| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).
https://fedorahosted.org/freeipa/ticket/1388
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a comma into a privilege name to assure we can handle
commas.
Commas must be escaped for some parameters, add escape_comma() utility
and invoke it for the necessary parameters.
Utilize a DN object to properly construct a DN and most importantly to
allow equality testing beween the DN we expect and the one
returned. This is necessary because a DN can be encoded according to
different encoding syntaxes all of which are valid. DN objects always
decode from their input. DN objects can test for equality between DN's
without being affected by DN encoding.
Add a equality callback for the dn in the expected dict. When the test
framework tests for equality between the expected value and the
returned value it will call back into a function we provide which will
convert the returned dn into a DN object. An equality test is then
performed between two DN objects. This is the only way to properly
compare two dn's.
|
|
|
|
|
|
|
|
|
|
| |
The goal is to not import foreign certificates.
This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.
ticket 1134
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1276
https://fedorahosted.org/freeipa/ticket/1277
https://fedorahosted.org/freeipa/ticket/1308
Added new Exception: AttrValueNotFound
Fixed XML Test for Sudorule remove_option
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)
|
|
|
|
|
|
|
|
| |
Enhance Host plugin to provide not only "Managed By" list but also
a list of managed hosts. The new list is generated only when --all
option is passed.
https://fedorahosted.org/freeipa/ticket/993
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.
So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.
I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.
This also prevents duplicate indirect users and looping on circular
membership.
ticket https://fedorahosted.org/freeipa/ticket/1273
|
|
|
|
| |
ticket https://fedorahosted.org/freeipa/ticket/1265
|
|
|
|
|
|
|
|
| |
Add Add tests for users, groups, hosts and hostgroups to verify membership
Update API to version 2.3
https://fedorahosted.org/freeipa/ticket/1170
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.
Add two new LDAPObject values to control this behavior:
limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed
By default both of these lists are empty so are skipped.
ticket 744
|
|
|
|
|
|
|
|
| |
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.
This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.
The UI will need to be changed to switch from using cn to using
givenname and sn.
ticket 1136
|
|
|
|
| |
ticket 1151
|
|
|
|
|
|
|
|
| |
Do a server-side sort if there is a primary key.
Fix a couple of tests that were failing due to the new sorting.
ticket 794
|
|
|
|
|
|
|
|
|
|
|
|
| |
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
|
|
|
|
| |
ticket 1146
|
|
|
|
|
|
|
| |
Jakub did the initial diagnosis of this, I added a fix for removing
the last entry when removing members and a test case.
ticket 1000
|
|
|
|
|
|
|
| |
It was a design decision to not allow nesting sudo command groups,
remove it.
ticket 1004
|
|
|
|
|
|
|
|
|
|
|
|
| |
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
|
|
|
|
|
|
|
| |
Previously the user's city parameter is defined to use the 'locality'
attribute. This was a problem because the attribute would be returned
as 'l' by the directory server causing a mismatch. Now the parameter
has been changed to use the 'l' attribute.
|
|
|
|
|
|
|
|
| |
This patch adds a proper summary text to HBAC command which is
then printed out in CLI. Now, HBAC plugin output is consistent
with other plugins.
https://fedorahosted.org/freeipa/ticket/596
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some attribute enforcement is done by schema, others should be done
by the required option in a Parameter. description, for example, is
required by many plugins but not the schema. We need to enforce in the
framework that required options are provided.
After all the setattr/addattr work is done run through the modifications
and ensure that no required values will be removed.
ticket 852
|
|
|
|
| |
ticket 944
|
|
|
|
|
|
|
|
|
| |
This patch removes some individual work-arounds of converting strings
to unicode, they only masked the problem. String values are not
passed to the validator or normalizers so things like adding the
realm automatically to services weren't happening.
ticket 941
|
|
|
|
|
|
| |
Also add a unit test for address.
Ticket 889
|
|
|
|
|
|
|
|
|
| |
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.
ticket 853
|
|
|
|
|
|
|
|
| |
This patch fixes test for Permission plugin - mainly permission-mod
part. Description field that the tests expected and which was
removed in ticket 792 was removed from the tests.
https://fedorahosted.org/freeipa/ticket/892
|
|
|
|
|
|
|
|
| |
This is mostly due to inconsistent option name usage but also due
to the aci plugin not always treating memberof as a special kind
of filter.
ticket 869
|
|
|
|
|
|
|
| |
This also drops description from permissions since it seems redundant and
fixes up the help text a little.
ticket 792
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes nonfunctional rename operation in permission
plugin. Also makes sure, that no change is made to the underlying
ACI in pre_callback() when the target permission already exists.
Several tests for the rename operation have been created to ensure
that the it won't break again unnoticed.
https://fedorahosted.org/freeipa/ticket/814
|
|
|
|
|
|
|
| |
Bind cannot load a zone if any of its name server records is not
resolvable.
https://fedorahosted.org/freeipa/ticket/838
|
|
|
|
|
|
|
|
|
| |
Error out when deleting a nonexistent DNS record
Also fixes the DNS unit tests.
https://fedorahosted.org/freeipa/ticket/816
https://fedorahosted.org/freeipa/ticket/829
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/293
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/762
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/773
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.
This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.
ticket 687
|
|
|
|
|
|
| |
The renaming follows previous discussion on mailing list and it leads to
name compatibility with other plugins (e.g. sudorule). It is also
necessary for following changes in ipa help.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/570
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
| |
Drop filter from the output, it is superfluous.
ticket 634
|
|
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
|
|
|
|
|
|
| |
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
|
|
|
|
|
|
|
| |
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.
ticket 532
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.
We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added
ticket 567
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.
I've added some simple tests for setattr and addattr.
ticket 565
|
| |
|
|
|
|
|
|
|
|
|
| |
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.
Right now only ACIs in the basedn can be managed with this plugin.
ticket 531
|
|
|
|
| |
ticket 545
|