| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Drop filter from the output, it is superfluous.
ticket 634
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.
Example:
ipa group-find --no-users=admin
Only direct members are taken into account.
Ticket #288
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/397
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/359
|
| |
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
When adding a host with specific IP address, the operation would fail in
case IPA doesn't own the reverse DNS. This new option overrides the
check for reverse DNS zone and falls back to different IP address
existence check.
https://fedorahosted.org/freeipa/ticket/417
|
| |
|
|
| |
Allow renaming of object that have a parent
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
| |
|
|
| |
A few had bad formatting causing the doctests to fail.
|
| |
|
|
|
|
|
|
| |
We create the aci with the --test flag to test its validity but it doesn't
do the same level of tests that actually adding an aci to LDAP does. Catch
any syntax errors that get thrown and clean up as best we can.
ticket 621
|
| |
|
|
| |
ticket 502
|
| |
|
|
|
| |
There is no need for these to be done as updates, just add these entries
to the bootstrapping.
|
| |
|
|
|
|
|
|
|
|
| |
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
|
| |
|
|
| |
ticket 559
|
| |
|
|
|
|
|
| |
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
|
| |
|
|
|
|
| |
Also check for url-encoded passwords before logging them.
ticket 324
|
| |
|
|
| |
Was origially KInit but the command is kinit
|
| |
|
|
| |
Change the link in the error message to the one that will actually fix the problem
|
| | |
|
| |
|
|
| |
ticket 599
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The user details facet has been modified such that when the account
is activated/deactivated the page will be reloaded.
Some methods in the framework have been changed:
- The ipa_widget.clear() has been removed because it can be replaced
by existing reset().
- The ipa_widget.set_values() has been renamed into update().
|
| | |
|
| |
|
|
|
|
|
| |
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.
ticket 532
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.
We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.
ticket 560
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/543
|
| |
|
|
| |
no longer calling them role groups.
|
| |
|
|
|
|
|
| |
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.
ticket 473
|
| |
|
|
|
|
|
|
|
| |
permissions are a real group pointed to by an aci, managed by the same
plugin. Any given update can update one or both or neither. Do a better
job at determining what it is that needs to be updated and handle the
case where only the ACI is updated so that EmptyModList is not thrown.
ticket 603
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.
We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added
ticket 567
|
| | |
|
| |
|
|
| |
ticket 579
|
| |
|
|
|
|
|
| |
If the ticket is expired or otherwise unusable it should fall back to the DM
password. It was prompted for correctly but wasn't being passed on.
ticket 549
|
| | |
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/613
|
| |
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|
| |
|
|
|
|
|
| |
This patch catches NotFound exception and calls handling function
which then sends exception with unified error message.
https://fedorahosted.org/freeipa/ticket/487
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.
I've added some simple tests for setattr and addattr.
ticket 565
|
| |
|
|
|
|
|
| |
Make the cert subject base read-only. This is here only so replicated servers
know their base.
ticket 466
|
| |
|
|
|
|
|
|
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
|
| |
|
|
|
|
|
|
|
|
|
| |
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
|
| |
|
|
|
| |
This is so that master and replica creation can perform different operations as
they need slightly diffeent settings to be applied.
|
