summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* DNSSEC: added NSEC3PARAM record typeMartin Basti2014-06-206-13/+66
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: remove unsuported recordsMartin Basti2014-06-203-149/+8
| | | | | | | Removed SIG, NSEC, KEy, RRSIG records Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix handle python-dns UnicodeErrorMartin Basti2014-06-201-4/+5
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Tests DNS: forward zonesMartin Basti2014-06-202-2/+738
| | | | | | | design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Create BASE zone classMartin Basti2014-06-201-528/+333
| | | | | | | | | | | Zones and forward zones have a lot of common code, this patch remove duplications by creating a DNSBase class and its subclasses design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Prevent commands to modify different type of a zoneMartin Basti2014-06-201-16/+128
| | | | | | | | | | | Commands dnsforwardzone-* can modify only forward zones Commands dnszone-* can modify only (master) zones Commands dnsrecord-* can work only with master zones design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Separate master and forward DNS zonesMartin Basti2014-06-204-2/+425
| | | | | | | | | Forward zones are stored in idnsforwadzone objectclasses. design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Clarify LDAPClient docstrings about get_entry, get_entries and find_entriesPetr Spacek2014-06-201-1/+6
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: Allow read access to masters, but not their services, to auth'd usersPetr Viktorin2014-06-191-1/+1
| | | | | | | | | | Fixes commit b243da415ecb2c28b5aa9bc563595efe35a40987 A bad version of the patch was sent and pushed. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow read access to masters, but not their services, to auth'd usersPetr Viktorin2014-06-191-0/+4
| | | | | | | | | | | | | | | The ipa host-del command checks if the host to be deleted is an IPA master by looking up the entry in cn=masters. If the entry is not accessible, host-del would proceed to delete the host. Thus we need to allow reading the master entries to at least those that can delete hosts. Since the host information is also available via DNS, it makes no sense be extremely secretive about it. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Periodically refresh global ipa-kdb configurationNathaniel McCallum2014-06-195-45/+86
| | | | | | | | | | | | | Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch enables caching of the global configuration with a timeout of 60 seconds. https://fedorahosted.org/freeipa/ticket/4153 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Convert Password Policy default permissions to managedPetr Viktorin2014-06-183-26/+32
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert COSTemplate default permissions to managedPetr Viktorin2014-06-183-24/+28
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add $REALM to variables supported by the managed permission updaterPetr Viktorin2014-06-181-0/+1
| | | | | | | | This will allow converting password policy permissions Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the update_dns_permissions pluginPetr Viktorin2014-06-181-56/+0
| | | | | | | | | This plugin created permissions that the managed permission updater would remove right away. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert DNS default permissions to managedPetr Viktorin2014-06-185-88/+118
| | | | | | | | | | | Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* managed permission updater: Add mechanism to replace SYSTEM permissionsPetr Viktorin2014-06-181-0/+18
| | | | | | | | | | | | | | The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission. Add a mechanism for the updater to replace old SYSTEM permissions. This cannot be done in an update file because we do not want to replace V2 permissions with the same name. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* sudorule: Allow unsetting sudoorderTomas Babej2014-06-182-1/+6
| | | | | | | | | | | After setting sudoorder, you are unable to unset it, since the check for uniqueness of order of sudorules is applied incorrectly. Fix the behaviour and cover it in the test suite. https://fedorahosted.org/freeipa/ticket/4360 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix self argument in tasksPetr Viktorin2014-06-162-4/+4
| | | | Reviewed-By: Tomáš Babej <tbabej@redhat.com>
* ipaplatform: Move hardcoded paths from Fedora platform files to path namespaceTomas Babej2014-06-164-32/+36
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Contain all the tasks in the TaskNamespaceTomas Babej2014-06-162-253/+236
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Pylint fixesTomas Babej2014-06-161-15/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Link to platform module during build timeTomas Babej2014-06-163-1/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Let fedora path module use PathNamespace classTomas Babej2014-06-161-1/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change makefiles to accomodate for new platform packageTomas Babej2014-06-165-51/+97
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove remnants of the ipapython/platformTomas Babej2014-06-167-304/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-1661-470/+743
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-1625-36/+12
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change paths dependant on ipaservices to use ipaplatform.pathsTomas Babej2014-06-162-6/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-1623-102/+124
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-1613-30/+43
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move Fedora-specific implementations of tasks to fedora base ↵Tomas Babej2014-06-164-108/+124
| | | | | | | | platform file https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove legacy redhat platform moduleTomas Babej2014-06-162-282/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Do not require custom Authconfig implementations from platform ↵Tomas Babej2014-06-166-155/+220
| | | | | | | | modules https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move restore_context and check_selinux_status implementations ↵Tomas Babej2014-06-162-47/+59
| | | | | | | | to base fedora platform tasks https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Moved Fedora 16 service implementations and refactored them as ↵Tomas Babej2014-06-163-204/+215
| | | | | | | | base Fedora module service implementations https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Add base fedora platform moduleTomas Babej2014-06-164-0/+92
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Create default implementations for tasks that were missing themTomas Babej2014-06-161-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move default implementations of tasks from service.py.inTomas Babej2014-06-162-37/+33
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move service base platfrom related functionality to ↵Tomas Babej2014-06-164-386/+416
| | | | | | | | ipaplatform/base/service.py https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Create separate module for platform filesTomas Babej2014-06-165-0/+112
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: expose krbprincipalexpirationPetr Vobornik2014-06-161-0/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/3306 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: move RPC result extraction logic to AdapterPetr Vobornik2014-06-168-92/+122
| | | | | | | | | | | | | | | It enables declarative extraction of values from partial results of a batch commands and also further extensibility in custom adapters. The default adapter has detection logic for this extraction so it can use bare record or extract data from normal or batch RPC command. Minor change of user plugin fixed: https://fedorahosted.org/freeipa/ticket/4355 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* ipalib.config: Don't autoconvert values to floatPetr Viktorin2014-06-164-9/+5
| | | | | | | | | | | | | | | | | | When api.env is loaded, strings that "look like" floats got auto-converted to floats. This is wrong, as the conversion to float can lose precision. Case in point: the api_version (e.g. '2.88') should never be interpreted as float. Do not automatically convert to float. We have two numeric options: startup_timeout and wait_for_dns. wait_for_dns is already converted to int when used in the code. Convert startup_timeout to float explicitly when used, so configuration that specified it with a decimal point continues to work. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipalib.config: Only convert basedn to DNPetr Viktorin2014-06-161-1/+1
| | | | | | | | | The current code would convert values to DN if the key was a substring of 'basedn', e.g. 'base' or 'sed'. Only convert if we're actually dealing with 'basedn'. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Add support for managedBy to tokensNathaniel McCallum2014-06-167-26/+88
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether managed by them or not. Users can add tokens if, and only if, they will also manage this token. Managers can also read/search/compare tokens they manage. Additionally, they can write non-secret data to their managed tokens and delete them. When a normal user self-creates a token (the default behavior), then managedBy is automatically set. When an admin creates a token for another user (or no owner is assigned at all), then managed by is not set. In this second case, the token is effectively read-only for the assigned owner. This behavior enables two important other behaviors. First, an admin can create a hardware token and assign it to the user as a read-only token. Second, when the user is deleted, only his self-managed tokens are deleted. All other (read-only) tokens are instead orphaned. This permits the same token object to be reasigned to another user without loss of any counter data. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib.frontend: Do API version check before converting argumentsPetr Viktorin2014-06-133-22/+24
| | | | | | | | | | | | | This results in the proper message being shown if the client sends an option the server doesn't have yet. It also adds the check to commands that override run() but not __call__, such as `ipa ping`, and to commands run on the server. Adjust tests for these changes. https://fedorahosted.org/freeipa/ticket/3963 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix --ttl description for DNS zonesPetr Spacek2014-06-124-14/+14
| | | | | | | TTL specified in idnsZone object class affects all records at zone apex, not only SOA record. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* webui: add sudoorder field to sudo rule pagePetr Vobornik2014-06-121-0/+5
| | | | | | | part of https://fedorahosted.org/freeipa/ticket/2348 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* webui: control sudo rule deny command tables by category switchPetr Vobornik2014-06-123-61/+63
| | | | | | | | | `memberdenycmd_sudocmd` and `memberdenycmd_sudocmdgroup` tables are now enabled/disabled based on `cmdcategory` as well. https://fedorahosted.org/freeipa/ticket/4361 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>