summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Use correct option name in host pluginJakub Hrozek2011-01-121-9/+9
|
* Fixes for the DNS pluginJakub Hrozek2011-01-121-3/+9
| | | | https://fedorahosted.org/freeipa/ticket/730
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570Jr Aquino2011-01-121-1/+111
|
* Fix output of failed managedby hosts, allow a host to manage itself.Rob Crittenden2011-01-113-3/+9
| | | | | | | | | | | The output problem was a missing label for failed managedby. This also fixes a call to print_entry that was missing the flags argument. Add a flag to specify whether a group can be a member of itself, defaulting to False. ticket 708
* Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing.Rob Crittenden2011-01-111-3/+11
| | | | | | | | | Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
* Retype (when cloning) Flag parameters to Bool for search commands.Pavel Zuna2011-01-102-4/+16
| | | | | | | | | Flag parameters are always autofill by definition, causing unexpected search results. This patch retypes them to Bool for search commands, so that users have to/can enter the desired value manually. Ticket #689 Ticket #701
* Display the entries that failed when deleting with --continue.Rob Crittenden2011-01-107-13/+27
| | | | | | | | | | | | We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
* Setting an empty set of target attributes should raise an exception.Rob Crittenden2011-01-104-31/+40
| | | | | | | | | | | It is possible to create an ACI with attributes and then try to set that to None via a mod command later. We need to catch this and raise an exception. If all attributes are set to None in an aci then the attr target is removed from the ACI. This could result in an illegal ACI if there are no other targets. Having no targets is a legal state, just not a legal final state. ticket 647
* Fix 'ipa help permissions'; add 'dns' in allowed types.Pavel Zuna2011-01-071-1/+1
|
* Initial grouping of ipalib plugins for ipa helpJan Zeleny2011-01-076-0/+7
| | | | | This patch makes one group for all HBAC plugins and one group for all sudo plugins.
* Changed concept of ipa helpJan Zeleny2011-01-071-20/+97
| | | | | | | | | | | | | | | | | | | | | | | | The concept is now following: topic: either a module or a group of modules containing registered commands. All these commands will usually handle common entity type (e.g. hbac rules) subtopic: each topic can have a number of subtopics. In this case topic is a group of modules and each module represents a subtopic. grouping modules to topics is possible by assigning a 2-tuple to module variable: topic = ('topic-name','topic description') The topic description has to be the same in all modules in the topic. These are examples of commands now available in IPA help: ipa help - display a list of all topics ipa help hbac - display help for hbac topic ipa help hbacrule - display help for a subtopic of hbac ipa help hbacrule-add - display help for a particular command https://fedorahosted.org/freeipa/ticket/410
* Rename hbac module to hbacruleJan Zeleny2011-01-072-50/+50
| | | | | | The renaming follows previous discussion on mailing list and it leads to name compatibility with other plugins (e.g. sudorule). It is also necessary for following changes in ipa help.
* Rename --ipaddr option of host-add commandJan Zeleny2011-01-071-1/+1
| | | | | | | The option is renamed to --ip-address to be consistent with ipa-replica-prepare. https://fedorahosted.org/freeipa/ticket/655
* facet nestingAdam Young2011-01-073-3/+3
| | | | | correctly nest the facet groups change 'parent' to 'member of' for facet group
* fixed typo for description usage example ↵Jr Aquino2011-01-061-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/704
* Handle error messages during Host operationsMartin Kosek2011-01-061-2/+9
| | | | | | | | | | Only a generic error message were displayed when a non-existing host was passed to host-del or host-disable operations. This patch adds catching these generic exceptions and raising new exceptions with the correct error message. https://fedorahosted.org/freeipa/ticket/303
* Improve filtering of enrollments search results.Pavel Zuna2011-01-046-13/+68
| | | | | | | | | | | | | | | | | | | | | | This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna
* Don't use Class of Service for account activation, use attribute.Rob Crittenden2011-01-041-1/+1
| | | | | | | | | | To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly. ticket 568
* Remove unnecessary options from host-del.Rob Crittenden2011-01-041-1/+1
| | | | | | For some reason it was inheriting LDAPCreate.options... ticket 652
* Don't allow a user's uid to be set to 0.Rob Crittenden2011-01-041-0/+1
| | | | ticket 578
* status labelAdam Young2010-12-231-1/+1
| | | | Change the label for the account status field IAW https://fedorahosted.org/freeipa/ticket/677
* Update built-in help for user (ipa help user) with info about username format.Pavel Zuna2010-12-221-0/+6
| | | | Ticket #436
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-2/+2
| | | | ticket 638
* Fix webUI command parameters error on Fedora 14.Pavel Zuna2010-12-221-1/+9
|
* In meta data make ACI attributes lower-case, sorted. Add possible attributes.Rob Crittenden2010-12-213-2/+9
| | | | | | | | | | | | The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641
* Fix reporting of errors when validating parameters.Pavel Zuna2010-12-212-2/+11
| | | | | | | | | | | | | | | | | | Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435
* Added some fields to DNS2 pluginJan Zeleny2010-12-211-18/+13
| | | | | | | Field idnszoneactive is marked as optional, because it is set to true by default (see class dnszone_add). https://fedorahosted.org/freeipa/ticket/601
* Fix the mod operations.Pavel Zuna2010-12-211-0/+1
|
* SUDO plugin support for external hosts and users ↵Jr Aquino2010-12-211-4/+191
| | | | https://fedorahosted.org/freeipa/ticket/570
* aci uiAdam Young2010-12-202-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | Implements the role, privilege, permission, delegation and selfservice entities ui. Targetgroup has been added to the object types. The groups lists need to be filter. The filter is currently hidden, with a hyperlink that reads 'filter' to unhide it. Each keystroke in this filter performs an AJAX request to the server. There are bugs on the server side that block some of the functionality from completing Creating a Permission requires one of 4 target types. The add dialog in this version assumes the user will want to create a filter type. They can change this on the edit page. Most search results come back with the values as arrays, but ACIs seem not to. Search and details both required special code to handle non-arrays. The unit tests now make use of the 'module' aspect of QUnit. This means that future unit test will also need to specify the module. The advantage is that multiple tests can share a common setup and teardown. Bugs that need to be fixed before this works 100% are https://fedorahosted.org/freeipa/ticket/634 https://fedorahosted.org/freeipa/ticket/633
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2058-298/+299
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Translate the membergroup dn into a group name.Rob Crittenden2010-12-201-10/+23
| | | | | | Drop filter from the output, it is superfluous. ticket 634
* Enable filtering search results by member attributes.Pavel Zuna2010-12-204-2/+37
| | | | | | | | | | | | | | LDAPSearch base class has now the ability to generate additional options for objects with member attributes. These options are used to filter search results - search only for objects without the specified members. Example: ipa group-find --no-users=admin Only direct members are taken into account. Ticket #288
* Allow RDN changes from CLIJakub Hrozek2010-12-202-1/+21
| | | | https://fedorahosted.org/freeipa/ticket/397
* Check the number of fields when importing automount mapsJakub Hrozek2010-12-201-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/359
* import NSPRError in host.pyJakub Hrozek2010-12-201-0/+1
|
* Added option --no-reverse to add-hostJan Zeleny2010-12-201-14/+23
| | | | | | | | | When adding a host with specific IP address, the operation would fail in case IPA doesn't own the reverse DNS. This new option overrides the check for reverse DNS zone and falls back to different IP address existence check. https://fedorahosted.org/freeipa/ticket/417
* Allow renaming of object that have a parentJakub Hrozek2010-12-201-1/+2
| | | | Allow renaming of object that have a parent
* Make pkey always iterable when deletingJakub Hrozek2010-12-201-3/+5
|
* Don't use camel-case LDAP attributes in ACI and don't clear enrolledByRob Crittenden2010-12-174-1/+3
| | | | | | | | | | | | We keep LDAP attributes lower-case elsewhere in the API we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general and we have decided separately to not clear out enrolledBy when a host is unenrolled so dropping it is the obvious thing to do. ticket 597
* Fix some doctestsRob Crittenden2010-12-171-8/+8
| | | | A few had bad formatting causing the doctests to fail.
* Catch ACI errors better when adding a permission.Rob Crittenden2010-12-171-3/+17
| | | | | | | | We create the aci with the --test flag to test its validity but it doesn't do the same level of tests that actually adding an aci to LDAP does. Catch any syntax errors that get thrown and clean up as best we can. ticket 621
* Fix the change_password permissions and the DNS access controls.Rob Crittenden2010-12-172-2/+3
| | | | | | | | | | The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628
* Remove principal as an option when updating an existing user.Rob Crittenden2010-12-171-0/+1
| | | | ticket 559
* Add metadata for the selfservice and delegation plugins.Rob Crittenden2010-12-142-0/+28
|
* Add group to group delegation plugin.Rob Crittenden2010-12-132-7/+272
| | | | | | | This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B. ticket 532
* Give the memberof plugin time to work when adding/removing reverse members.Rob Crittenden2010-12-132-3/+79
| | | | | | | | | | | | When we add/remove reverse members it looks like we're operating on group A but we're really operating on group B. This adds/removes the member attribute on group B and the memberof plugin adds the memberof attribute into group A. We need to give the memberof plugin a chance to do its work so loop a few times, reading the entry to see if the number of memberof is more or less what we expect. Bail out if it is taking too long. ticket 560
* sudo run as user or group https://fedorahosted.org/freeipa/ticket/570Jr Aquino2010-12-131-0/+62
|
* relabel roleAdam Young2010-12-131-1/+1
| | | | no longer calling them role groups.
* Add --out option to service, host and cert-show to save the cert to a file.Rob Crittenden2010-12-134-1/+131
| | | | | | | Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
generated by cgit (git 2.34.1) at 2024-11-20 06:25:52 +0000