-rw-r--r--ipalib/plugins/aci.py54
-rw-r--r--ipalib/plugins/cert.py17
-rw-r--r--ipalib/plugins/config.py14
-rw-r--r--ipalib/plugins/dns.py8
-rw-r--r--ipalib/plugins/group.py42
-rw-r--r--ipalib/plugins/hbac.py66
-rw-r--r--ipalib/plugins/hbacsvc.py17
-rw-r--r--ipalib/plugins/hbacsvcgroup.py30
-rw-r--r--ipalib/plugins/host.py46
-rw-r--r--ipalib/plugins/hostgroup.py32
-rw-r--r--ipalib/plugins/krbtpolicy.py14
-rw-r--r--ipalib/plugins/netgroup.py26
-rw-r--r--ipalib/plugins/passwd.py16
-rw-r--r--ipalib/plugins/pwpolicy.py42
-rw-r--r--ipalib/plugins/rolegroup.py45
-rw-r--r--ipalib/plugins/service.py56
-rw-r--r--ipalib/plugins/taskgroup.py20
-rw-r--r--ipalib/plugins/user.py26
18 files changed, 323 insertions, 248 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index b6b40e26..ae1c4005 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -20,41 +20,67 @@
"""
Directory Server Access Control Instructions (ACIs)
-ACI's are used to allow or deny access to information. This module is
-currently designed to allow, not deny, access, primarily write access.
+ACIs are used to allow or deny access to information. This module is
+currently designed to allow, not deny, access.
-The primary use of this plugin is to create low-level permission sets
-to allow a group to write or update entries or a set of attributes. This
-may include adding or removing entries as well. These groups are called
-taskgroups. These low-level permissions can be combined into roles
-that grant broader access. These roles are another type of group, rolegroups.
+The aci commands are designed to grant permissions that allow updating
+existing entries or adding or deleting new ones. The goal of the ACIs
+that ship with IPA is to provide a set of low-level permissions that
+grant access to special groups called taskgroups. These low-level
+permissions can be combined into roles that grant broader access. These
+roles are another type of group, rolegroups.
For example, if you have taskgroups that allow adding and modifying users you
could create a rolegroup, useradmin. You would assign users to the useradmin
rolegroup to allow them to do the operations defined by the taskgroups.
-You can create ACIs that delegate permission so users in
-group A can write attributes on group B.
+You can create ACIs that delegate permission so users in group A can write
+attributes on group B.
The type option is a map that applies to all entries in the users, groups or
host location. It is primarily designed to be used when granting add
permissions (to write new entries).
+An ACI consists of three parts:
+1. target
+2. permissions
+3. bind rules
+
+The target is a set of rules that define which LDAP objects are being
+targetted. This can include a list of attributes, an area of that LDAP
+tree or an LDAP filter.
+
+The permissions define what the ACI is allowed to do, they are one or more
+of:
+1. write - write one or more attributes
+2. read - read one or more attributes
+3. add - add a new entry to the tree
+4. delete - delete an existing entry
+5. all - all permissions are granted
+
+Note the distinction between attributes and entries. The permissions are
+independent, so being able to add a user does not mean that the user will
+be editabe.
+
+The bind rule defines who this ACI grants permissions to. The LDAP server
+allows this to be any valid LDAP entry but we encourage the use of
+taskgroups so that the rights can be easily shared through rolegroups.
+
For a more thorough description of access controls see
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
EXAMPLES:
- Add an ACI so the group 'secretaries' can update the address on any user:
+ Add an ACI so that the group "secretaries" can update the address on any user:
ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write "Secretaries write addresses"
Show the new ACI:
ipa aci-show "Secretaries write addresses"
- Add an ACI that allows members of the 'addusers' taskgroup to add new users:
+ Add an ACI that allows members of the "addusers" taskgroup to add new users:
ipa aci-add --type=user --taskgroup=addusers --permissions=add "Add new users"
-The show command will show the raw DS ACI.
+The show command shows the raw 389-ds ACI.
IMPORTANT: When modifying the target attributes of an existing ACI you
must include all existing attributes as well. When doing an aci-mod the
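Review bot: Two typos survive in the newly added docstring text: `targetted` in the line `targetted. This can include a list of attributes, an area of that LDAP` should read `targeted`, and `editabe` in `be editabe.` should read `editable`. Since this is the module docstring, the text is presumably what `ipa help aci` prints verbatim, so the misspellings are user-visible.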
@@ -77,7 +103,7 @@ _type_map = {
}
_valid_permissions_values = [
- u'read', u'write', u'add', u'delete', u'selfwrite', u'all'
+ u'read', u'write', u'add', u'delete', u'all'
]
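Review bot: Dropping `u'selfwrite'` from `_valid_permissions_values` (and from the permissions option doc in the later hunk of this file) narrows what the `permissions` normalizer accepts without saying what happens to ACIs already stored in the directory that grant selfwrite. If `_normalize_permissions` is also applied when an existing ACI is read back or modified, such entries would presumably be rejected on aci-mod rather than preserved; worth confirming, since a selfwrite right granted by a pre-existing ACI stays in effect on the server regardless of whether this client can express it. A short comment above the list, `# selfwrite is intentionally not offered as a permission value`, would at least record that the omission is deliberate.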
class ListOfACI(output.Output):
@@ -279,7 +305,7 @@ class aci(Object):
cli_name='permissions',
label=_('Permissions'),
doc=_('comma-separated list of permissions to grant' \
- '(read, write, add, delete, selfwrite, all)'),
+ '(read, write, add, delete, all)'),
normalizer=_normalize_permissions,
),
List('attrs?',
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 8920cfe4..1154e2e3 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -24,7 +24,7 @@ IPA certificate operations
Implements a set of commands for managing server SSL certificates.
-Certificate request come in the form of a Certificate Signing Request (CSR)
+Certificate request exist in the form of a Certificate Signing Request (CSR)
in PEM format.
If using the selfsign backend then the subject in the CSR needs to match
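Review bot: The rewritten line `Certificate request exist in the form of a Certificate Signing Request (CSR)` is ungrammatical; it should read `Certificate requests exist in the form of a Certificate Signing Request (CSR)` (or keep the original "come in the form"). This is the module docstring, so the sentence is presumably shown as-is in the CLI help output.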
@@ -32,15 +32,16 @@ the subject configured in the server. The dogtag CA uses just the CN
value of the CSR and forces the rest of the subject.
A certificate is stored with a service principal and a service principal
-needs a host. So in order to request a certificate the following conditions
-must be met:
+needs a host.
-* The host exists
-* The service exists (or you use the --add option to automatically add it)
+In order to request a certificate:
+
+* The host must exist
+* The service must exist (or you use the --add option to automatically add it)
EXAMPLES:
- Request a new certificate, add the principal:
+ Request a new certificate and add the principal:
ipa cert-request --add --principal=HTTP/lion.example.com example.csr
Retrieve an existing certificate:
@@ -55,7 +56,9 @@ EXAMPLES:
Check the status of a signing request:
ipa cert-status 10
-IPA currently immediately issues (or declines) all certificate requests.
+IPA currently immediately issues (or declines) all certificate requests so
+the status of a request is not normally useful. This is for future-use
+or the case where a CA does not immediately issue a certificate.
"""
from ipalib import api, SkipPluginModule
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index b704a7a2..8b6095f7 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -18,14 +18,14 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Manage IPA configuration
+Manage the IPA configuration
-Manage default values tha IPA uses and some tuning parameters:
+Manage the default values tha IPA uses and some of its tuning parameters.
- Show the current configuration:
+ To show the current configuration:
ipa config-show
- Modify the configuration:
+ To modify the configuration:
ipa config-mod --maxusername=99
The available options are:
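Review bot: The typo `tha` survives in the rewritten line `Manage the default values tha IPA uses and some of its tuning parameters.`; it should be `that`. Since the line is being touched anyway, fixing it here avoids a follow-up commit.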
@@ -48,7 +48,7 @@ how many records may be returned on a given search.
Server Configuration.
--enable-migration=BOOL Enable migration mode
- --subject=STR base for certificate subjects (OU=Test,O=Example)
+ --subject=STR Base for certificate subjects (OU=Test,O=Example)
"""
@@ -126,7 +126,7 @@ class config(LDAPObject):
Str('ipacertificatesubjectbase?',
cli_name='subject',
label=_('Certificate Subject base'),
- doc=_('base for certificate subjects (OU=Test,O=Example)'),
+ doc=_('Base for certificate subjects (OU=Test,O=Example)'),
),
)
@@ -153,7 +153,7 @@ api.register(config_mod)
class config_show(LDAPRetrieve):
"""
- Display configuration options.
+ Show the current configuration.
"""
api.register(config_show)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index d651ec04..b154b5df 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -17,10 +17,10 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Domain Name System (DNS) plugin
+Domain Name System (DNS) plug-in
Implements a set of commands useful for manipulating DNS records used by
-the BIND LDAP plugin.
+the BIND LDAP plug-in.
EXAMPLES:
@@ -42,10 +42,10 @@ EXAMPLES:
Show zone example.com:
ipa dns-show example.com
- Find zone with 'example' in it's domain name:
+ Find zone with "example" in it's domain name:
ipa dns-find example
- Find records for resources with 'www' in their name in zone example.com:
+ Find records for resources with "www" in their name in zone example.com:
ipa dns-find-rr example.com www
Find A records for resource www in zone example.com
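Review bot: The edited example heading `Find zone with "example" in it's domain name:` keeps the `it's`/`its` error; the possessive is `its`, so the line should read `Find zone with "example" in its domain name:`.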
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 9bf5b1de..616eff2a 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -20,43 +20,49 @@
"""
Groups of users
-Manage groups of users. By default new groups are not Posix groups.
-You can mark it as Posix at creation time with the --posix flag and
-can promose a non-Posix group using the --posix flag in group-mod.
-Once a group is a Posix group there is no way to undo this.
+Manage groups of users. By default, new groups are not POSIX groups. You
+can add the --posix to the group-add command to mark a new group
+as POSIX, and you can use the same argument to the group-mod command to
+convert a non-POSIX group to a POSIX group. POSIX groups cannot be
+converted to non-POSIX groups.
Every group must have a description.
-Posix groups must have a group id number (gid). Changing a gid is
-supported but can have impact on your file permissions.
+POSIX groups must have a Group ID number (GID). Changing a GID is
+supported but can have impact on your file permissions. It is not necessary
+to supply a GID when creating a group. IPA will generate one automatically
+if it is not provided.
EXAMPLES:
Add a new group:
ipa group-add --desc='local administrators' localadmins
- Add a new posix group:
+ Add a new POSIX group:
ipa group-add --posix --desc='remote administrators' remoteadmins
- Promote a non-posix group to posix:
+ Convert a non-POSIX group to posix:
ipa group-mod --posix localadmins
- Create a group with a specific group ID number"
+ Add a new POSIX group with a specific Group ID number:
ipa group-add --posix --gid=500 --desc='unix admins' unixadmins
+ Add a new POSIX group and let IPA assign a Group ID number:
+ ipa group-add --posix --desc='printer admins' printeradmins
+
Remove a group:
ipa group-del unixadmins
- Manage group membership, nested groups:
+ To add the "remoteadmins" group to the "localadmins" group:
ipa group-add-member --groups=remoteadmins localadmins
- Manage group membership, users:
+ Add a list of users to the "localadmins" group:
ipa group-add-member --users=test1,test2 localadmins
- Manage group membership, users:
+ Remove a user from the "localadmins" group:
ipa group-remove-member --users=test2 localadmins
- Show a group:
+ Display information about a named group.
ipa group-show localadmins
"""
@@ -122,7 +128,7 @@ api.register(group)
class group_add(LDAPCreate):
"""
- Create new group.
+ Create a new group.
"""
msg_summary = _('Added group "%(value)s"')
@@ -176,7 +182,7 @@ api.register(group_del)
class group_mod(LDAPUpdate):
"""
- Modify group.
+ Modify a group.
"""
msg_summary = _('Modified group "%(value)s"')
@@ -218,7 +224,7 @@ api.register(group_find)
class group_show(LDAPRetrieve):
"""
- Display group.
+ Display information about a named group.
"""
api.register(group_show)
@@ -226,7 +232,7 @@ api.register(group_show)
class group_add_member(LDAPAddMember):
"""
- Add members to group.
+ Add members to a group.
"""
api.register(group_add_member)
@@ -234,7 +240,7 @@ api.register(group_add_member)
class group_remove_member(LDAPRemoveMember):
"""
- Remove members from group.
+ Remove members from a group.
"""
api.register(group_remove_member)
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 0df012d4..4d7681c4 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -17,32 +17,40 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Host based access control
+Host-based access control
-Control who can access what services where from where. With HBAC
-you can control which users or groups of users may access a service
-or group of services, additionally restricting the source and source
-hosts.
+Control who can access what services on what hosts and from where. You
+can use HBAC to control which users or groups on a source host can
+access a service, or group of services, on a target host. You can also
+control the times that the rule is active.
-You can also control the times that the rule is active.
+You can also specify a category of users, target hosts, and source
+hosts. This is currently limited to "all", but might be expanded in the
+future.
-It is possible to specify a category of users, hosts or source hosts.
-Currently this is limited to 'all' but may be expanded in the future.
+The access time(s) of a host are cumulative and are not guaranteed to be
+applied in the order displayed.
-Hosts and source hosts must be host entries in IPA (see host plugin).
+Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
+
+The available services and groups of services are controlled by the
+hbacsvc and hbacsvcgroup plug-ins respectively.
EXAMPLES:
- Create a new rule that grants all users access to the host 'server' from
+ Create a rule, "test1", that grants all users access to the host "server" from
anywhere:
ipa hbac-add --type=allow --usercat=all --srchostcat=all test1
ipa hbac-add-host --hosts=server.example.com test1
- Show an HBAC rule:
+ Display the properties of a named HBAC rule:
ipa hbac-show test1
- Add an access time to a rule:
+ Specify that the rule "test1" be active every day between 0800 and 1400:
ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
+
+ Specify that the rule "test1" be active once, from 10:32 until 10:33 on
+ December 16, 2010:
ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
Create a rule for a specific service. This lets the user john access
@@ -51,10 +59,10 @@ EXAMPLES:
ipa hbac-add-user --users=john john_sshd
ipa hbac-add-service --hbacsvcs=sshd john_sshd
- Disable a rule:
+ Disable a named HBAC rule:
ipa hbac-disable test1
- Remove an HBAC rule:
+ Remove a named HBAC rule:
ipa hbac-del allow_server
"""
@@ -186,7 +194,7 @@ api.register(hbac)
class hbac_add(LDAPCreate):
"""
- Create new HBAC rule.
+ Create a new HBAC rule.
"""
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
if not dn.startswith('cn='):
@@ -203,7 +211,7 @@ api.register(hbac_add)
class hbac_del(LDAPDelete):
"""
- Delete HBAC rule.
+ Delete an HBAC rule.
"""
api.register(hbac_del)
@@ -211,7 +219,7 @@ api.register(hbac_del)
class hbac_mod(LDAPUpdate):
"""
- Modify HBAC rule.
+ Modify an HBAC rule.
"""
api.register(hbac_mod)
@@ -227,7 +235,7 @@ api.register(hbac_find)
class hbac_show(LDAPRetrieve):
"""
- Dispaly HBAC rule.
+ Display the properties of an HBAC rule.
"""
api.register(hbac_show)
@@ -235,7 +243,7 @@ api.register(hbac_show)
class hbac_enable(LDAPQuery):
"""
- Enable HBAC rule.
+ Enable an HBAC rule.
"""
def execute(self, cn):
ldap = self.obj.backend
@@ -259,7 +267,7 @@ api.register(hbac_enable)
class hbac_disable(LDAPQuery):
"""
- Disable HBAC rule.
+ Disable an HBAC rule.
"""
def execute(self, cn):
ldap = self.obj.backend
@@ -283,7 +291,7 @@ api.register(hbac_disable)
class hbac_add_accesstime(LDAPQuery):
"""
- Add access time to HBAC rule.
+ Add an access time to an HBAC rule.
"""
takes_options = (
@@ -360,7 +368,7 @@ api.register(hbac_remove_accesstime)
class hbac_add_user(LDAPAddMember):
"""
- Add users and groups affected by HBAC rule.
+ Add users and groups to an HBAC rule.
"""
member_attributes = ['memberuser']
member_count_out = ('%i object added.', '%i objects added.')
@@ -370,7 +378,7 @@ api.register(hbac_add_user)
class hbac_remove_user(LDAPRemoveMember):
"""
- Remove users and groups affected by HBAC rule.
+ Remove users and groups from an HBAC rule.
"""
member_attributes = ['memberuser']
member_count_out = ('%i object removed.', '%i objects removed.')
@@ -380,7 +388,7 @@ api.register(hbac_remove_user)
class hbac_add_host(LDAPAddMember):
"""
- Add hosts and hostgroups affected by HBAC rule.
+ Add target hosts and hostgroups to an HBAC rule
"""
member_attributes = ['memberhost']
member_count_out = ('%i object added.', '%i objects added.')
@@ -390,7 +398,7 @@ api.register(hbac_add_host)
class hbac_remove_host(LDAPRemoveMember):
"""
- Remove hosts and hostgroups affected by HBAC rule.
+ Remove target hosts and hostgroups from a HBAC rule.
"""
member_attributes = ['memberhost']
member_count_out = ('%i object removed.', '%i objects removed.')
@@ -400,7 +408,7 @@ api.register(hbac_remove_host)
class hbac_add_sourcehost(LDAPAddMember):
"""
- Add source hosts and hostgroups affected by HBAC rule.
+ Add source hosts and hostgroups from a HBAC rule.
"""
member_attributes = ['sourcehost']
member_count_out = ('%i object added.', '%i objects added.')
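Review bot: The new docstring for hbac_add_sourcehost, `Add source hosts and hostgroups from a HBAC rule.`, describes adding but says "from"; it should read `Add source hosts and hostgroups to an HBAC rule.`. The same pass left two related slips in this file: hbac_remove_service (later hunk) now reads `Remove source hosts and hostgroups from an HBAC rule.` although its `member_attributes` is `['memberservice']`, so it should say `Remove services from an HBAC rule.`; and hbac_add_host's new docstring `Add target hosts and hostgroups to an HBAC rule` lacks the closing period the others have. These docstrings are the command summaries, presumably shown in CLI help, so the mismatch is user-visible.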
@@ -410,7 +418,7 @@ api.register(hbac_add_sourcehost)
class hbac_remove_sourcehost(LDAPRemoveMember):
"""
- Remove source hosts and hostgroups affected by HBAC rule.
+ Remove source hosts and hostgroups from an HBAC rule.
"""
member_attributes = ['sourcehost']
member_count_out = ('%i object removed.', '%i objects removed.')
@@ -420,7 +428,7 @@ api.register(hbac_remove_sourcehost)
class hbac_add_service(LDAPAddMember):
"""
- Add services affected by HBAC rule.
+ Add services to an HBAC rule.
"""
member_attributes = ['memberservice']
member_count_out = ('%i object added.', '%i objects added.')
@@ -430,7 +438,7 @@ api.register(hbac_add_service)
class hbac_remove_service(LDAPRemoveMember):
"""
- Remove source hosts and hostgroups affected by HBAC rule.
+ Remove source hosts and hostgroups from an HBAC rule.
"""
member_attributes = ['memberservice']
member_count_out = ('%i object removed.', '%i objects removed.')
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
index 2383d70c..d5302cde 100644
--- a/ipalib/plugins/hbacsvc.py
+++ b/ipalib/plugins/hbacsvc.py
@@ -24,16 +24,17 @@ must match the service name that PAM is evaluating.
EXAMPLES:
- Create a new service:
+ Add a new HBAC service:
ipa hbacsvc-add tftp
- Update a service:
- ipa hbacsvc-mod --desc='TFTP service' tftp
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
- Find a service (this will find 2, the ftp service and the new tftp service):
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
ipa hbacsvc-find ftp
- Remove a service:
+ Delete an HBAC service:
ipa hbacsvc-del tftp
"""
@@ -78,7 +79,7 @@ api.register(hbacsvc)
class hbacsvc_add(LDAPCreate):
"""
- Add new HBAC service.
+ Add a new HBAC service.
"""
msg_summary = _('Added service "%(value)s"')
@@ -96,7 +97,7 @@ api.register(hbacsvc_del)
class hbacsvc_mod(LDAPUpdate):
"""
- Modify HBAC service.
+ Modify an HBAC service.
"""
api.register(hbacsvc_mod)
@@ -112,7 +113,7 @@ api.register(hbacsvc_find)
class hbacsvc_show(LDAPRetrieve):
"""
- Display HBAC service.
+ Display information about an HBAC service.
"""
api.register(hbacsvc_show)
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 53a8ca46..70dd32b1 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -19,25 +19,27 @@
"""
HBAC Service Groups
-Manage groups of services for HBAC
+HBAC service groups can contain any number of individual services,
+or "members", and can also contain other service groups. Every group must
+have a description.
EXAMPLES:
-
- Create a group of HBAC services:
+
+ Add a new HBAC services group:
ipa hbacsvcgroup-add --desc="login services" login
- Add some members to a HBAC service group:
+ Add members to an HBAC services group:
ipa hbacsvcgroup-add-member --hbacsvcs=sshd,login login
- Show a group:
+ Display information about a named group:
ipa hbacsvcgroup-show login
- A group can contain other groups, add a new group to login:
+ Add a new group to the "login" group:
ipa hbacsvcgroup-add --desc="switch users" suers
ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l suers
ipa hbacsvsgroup-add-member --hbacsvsgroups=suers login
- Remove a group:
+ Delete an HBAC services group:
ipa hbacsvcgroup-del login
"""
@@ -94,7 +96,7 @@ api.register(hbacsvcgroup)
class hbacsvcgroup_add(LDAPCreate):
"""
- Create new hbacsvcgroup.
+ Add a new HBAC services group.
"""
msg_summary = _('Added HBAC Service group "%(value)s"')
@@ -103,7 +105,7 @@ api.register(hbacsvcgroup_add)
class hbacsvcgroup_del(LDAPDelete):
"""
- Delete hbacsvcgroup.
+ Delete an HBAC services group.
"""
msg_summary = _('Deleted HBAC Service group "%(value)s"')
@@ -112,7 +114,7 @@ api.register(hbacsvcgroup_del)
class hbacsvcgroup_mod(LDAPUpdate):
"""
- Modify hbacsvcgroup.
+ Modify an HBAC services group.
"""
msg_summary = _('Modified HBAC Service group "%(value)s"')
@@ -121,7 +123,7 @@ api.register(hbacsvcgroup_mod)
class hbacsvcgroup_find(LDAPSearch):
"""
- Search the groups.
+ Search for an HBAC services group.
"""
msg_summary = ngettext(
'%(count)d group matched', '%(count)d groups matched', 0
@@ -132,7 +134,7 @@ api.register(hbacsvcgroup_find)
class hbacsvcgroup_show(LDAPRetrieve):
"""
- Display hbacsvcgroup.
+ Display information about an HBAC services group.
"""
api.register(hbacsvcgroup_show)
@@ -140,7 +142,7 @@ api.register(hbacsvcgroup_show)
class hbacsvcgroup_add_member(LDAPAddMember):
"""
- Add members to hbacsvcgroup.
+ Add members to an HBAC services group.
"""
api.register(hbacsvcgroup_add_member)
@@ -148,7 +150,7 @@ api.register(hbacsvcgroup_add_member)
class hbacsvcgroup_remove_member(LDAPRemoveMember):
"""
- Remove members from hbacsvcgroup.
+ Remove members from an HBAC services group.
"""
api.register(hbacsvcgroup_remove_member)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 78d4d5a0..d207f526 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -18,47 +18,49 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Hosts/Machines (Identity)
+Hosts/Machines
A host represents a machine. It can be used in a number of contexts:
- service entries are associated with a host
- a host stores the host/ service principal
-- a host may be used in Host-Based Access Control (HBAC) rules
+- a host can be used in Host-Based Access Control (HBAC) rules
- every enrolled client generates a host entry
ENROLLMENT:
-There are three enrollment scenarios when enrolling a new client.
+There are three enrollment scenarios when enrolling a new client:
-1. You are enrolling as a full administrator (hostadmin rolegroup). The
- host entry may exist or not.
-2. You are enrolling as a limited administrator (enrollhost rolegroup). The
- host must already exist.
+1. You are enrolling as a full administrator. The host entry may exist
+ or not. A full administrator is a member of the hostadmin rolegroup
+ or the admins group.
+2. You are enrolling as a limited administrator. The host must already
+ exist. A limited administrator is a member of the enrollhost rolegroup.
3. The host has been created with a one-time password.
-A host may only be enrolled once. If a client has enrolled and needs to
-be re-enrolled then the host entry needs to be removed and re-created.
-Note that this will result in all services for this host being removed too,
-and all SSL certificates associated with those services to be revoked.
+A host can only be enrolled once. If a client has enrolled and needs to
+be re-enrolled, the host entry must be removed and re-created. Note that
+re-creating the host entry will result in all services for the host being
+removed, and all SSL certificates associated with those services being
+revoked.
A host can optionally store information such as where it is located,
the OS that it runs, etc.
EXAMPLES:
- Create a new host
- ipa host-add --location='3rd floor lab' --locality=Dallas test.example.com
+ Add a new host:
+ ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com
- Remove a host
+ Delete a host:
ipa host-del test.example.com
- Create a new host with a one-time password
+ Add a new host with a one-time password:
ipa host-add --os='Fedora 12' --password=Secret123 test.example.com
- Update information about a host
+ Modify information about a host:
ipa host-mod --os='Fedora 12' test.example.com
- Disable the host kerberos key
+ Disable the host kerberos key:
ipa host-disable test.example.com
"""
@@ -191,7 +193,7 @@ api.register(host)
class host_add(LDAPCreate):
"""
- Create new host.
+ Add a new host.
"""
msg_summary = _('Added host "%(value)s"')
@@ -227,7 +229,7 @@ api.register(host_add)
class host_del(LDAPDelete):
"""
- Delete host.
+ Delete a host.
"""
msg_summary = _('Deleted host "%(value)s"')
@@ -261,7 +263,7 @@ api.register(host_del)
class host_mod(LDAPUpdate):
"""
- Modify host.
+ Modify information about a host.
"""
msg_summary = _('Modified host "%(value)s"')
@@ -328,7 +330,7 @@ api.register(host_find)
class host_show(LDAPRetrieve):
"""
- Display host.
+ Display information about a host.
"""
has_output_params = (
Flag('has_keytab',
@@ -351,7 +353,7 @@ api.register(host_show)
class host_disable(LDAPQuery):
"""
- Disable the kerberos key of this host.
+ Disable the kerberos key of a host.
"""
has_output = output.standard_value
msg_summary = _('Removed kerberos key from "%(value)s"')
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index ff97a139..2f9cbab2 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -20,24 +20,30 @@
"""
Groups of hosts.
-This is useful for Host-Based Access Control (HBAC) to group a series
-of hosts together for applying access control.
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
EXAMPLES:
- Create a new host group:
- ipa hostgroup-add --desc='Baltimore hosts' baltimore
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
- Add some hosts to the group:
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup:
ipa hostgroup-add-member --hosts=box1,box2,box3 baltimore
- Remove a host from the group:
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
ipa hostgroup-remove-member --hosts=box2 baltimore
Display a host group:
ipa hostgroup-show baltimore
- Removey a host group:
+ Delete a hostgroup:
ipa hostgroup-del baltimore
"""
@@ -94,7 +100,7 @@ api.register(hostgroup)
class hostgroup_add(LDAPCreate):
"""
- Create new hostgroup.
+ Add a new hostgroup.
"""
msg_summary = _('Added hostgroup "%(value)s"')
@@ -104,7 +110,7 @@ api.register(hostgroup_add)
class hostgroup_del(LDAPDelete):
"""
- Delete hostgroup.
+ Delete a hostgroup.
"""
msg_summary = _('Deleted hostgroup "%(value)s"')
@@ -114,7 +120,7 @@ api.register(hostgroup_del)
class hostgroup_mod(LDAPUpdate):
"""
- Modify hostgroup.
+ Modify a hostgroup.
"""
msg_summary = _('Modified hostgroup "%(value)s"')
@@ -136,7 +142,7 @@ api.register(hostgroup_find)
class hostgroup_show(LDAPRetrieve):
"""
- Display hostgroup.
+ Display information about a hostgroup.
"""
api.register(hostgroup_show)
@@ -144,7 +150,7 @@ api.register(hostgroup_show)
class hostgroup_add_member(LDAPAddMember):
"""
- Add members to hostgroup.
+ Add members to a hostgroup.
"""
api.register(hostgroup_add_member)
@@ -152,7 +158,7 @@ api.register(hostgroup_add_member)
class hostgroup_remove_member(LDAPRemoveMember):
"""
- Remove members from hostgroup.
+ Remove members from a hostgroup.
"""
api.register(hostgroup_remove_member)
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index 2c797fd1..5d773d20 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -19,13 +19,13 @@
"""
Kerberos ticket policy
-There is a single kerberos ticket policy. This policy defines the
-maximum ticket lifetime (maximum life of a ticket) and maximum renewal
-age, the period during which the ticket is renewable.
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
EXAMPLES:
- Display the current policy:
+ Display the current Kerberos ticket policy:
ipa krbtpolicy-show
Reset the policy to the default:
@@ -85,7 +85,7 @@ api.register(krbtpolicy)
class krbtpolicy_mod(LDAPUpdate):
"""
- Modify kerberos ticket policy.
+ Modify Kerberos ticket policy.
"""
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# disable all flag
@@ -99,7 +99,7 @@ api.register(krbtpolicy_mod)
class krbtpolicy_show(LDAPRetrieve):
"""
- Display kerberos ticket policy.
+ Display the current Kerberos ticket policy.
"""
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
# disable all flag
@@ -123,7 +123,7 @@ api.register(krbtpolicy_show)
class krbtpolicy_reset(LDAPQuery):
"""
- Reset kerberos ticket policy to default.
+ Reset Kerberos ticket policy to the default values.
"""
has_output = output.standard_entry
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index d2ffc404..144505be 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -25,19 +25,19 @@ user and host values.
EXAMPLES:
- Create a new netgroup:
- ipa netgroup-add --desc='NFS admins' admins
+ Add a new netgroup:
+ ipa netgroup-add --desc="NFS admins" admins
- Add a member to the group:
+ Add members to the netgroup:
ipa netgroup-add-member --users=tuser1,tuser2 admins
- Remove a member from the group:
+ Remove a member from the netgroup:
ipa netgroup-remove-member --users=tuser2 admins
- Display a netgroup:
+ Display infromation about a netgroup:
ipa netgroup-show admins
- Remove a netgroup:
+ Delete a netgroup:
ipa netgroup-del admins
"""
@@ -131,7 +131,7 @@ api.register(netgroup)
class netgroup_add(LDAPCreate):
"""
- Create new netgroup.
+ Add a new netgroup.
"""
has_output_params = output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@ -149,7 +149,7 @@ api.register(netgroup_add)
class netgroup_del(LDAPDelete):
"""
- Delete netgroup.
+ Delete a netgroup.
"""
api.register(netgroup_del)
@@ -157,7 +157,7 @@ api.register(netgroup_del)
class netgroup_mod(LDAPUpdate):
"""
- Modify netgroup.
+ Modify a netgroup.
"""
has_output_params = output_params
@@ -166,7 +166,7 @@ api.register(netgroup_mod)
class netgroup_find(LDAPSearch):
"""
- Search the groups.
+ Search for a netgroup.
"""
has_output_params = output_params
@@ -175,7 +175,7 @@ api.register(netgroup_find)
class netgroup_show(LDAPRetrieve):
"""
- Display netgroup.
+ Display information about a netgroup.
"""
has_output_params = output_params
@@ -184,7 +184,7 @@ api.register(netgroup_show)
class netgroup_add_member(LDAPAddMember):
"""
- Add members to netgroup.
+ Add members to a netgroup.
"""
has_output_params = LDAPAddMember.has_output_params + output_params
member_attributes = ['memberuser', 'memberhost']
@@ -220,7 +220,7 @@ api.register(netgroup_add_member)
class netgroup_remove_member(LDAPRemoveMember):
"""
- Remove members from netgroup.
+ Remove members from a netgroup.
"""
has_output_params = LDAPRemoveMember.has_output_params + output_params
member_attributes = ['memberuser', 'memberhost']
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py
index f4f722f1..ef515605 100644
--- a/ipalib/plugins/passwd.py
+++ b/ipalib/plugins/passwd.py
@@ -17,23 +17,21 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-User password changes
+Set a user's password
-Sets a user password. Normally a user can only change their own password.
-
-If someone other than user changes a password (e.g. helpdesk resets it)
+If someone other than user changes their password (e.g., Helpdesk resets it)
then the password will need to be changed the first time it is used.
This is so the end-user is the only one that knows the password.
-Password policy will control how often a password may be changed,
-what strength requirements there are and long the password history is.
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
EXAMPLES:
- Reset your own password:
+ To reset your own password:
ipa passwd
- Change another user's password:
+ To change another user's password:
ipa passwd tuser1
"""
@@ -45,7 +43,7 @@ from ipalib import _
class passwd(Command):
"""
- Change user password.
+ Set a user's password
"""
takes_args = (
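Review bot: The new command docstring `Set a user's password` has no terminating period, while every other command docstring touched in this change (netgroup_*, pwpolicy_*, rolegroup_*, service_*, taskgroup_*, user_*) ends in one; these docstrings are presumably rendered as the command summary, so the output becomes inconsistent. Suggest `Set a user's password.`. The class body continues outside the hunk.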
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index e7cfab65..dbbb4713 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -19,29 +19,31 @@
"""
Password policy
-A password policy sets limitations on passwords including maximum lifetime,
-minimum lifetime, number of passwords to save in history, number of character
-classes required (for stronger passwords) and the password minimum length.
-
-By default there is a single global policy for all users. One can also
-create a password policy associate with a group. A user has only one
-password policy, either the group policy or the global policy. A group
-policy stands alone, it isn't a super-set of the global policy plus
+A password policy sets limitations on IPA passwords, including maximum
+lifetime, minimum lifetime, the number of passwords to save in
+history, the number of character classes required (for stronger passwords)
+and the minimum password length.
+
+By default there is a single, global policy for all users. You can also
+create a password policy to apply to a group. Each user is only subject
+to one password policy, either the group policy or the global policy. A
+group policy stands alone; it is not a super-set of the global policy plus
custom settings.
Each group password policy requires a unique priority setting. If a user
-is in multiple groups that have password policies this priority determines
-which password policy is applied. The lower the value the higher the priority.
+is in multiple groups that have password policies, this priority determines
+which password policy is applied. A lower value indicates a higher priority
+policy.
-A group password policy is automatically removed when the group it is
-assicated with it is removed.
+Group password policies are automatically removed when the groups they
+are associated with are removed.
EXAMPLES:
- Update the global policy:
+ Modify the global policy:
ipa pwpolicy-mod --minlength=10
- Create a group password policy:
+ Add a new group password policy:
ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
Display the global password policy:
@@ -49,11 +51,11 @@ EXAMPLES:
Display a group password policy:
ipa pwpolicy-show localadmins
-
+
Display the policy that would be applied to a given user:
ipa pwpolicy-show --user=tuser1
- Modify a group policy:
+ Modify a group password policy:
ipa pwpolicy-mod --minclasses=2 localadmins
"""
@@ -266,7 +268,7 @@ api.register(pwpolicy)
class pwpolicy_add(LDAPCreate):
"""
- Create new group password policy.
+ Add a new group password policy.
"""
def get_args(self):
yield self.obj.primary_key.clone(attribute=True, required=True)
@@ -295,7 +297,7 @@ api.register(pwpolicy_add)
class pwpolicy_del(LDAPDelete):
"""
- Delete group password policy.
+ Delete a group password policy.
"""
def get_args(self):
yield self.obj.primary_key.clone(attribute=True, required=True)
@@ -312,7 +314,7 @@ api.register(pwpolicy_del)
class pwpolicy_mod(LDAPUpdate):
"""
- Modify group password policy.
+ Modify a group password policy.
"""
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
self.obj.convert_time_on_input(entry_attrs)
@@ -356,7 +358,7 @@ api.register(pwpolicy_mod)
class pwpolicy_show(LDAPRetrieve):
"""
- Display group password policy.
+ Display information about password policy.
"""
takes_options = (
Str('user?',
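Review bot: `Display information about password policy.` on the new side is missing an article; the sibling docstrings in this change use the form `Display information about a …`, so `Display information about a password policy.` keeps them consistent. Dropping "group" from the wording is reasonable given the `user?` option on the last hunk line and the module example `ipa pwpolicy-show --user=tuser1`, which displays whichever policy applies to a user. The class body continues outside the hunk.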
diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py
index 9ff3ef77..99560c46 100644
--- a/ipalib/plugins/rolegroup.py
+++ b/ipalib/plugins/rolegroup.py
@@ -20,36 +20,41 @@
"""
Rolegroups
-A rolegroup is used for fine-grained delegation. Access control rules (ACIs)
-grant permission to performa a given task (add user, modify group, etc) to
-task groups. Role groups are members of task groups, giving them permission
-to perform the task.
+A rolegroup is used for fine-grained delegation. Access control rules
+(ACIs) grant permission to perform given tasks (add a user, modify a group,
+etc.), to task groups. Rolegroups are members of taskgroups, giving them
+permission to perform the task.
-The logic looks like this:
+The logic behind ACIs and rolegroups proceeds as follows:
- ACI grants permission to taskgroup
+ ACIs grants permission to taskgroup
rolegroups are members of taskgroups
- users, groups, hosts and hostgroups are members of role groups
+ users, groups, hosts and hostgroups are members of rolegroups
-A host/hostgroup may be members because you may want to perform
+Rolegroups can contain both hosts and hostgroups, enabling
operations using the host service principal associated with a machine.
-A rolegroup may not be members of other rolegroups.
+Rolegroups can not contain other rolegroups.
EXAMPLES:
- Create a new role group:
- ipa rolegroup-add --desc="Junion level admin" junioradmin
+ Add a new rolegroup:
+ ipa rolegroup-add --desc="Junior-level admin" junioradmin
- Add this role to some tasks
+ Add this role to some tasks:
ipa taskgroup-add-member --rolegroups=junioradmin addusers
ipa taskgroup-add-member --rolegroups=junioradmin change_password
ipa taskgroup-add-member --rolegroups=junioradmin add_user_to_default_group
+ Yes, this can seem backwards. The taskgroup is the entry that is granted
+ permissions by the ACIs. By adding a rolegroup as a member of a taskgroup
+ it inherits those permissions.
+
Add a group of users to this role:
- ipa rolegroup-add-member --groups=junioradmins junioradmin
+ ipa group-add --desc="User admins" useradmins
+ ipa rolegroup-add-member --groups=useradmins junioradmin
- Display this role group:
+ Display information about a rolegroup:
ipa rolegroup-show junioradmin
"""
@@ -104,7 +109,7 @@ api.register(rolegroup)
class rolegroup_add(LDAPCreate):
"""
- Create new rolegroup.
+ Add a new rolegroup.
"""
msg_summary = _('Added rolegroup "%(value)s"')
@@ -114,7 +119,7 @@ api.register(rolegroup_add)
class rolegroup_del(LDAPDelete):
"""
- Delete rolegroup.
+ Delete a rolegroup.
"""
msg_summary = _('Deleted rolegroup "%(value)s"')
@@ -124,7 +129,7 @@ api.register(rolegroup_del)
class rolegroup_mod(LDAPUpdate):
"""
- Edit rolegroup.
+ Modify a rolegroup.
"""
msg_summary = _('Modified rolegroup "%(value)s"')
@@ -146,7 +151,7 @@ api.register(rolegroup_find)
class rolegroup_show(LDAPRetrieve):
"""
- Display rolegroup.
+ Display information about a rolegroup.
"""
api.register(rolegroup_show)
@@ -154,7 +159,7 @@ api.register(rolegroup_show)
class rolegroup_add_member(LDAPAddMember):
"""
- Add member to rolegroup.
+ Add members to a rolegroup.
"""
api.register(rolegroup_add_member)
@@ -162,7 +167,7 @@ api.register(rolegroup_add_member)
class rolegroup_remove_member(LDAPRemoveMember):
"""
- Remove member from rolegroup.
+ Remove members from a rolegroup.
"""
api.register(rolegroup_remove_member)
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index c9ae0b88..50e8d54f 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -19,44 +19,54 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Services (Identity)
+Services
-A service represents a running service on a host. This service record
-may store a kerberos principal or an SSL certificate (or both).
+A IPA service represents a service that runs on a host. The IPA service
+record can store a Kerberos principal, an SSL certificate, or both.
-A service may be managed directly by a machine, if it has been given
-the proper permission (even a machine other than the one the service is
-associated with). An example of this is requesting an SSL certificate
-using the host service principal credentials of the host.
+An IPA service can be managed directly from a machine, provided that
+machine has been given the correct permission. This is true even for
+machines other than the one the service is associated with. For example,
+requesting an SSL certificate using the host service principal credentials
+of the host. To manage a services using a host credentials you need to
+kinit as the host:
-Adding a service makes it possible to request an SSL certificate or
-keytab for that service but this is done as a separate step later. The
-creation of a service in itself doesn't generate these.
+ # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
-The certificate stored in a service is just the public portion. The
-private key is not stored.
+Adding an IPA service allows the associated service to request an SSL
+certificate or keytab, but this is performed as a separate step; they
+are not produced as a result of adding the service.
+
+Only the public aspect of a certificate is stored in a service record;
+the private key is not stored.
EXAMPLES:
- Add a service:
+ Add a new IPA service:
ipa service-add HTTP/web.example.com
- Allow a host to manage the service certificate:
+ Allow a host to manage an IPA service certificate:
ipa service-add-host --hosts=web.example.com HTTP/web.example.com
ipa rolegroup-add-member --hosts=web.example.com certadmin
- Remove a service:
+ Delete an IPA service:
ipa service-del HTTP/web.example.com
- Find all services for a host:
+ Find all IPA services assicated with a host:
ipa service-find web.example.com
Find all HTTP services:
ipa service-find HTTP
- Disable a service kerberos key:
+ Disable a service Kerberos key:
ipa service-disable HTTP/web.example.com
+ Request a certificate for an IPA service:
+ ipa cert-request --principal=HTTP/web.example.com example.csr
+
+ Generate and retrieve a keytab for an IPA service:
+ ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
+
"""
import base64
@@ -161,7 +171,7 @@ api.register(service)
class service_add(LDAPCreate):
"""
- Add new service.
+ Add a new IPA new service.
"""
msg_summary = _('Added service "%(value)s"')
member_attributes = ['managedby']
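Review bot: The new docstring `Add a new IPA new service.` repeats `new`; it should read `Add a new IPA service.`. This string is the command's user-visible summary, so the duplication will show up in help output. The class body continues outside the hunk.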
@@ -209,7 +219,7 @@ api.register(service_add)
class service_del(LDAPDelete):
"""
- Delete an existing service.
+ Delete an IPA service.
"""
msg_summary = _('Deleted service "%(value)s"')
member_attributes = ['managedby']
@@ -246,7 +256,7 @@ api.register(service_del)
class service_mod(LDAPUpdate):
"""
- Modify service.
+ Modify an existing IPA service.
"""
msg_summary = _('Modified service "%(value)s"')
takes_options = LDAPUpdate.takes_options + (
@@ -282,7 +292,7 @@ api.register(service_mod)
class service_find(LDAPSearch):
"""
- Search for services.
+ Search for IPA services.
"""
msg_summary = ngettext(
'%(count)d service matched', '%(count)d services matched'
@@ -324,7 +334,7 @@ api.register(service_find)
class service_show(LDAPRetrieve):
"""
- Display service.
+ Display information about an IPA service.
"""
member_attributes = ['managedby']
takes_options = LDAPRetrieve.takes_options + (
@@ -370,7 +380,7 @@ api.register(service_remove_host)
class service_disable(LDAPQuery):
"""
- Disable the kerberos key of this service.
+ Disable the Kerberos key of a service.
"""
has_output = output.standard_value
msg_summary = _('Removed kerberos key from "%(value)s"')
diff --git a/ipalib/plugins/taskgroup.py b/ipalib/plugins/taskgroup.py
index e9e95448..0ee90474 100644
--- a/ipalib/plugins/taskgroup.py
+++ b/ipalib/plugins/taskgroup.py
@@ -20,11 +20,13 @@
"""
Taskgroups
-A taskgroup is used for fine-grained delegation. Access control rules (ACIs)
-grant permission to performa a given task (add user, modify group, etc) to
-task groups.
+A taskgroup enables fine-grained delegation of permissions. Access Control
+Rules, or instructions (ACIs), grant permission to taskgroups to perform
+given tasks such as adding a user, modifying a group, etc.
A taskgroup may not be members of other taskgroups.
+
+See rolegroup and aci for additional information.
"""
from ipalib.plugins.baseldap import *
@@ -79,7 +81,7 @@ api.register(taskgroup)
class taskgroup_add(LDAPCreate):
"""
- Create new taskgroup.
+ Add a new taskgroup.
"""
msg_summary = _('Added taskgroup "%(value)s"')
@@ -89,7 +91,7 @@ api.register(taskgroup_add)
class taskgroup_del(LDAPDelete):
"""
- Delete taskgroup.
+ Delete a taskgroup.
"""
msg_summary = _('Deleted taskgroup "%(value)s"')
@@ -99,7 +101,7 @@ api.register(taskgroup_del)
class taskgroup_mod(LDAPUpdate):
"""
- Modify taskgroup.
+ Modify a taskgroup.
"""
msg_summary = _('Modified taskgroup "%(value)s"')
@@ -121,7 +123,7 @@ api.register(taskgroup_find)
class taskgroup_show(LDAPRetrieve):
"""
- Display taskgroup.
+ Display information about a taskgroup.
"""
api.register(taskgroup_show)
@@ -129,7 +131,7 @@ api.register(taskgroup_show)
class taskgroup_add_member(LDAPAddMember):
"""
- Add member to taskgroup.
+ Add members to a taskgroup.
"""
api.register(taskgroup_add_member)
@@ -137,7 +139,7 @@ api.register(taskgroup_add_member)
class taskgroup_remove_member(LDAPRemoveMember):
"""
- Remove member from taskgroup.
+ Remove members from a taskgroup.
"""
api.register(taskgroup_remove_member)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f698aa70..5841d7a0 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -18,19 +18,23 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Users (Identity)
+Users
-Manage user entries.
+Manage user entries. All users are POSIX users.
+
+Locking a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
EXAMPLES:
- Create a new user:
+ Add a new user:
ipa user-add --first=Tim --last=User --passwd tuser1
- Find a user Tim:
+ Find all users whose entries include the string "Tim":
ipa user-find Tim
- Find all users with Tim as the first name:
+ Find all users with "Tim" as the first name:
ipa user-find --first=Tim
Lock a user account:
@@ -156,7 +160,7 @@ api.register(user)
class user_add(LDAPCreate):
"""
- Create new user.
+ Add a new user.
"""
msg_summary = _('Added user "%(value)s"')
@@ -205,7 +209,7 @@ api.register(user_add)
class user_del(LDAPDelete):
"""
- Delete user.
+ Delete a user.
"""
msg_summary = _('Deleted user "%(value)s"')
@@ -224,7 +228,7 @@ api.register(user_del)
class user_mod(LDAPUpdate):
"""
- Modify user.
+ Modify a user.
"""
msg_summary = _('Modified user "%(value)s"')
@@ -246,7 +250,7 @@ api.register(user_find)
class user_show(LDAPRetrieve):
"""
- Display user.
+ Display information about a user.
"""
api.register(user_show)
@@ -254,7 +258,7 @@ api.register(user_show)
class user_lock(LDAPQuery):
"""
- Lock user account.
+ Lock a user account.
"""
has_output = output.standard_value
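Review bot: The new docstring `Lock a user account.` does not carry the caveat the same commit adds to the module docstring — that locking only prevents new Kerberos credentials from being obtained and does not invalidate credentials already issued. An administrator acting on a suspected compromise will most likely read the command's own summary rather than the module text, so that is where the limitation should be stated; suggest `Lock a user account. This prevents new Kerberos credentials from being obtained but does not invalidate credentials already issued.`. The class body continues outside the hunk.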
@@ -280,7 +284,7 @@ api.register(user_lock)
class user_unlock(LDAPQuery):
"""
- Unlock user account.
+ Unlock a user account.
"""
has_output = output.standard_value