summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix structured DNS record outputMartin Kosek2013-03-221-0/+2
| | | | | | | | | | | | | Recent LDAP refactoring replaced entry_attrs regular dict with normalized keys (i.e. lowercase) with LDAPEntry instance which keys may not be normalized. This broke CND command output when --structured and --all options were used. Force lowercase normalization of the LDAPEntry keys in DNS plugin structured format postprocessing. Also add a missing test for DNS record structured output. https://fedorahosted.org/freeipa/ticket/3526
* Realm Domains pageAna Krivokapic2013-03-182-3/+10
| | | | | | Add support for Realm Domains to web UI. https://fedorahosted.org/freeipa/ticket/3407
* Web UI:Choose different search option for cert-findPetr Vobornik2013-03-181-0/+12
| | | | | | | | | | This extends certificate search page by search option select. Therefore the search is not restricted to 'subject'. It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in a future. https://fedorahosted.org/freeipa/ticket/3419
* Web UI:Certificate pagesPetr Vobornik2013-03-181-0/+7
| | | | | | | | | | | | | | | | | Following pages were added to Web UI: * certificated details * certificate search Certificate is not regular object so it gets no metadata. Therefore artificial metadata were created for it to allow usage of search and details facet. Search and details facet were modified to allow removing of add/remove/update/ reset buttons - certificates have no mod operation and they are not added by standard means. User can revoke and restore certificated in details facet. https://fedorahosted.org/freeipa/ticket/3419
* Improve error messages for external group membersAna Krivokapic2013-03-142-4/+27
| | | | | | | | | | | | | | | | | When adding a duplicate member to a group, an error message is issued, informing the user that the entry is already a member of the group. Similarly, when trying to delete an entry which is not a member, an error message is issued, informing the user that the entry is not a member of the group. These error messages were missing in case of external members. This patch also adds support for using the AD\name or name@ad.domain.com format in ipa group-remove-member command. This format was supported in group-add-member, but not in group-remove-member. Unit test file covering these cases was also added. https://fedorahosted.org/freeipa/ticket/3254
* Enforce exact SID match when adding or modifying a ID rangeTomas Babej2013-03-141-1/+1
| | | | | | | | SID validation in idrange.py now enforces exact match on SIDs, thus one can no longer use SID of an object in a trusted domain as a trusted domain SID. https://fedorahosted.org/freeipa/ticket/3432
* Do not hide idrange-add errors when adding trustMartin Kosek2013-03-131-9/+6
| | | | | | | | | | | We catched all errors that could be raised by idrange-add command and just raised an uncomprehensible ValidationError. This could hide a real underlying problem and make the debugging harder. We should rather just let the command raise the real error (which will be already a PublicError). https://fedorahosted.org/freeipa/ticket/3288
* Remove implicit Str to DN conversion using *-attrTomas Babej2013-03-131-6/+0
| | | | | | | | | | | DNs represented as strings and passed via --setattr or --addattr are no longer implicitly converted to DN type. This solves various errors associated with this behaviour, see tickets below. Unit tests added. https://fedorahosted.org/freeipa/ticket/3348 https://fedorahosted.org/freeipa/ticket/3349
* Remove unneeded python-ldap importsPetr Viktorin2013-03-132-10/+9
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-113-14/+27
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Allow 'nfs:NONE' in global configurationSumit Bose2013-03-081-1/+1
| | | | | | | | | | | | This patch adds 'nfs:NONE' as an allowed entry for the global authorization data type in the CLI and WebUI. This is an ad-hoc solution to make sure that the new default value for the NFS service is not removed by chance. This patch should be removed if a more generic solution is implemented to modify service:TYPE style values of the authorization data type. https://fedorahosted.org/freeipa/ticket/2960
* Mention PAC issue with NFS in service plugin docSumit Bose2013-03-081-1/+7
| | | | https://fedorahosted.org/freeipa/ticket/2960
* Fix internal error in output_for_cli method of sudorule_{enable,disable}.Jan Cholasta2013-03-061-4/+4
| | | | | | | Also fix incorrect super method call in output_for_cli method of sudorule_{add,remove}_option. https://fedorahosted.org/freeipa/ticket/3489
* Fix remove while iterating in suppress_netgroup_memberof.Jan Cholasta2013-03-062-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3464
* Web UI: configurable SID blacklistsPetr Vobornik2013-03-061-0/+1
| | | | | | | Added blacklists section, with ipantsidblacklistincoming and ipantsidblacklistoutgoing multivalued textbox fields, into trust details page. https://fedorahosted.org/freeipa/ticket/3289
* Remove support for DN normalization from LDAPClient.Jan Cholasta2013-03-011-3/+2
|
* Remove DN normalization from the baseldap plugin.Jan Cholasta2013-03-017-56/+27
|
* Use full DNs in plugin code.Jan Cholasta2013-03-0114-36/+55
|
* Support attributes with multiple names in LDAPEntry.Jan Cholasta2013-03-011-2/+0
|
* Preserve case of attribute names in LDAPEntry.Jan Cholasta2013-03-013-8/+11
|
* Use the dn attribute of LDAPEntry to set/get DNs of entries.Jan Cholasta2013-03-017-33/+65
| | | | | Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove some unused importsPetr Viktorin2013-03-011-3/+1
| | | | | | Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper
* Add custom mapping object for LDAP entry data.Jan Cholasta2013-03-016-28/+28
|
* Add trusted domain range objectclass when using idrange-modTomas Babej2013-02-261-0/+5
| | | | | | When modifing the idrange, one was able to add ipa NT trusted AD domain sid without objectclass ipatrustedaddomainrange being added. This patch fixes the issue.
* Make options checks in idrange-add/mod consistentTomas Babej2013-02-261-16/+46
| | | | | | | | | | | | Both now enforce the following checks: - dom_sid and secondary_rid_base cannot be used together - rid_base must be used together if dom_rid is set - secondary_rid_base and rid_base must be used together if dom_rid is not set Unit test for third check has been added. http://fedorahosted.org/freeipa/ticket/3170
* Update plugin docstrings (topic help) to reflect dropped CSV supportPetr Viktorin2013-02-2210-19/+21
| | | | https://fedorahosted.org/freeipa/ticket/3352
* Update argument docs to reflect dropped CSV supportPetr Viktorin2013-02-228-29/+27
| | | | https://fedorahosted.org/freeipa/ticket/3352
* Fix permission validation and normalization in aci.pyPetr Viktorin2013-02-221-13/+10
| | | | | | | | | The code split the permission string on commas, essentially doing poor man's CSV parsing. So if a permission contained a comma-separated list of valid permissions, validation would pass but we'd get errors later. https://fedorahosted.org/freeipa/ticket/3420
* Rename the "messages" Output of the i18n_messages command to "texts"Petr Viktorin2013-02-211-3/+3
| | | | | | | This is to prevent a fatal name clash wih the new common "messages" Output. Since i18n_messages is an internal plugin, the change does not affect our public API.
* Add the version option to all CommandsPetr Viktorin2013-02-2111-18/+21
| | | | | | | | | | | | | | | | | | | | | | | | | Several Commands were missing the 'version' option. Add it to those that were missing it. Do not remove the version option before calling commands. This means methods such as execute(), forward(), run() receive it. Several of these needed `**options` added to their signatures. Commands in the Cert plugin passed any unknown options to the underlying functions, these are changed to pass what's needed explicitly. Some commands in DNS and Batch plugins now pass version to commands they call. When the option is not given, fill it in automatically. (In a subsequent commit, a warning will be added in this case). Note that the public API did not change: all RPC calls already accepted a version option. There's no need for an API version bump (even though API.txt changes substantially). Design page: http://freeipa.org/page/V3/Messages Tickets: https://fedorahosted.org/freeipa/ticket/2732 https://fedorahosted.org/freeipa/ticket/3294
* Avoid internal error when user is not Trust adminMartin Kosek2013-02-201-1/+1
| | | | | | | | | | | | | | | When user tries to perform any action requiring communication with trusted domain, IPA server tries to retrieve a trust secret on his behalf to be able to establish the connection. This happens for example during group-add-member command when external user is being resolved in the AD. When user is not member of Trust admins group, the retrieval crashes and reports internal error. Catch this exception and rather report properly formatted ACIError. Also make sure that this exception is properly processed in group-add-member post callback. https://fedorahosted.org/freeipa/ticket/3390
* Prevent a sudo command from being deleted if it is a member of a sudo rulePetr Viktorin2013-02-201-0/+26
| | | | Tests included.
* Use ipauniqueid for the RDN of sudo commandsPetr Viktorin2013-02-201-0/+1
| | | | | | | | | Since sudo commands are case-sensitive, we can't use 'sudocmd' as the RDN. Tests for case-sensitive behavior included https://fedorahosted.org/freeipa/ticket/2482
* Prevent changing protected group's name using --setattrTomas Babej2013-02-191-1/+1
| | | | | | | | The name of any protected group now cannot be changed by modifing the cn attribute using --setattr. Unit tests have been added to make sure there is no regression. https://fedorahosted.org/freeipa/ticket/3354
* Implement the cert-find command for the dogtag CA backend.Rob Crittenden2013-02-191-2/+135
| | | | | | | | | | | | | | | | Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528
* Add list of domains associated to our realm to cn=etcAna Krivokapic2013-02-191-0/+141
| | | | | | | | | Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945
* Add option to specify SID using domain name to idrange-add/modTomas Babej2013-02-181-13/+81
| | | | | | | | | | When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it down in CLI. If the lookup fails, error message asking the user to specify the SID manually is shown. https://fedorahosted.org/freeipa/ticket/3133
* Fix hbachelp examples formattingMartin Kosek2013-02-141-23/+23
| | | | | | Add correct labeling of matched/nonmatched output attributes. Also make sure that "\" is not interpreted as newline escape character but really as a "\" character.
* Add support for AD users to hbactest commandMartin Kosek2013-02-141-10/+131
| | | | | | | | | | | | | | | | | | | | | How this works: 1. When a trusted domain user is tested, AD GC is searched for the user entry Distinguished Name 2. The user entry is then read from AD GC and its SID and SIDs of all its assigned groups (tokenGroups attribute) are retrieved 3. The SIDs are then used to search IPA LDAP database to find all external groups which have any of these SIDs as external members 4. All these groups having these groups as direct or indirect members are added to hbactest allowing it to perform the search LIMITATIONS: - only Trusted Admins group members can use this function as it uses secret for IPA-Trusted domain link - List of group SIDs does not contain group memberships outside of the trusted domain https://fedorahosted.org/freeipa/ticket/2997
* Do not hide SID resolver error in group-add-memberMartin Kosek2013-02-141-3/+0
| | | | | | | | | When group-add-member does not receive any resolved trusted domain object SID, it raises an exception which hides any useful error message passed by underlying resolution methods. Remove the exception to reveal this error messages to user. https://fedorahosted.org/freeipa/ticket/2997
* Generalize AD GC searchMartin Kosek2013-02-141-4/+5
| | | | | | | | | | | | | | Modify access methods to AD GC so that callers can specify a custom basedn, filter, scope and attribute list, thus allowing it to perform any LDAP search. Error checking methodology in these functions was changed, so that it rather raises an exception with a desription instead of simply returning a None or False value which would made an investigation why something does not work much more difficult. External membership method in group-add-member command was updated to match this approach. https://fedorahosted.org/freeipa/ticket/2997
* Add SID blacklist attributesMartin Kosek2013-02-121-6/+38
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add trusconfig-show and trustconfig-mod commandsMartin Kosek2013-02-111-7/+183
| | | | | | | | | | | | Global trust configuration is generated ipa-adtrust-install script is run. Add convenience commands to show auto-generated options like SID or GUID or options chosen by user (NetBIOS). Most of these options are not modifiable via trustconfig-mod command as it would break current trusts. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/3333
* Prevent a crash when no entries are successfully migrated.Rob Crittenden2013-02-081-0/+1
| | | | | | | It would fail in _update_default_group() because migrate_cnt wasn't defined in context. https://fedorahosted.org/freeipa/ticket/3386
* Improve migration performanceRob Crittenden2013-02-051-8/+88
| | | | | | | | | | | | | | | | | | | Add new users to the default users group in batches of 100. The biggest overhead of migration is in calculating the modlist when managing the default user's group and applying the changes. A significant amount of time can be saved by not doing this on every add operation. Some other minor improvements include: Add a negative cache for groups not found in the remote LDAP server. Replace call to user_mod with a direct LDAP update. Catch some occurances of LimitError and handle more gracefully. I also added some debug logging to report on migration status and performance. https://fedorahosted.org/freeipa/ticket/3386
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Use fully qualified CCACHE namesMartin Kosek2013-02-011-3/+6
| | | | | | | | | | | | | | Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381
* Fix migration for openldap DSMartin Kosek2013-02-011-1/+13
| | | | | | | | | | | | | | | | | openldap server does not store its schema in cn=schema entry, but rather in cn=subschema. Add a fallback to ldap2 plugin to read from this entry when cn=schema is not found. ldap2 plugin uses the schema when doing some of the automatic encoding, like an automatic encoding of DN object. IPA migration plugin DN attribute processing is now also more tolerant when it finds that some DN attribute was not autoencoded. It tries to convert it to DN on its own and report a warning and continue with user processing when the conversion fails instead of crashing with AssertionError and thus abandoning the whole migration run. https://fedorahosted.org/freeipa/ticket/3372
* Pylint cleanup.Jan Cholasta2013-01-291-2/+2
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Raise ValidationError for incorrect subtree option.Ana Krivokapic2013-01-141-1/+4
| | | | Ticket: https://fedorahosted.org/freeipa/ticket/3233
generated by cgit (git 2.34.1) at 2025-08-28 18:27:13 +0000