| Commit message (Collapse) | Author | Age | Files | Lines |
https://fedorahosted.org/freeipa/ticket/570
This patch addresses items:
1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations.
2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations.
3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations.
|
https://fedorahosted.org/freeipa/ticket/580
|
Ticket #573
|
ticket 496
|
https://fedorahosted.org/freeipa/ticket/455
|
This patch adds new options to the migration plugin:
* the option to fine-tune the objectclass of users or groups being imported
* the option to select the LDAP schema (RFC2307 or RFC2307bis)
Also makes the logic that decides whether an entry is a nested group or user
(for RFC2307bis) smarter by looking at the DNS. Does not hardcode primary keys
for migrated entries.
https://fedorahosted.org/freeipa/ticket/429
|
ticket 310
|
ticket 545
|
When setting default group, we should check if the group exists.
If not, it could lead to some issues with adding new users after
the new default group is set.
https://fedorahosted.org/freeipa/ticket/504
|
After calling ipa config --defaultgroup=xxx with nonexistent group xxx,
the result will be that no new user can be added. The operation will
always fail in the middle because it is not possible to add the new user
to desired default group.
https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4
|
ticket 561
|
ticket 523
|
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
The create_association_facets() has been modified such that it
does not generate duplicate links. This is done by assigning the
proper labels and hiding non-assignable associations.
Each association will get a label based on the attribute used:
- memberof: Membership in <entity name>
- member.*: <entity name> Members
- managedby: Managed by <entity name>
The following associations will be hidden:
- memberindirect
- enrolledby
The internal.py was modified to return localized labels.
The test data has been updated.
|
attribute permissions and all other benefits of building on the baseldap plugin
|
Some fields were missing from user object, this change adds them
along with their l10n
https://fedorahosted.org/freeipa/ticket/305
|
Passwords didn't have internationalizable labels.
Exceptions that occurred during required input weren't printed as unicode
so weren't being translated properly.
Don't use output_for_cli() directly in the passwd plugin, use output.Output.
ticket 352
|
re-based got pushed for some reason.
Use better description for group names in help and always prompt for members
When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.
This will work via a shell if you want to echo too:
$ echo "" | ipa group-add-member g1
This returns 0 members because nothing is read for users or group members.
$ echo -e "g1\nadmin\n" | ipa group-add-member
This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.
ticket 415
|
When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.
This will work via a shell if you want to echo too:
$ echo "" | ipa group-add-member g1
This returns 0 members because nothing is read for users or group members.
$ echo -e "g1\nadmin\n" | ipa group-add-member
This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.
ticket 415
|
Some attributes weren't included in the output of hbac-show command.
This patch fixes it.
https://fedorahosted.org/freeipa/ticket/494
https://fedorahosted.org/freeipa/ticket/495
|
https://fedorahosted.org/freeipa/ticket/555
|
Ticket #36
Ticket #450
|
The new model is based on permissions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|
set. remove explicit sibling code from entity pages
Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI
|
Ticket #361
|
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
|
During some HBAC operations, various error messages were handled
incorrectly - displaying only generic error messages instead of
correct ones, which were defined for the module.
This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.
https://fedorahosted.org/freeipa/ticket/487
|
recent changes to the scope mechanism weren't propagated to the whoami call
|
If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
|
This can occur if you do something like:
$ ipa hbac-add-host --hosts="" testrule
options will have an entry for 'host' but it will be None which is
not iterable.
ticket 486
|
Ticket #530
|
Add the opportunity to change base DN and scope in the callback.
|
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.
For IPv4 it will create an A and a PTR DNS record.
IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.
When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.
ticket 238
|
https://fedorahosted.org/freeipa/ticket/245
|
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.
ticket 250
|
This also returns the rights for cospriority if the policy is for a group.
ticket 449
|
This will allow others to provision on behalf of the host.
ticket 280
|
Disable any services when its host is disabled.
This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.
ticket 297
|
and user-find [whoami] to streamline the init process, and also allow us to add a call to enumerate the plugins.
|
ticket 434
|
ticket 463
|
Ticket #452
|
breaks the WebUI on Chrome. This fix replaces the word with delete.
|
ticket 443
|
https://fedorahosted.org/freeipa/ticket/244
|
This patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_auth_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app.
Conflicts:
install/static/ipa.js