path: root/ipalib/plugins/baseldap.py
Commit message / Author / Age / Files / Lines
* Add missing --pkey-only option for selfservice and delegation
  Martin Kosek, 2012-01-16, files: 1, lines: -5/+7
  pkey-only functionality has to be implemented separately for these modules as they are based on crud.Search instead of standard LDAPSearch. Delegation module was also fixed to support new format of ACI's memberof attribute introduced in patch "Display the value of memberOf ACIs in permission plugin."
  https://fedorahosted.org/freeipa/ticket/2092
* Add labels so HBAC and Sudo rules show under hosts/hostgroups.
  Rob Crittenden, 2012-01-16, files: 1, lines: -4/+16
  Also fix a bunch of trailing whitespace.
  https://fedorahosted.org/freeipa/ticket/1751
* Sort password policy by priority
  Ondrej Hamada, 2011-12-01, files: 1, lines: -3/+10
  'ipa pwpolicy-find' output is now sorted by priority of the policies. Lower position means lower priority. Global policy is then at the bottom.
  The changes have also affected LDAPSearch class in baseldap.py: LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used. Sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and global policy is not allowed to have any priority.
  https://fedorahosted.org/freeipa/ticket/2045
* Parse comma-separated lists of values in all parameter types.
  Jan Cholasta, 2011-11-30, files: 1, lines: -11/+13
  This can be enabled for a specific parameter by setting the "csv" option to True.
  Remove "List" parameter type and replace all occurrences of it with appropriate multi-valued parameter ("Str" in most cases) with csv enabled.
  Add new parameter type "Any", capable of holding values of any type. This is needed by the "batch" command, as "Str" is not suitable type for the "methods" parameter.
  ticket 2007
* Add --delattr option to complement --setattr/--addattr
  Martin Kosek, 2011-11-29, files: 1, lines: -61/+174
  Add a --delattr option to round out multi-valued attribute manipulation. The new option is available for all LDAPUpdate based commands. --delattr is evaluated last; it can remove any value present either in --addattr/--setattr option or in current LDAP object.
  --*attr processing was completely refactored and placed in one independent function available for all baseldap commands. For this purpose a missing common base class for all baseldap commands has been implemented. The new class should serve not only for --*attr processing but also for other common baseldap methods and attributes.
  This approach will also benefit other custom commands based neither on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr option processing when needed.
  https://fedorahosted.org/freeipa/ticket/1929
* Misleading Keytab field
  Ondrej Hamada, 2011-11-10, files: 1, lines: -3/+0
  The 'Keytab' field in output of all 'user-*' commands was changed to 'Kerberos keys available'. In order to do this change for 'user-*' commands only, the flag 'has_keytab' had to be removed from common output parameters in ipalib/baseldap.py. This change also affected the host.py and service.py, where the 'has_keytab' flag was added to their local output params. Both host.py and service.py hold the old field caption - 'Keytab' - because of compatibility with older clients.
  https://fedorahosted.org/freeipa/ticket/1961
* Create pkey-only option for find commands
  Martin Kosek, 2011-10-27, files: 1, lines: -1/+11
  New option --pkey-only is available for all LDAPSearch based classes with primary key visible in the output. This option makes LDAPSearch commands search for primary attribute only. This may be useful when manipulating large data sets. User can at first retrieve all primary keys in a relatively small data package and then run further commands with retrieved primary keys.
  https://fedorahosted.org/freeipa/ticket/1262
* Fix LDAPCreate search failure
  Martin Kosek, 2011-09-30, files: 1, lines: -1/+6
  LDAPCreate reports "search criteria was not specific enough" when LDAP object created in LDAPCreate shares its container with other LDAP objects and there is one with the same name and RDN attribute.
  Pass objectclass to find_entry_by_attr() function used to retrieve newly created object for POST_CALLBACK to identify correct LDAP object.
  https://fedorahosted.org/freeipa/ticket/1864
* Include failed service and service groups in hbac rule management
  Rob Crittenden, 2011-09-27, files: 1, lines: -0/+3
  hbacrule-service-add/remove failures weren't being displayed because no label was defined.
  https://fedorahosted.org/freeipa/ticket/1863
  https://fedorahosted.org/freeipa/ticket/1865
* Add external source hosts to HBAC.
  Rob Crittenden, 2011-08-29, files: 1, lines: -0/+3
  When adding/removing source hosts if the host isn't found in IPA it is considered external. The attribute externalhost is used to store external hosts.
  ticket https://fedorahosted.org/freeipa/ticket/1574
* Add label for HBAC services to show as members
  Rob Crittenden, 2011-08-24, files: 1, lines: -0/+3
  https://fedorahosted.org/freeipa/ticket/1711
* Change the way has_keytab is determined, also check for password.
  Rob Crittenden, 2011-08-24, files: 1, lines: -0/+26
  We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host.
  This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly.
  When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time).
  This adds has_keytab/has_password to the user, host and service plugins.
  ticket https://fedorahosted.org/freeipa/ticket/1538
* Optionally wait for 389-ds postop plugins to complete
  Rob Crittenden, 2011-07-19, files: 1, lines: -0/+53
  Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry.
  This is controlled by a new boolean option, wait_for_attr, defaulting to False.
  https://fedorahosted.org/freeipa/ticket/1144
* Fixed label capitalization
  Endi S. Dewata, 2011-07-14, files: 1, lines: -1/+1
  The CSS text-transform sometimes produces incorrect capitalization, so the code has been modified to use translated labels that already contain the correct capitalization.
  Ticket #1424
* Fixed object_name and object_name_plural internationalization
  Endi S. Dewata, 2011-07-12, files: 1, lines: -11/+11
  The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string.
  Ticket #1435
* Enforce class rules when query=True, continue to not run validators.
  Rob Crittenden, 2011-07-11, files: 1, lines: -1/+1
  This started as a problem in allowing leading/trailing whitespaces on primary keys. In nearly every command other than add query is True so all rules were ignored on the primary key. This meant that to enforce whitespace we would need to define a validator for each one.
  I decided instead to set self.all_rules to just the class rules if query == True. So the minimum set of validators will be executed against each type but param-specific validators will only run on add.
  https://fedorahosted.org/freeipa/ticket/1285
  https://fedorahosted.org/freeipa/ticket/1286
  https://fedorahosted.org/freeipa/ticket/1287
* Fixed object_name usage.
  Endi S. Dewata, 2011-07-05, files: 1, lines: -1/+1
  The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels.
  Ticket #1217
* Added singular entity labels.
  Endi S. Dewata, 2011-06-27, files: 1, lines: -1/+2
  A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower case except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform.
  The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed.
  Ticket #1249
* Use DN class in get_primary_key_from_dn to return decoded value
  John Dennis, 2011-06-22, files: 1, lines: -1/+4
* Do lazy LDAP schema retrieval in json handler.
  Rob Crittenden, 2011-06-21, files: 1, lines: -0/+1
  It was possible to get to this point without a schema if the first handled request resulted in a Kerberos error.
  https://fedorahosted.org/freeipa/ticket/1354
* Improve interactive mode for DNS plugin
  Martin Kosek, 2011-06-02, files: 1, lines: -0/+42
  Interactive mode for commands manipulating DNS records (dnsrecord-add, dnsrecord-del) is not usable. This patch enhances the server framework with new callback for interactive mode, which can be used by commands to inject their own interactive handling. The callback is then used to improve aforementioned commands' interactive mode.
  https://fedorahosted.org/freeipa/ticket/1018
* Do a lazy retrieval of the LDAP schema rather than at module load.
  Rob Crittenden, 2011-05-30, files: 1, lines: -0/+2
  Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process.
  ticket 583
* Include the word 'member' with autogenerated optional member labels.
  Rob Crittenden, 2011-05-27, files: 1, lines: -1/+1
  There were reports of confusion over what was being prompted for, hopefully adding member will make things clearer.
  ticket 1062
* Add option to limit the attributes allowed in an entry.
  Rob Crittenden, 2011-05-27, files: 1, lines: -0/+36
  Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy purview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation.
  Add two new LDAPObject values to control this behavior:
    limit_object_classes: only attributes in these are allowed
    disallow_object_classes: attributes in these are disallowed
  By default both of these lists are empty so are skipped.
  ticket 744
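As an added illustration of the limit_object_classes / disallow_object_classes idea from the commit above (example code written for this page, not FreeIPA's own implementation): the trimmed mini-schema, the function names and the exact policy semantics below are assumptions; a real check would consult the directory server's schema, and an attribute permitted by several objectclasses would need a policy decision this model does not make.

```python
# Added example, not FreeIPA's baseldap.py: a stand-alone model of
# limit_object_classes / disallow_object_classes. SCHEMA is a constructed,
# heavily trimmed subset written for this demonstration; a real check would
# read the directory server's schema instead.

SCHEMA = {  # objectclass -> attributes it permits (MUST and MAY together)
    "person": {"cn", "sn", "userpassword", "description"},
    "inetorgperson": {"uid", "mail", "givenname"},
    "posixaccount": {"uidnumber", "gidnumber", "homedirectory", "loginshell"},
    "krbticketpolicyaux": {"krbmaxticketlife", "krbmaxrenewableage"},
}


class ValidationError(Exception):
    """Raised when a --setattr/--addattr target is off-limits for this object."""


def _attrs_of(objectclasses):
    """Union of the attributes permitted by the given objectclasses."""
    allowed = set()
    for oc in objectclasses:
        try:
            allowed |= SCHEMA[oc.lower()]
        except KeyError:
            raise ValidationError("unknown objectclass %r" % oc)
    return allowed


def disallowed_attrs(attrs, limit_object_classes=(), disallow_object_classes=()):
    """Return the attributes (lower-cased, in input order) the policy rejects.

    limit_object_classes:    when non-empty, an attribute is accepted only if
                             one of these objectclasses permits it.
    disallow_object_classes: when non-empty, an attribute permitted by any of
                             these objectclasses is rejected.
    Both empty means no restriction, matching the commit's default.
    """
    limit = _attrs_of(limit_object_classes) if limit_object_classes else None
    disallow = _attrs_of(disallow_object_classes) if disallow_object_classes else set()
    rejected = []
    for attr in attrs:
        a = attr.lower()  # LDAP attribute names are case-insensitive
        if (limit is not None and a not in limit) or a in disallow:
            rejected.append(a)
    return rejected


def check_setattr(attrs, **policy):
    """Raise ValidationError if any --setattr/--addattr target is off-limits."""
    bad = disallowed_attrs(attrs, **policy)
    if bad:
        raise ValidationError("attribute(s) not allowed here: %s" % ", ".join(bad))
    return True


if __name__ == "__main__":
    # Ticket-policy object (assumed policy): only ticket-policy attributes.
    print(check_setattr(["krbMaxTicketLife"], limit_object_classes=["krbTicketPolicyAux"]))
    try:
        check_setattr(["loginshell"], limit_object_classes=["krbTicketPolicyAux"])
    except ValidationError as e:
        print("refused:", e)
    # User object (assumed policy): ticket-policy attributes are off-limits.
    print(disallowed_attrs(["sn", "krbmaxticketlife"], disallow_object_classes=["krbticketpolicyaux"]))
```

In this model the ticket-policy object would list krbTicketPolicyAux under limit_object_classes, so --setattr=loginshell=... is refused before any LDAP modify is attempted, and the user object would list it under disallow_object_classes, so the policy attributes cannot be rewritten through --setattr, which is the validation bypass the commit describes.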
* Customizable facet groups.
  Endi S. Dewata, 2011-05-16, files: 1, lines: -0/+3
  The IPA.entity has been modified to support customizable facet groups. The default list of facet groups is defined in IPA.entity_header and can be overridden in the entity definition.
  Ticket #1219
* Modify the default attributes shown in user-find to match the UI design.
  Rob Crittenden, 2011-04-22, files: 1, lines: -2/+7
  This change means the UI can stop using the --all option and have to retrieve significantly less information from the server. It also speeds up user-find as it doesn't have to calculate membership.
  This adds a new baseclass parameter, search_display_attributes, which can provide a separate list from default_attributes just for find commands.
  The UI will need to be changed to switch from using cn to using givenname and sn.
  ticket 1136
* Always ask members in LDAP*ReverseMember commands.
  Rob Crittenden, 2011-04-15, files: 1, lines: -1/+1
  This changes the API but alwaysask is enforced on the client only so doesn't change the wire API so I'm not updating the API version.
  ticket 1081
* Entitlement registration.
  Endi S. Dewata, 2011-04-14, files: 1, lines: -1/+21
  The entitlement facet will show buttons according to the entitlement status. If it's unregistered, the facet will show a Register button. If it's registered, the facet will show a Consume button.
* Sort entries returned by *-find by the primary key (if any).
  Rob Crittenden, 2011-04-13, files: 1, lines: -0/+4
  Do a server-side sort if there is a primary key.
  Fix a couple of tests that were failing due to the new sorting.
  ticket 794
* Fix lint false positives.
  Jan Cholasta, 2011-04-13, files: 1, lines: -0/+5
* Fix style and grammatical issues in built-in command help.
  Rob Crittenden, 2011-03-04, files: 1, lines: -4/+4
  There is a rather large API.txt change but it is only due to changes in the doc string in parameters.
  ticket 729
* Use Sudo rather than SUDO as a label.
  Rob Crittenden, 2011-03-01, files: 1, lines: -2/+2
  ticket 1005
* Fix translatable strings in ipalib plugins.
  Pavel Zuna, 2011-03-01, files: 1, lines: -3/+6
  Needed for xgettext/pygettext processing.
* Sudo command groups are not supposed to allow nesting.
  Rob Crittenden, 2011-02-23, files: 1, lines: -10/+1
  It was a design decision to not allow nesting sudo command groups, remove it.
  ticket 1004
* Collect memberof information for sudo commands.
  Rob Crittenden, 2011-02-23, files: 1, lines: -0/+3
  We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.
  Add a label for sudo command groups.
  Update the tests to include verifying that membership is done properly.
  ticket 1003
* Add handling for indirect memberof other entries.
  Rob Crittenden, 2011-02-21, files: 1, lines: -0/+18
  This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
  I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
  ticket 966
* Updated json_metadata and i18n_messages.
  Endi S. Dewata, 2011-02-18, files: 1, lines: -0/+10
  The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.
* Document the --rights output format
  Jan Zeleny, 2011-02-17, files: 1, lines: -2/+2
  https://fedorahosted.org/freeipa/ticket/563
  https://fedorahosted.org/freeipa/ticket/588
* A mod command should not be able to remove a required attribute.
  Rob Crittenden, 2011-02-14, files: 1, lines: -0/+9
  Some attribute enforcement is done by schema, others should be done by the required option in a Parameter. description, for example, is required by many plugins but not the schema. We need to enforce in the framework that required options are provided.
  After all the setattr/addattr work is done run through the modifications and ensure that no required values will be removed.
  ticket 852
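An added example, written for this page and not taken from FreeIPA's baseldap.py, of the merge order described in the --delattr commit above (2011-11-29) together with the required-attribute guard from the commit just above: --setattr first, then --addattr, then --delattr evaluated last, and finally a refusal if a required attribute would be left with no value. The entry shape (attribute to list of values), the attr=value option syntax, the sample entry and the ValidationError class are assumptions made here.

```python
# Added example, not code from FreeIPA's baseldap.py: a stand-alone model of
# the --setattr/--addattr/--delattr merge order and of the "a mod must not
# remove a required attribute" guard. The entry layout (attr -> list of
# values), the attr=value option syntax and ValidationError are assumptions
# made for this demonstration.

class ValidationError(Exception):
    """Raised when the requested modification must be refused."""


def _parse_attr_options(values):
    """Turn ['mail=a@x', ...] into [('mail', 'a@x'), ...].

    LDAP attribute names are case-insensitive, so they are lower-cased;
    the value keeps its case and may itself contain '='."""
    pairs = []
    for item in values or ():
        if "=" not in item:
            raise ValidationError("expected attr=value, got %r" % item)
        attr, value = item.split("=", 1)
        pairs.append((attr.strip().lower(), value))
    return pairs


def apply_attr_options(entry, setattr=(), addattr=(), delattr=(), required=()):
    """Return a new entry with the *attr options applied; `entry` is not modified.

    Order, as the --delattr commit describes it: --setattr replaces the whole
    value list of an attribute (repeating it supplies several values),
    --addattr appends, and --delattr runs last, so it can remove a value that
    came from the stored entry or from --setattr/--addattr. Afterwards the
    update is refused if a required attribute has no value left.
    """
    new = {attr.lower(): list(vals) for attr, vals in entry.items()}

    replaced = set()
    for attr, value in _parse_attr_options(setattr):
        if attr not in replaced:       # first --setattr for attr wipes old values
            new[attr] = []
            replaced.add(attr)
        new[attr].append(value)

    for attr, value in _parse_attr_options(addattr):
        new.setdefault(attr, []).append(value)

    for attr, value in _parse_attr_options(delattr):
        if value not in new.get(attr, []):
            raise ValidationError("%s does not contain value '%s'" % (attr, value))
        new[attr].remove(value)
        if not new[attr]:
            del new[attr]              # no values left: drop the attribute

    for attr in required:              # the guard from the commit above
        if not new.get(attr.lower()):
            raise ValidationError("'%s' is required" % attr)
    return new


# Constructed sample entry, not taken from a real directory.
SAMPLE_ENTRY = {
    "cn": ["alice"],
    "mail": ["alice@example.test", "a.smith@example.test"],
    "description": ["old text"],
}

if __name__ == "__main__":
    print(apply_attr_options(
        SAMPLE_ENTRY,
        setattr=["description=new text"],
        addattr=["mail=alice.s@example.test"],
        delattr=["mail=alice.s@example.test", "mail=a.smith@example.test"],
        required=["description"],
    ))
    try:  # --delattr of the only description value: refused by the guard
        apply_attr_options(SAMPLE_ENTRY, delattr=["description=old text"],
                           required=["description"])
    except ValidationError as e:
        print("refused:", e)
```

The point of evaluating --delattr last is visible in the first call: a value supplied by --addattr in the same command can be deleted again, and the guard runs only on the final result, so a --setattr that replaces a required value is fine while a --delattr that empties it is not.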
* Display error messages for failed manageby in service-add/remove-host.
  Pavel Zuna, 2011-02-10, files: 1, lines: -0/+3
  Fix #830
* Fixed permission lookup
  Jan Zeleny, 2011-01-31, files: 1, lines: -7/+5
  Lookup based on --filter wasn't implemented at all. It didn't show until now, because of bug sitting on top of it which was resulting in internal error. This patch fixes the bug and adds the filtering functionality.
  https://fedorahosted.org/freeipa/ticket/818
* Disable renaming to empty string
  Jan Zeleny, 2011-01-24, files: 1, lines: -0/+2
  So far it was possible to rename any object using LDAPUpdate to a name with empty primary key. Since this can cause nasty problems, this patch disables empty string in --rename argument.
  https://fedorahosted.org/freeipa/ticket/827
* Make a copy of objectclasses so a call can't update them globally.
  Rob Crittenden, 2011-01-24, files: 1, lines: -1/+2
  In the host plugin we may change the default objectclasses based on the options selected. This was affecting it globally and causing subsequent calls to fail.
* Fix output of failed managedby hosts, allow a host to manage itself.
  Rob Crittenden, 2011-01-11, files: 1, lines: -1/+2
  The output problem was a missing label for failed managedby. This also fixes a call to print_entry that was missing the flags argument.
  Add a flag to specify whether a group can be a member of itself, defaulting to False.
  ticket 708
* Display the entries that failed when deleting with --continue.
  Rob Crittenden, 2011-01-10, files: 1, lines: -2/+6
  We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed.
  This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier.
  ticket 687
* facet nesting
  Adam Young, 2011-01-07, files: 1, lines: -1/+1
  correctly nest the facet groups
  change 'parent' to 'member of' for facet group
* Improve filtering of enrollments search results.
  Pavel Zuna, 2011-01-04, files: 1, lines: -9/+48
  This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI.
  After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come.
  You can do this for example:
    # search for all users not enrolled in group admins
    ipa user-find --not-in-groups=admins
    # search for all groups not enrolled in group global with user Pavel
    ipa group-find --users=Pavel --not-in-groups=global
    # more examples:
    ipa group-find --users=Pavel,Jakub --no-users=Honza
    ipa hostgroup-find --hosts=webui.pzuna
* In meta data make ACI attributes lower-case, sorted. Add possible attributes.
  Rob Crittenden, 2010-12-21, files: 1, lines: -2/+7
  The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups).
  To make the list easier to handle sort it and make it all lower-case.
  Fix a couple of missed camel-case attributes in the default ACI list.
  ticket 641
* Fix the mod operations.
  Pavel Zuna, 2010-12-21, files: 1, lines: -0/+1
* Change FreeIPA license to GPLv3+
  Jakub Hrozek, 2010-12-20, files: 1, lines: -5/+5
  The changes include:
    * Change license blobs in source files to mention GPLv3+ not GPLv2 only
    * Add GPLv3+ license text
    * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239