summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* permission CLI: rename --permissions to --rightPetr Viktorin2014-03-211-2/+3
| | | | | | | | The old name is kept as a deprecated alias. https://fedorahosted.org/freeipa/ticket/4231 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* webui: change permissions UI to v2Petr Vobornik2014-03-201-3/+2
| | | | | | | | | | | | | | reflect ipalib permission changes in Web UI. - http://www.freeipa.org/page/V4/Permissions_V2 - http://www.freeipa.org/page/V4/Anonymous_and_All_permissions - http://www.freeipa.org/page/V4/Managed_Read_permissions - http://www.freeipa.org/page/V4/Multivalued_target_filters_in_permissions https://fedorahosted.org/freeipa/ticket/4079 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* permission plugin: Do not change extra target filters by "views"Petr Viktorin2014-03-141-4/+7
| | | | | | | | | | | | | Previously, setting/deleting the "--type" virtual attribute removed all (objectclass=...) target filters. Change so that only the filter associated with --type is removed. The same change applies to --memberof: only filters associated with the option are removed when --memberof is (un-)set. Follow-up to https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Do not fail on non-DN memberof filtersPetr Viktorin2014-03-141-1/+5
| | | | | | | | | | The --memberof logic tried to convert the value of a (memberof=...) filter to a DN, which failed with filters like (memberof=*). Do not try to set memberof if the value is not a DN. A test will be added in a subsequent patch. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Support searching by extratargetfilterPetr Viktorin2014-03-141-1/+1
| | | | | | | | | | The extratargetfilter behaves exactly like targetfilter, so that e.g. ipa permission-find --filter=(objectclass=ipausergroup) finds all permissions with that filter in the ACI. Part of the work for https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission CLI: Rename filter to rawfilter, extratargetfilter to filterPetr Viktorin2014-03-141-4/+6
| | | | | | | Since extratargetfilter is shown by default, change it to also have the "default" (i.e. shorter) option name. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Write support for extratargetfilterPetr Viktorin2014-03-141-47/+88
| | | | | | | | | Extend the permission-add and permission-mod commands to process extratargetfilter. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Output the extratargetfilter virtual attributePetr Viktorin2014-03-141-6/+33
| | | | | | | | | | | | | | | | | | The --filter, --type, and --memberof options interact in a way that's difficult to recreate in the UI: type and memberof are "views" on the filter, they affect it and are affected by it Add a "extratagretfilter" view that only contains the filters not linked to type or memberof. Show extra target filter, and not the full target filter, by default; show both with --all, and full filter only with --raw. Write support will be added in a subsequent patch. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Prohibit deletion of active subdomain rangeTomas Babej2014-03-131-5/+17
| | | | | | | | | | Changes the code in the idrange_del method to not only check for the root domains that match the SID in the IDRange, but for the SIDs of subdomains of trusts as well. https://fedorahosted.org/freeipa/ticket/4247 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* webui: Datetime parsing and formattingPetr Vobornik2014-03-131-0/+1
| | | | | | | | | | | | | | | this patch implements: - output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion. - datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date. - utc formatter replaced with new datetime formatter - datetime_validator introduced - new datetime field, extension of text field, which by default uses datetime formatter and validator Dojo was regenerated to include dojo/string module https://fedorahosted.org/freeipa/ticket/4194 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* trust: do not fetch subdomains in case shared secret was used to set up the ↵Alexander Bokovoy2014-03-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | trust Until incoming trust is validated from AD side, we cannot run any operations against AD using the trust. Also, Samba currently does not suport verifying trust against the other party (returns WERR_NOT_SUPPORTED). This needs to be added to the documentation: When using 'ipa trust-add ad.domain --trust-secret', one has to manually validate incoming trust using forest trust properties in AD Domains and Trusts tool. Once incoming trust is validated at AD side, use IPA command 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. From this point on the trust should be usable. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* UI for radius proxyPetr Vobornik2014-03-121-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* UI for OTP tokensPetr Vobornik2014-03-121-2/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* permission_add: Remove permission entry if adding the ACI failsPetr Viktorin2014-03-121-1/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/4187 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* permission-find: Cache the root entry for legacy permissionsPetr Viktorin2014-03-111-8/+23
| | | | | | | | | This makes searching faster if there are many legacy permissions present. The root entry (which contains all legacy permission ACIs) is only looked up once. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions plugin: Don't crash with empty targetfilterPetr Viktorin2014-03-071-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4206 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Allow multiple values for memberofPetr Viktorin2014-03-071-6/+10
| | | | | | | Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions Additional fix for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Remove attributelevelrights before reverting entryPetr Viktorin2014-03-071-0/+3
| | | | | | | | | LDAPUpdate adds the display-only 'attributelevelrights' attribute, which doesn't exist in LDAP. Remove it before reverting entry. https://fedorahosted.org/freeipa/ticket/4212 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix token secret length RFC complianceNathaniel McCallum2014-03-051-1/+1
| | | | | | | | | RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-051-32/+33
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Certificate search max_serial_number problem fixedAdam Misnyovszki2014-02-251-0/+2
| | | | | | | | Maximum serial number field now accepts only positive numbers https://fedorahosted.org/freeipa/ticket/4163 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use super() properly to avoid an exceptionNathaniel McCallum2014-02-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4099 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Do not assume attribute-level rights for new attributes ↵Petr Viktorin2014-02-211-7/+10
| | | | | | | | | | | | | are present With the --all --raw options, the code assumed attribute-level rights were set on ipaPermissionV2 attributes, even on permissions that did not have the objectclass. Add a check that the data is present before using it. https://fedorahosted.org/freeipa/ticket/4121 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+19
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-209-11/+27
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions: Use multivalued targetfilterPetr Viktorin2014-02-201-51/+94
| | | | | | | | | | | | | | | | Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Do not copy member attributes to new entryPetr Viktorin2014-02-201-1/+3
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/4178 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix regular expression for LOC records in DNS.Petr Spacek2014-02-181-8/+13
| | | | | | | | | | | - Fractional parts of integers are not mandatory. - Expressions containing only size or only size + horizontal precision are allowed. - N/S/W/E handling was fixed. See RFC 1876 section 3 for details. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix generation of invalid OTP URIsNathaniel McCallum2014-02-131-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4169 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labelsNathaniel McCallum2014-02-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4171 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managed permissionsPetr Viktorin2014-02-121-13/+131
| | | | | | | | | | | | | | | | This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Generate ACIs in the pluginPetr Viktorin2014-02-121-10/+23
| | | | | | | | | Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Convert options in execute, not args_options_2_paramsPetr Viktorin2014-02-121-19/+10
| | | | | | | | With this change, shortcut options like memberof and type will be aplied on the server, not on the client. This will allow us to pass more information than just updated options. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Permission plugin fixesPetr Viktorin2014-02-121-13/+14
| | | | | | | | - Fix i18n for plugin docstring - Fix error when the aci attribute is not present on an entry - Fix error when raising exception for ACI not found Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS classless support for reverse domainsMartin Basti2014-02-111-11/+34
| | | | | | | | | | | | Now users can add reverse zones in classless form: 0/25.1.168.192.in-addr.arpa. 0-25.1.168.192.in-addr.arpa. 128/25 NS ns.example.com. 10 CNAME 10.128/25.1.168.192.in-addr.arpa. Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* PTR records can be added without specify FQDN zone nameMartin Basti2014-02-111-0/+3
| | | | | | | Now adding PTR records will accept zones both with and without end dot. Ticket: https://fedorahosted.org/freeipa/ticket/4151 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove sourcehostcategory from the default HBAC rule.Jan Cholasta2014-02-061-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4158 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Migration does not add users to default groupMartin Kosek2014-02-051-7/+10
| | | | | | | | | | When users with missing default group were searched, IPA suffix was not passed so these users were searched in a wrong base DN. Thus, no user was detected and added to default group. https://fedorahosted.org/freeipa/ticket/4141 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-2426-334/+354
|
* Get original entry state from LDAP in LDAPUpdate.Jan Cholasta2014-01-241-1/+6
|
* Trust domains Web UIPetr Vobornik2014-01-211-0/+1
| | | | | | | | | | | | Add Web UI counterpart of following CLI commands: * trust-fetch-domains Refresh list of the domains associated with the trust * trustdomain-del Remove infromation about the domain associated with the trust. * trustdomain-disable Disable use of IPA resources by the domain of the trust * trustdomain-enable Allow use of IPA resources by the domain of the trust * trustdomain-find Search domains of the trust https://fedorahosted.org/freeipa/ticket/4119
* About dialogPetr Vobornik2014-01-211-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/4018
* Hide trust-resolve commandMartin Kosek2014-01-201-0/+1
| | | | | | | | | | | | We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular user and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113
* group-show: resolve external members of the groupsAlexander Bokovoy2014-01-201-0/+15
| | | | | | | | Perform SID to name conversion for existing external members of the groups if trust is configured. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 https://fedorahosted.org/freeipa/ticket/4123
* Remove missing VERSION warning in dnsrecord-modMartin Kosek2014-01-171-1/+1
| | | | | | | | dnsrecord-mod may call dnsrecord-delentry command when all records are deleted. However, the version was not passwd to delentry and it resulted in a warning. https://fedorahosted.org/freeipa/ticket/4120
* Stop adding a default password policy referenceSimo Sorce2014-01-161-3/+0
| | | | | | | | | | | | | | | Both the password plugin and the kdb driver code automatically fall back to the default password policy. so stop adding an explicit reference to user objects and instead rely on the fallback. This way users created via the framework and users created via winsync plugin behave the same way wrt password policies and no surprises will happen. Also in case we need to change the default password policy DN this will allow just code changes instead of having to change each user entry created, and distinguish between the default policy and explicit admin changes. Related: https://fedorahosted.org/freeipa/ticket/4085
* trustdomain-find: report status of the (sub)domainAlexander Bokovoy2014-01-151-1/+17
| | | | | | | | | | Show status of each enumerated domain trustdomain-find shows list of domains associated with the trust. Each domain except the trust forest root can be enabled or disabled with the help of trustdomain-enable and trustdomain-disable commands. https://fedorahosted.org/freeipa/ticket/4096
generated by cgit (git 2.34.1) at 2025-08-28 18:13:18 +0000