path: root/ipalib
Commit message | Author | Age | Files | Lines
* batch init this batches together the calls to json_metadata, i18n_messages, and user-find [whoami] to streamline the init process, and also allow us to add a call to enumerate the plugins. | Adam Young | 2010-11-18 | 1 | -30/+41
* Increase # of chars in users and groups to 255 and default username to 32. | Rob Crittenden | 2010-11-12 | 2 | -4/+4
    ticket 434
* Don't include INTERNAL commands in `ipa help commands` output. | Rob Crittenden | 2010-11-10 | 1 | -0/+2
    ticket 463
* Replace 'Locking' in `ipa help user` with 'Disabling'. | Pavel Zuna | 2010-11-09 | 1 | -1/+1
    Ticket #452
* delete to remove The keyword delete is reserved in Javascript. Using it breaks the WebUI on Chrome. This fix replaces the word with delete. | Adam Young | 2010-11-09 | 1 | -1/+1
* Add usercategory and hostcategory and fix displaying members in netgroup_show | Rob Crittenden | 2010-11-08 | 1 | -0/+24
    ticket 443
* Clarify the description of --raw and -all | Jakub Hrozek | 2010-11-08 | 2 | -5/+5
    https://fedorahosted.org/freeipa/ticket/244
* Ticket Expiration | Adam Young | 2010-11-08 | 1 | -1/+8
    This patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_auth_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app
    Conflicts: install/static/ipa.js
* Add the --rights option to the LDAPUpdate base class. | Rob Crittenden | 2010-11-05 | 1 | -10/+24
    ticket 437
* Fix typo in exception sample causing a doctest to fail | Rob Crittenden | 2010-11-05 | 1 | -1/+1
* batch | Adam Young | 2010-11-05 | 1 | -0/+86
    Allows the user to send multiple commands bundled together
* user-enable/disable improvements | Rob Crittenden | 2010-11-04 | 3 | -22/+35
    Always display the account enable/disable status.
    Don't ignore the exceptions when a user is already enabled or disabled.
    Fix the exception error messages to use the right terminology.
    In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes.
    ticket 392
* Output ACI's broken out into attributes rather than a single text field | Rob Crittenden | 2010-11-04 | 2 | -74/+87
    Also add validation to the List parameter type.
    ticket 357
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all. Added fixes for xmlrpc tests to reflect sudocmd changes. | Jr Aquino | 2010-11-03 | 2 | -5/+10
* Use kerberos password policy. | Rob Crittenden | 2010-11-01 | 2 | -15/+35
    This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.
    There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.
    The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.
    As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line.
    ticket 51
* Implement nested netgroups and include summaries for the commands. | Rob Crittenden | 2010-10-29 | 2 | -10/+38
    Replace the existing netgroup test cases with Declarative tests. This triples the number of tests we were doing.
    ticket 209
* Return reason for failure when updating group membership fails. | Rob Crittenden | 2010-10-28 | 4 | -36/+56
    We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that was returned.
    Also made the label we use for failures to be singular instead of plural since we now print them out individually instead of as comma-separated.
    ticket 270
* Don't allow managed groups to have group password policy. | Rob Crittenden | 2010-10-28 | 2 | -1/+19
    UPG cannot have members and we use memberOf in class of service to determine which policy to apply.
    ticket 160
* Remove group nesting from the HBAC service groups | Rob Crittenden | 2010-10-28 | 1 | -9/+3
    ticket 389
* Use context to decide which name to return on RequirementsErrors | Rob Crittenden | 2010-10-28 | 2 | -6/+13
    When a Requirement fails we throw an exception including the name of the field that is missing. To make the command-line friendlier we have a cli_name defined which may or may not match the LDAP attribute. This can be confusing if you are using ipalib directly because the attribute name missing may not match what is actually required (desc vs description is a good example).
    If you use the context 'cli' then it will throw exceptions using cli_name. If you use any other context it will use the name of the attribute.
    ticket 187
* Add option to generate random one-time password for hosts for bulk enrollment | Rob Crittenden | 2010-10-28 | 1 | -2/+43
    ticket 228
* Populate indirect members when showing a group object. | Rob Crittenden | 2010-10-28 | 11 | -132/+130
    This is done by creating a new attribute, memberindirect, to hold this indirect membership.
    The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently.
    This also:
      * Moves all member display attributes into baseldap.py to reduce duplication
      * Adds netgroup nesting
      * Use a unique object name in hbacsvc and hbacsvcgroup
    ticket 296
* Retrieve Get Effective Rights output with LDAPRetrieve | Rob Crittenden | 2010-10-28 | 1 | -0/+18
    The output is a pure python dict so is really only useful when used with --all so it is required.
    Updated to return a string for rights as opposed to a list. Terser, reducing the wire size by a factor of 3.5
* Allow RDN changes for users, groups, rolegroups and taskgroups. | Rob Crittenden | 2010-10-28 | 5 | -0/+22
    To do a change right now you have to perform a setattr like:
      ipa user-mod --setattr uid=newuser olduser
    The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored.
    ticket 323
* Add LDAPObject setting to handle different attributes for RDN and PKEY. | Pavel Zuna | 2010-10-28 | 4 | -64/+48
* UUIDs: remove uuid python plugin and let DS always autogenerate | Simo Sorce | 2010-10-28 | 4 | -580/+5
    merge in remove uuid
* whoami goodbye | Adam Young | 2010-10-26 | 1 | -41/+0
    Removing the whoami plugin, as it has been wrapped up into the user plugin
* Fix two failing tests. | Rob Crittenden | 2010-10-22 | 1 | -1/+1
    The first test is a mismatch in the sample output of an exception.
    The second test adds certificate information output to the service plugin.
* Set default encoding to utf-8, use unicode when printing output. | Rob Crittenden | 2010-10-22 | 1 | -4/+5
    The Gettext() object only does the lookup when you print it as a unicode.
    ticket 308
* Add flag to group-find to only search on private groups. | Pavel Zuna | 2010-10-20 | 1 | -2/+29
    ticket #251
* Host certificate management | Endi S. Dewata | 2010-10-20 | 1 | -0/+35
    The service certificate management UI has been generalized and moved into certificate.js. The host details page is now using the same code to manage certificates. The host.py has been modified to return host certificate info.
    The Get/Revoke/View buttons behavior has been modified such that they are visible only if there is a valid certificate. The Get dialog box has been fixed to show the correct certificate header and footer.
    The ipa.css has been modified to store the style of the status bullets.
    New unit tests for certificate have been added. The test data has been modified to include sample host certificate.
* Fix problem testing for mutual exclusivity in hbac plugin. | Rob Crittenden | 2010-10-18 | 1 | -8/+16
    This should fix the hbac tests.
* Disallow RDN change and single-value bypass using setattr/addattr. | Pavel Zuna | 2010-10-18 | 3 | -5/+48
    When setting or adding an attribute with setattr/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE.
    Catch RDN mods and try to return a more reasonable error message.
    Ticket #230
    Ticket #246
* Add Requires on ipa-client to ipa-admintools, ensure ipa client is configured | Rob Crittenden | 2010-10-15 | 3 | -1/+15
    It makes little sense to install ipa-admintools without ipa-client, require it.
    Also see if the client has been configured. This is a bit tricky since we have a full set of defaults. Add a new env option that gets set if at least one configuration file is loaded.
    ticket 213
* Handle regular socket errors gracefully in ipa command | Rob Crittenden | 2010-10-15 | 1 | -0/+3
    ticket 382
* Improve doc string for password | Rob Crittenden | 2010-10-15 | 1 | -1/+1
    ticket 182
* Service certificate UI. | Endi S. Dewata | 2010-10-15 | 1 | -2/+39
    The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate.
    A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management.
    The Makefile.am and index.xhtml have been modified to include certificate.js. New test data files have been added for certificate operations.
    To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA.
    The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
* Fix group deletion | Rob Crittenden | 2010-10-13 | 1 | -3/+4
    ticket 347
* Return non-zero when the number of entries from *-find returned is zero. | Rob Crittenden | 2010-10-13 | 1 | -1/+3
    ticket 325
* Enforce the maximum username length from cn=ipaconfig | Rob Crittenden | 2010-10-13 | 1 | -0/+3
    ticket 226
* Detect when DNS is not configured and return an error message | Rob Crittenden | 2010-10-13 | 1 | -0/+34
    It would be nicer if we disabled the command altogether but this would require checking the server to see every time the ipa command is executed (which would be bad). We can't store this in a configuration file because it is possible to add a DNS post-install (and it would require adding this to every single client install).
    ticket 147
* Add ability to import automount files from the command-line. | Rob Crittenden | 2010-10-12 | 1 | -6/+271
    Support is fairly basic right now and will only work on the CLI. All the work is done on the client side.
    To continue past errors use the --continue option.
    Fixed a bug where direct mounts weren't always added properly.
    Added real user documentation to the plugin.
    ticket 78
* dns metadata | Adam Young | 2010-10-12 | 2 | -5/+27
    This is a little bit of a copy and paste approach, as the code for __json__ was copied from baseldap. Long term, we want to rewrite this plugin as an extension of baseldap anyway.
* Certificate management for services. | Endi S. Dewata | 2010-10-12 | 1 | -27/+12
    This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches.
    On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion.
    On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields.
    The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates.
    All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
* Accept an incoming certificate as either DER or base64 in the service plugin. | Rob Crittenden | 2010-10-08 | 3 | -12/+78
    The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary.
    Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as.
    ticket 348
* Return non-zero when group membership change fails, no empty fail list. | Rob Crittenden | 2010-10-08 | 1 | -0/+26
    There is no point (and it is confusing) to print an empty list when modifying group membership fails, so suppress it. If any membership change fails we should return non-zero.
    tickets 271, 273, 274
* If an HBAC category is 'all' don't allow individual objects to be added. | Rob Crittenden | 2010-10-08 | 2 | -0/+61
    Basically, make 'all' mutually exclusive. This makes debugging lots easier. If say usercat='all' there is no point adding specific users to the rule because it will always apply to everyone.
    ticket 164
* policy and config | Adam Young | 2010-10-07 | 3 | -0/+6
    Population of the policy and entities tabs. DNS and ACI are broken due to Plugin issues
    Fix for entities without search
    Added new files to Makefile.am
    used rolegroup.js file as the start point, renamed to serverconfig.js
* Fix inconsistent error message when deleting groups that don't exist. | Pavel Zuna | 2010-10-06 | 1 | -1/+3
    Ticket #292
* Rename user-lock and user-unlock to user-enable user-disable. | Pavel Zuna | 2010-10-06 | 1 | -12/+12
    Ticket #165