Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.
Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
https://fedorahosted.org/freeipa/ticket/3368
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
https://fedorahosted.org/freeipa/ticket/3368
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).
Ticket: https://fedorahosted.org/freeipa/ticket/3243
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
Add a new command to IPA CLI: ipa automember-rebuild
The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
https://fedorahosted.org/freeipa/ticket/3368
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.
https://fedorahosted.org/freeipa/ticket/3852
Add a new API command 'compat-is-enabled' which can be used to determine
whether Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.
https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
Since krbMaxPwdLife attribute is represented as number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result in overflow when parsing this attribute in kdb plugin,
and hence default maxlife of 90 days would be applied.
Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).
https://fedorahosted.org/freeipa/ticket/3817
https://fedorahosted.org/freeipa/ticket/3706
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.
When --range-type option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.
Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.
Add tests to cover the new functionality
https://fedorahosted.org/freeipa/ticket/3634
https://fedorahosted.org/freeipa/ticket/3636
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.
Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
https://fedorahosted.org/freeipa/ticket/3528
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.
https://fedorahosted.org/freeipa/ticket/3503
https://fedorahosted.org/freeipa/ticket/3329
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Current master branch represents future release of FreeIPA (3.2).
Bump VERSION so that current development packages are not being
updated with freeipa-3.1.x packages already released in downstream
repositories.
This is to prevent a fatal name clash with the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If an XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presence of the search item is not enough, both need to be set.
The search operation is unauthenticated.
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Global trust configuration is generated when the ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/3333
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.
https://fedorahosted.org/freeipa/ticket/2981
The VERSION file and Makefile now handle beta versioning when given an argument.
Ticket: https://fedorahosted.org/freeipa/ticket/2893
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.
A few lines were added to the help to explain the feature to users too.
https://fedorahosted.org/freeipa/ticket/3209
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understands it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.
Remove PRE version number from VERSION. This update and following
is done on top of IPA 3.0.0 GA.
https://fedorahosted.org/freeipa/ticket/3189
PAC type (ipakrbauthzdata attribute) was being filled for all new
services automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.
Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).
https://fedorahosted.org/freeipa/ticket/2184
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.
Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.
Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.
ticket 2932, 2935
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).
https://fedorahosted.org/freeipa/ticket/2568
ticket 2963