summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Add missing example to sudoruleMartin Kosek2014-01-151-1/+20
| | | | https://fedorahosted.org/freeipa/ticket/4090
* Change the way we determine if the host has a password set.Rob Crittenden2014-01-151-1/+1
| | | | | | | | | | When creating a host with a password we don't set a Kerberos principal or add the Kerberos objectclasses. Those get added when the host is enrolled. If one passed in --password= (so no password) then we incorrectly thought the user was in fact setting a password, so the principal and objectclasses weren't updated. https://fedorahosted.org/freeipa/ticket/4102
* Use old entry state in LDAPClient.update_entry.Jan Cholasta2014-01-101-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3488
* hbactest does not work for external usersMartin Kosek2014-01-101-3/+5
| | | | | | | | | | Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched. https://fedorahosted.org/freeipa/ticket/3803
* Allow anonymous and all permissionsPetr Viktorin2014-01-072-2/+40
| | | | | | | Disallow adding permissions with non-default bindtype to privileges Ticket: https://fedorahosted.org/freeipa/ticket/4032 Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
* Use new registration API in the privilege pluginPetr Viktorin2014-01-071-20/+14
|
* Add OTP support to ipalib CLINathaniel McCallum2013-12-183-2/+339
| | | | https://fedorahosted.org/freeipa/ticket/3368
* permission_find: Do not fail for ipasearchrecordslimit=-1Petr Viktorin2013-12-171-1/+2
| | | | | | | ipasearchrecordslimit can be -1, which means unlimited. The permission_find post_callback failed in this case in legacy permission handling. Do not fail in this case.
* Remove default from the ipapermlocation optionPetr Viktorin2013-12-131-1/+0
| | | | | | | The value from my machine ended up wired into API.txt, so builds on other machines would fail. Correct the mistake.
* Make sure SYSTEM permissions can be retreived with --all --rawPetr Viktorin2013-12-131-2/+10
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
* permission plugin: Ensure ipapermlocation (subtree) always existsPetr Viktorin2013-12-131-0/+10
|
* Roll back ACI changes on failed permission updatesPetr Viktorin2013-12-131-11/+52
|
* Verify ACIs are added correctly in testsPetr Viktorin2013-12-131-4/+10
| | | | | | | To double-check the ACIs are correct, this uses different code than the new permission plugin: the aci_show command. A new option, location, is added to the command to support these checks.
* Rewrite the Permission pluginPetr Viktorin2013-12-132-336/+704
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Permissions_V2
* trust: fix get_dn() to distinguish creating and re-adding trustsAlexander Bokovoy2013-12-111-2/+2
| | | | | | | | | | | Latest support for subdomains introduced regression that masked difference between newly added trust and re-added one. Additionally, in case no new subdomains were found, the code was returning None instead of an empty list which later could confuse trustdomain-find command. https://fedorahosted.org/freeipa/ticket/4067
* Fix internal error in the user-status command.Jan Cholasta2013-12-101-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/4066
* Add RADIUS proxy support to ipalib CLINathaniel McCallum2013-12-033-9/+226
| | | | https://fedorahosted.org/freeipa/ticket/3368
* migrate-ds added --ca-cert-file=FILE optionMartin Basti2013-12-021-3/+22
| | | | | | | FILE is used to specify CA certificate for DS connection when TLS is required (ldaps://...). Ticket: https://fedorahosted.org/freeipa/ticket/3243
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-3/+10
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* Switch client to JSON-RPCPetr Viktorin2013-11-261-3/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* trusts: Do not pass base-id to the subdomain rangesTomas Babej2013-11-221-0/+5
| | | | | | | | | | | | | | | For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs. In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established. https://fedorahosted.org/freeipa/ticket/4041
* Break long doc string in the Host pluginPetr Viktorin2013-11-211-12/+11
| | | | | | Also split the translations in French and Ukraininan Part of https://fedorahosted.org/freeipa/ticket/3587
* Add userClass attribute for usersAna Krivokapic2013-11-191-3/+19
| | | | | | | | | This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems https://fedorahosted.org/freeipa/ticket/3588
* Add automember rebuild command to the web UIAna Krivokapic2013-11-151-4/+6
| | | | | Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3928
* Fix error message when adding duplicate automember ruleAna Krivokapic2013-11-152-4/+5
| | | | | | Also fix object_name and object_name_plural for automember rules. https://fedorahosted.org/freeipa/ticket/2708
* Add automember rebuild commandAna Krivokapic2013-11-151-10/+133
| | | | | | | | | | | Add a new command to IPA CLI: ipa automember-rebuild The command integrates the automember rebuild membership task functionality into IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups. Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3752
* Add support for managing user auth typesNathaniel McCallum2013-11-082-5/+22
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-052-6/+6
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Remove AllowLMhash from the allowed IPA config stringsSumit Bose2013-11-011-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3795
* Always use lists for values in LDAPEntry internally.Jan Cholasta2013-10-311-0/+2
| | | | | | | Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce lists for attribute values, this will be removed. https://fedorahosted.org/freeipa/ticket/3521
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-5/+5
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Use new ipaldap entry API in aci and permission pluginPetr Viktorin2013-10-302-23/+27
|
* Update Permission and ACI plugins to decorator registration APIPetr Viktorin2013-10-302-30/+24
|
* trusts: Fix typo in error message for realm-domain mismatchTomas Babej2013-10-251-2/+2
|
* trusts: combine filters with AND to make sure only the intended domain matchesJakub Hrozek2013-10-241-1/+2
|
* Get the created range type in case of re-establishing trustTomas Babej2013-10-211-0/+2
| | | | | | | This is a regression fix introduced by commit id: 285ed59889590ddd0d6ca2e2a030b28527941cbf Fixes internal error in case of re-establishing the trust.
* trusts: Do not create ranges for subdomains in case of POSIX trustTomas Babej2013-10-141-11/+39
| | | | | | For the AD trusts where the ID range for the root level domain is of ipa-ad-trust-posix type, do not create a separate ranges for the subdomains, since POSIX attributes provide global mapping.
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-0/+6
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-3/+20
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-1/+0
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-51/+278
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* Do not add trust to AD in case of IPA realm-domain mismatchTomas Babej2013-10-031-0/+13
| | | | | | | | Make sure that trust-add command fails when admin attempts to add an Active Directory trust when the realm name and the domain name of the IPA server do not match. https://fedorahosted.org/freeipa/ticket/3923
* Use correct super-calls in get_args() methodsPetr Viktorin2013-10-021-22/+8
| | | | | | | | | | The get_args methods in ipalib.crud and ipalib.plugins.baseldap used super() calls that skipped some of the classes in the inheritance chain, and contained code that reimplemented some of the skipped functionality. This made it difficult to customize the get_args behavior. Use proper super() calls.
* Fix service-disable in CA-less install.Jan Cholasta2013-08-291-20/+21
| | | | https://fedorahosted.org/freeipa/ticket/3886
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-0/+44
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Fix incorrect error message occurence when re-adding the trustTomas Babej2013-08-271-1/+1
| | | | | | | | | You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that range_size parameter has default value. However, default value is assigned only later in the add_range function. https://fedorahosted.org/freeipa/ticket/3870
* Add base-id, range-size and range-type options to trust-add dialogPetr Vobornik2013-08-221-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3049
* Allow API plugin registration via a decoratorPetr Viktorin2013-08-141-3/+5
| | | | | | | | | | | | This makes plugin registration easier to read, less error-prone, and, for many Plugins in a single module, faster to write. Functionally, the decorator is equivalent to current plugin registration. However, in the future this style will allow cleaner semantics. As an example, and to exercise the new syntax to prevent regressions, the ping plugin is converted to this style.
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-1/+1
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-6/+4
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
generated by cgit (git 2.34.1) at 2024-06-08 04:39:31 +0000