summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Have certmonger track the initial Apache and 389-ds server certs.Rob Crittenden2010-09-091-2/+27
| | | | | | | | | | | | | | | We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
* Changes to fix compatibility with Fedora 14Rob Crittenden2010-08-311-3/+11
| | | | | | | | | | | | Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
* Update command documentation based on feedback from docs team.Rob Crittenden2010-08-2718-248/+323
| | | | ticket #158
* Use global time and size limit values when searching.Rob Crittenden2010-08-191-12/+10
| | | | | | Add test to verify that limit is honored and truncated flag set. ticket #48
* Add support for ldap:///self bind rulesRob Crittenden2010-08-191-11/+37
| | | | | | | This is added mainly so the self service rules can be updated without resorting to ldapmodify. ticket 80
* Fix Update function on details page.Pavel Zuna2010-08-171-4/+4
| | | | | | | | | | The problem was that parameters with no values are automatically set to None by the framework and it wasn't handled properly in baseldap.py:get_attributes function. Also, there were two logical bugs in details.js: 1) atttribute callback to update values were called for input elements instead of dt elements 2) it was always trying to update the primary key
* Enable a host to retrieve a keytab for all its services.Rob Crittenden2010-08-161-17/+53
| | | | | | | | | | | | | | | | | | | | | | | | Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-167-17/+142
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* From: Pavel Zuna <pzuna@redhat.com>Adam Young2010-08-131-0/+65
| | | | | | | | | | | Date: Tue, 10 Aug 2010 16:41:28 -0400 Subject: [PATCH 2/6] Add a new INTERNAL plugin that exports plugin meta-data into JSON. This is required for the webUI, since we're dropping Genshi. *ehm* :) You can't use this command on the CLI. It takes one optional argument: the name of an IPA object. If not specified, meta-data for all objects are returned.
* Change the behaviour of addattr/setattr parameters.Adam Young2010-08-132-35/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | setattr and addattr can now be used both to set all values of ANY attribute. the last setattr always resets the attribute to the specified value and all addattr append to it. Examples: user-mod testuser --setattr=title=msc title: msc user-mod testuser --setattr=title=msb title: msb user-mod testuser --addattr=title=msc title: msb, msc user-mod testuser --setattr=title= title: user-mod testuser --setattr=title=msc --addattr=msb title: msc, msb user-mod testuser --setattr=title=ing --addattr=bc title: ing, bc user-mod testuser --setattr=title=doc title: doc It's not very user friendly, but it's going to be used very very rarely in special conditions in the CLI and we can use it to save lots of JSON-RPC roundtrips in the webUI. This version includes calling the validation of Params during the setting of the attrs.
* Improve serialization to JSON.Pavel Zuna2010-08-123-2/+27
| | | | | | - Make it recursive. - Make Param classes serializable. - Take python native data types into account.
* Fix bug: not found exc. handler was failing for singleton objectsPavel Zuna2010-08-121-1/+4
|
* Add new parameters to LDAPSearch: timelimit and sizelimit.Pavel Zuna2010-08-121-2/+23
|
* Make LDAPObject classes JSON serializable.Pavel Zuna2010-08-122-0/+23
|
* Allow decoupling of user-private groups.Rob Crittenden2010-08-102-0/+74
| | | | | | | | | | | To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
* Properly show the members when an add/remove operation fails.Rob Crittenden2010-08-064-19/+20
| | | | | | | | | | | | The remove member function in baseldap was not returning failures at all. The add member function was only showing them in the group object. Most of the magic is handled in baseldap. Each plugin just needs to define object_name and object_name_plural. object_name must be all lower-case because fake-attributes are created so membership can be broken out per-object type. I left the plural name lower case as well. ticket 85
* Add optional error message to pattern validatorRob Crittenden2010-08-063-3/+15
| | | | | | | | | The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11
* Require that hosts be resolvable in DNS. Use --force to ignore warnings.Rob Crittenden2010-08-065-16/+46
| | | | | | | | | | | | | This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
* Have the env plugin print all attributes by defaultRob Crittenden2010-08-061-0/+11
| | | | ticket #113
* Fix replacing a certificate in a service.Rob Crittenden2010-08-061-11/+14
| | | | | | | | | | | | When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
* whoami plugin.Adam Young2010-08-051-0/+41
| | | | | | It returns the user prinicpal. This is required by the webui, as the Kerberos credential mechanism in http does not expose the cleartext prinicpal to the web browser.
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-292-411/+55
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-291-2/+0
| | | | Javascript based ui.
* Fix netgroup plugin to use correct member attribute names.Rob Crittenden2010-07-151-31/+41
| | | | | | | | | When the netgroup plugin was rebased it ended up using the member attribute for its memberships and not memberuser/memberhost. I also fixed this same attribute problem in the tests and tried to beef them up a little. If nis/schema compat are enabled it will try to compare the generated triplets with a known-good value.
* Use newer API in ipalib/x509 and add missing import.Rob Crittenden2010-07-151-0/+1
| | | | The import was only used when running the in-tree lite-server
* Clean up crypto code, take advantage of new nss-python capabilitiesRob Crittenden2010-07-154-337/+147
| | | | | | | | This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
* Add API to delete a service principal key, service-disable.Rob Crittenden2010-07-132-7/+127
| | | | | | | | | | | | I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
* Include contents of has_output_params in get_output_paramsRob Crittenden2010-07-131-0/+2
|
* Add separate var for search attributes and config attribute for search fieldsRob Crittenden2010-07-133-1/+17
| | | | | | | | Add an optional search_attributes variable in case the attributes you want to display by default aren't what you want to search on. Also link in any cn=ipaconfig attributes that contain a comma-separated list of attributes to search on.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-123-3/+8
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Clean up imports of hbacsvc pluginRob Crittenden2010-07-061-6/+4
| | | | I used pylint to identify a bunch of unnecessary and too-broad imports
* Add support for User-Private GroupsRob Crittenden2010-07-062-10/+20
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Fix aci_mod command. It should handle more complex operations now.Rob Crittenden2010-06-241-12/+64
| | | | | | | | | | | The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI. I also switched the ACI tests to be declarative and added a lot more cases around the modify operation.
* First pass at per-command documentationRob Crittenden2010-06-2217-7/+432
|
* use NSS for SSL operationsJohn Dennis2010-06-151-126/+7
|
* Connect the -v cli argument to the verbose flag in xmlrpclibRob Crittenden2010-06-034-7/+7
| | | | | | If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
* Increase supported weeks per month from 4 to 6 in AccessTime() typeRob Crittenden2010-06-031-1/+1
|
* Add ipaUniqueID to HBAC services and service groupsRob Crittenden2010-05-272-4/+4
| | | | Also fix the memberOf attribute for the HBAC services
* Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroupRob Crittenden2010-05-201-18/+6
|
* Try to clear up that uid is a number, not the login nameRob Crittenden2010-05-171-1/+1
|
* Enforce that max password lifetime is greater than the min lifetimeRob Crittenden2010-05-171-3/+28
| | | | 461325
* Replace old pwpolicy plugin with new one using baseldap, fix tests.Rob Crittenden2010-05-173-718/+230
| | | | Fix deletion of policy when a group is removed.
* Add groups of services to HBACRob Crittenden2010-05-174-9/+305
| | | | | | | Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
* Remove left-over debugging statementRob Crittenden2010-05-141-2/+0
|
* Correctly handle EmptyModlist exception in pwpolicy2-mod.Pavel Zuna2010-05-141-7/+15
| | | | | | | | | | | EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry. This patch uses the new exception callbacks in baseldap.py classes to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception.
* Add exception callback (exc_callback) to baseldap.py classes.Pavel Zuna2010-05-141-33/+150
| | | | | | It enables plugin authors to supply their own handlers for ExecutionError exceptions generated by calls to ldap2 made from the execute method of baseldap.py classes that extend CallbackInterface.
* Add new password policy plugin based on baseldap.py classes.root2010-05-051-0/+351
|
* Increase the attributes we display by default and fix up some labels.Rob Crittenden2010-05-051-2/+8
|
* Add weekly periodic schedule to AccessTime param type.root2010-05-041-0/+2
| | | | Fix bug #588414
* Handle CSRs whether they have NEW in the header or notRob Crittenden2010-05-031-1/+3
| | | | Also consolidate some duplicate code
generated by cgit (git 2.34.1) at 2024-05-22 17:45:34 +0000