summaryrefslogtreecommitdiffstats
path: root/VERSION
Commit message (Collapse)AuthorAgeFilesLines
* dns_name_values capability addedMartin Basti2014-06-031-2/+2
| | | | | | | | | | Added capability to transfer DNSName type between server and client Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169i Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dns: Add idnsSecInlineSigning attribute, add --dnssec option to zonePetr Viktorin2014-05-281-2/+2
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3801 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Only specify the ipatokenuniqueid default in the add operationNathaniel McCallum2014-05-231-2/+2
| | | | | | | | | | | Specifying the default in the LDAP Object causes the parameter to be specified for non-add operations. This is especially problematic when performing the modify operation as it causes the primary key to change for every modification. https://fedorahosted.org/freeipa/ticket/4227 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib: Expose krbPrincipalExpiration in CLITomas Babej2014-05-051-2/+2
| | | | | | | | | Adds a krbPrincipalExpiration attribute to the user class in user.py ipalib plugin as a DateTime parameter. Part of: https://fedorahosted.org/freeipa/ticket/3306 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: Add DateTime parameterTomas Babej2014-05-051-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds a parameter that represents a DateTime format using datetime.datetime object from python's native datetime library. In the CLI, accepts one of the following formats: Accepts LDAP Generalized time without in the following format: '%Y%m%d%H%M%SZ' Accepts subset of values defined by ISO 8601: '%Y-%m-%dT%H:%M:%SZ' '%Y-%m-%dT%H:%MZ' '%Y-%m-%dZ' Also accepts above formats using ' ' (space) as a separator instead of 'T'. As a simplification, it does not deal with timezone info and ISO 8601 values with timezone info (+-hhmm) are rejected. Values are expected to be in the UTC timezone. Values are saved to LDAP as LDAP Generalized time values in the format '%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid confusion, in addition to subset of ISO 8601 values, the LDAP generalized time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the format user will see on the output). Part of: https://fedorahosted.org/freeipa/ticket/3306 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow primary keys to use different type than unicode.Jan Cholasta2014-04-181-2/+2
| | | | | | | | | | Also return list of primary keys instead of a single unicode CSV value from LDAPDelete-based commands. This introduces a new capability 'primary_key_types' for backward compatibility with old clients. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* automember rebuild nowait feature addedAdam Misnyovszki2014-04-091-2/+2
| | | | | | | | | | | | | | | automember-rebuild uses asynchronous 389 task, and returned success even if the task didn't run. this patch fixes this issue adding a --nowait parameter to 'ipa automember-rebuild', defaulting to False, thus when the script runs without it, it waits for the 'nstaskexitcode' attribute, which means the task has finished. Old usage can be enabled using --nowait, and returns the DN of the task for further polling. New tests added also. https://fedorahosted.org/freeipa/ticket/4239 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Extending user plugin with inetOrgPerson fieldsAdam Misnyovszki2014-03-281-2/+2
| | | | | | | | | | | | | | | According to http://tools.ietf.org/html/rfc2798 ipa client and web ui extended with inetOrgPerson fields: - employeenumber - employeetype - preferredlanguage - departmentnumber carlicenseplate is now multivalued https://fedorahosted.org/freeipa/ticket/4165 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow modifying permissions with ":" in the namePetr Viktorin2014-03-251-2/+2
| | | | | | | | | | | | | | The ":" character will be reserved for default permissions, so that users cannot create a permission with a name that will later be added as a default. Allow the ":" character modifying/deleting permissions*, but not when creating them. Also do not allow the new name to contain ":" when renaming. (* modify/delete have unrelated restrictions on managed permissions) Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission CLI: rename --permissions to --rightPetr Viktorin2014-03-211-2/+2
| | | | | | | | The old name is kept as a deprecated alias. https://fedorahosted.org/freeipa/ticket/4231 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* permission plugin: Output the extratargetfilter virtual attributePetr Viktorin2014-03-141-2/+2
| | | | | | | | | | | | | | | | | | The --filter, --type, and --memberof options interact in a way that's difficult to recreate in the UI: type and memberof are "views" on the filter, they affect it and are affected by it Add a "extratagretfilter" view that only contains the filters not linked to type or memberof. Show extra target filter, and not the full target filter, by default; show both with --all, and full filter only with --raw. Write support will be added in a subsequent patch. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Allow multiple values for memberofPetr Viktorin2014-03-071-2/+2
| | | | | | | Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions Additional fix for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-051-2/+2
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-2/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permissions: Use multivalued targetfilterPetr Viktorin2014-02-201-2/+2
| | | | | | | | | | | | | | | | Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support for managed permissionsPetr Viktorin2014-02-121-1/+2
| | | | | | | | | | | | | | | | This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add OTP support to ipalib CLINathaniel McCallum2013-12-181-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Rewrite the Permission pluginPetr Viktorin2013-12-131-1/+1
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Permissions_V2
* Add RADIUS proxy support to ipalib CLINathaniel McCallum2013-12-031-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3368
* migrate-ds added --ca-cert-file=FILE optionMartin Basti2013-12-021-1/+1
| | | | | | | FILE is used to specify CA certificate for DS connection when TLS is required (ldaps://...). Ticket: https://fedorahosted.org/freeipa/ticket/3243
* Add userClass attribute for usersAna Krivokapic2013-11-191-1/+1
| | | | | | | | | This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems https://fedorahosted.org/freeipa/ticket/3588
* Add automember rebuild commandAna Krivokapic2013-11-151-1/+1
| | | | | | | | | | | Add a new command to IPA CLI: ipa automember-rebuild The command integrates the automember rebuild membership task functionality into IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups. Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3752
* Add support for managing user auth typesNathaniel McCallum2013-11-081-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-1/+1
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Bump 3.4 development version to 3.3.90Martin Kosek2013-08-081-1/+1
|
* Become 3.3.0Martin Kosek2013-08-081-1/+1
|
* Become 3.3.0 Beta 2Martin Kosek2013-08-071-1/+1
|
* Add new command compat-is-enabledAna Krivokapic2013-08-071-1/+1
| | | | | | | | | Add a new API command 'compat-is-enabled' which can be used to determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in IPA CLI. https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Limit pwpolicy maxlife to 20000 daysTomas Babej2013-08-051-1/+1
| | | | | | | | | | | | Since krbMaxPwdLife attribute is represented as number of seconds, setting maxlife to high values such as 999 999 days (~2739 years) would result to overflow when parsing this attribute in kdb plugin, and hence default maxlife of 90 days would be applied. Limit the maximum value of maxlife that can be set through the framework to 20 000 days (~ 54 years). https://fedorahosted.org/freeipa/ticket/3817
* Become 3.3.0 Beta 1Martin Kosek2013-07-241-3/+3
|
* Add new hidden command option to suppress processing of membership attributes.Jan Cholasta2013-07-231-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Add --range-type option that forces range type of the trusted domainTomas Babej2013-07-111-1/+1
| | | | | | | | | | Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650
* Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-installAna Krivokapic2013-06-241-1/+1
| | | | | | | | | | | | | Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in IPA CLI. Use this command in idrange_add to conditionally require rid-base and secondary-rid-base options. Add tests to cover the new functionality https://fedorahosted.org/freeipa/ticket/3634
* Deprecate options --dom-sid and --dom-name in idrange-modAna Krivokapic2013-05-311-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3636
* Bump version for development branch to 3.2.99Rob Crittenden2013-05-101-1/+1
|
* Become 3.2.0Rob Crittenden2013-05-101-1/+1
|
* Add userClass attribute for hostsMartin Kosek2013-04-261-1/+1
| | | | | | | | | This new freeform host attribute will allow provisioning systems to add custom tags for host objects which can be later used for in automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems Ticket: https://fedorahosted.org/freeipa/ticket/3583
* Become 3.2.0 Beta 1Rob Crittenden2013-04-161-2/+2
|
* Deprecate HBAC source hosts from CLIAna Krivokapic2013-04-121-1/+1
| | | | | | | | | | | | | Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
* Fix output for some CLI commandsAna Krivokapic2013-04-111-1/+1
| | | | | | | | | Fix output of dnsrecord_del: it now uses output.standard_delete and excludes --all and --raw flags. Fix output of sudorule_{add,remove}_option: they now use output.standard_entry and include --all and --raw flags. https://fedorahosted.org/freeipa/ticket/3503
* Become 3.2.0 Prerelease 1Martin Kosek2013-04-021-3/+3
|
* Add Kerberos ticket flags management to service and host plugins.Jan Cholasta2013-03-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3329
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-111-1/+1
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Bump FreeIPA version for development branchMartin Kosek2013-02-251-1/+1
| | | | | | | Current master branch represents future release of FreeIPA (3.2). Bump VERSION so that current development packages are not being updated with freeipa-3.1.x packages already released in downstream repositories.
* Rename the "messages" Output of the i18n_messages command to "texts"Petr Viktorin2013-02-211-1/+1
| | | | | | | This is to prevent a fatal name clash wih the new common "messages" Output. Since i18n_messages is an internal plugin, the change does not affect our public API.
* Add client capabilities, enable messagesPetr Viktorin2013-02-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The API version the client sends can now be used to check what the client expects or is capable of. All version tests IPA does will be be named and listed in one module, ipalib.capabilities, which includes a function to test a specific capability against an API version. Similarly to Python's __future__ module, capabilities.py also serves as documentation of backwards-incompatible changes to the API. The first capability to be defined is "messages". Recent enough clients can accept a list of warnings or other info under the "messages" key in the result dict. If a JSON client does not send the API version, it is assumed this is a testing client (e.g. curl from the command line). Such a client "has" all capabilities, but it will always receive a warning mentioning that forward compatibility is not guaranteed. If a XML client does not send the API version, it is assumed it uses the API version before capabilities were introduced. (This is to keep backwards compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294) Whenever a capability is added, the API version must be incremented. To ensure that, capabilities are written to API.txt and checked by `makeapi --validate`. Design page: http://freeipa.org/page/V3/Messages Ticket: https://fedorahosted.org/freeipa/ticket/2732
* Implement the cert-find command for the dogtag CA backend.Rob Crittenden2013-02-191-1/+1
| | | | | | | | | | | | | | | | Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528
* Add list of domains associated to our realm to cn=etcAna Krivokapic2013-02-191-1/+1
| | | | | | | | | Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945
* Add SID blacklist attributesMartin Kosek2013-02-121-1/+1
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add trusconfig-show and trustconfig-mod commandsMartin Kosek2013-02-111-1/+1
| | | | | | | | | | | | Global trust configuration is generated ipa-adtrust-install script is run. Add convenience commands to show auto-generated options like SID or GUID or options chosen by user (NetBIOS). Most of these options are not modifiable via trustconfig-mod command as it would break current trusts. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/3333
generated by cgit (git 2.34.1) at 2024-11-16 11:21:19 +0000