should revision control the ones we have, even if they are empty.
| Fixed the Bug reporting url to the original value.
| Corrected the Chartype encoding for UK
* Use the principal from the context in whoami. | Rob Crittenden | 2010-09-24 | 1 | -2/+2
| ticket 227