| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
The first method to be extracted is handle_errors
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
| |
The ldap2 plugin should only contain the actual CRUDBackend plugin.
Common LDAP classes are moved to ipaldap.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
| |
This decision used the api object, which might not be available
in installer code. Move the decision to callers.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
|
|
|
| |
The connection code depends on the api object. If we want to use
the cache in installer code, where the api object is not always
available, the dependency must be removed.
Luckily, SchemaCache.get_schema is currently always given a connection.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
|
|
|
| |
Legacy Entry methods such as setValue are added to LDAPEntry directly,
so that we can use connection classes that return LDAPEntry with
code that expects Entries.
The Entry and its unique __init__ are still kept for compatibility.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
|
|
| |
This change makes it easier to see what is going on, in addition
to getting rid of pylint exceptions.
Also, make logging imports use explicit names instead of `import *`.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
| |
The two classes were nearly identical, and the updater is
the only code that uses Entity.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
| |
These classes are deprecated, there's no use keeping unused methods around.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
| | |
|
| |
|
|
|
|
|
| |
We did not have the includedir directory with a trailing slash which made
rpm update add a redundant line.
https://fedorahosted.org/freeipa/ticket/3132
|
| |
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3427
|
| |
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3426
|
| |
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3425
|
| |
|
|
|
|
| |
A wrong logic was used to check ipactx.
Fixes https://fedorahosted.org/freeipa/ticket/3424
|
| |
|
|
|
|
|
| |
ipa_mspac_well_known_sids is a globally defined array so the check was
always true.
Fixes https://fedorahosted.org/freeipa/ticket/3423
|
| |
|
|
|
|
|
| |
There was a code path where ret was used instead of kerr to save a
return value.
Fixes https://fedorahosted.org/freeipa/ticket/3422
|
| | |
|
| |
|
|
|
|
|
|
| |
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
|
| |
|
|
|
|
|
|
|
|
| |
Some commands require a connection for interactive prompting.
Prompt after the connection is created.
Option parsing is still done before connecting so that help
can be printed out without a Kerberos ticket.
https://fedorahosted.org/freeipa/ticket/3453
|
| |
|
|
|
|
| |
When modifing the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
|
| |
|
|
|
|
|
| |
Current master branch represents future release of FreeIPA (3.2).
Bump VERSION so that current development packages are not being
updated with freeipa-3.1.x packages already released in downstream
repositories.
|
| |
|
|
|
| |
The make-test script now returns 1 in case that any of the test
cases that were run failed.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
| |
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/3352
Design: http://freeipa.org/page/V3/Drop_CSV
|
| |
|
|
|
|
| |
These were never set to anything but the defaults.
Part of work for https://fedorahosted.org/freeipa/ticket/3352
|
| |
|
|
|
|
|
|
|
| |
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
|
| |
|
|
|
|
|
|
| |
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331
|
| |
|
|
|
|
|
| |
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The messages module contains message classes that can be added
to a RPC response to provide additional information or warnings.
This patch adds only the module with a single public message,
VersionMissing, and unit tests.
Since message classes are very similar to public errors, some
functionality and unit tests were shared.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732
https://fedorahosted.org/freeipa/ticket/3294
|
| |
|
|
|
|
| |
freeipa.profile was updated accordingly to contain all modules in dojo layer.
This change removes expected errors during the build and therefore it won't confuse others during rpm build. It also helps during development because developer will notice real dependency errors (those not specified this way).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One can specify module ids provided by other means (already built layer file) in providedMids array of build profile file's package section. Builder then ignores dependency errors for specified modules. This allows to build layers without source codes of their dependencies, with no expected errors raised.
Example:
packages:[
{
name: "freeipa",
location: "freeipa",
providedMids: [
'dojo/_base/declare',
'dojo/_base/lang',
'dojo/_base/array',
'dojo/Stateful'
//etc
]
}
],
|
| |
|
|
|
|
|
|
|
|
|
| |
Develop.js contains code useful only for debugging. It is not part of FreeIPA
release.
Is loaded by typing require(['freeipa/develop']); in browser JS console.
It adds IPA global variable and provide easier way of loading AMD modules into
window.ipadev[providedNameOrModuleName] variable.
https://fedorahosted.org/freeipa/ticket/112
|
| |
|
|
|
|
|
|
|
|
| |
Random domain name may bring undererministic behavior. It also breaks
the test on some systems as string.lowercase is locale dependent and
can return non-ASCII letters and thus later break the unicode encoding
and raise UnicodeDecodeError.
Use a fixed domain in "test" TLD instead. This domain is guaranteed to
be not existent.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
|
| |
|
|
|
|
|
| |
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
|
| |
|
|
| |
Tests included.
|
| |
|
|
|
|
|
|
|
| |
Since sudo commands are case-sensitive, we can't use 'sudocmd'
as the RDN.
Tests for case-sensitive behavior included
https://fedorahosted.org/freeipa/ticket/2482
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.
The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.
https://fedorahosted.org/freeipa/ticket/3402
|
| |
|
|
|
|
|
|
| |
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
|
| |
|
|
|
|
|
| |
Explain how autodiscovery and failover works and which options
are important for these elements.
https://fedorahosted.org/freeipa/ticket/3383
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3334
|
| |
|
|
|
|
|
|
|
| |
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945
|
| |
|
|
|
|
|
|
|
| |
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
|
