summaryrefslogtreecommitdiffstats
path: root/ipalib/constants.py
Commit message (Collapse)AuthorAgeFilesLines
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-2/+2
| | | | ticket 638
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-2/+3
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Add plugins for Sudo Commands, Command Groups and RulesJr Aquino2010-09-271-0/+3
|
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-161-0/+1
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-291-2/+0
| | | | Javascript based ui.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-121-0/+1
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Connect the -v cli argument to the verbose flag in xmlrpclibRob Crittenden2010-06-031-1/+1
| | | | | | If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
* Add groups of services to HBACRob Crittenden2010-05-171-0/+2
| | | | | | | Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
* Consolidate to single WSGI entry pointJason Gerard DeRose2010-03-011-1/+1
|
* Allow one-character Param namesRob Crittenden2010-02-121-1/+1
| | | | This is done explicitly to support the l/localityname attribute.
* ipa-server-install now renders UI assetsJason Gerard DeRose2009-11-041-2/+1
|
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-3/+15
|
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-151-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-2/+0
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Allow replicas of an IPA server using an internal dogtag server as the CARob Crittenden2009-07-151-1/+1
| | | | | | | | This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
* Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.Rob Crittenden2009-07-101-0/+1
| | | | | | | | | | | | There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
* Remove use_ldap2 constant.Pavel Zuna2009-07-021-1/+0
|
* Add new env variables: container_taskgroup, container_rolegroup and ↵Pavel Zuna2009-05-261-0/+3
| | | | container_netgroup.
* Dogtag keeps telling me to use port 9444 and not 9443, use it.Rob Crittenden2009-05-261-1/+1
|
* Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ ↵Jason Gerard DeRose2009-05-111-22/+22
| | | | don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
* Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new ↵Pavel Zuna2009-04-221-0/+2
| | | | LDAP backend debugging.
* Add 'container_hbac' env variable.root2009-04-031-1/+1
|
* Implemented more elegant way for entire plugin module to be conditionally ↵Jason Gerard DeRose2009-02-171-1/+1
| | | | skipped; updated cert.py and ra.py modules to use this
* Added env.enable_ra variable and change cert.py and ra.py plugin modules to ↵Jason Gerard DeRose2009-02-171-0/+3
| | | | register plugins conditionally
* Add policy-related container constantsJakub Hrozek2009-02-101-0/+7
|
* Finished reworked cli.CLI class into cli.cli pluginJason Gerard DeRose2009-02-031-0/+4
|
* More work on xmlrpc stuff, started migrated more code to use errors2 instead ↵Jason Gerard DeRose2009-02-031-2/+2
| | | | of errors
* Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requestedJason Gerard DeRose2009-02-031-0/+6
|
* Added Object.params_minus() method; various small tweaksJason Gerard DeRose2009-02-031-24/+8
|
* Started moving some core classes and functions from plugable.py to new ↵Jason Gerard DeRose2008-12-301-2/+8
| | | | base.py module
* Some more reorganization in Env and added class docstring to Env with lots ↵Jason Gerard DeRose2008-12-221-2/+2
| | | | of examples
* Cleaned up Env.__setattr__() and Env.__setitem__() a bit updated their unit ↵Jason Gerard DeRose2008-12-221-1/+6
| | | | tests
* The Env.__setitem__() implied conversion is now case sensitive; ↵Jason Gerard DeRose2008-12-221-17/+20
| | | | Env.__setitem__() now also accepts None as a value
* Started work on per-request gettext setupJason Gerard DeRose2008-12-181-2/+4
|
* New Param: added unit tests for TypeError cases in DefaultFrom.__init__()Jason Gerard DeRose2008-12-181-1/+1
|
* New Param: added missing unit tests for TypeError and ValueError cases in ↵Jason Gerard DeRose2008-12-181-1/+1
| | | | parse_param_spec()
* Finished kwarg validation and extension mechanism in parameter.ParamJason Gerard DeRose2008-12-111-0/+6
|
* Started roughing out the consolidated type/parameter system in ↵Jason Gerard DeRose2008-12-101-1/+5
| | | | parameters.py; started corresponding unit tests
* Add autmount-specific location and default entriesRob Crittenden2008-11-141-0/+1
|
* Changed calling signature of output_for_cli(); started work on 'textui' ↵Jason Gerard DeRose2008-11-121-0/+2
| | | | backend plugin
* Added 'conf_dir' env variable, which is directory containing config filesJason Gerard DeRose2008-11-101-0/+1
|
* Revive the hostgroup_container and include add/remove hosts in hostgroups pluginRob Crittenden2008-11-041-0/+1
|
* Added custom log formatter util.LogFormatter that makes the human-readable ↵Jason Gerard DeRose2008-10-311-2/+2
| | | | time stamp in UTC
* Logging formats are now env variables; added log_format_stderr_debug format ↵Jason Gerard DeRose2008-10-311-17/+33
| | | | used when env.debug is True
* lite-xmlrpc.py now uses api.bootstrap() property, logs to api.loggerJason Gerard DeRose2008-10-281-1/+2
|
* Added util.configure_logging() function; API.bootstrap() now calls ↵Jason Gerard DeRose2008-10-281-0/+16
| | | | util.configure_logging()
* More CLI cleanup, got all basics working againJason Gerard DeRose2008-10-271-0/+1
|
* More docstrings, functionality, and unit tests for improved CLI classJason Gerard DeRose2008-10-271-1/+0
|
* Env._bootstrap() now also sets Env.conf_defaultJason Gerard DeRose2008-10-271-1/+2
|