summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* idviews: Resolve anchors to object names in idview-showTomas Babej2014-09-111-115/+132
|
* idviews: Do not set ipaanchoruuid from when modifyingTomas Babej2014-09-111-5/+0
|
* idviews: Raise NotFound errors if object to override could not be foundTomas Babej2014-09-111-0/+11
|
* idviews: Change format of IPA anchor to include domainTomas Babej2014-09-111-2/+14
|
* idviews: Alter idoverride methods to work with splitted objectsTomas Babej2014-09-111-39/+27
|
* idviews: Do not set idoverride objectclass dynamicallyTomas Babej2014-09-111-89/+0
|
* idviews: Split the idoverride commands into iduseroverride and idgroupoverrideTomas Babej2014-09-111-10/+65
|
* idviews: Split the idoverride object into iduseroverride and idgroupoverrideTomas Babej2014-09-111-54/+102
|
* idviews: Support specifying object names instead of raw anchors onlyTomas Babej2014-09-112-0/+123
|
* idviews: Enforce overriding of at least one attribute in idoverrideTomas Babej2014-09-041-0/+11
|
* ipalib: host_del: Extend LDAPDelete's takes_options instead of overridingTomas Babej2014-09-041-1/+1
| | | | | | | | | The host-del command did not accept --continue option, since the takes_options was overriden and did not take the options from LDAPDelete. Fix the behaviour. https://fedorahosted.org/freeipa/ticket/4473
* idviews: Extend idview-show command to display assigned idoverrides and hostsTomas Babej2014-09-041-1/+85
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Add ipa idview-apply and idview-unapply commandsTomas Babej2014-09-041-3/+179
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* hostgroup: Selected PEP8 fixes for the hostgroup pluginTomas Babej2014-09-041-11/+4
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* hostgroup: Remove redundant and star importsTomas Babej2014-09-041-2/+5
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* hostgroup: Add helper that returns all members of a hostgroupTomas Babej2014-09-041-0/+8
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Set proper objectclass for the ID override objectsTomas Babej2014-09-041-1/+88
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idvies: Add managed permissions for idview and idoverride objectsTomas Babej2014-09-041-0/+23
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Create basic idview plugin structureTomas Babej2014-09-041-0/+191
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* ipalib: PEP8 fixes for host pluginTomas Babej2014-09-041-16/+21
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* ipalib: Remove redundant and star imports from host pluginTomas Babej2014-09-041-8/+8
| | | | | | Also fixes incorrect error catching for UnicodeDecodeError. Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Add ipaAssignedIDVIew reference to the host objectTomas Babej2014-09-041-3/+6
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Create container for ID views under cn=accountsTomas Babej2014-09-041-0/+1
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* baseldap: Fix undefined variable reference in LDAPAddReverseMember and ↵Tomas Babej2014-09-041-26/+18
| | | | LDAPRemoveReverseMember
* Ensure ipaUserAuthTypeClass when needed on user creationNathaniel McCallum2014-09-031-13/+11
| | | | | | | | | Also, remove the attempt to load the objectClasses when absent. This never makes sense during an add operation. https://fedorahosted.org/freeipa/ticket/4455 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* permission plugin: Improve description of the target optionPetr Viktorin2014-09-031-1/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Make --target available in the CLIPetr Viktorin2014-09-031-1/+0
| | | | | | | This was left out by mistake when permissions were refactored. The API is already tested. https://fedorahosted.org/freeipa/ticket/4522
* pwpolicy-add: Added better error handlingThorsten Scherf2014-09-021-1/+6
| | | | | | | | | Make error message more meaningful when a password policy is added for a non existing group. https://fedorahosted.org/freeipa/ticket/4334 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaserver/dcerpc.py: Make sure trust is established only to forest root domainAlexander Bokovoy2014-09-011-0/+16
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/4463 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipa trust-add command should be interactiveGabe2014-08-251-1/+25
| | | | | | | | | - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* service: Normalize service principal in get_dnPetr Viktorin2014-08-211-0/+3
| | | | | | This will make any lookup go through the normalization. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support delegating RBAC roles to service principalsPetr Viktorin2014-08-212-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/3164 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: better authentication types descriptionPetr Vobornik2014-08-211-0/+7
| | | | | | | | | | Tooltips were added to "User authentication types" and "Default user authentication types" to describe their relationship and a meaning of not-setting a value. https://fedorahosted.org/freeipa/ticket/4471 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: improved info msgs on login/token sync/reset pwd pagesPetr Vobornik2014-08-201-2/+3
| | | | | | | | | | - add info icons to distinguish and classify the messages. - add info text for OTP fields - fix login instruction inaccuracy related to position of login button https://fedorahosted.org/freeipa/ticket/4470 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Allow to add host if AAAA record existsMartin Basti2014-08-112-6/+17
| | | | | | http://fedorahosted.org/freeipa/ticket/4164 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add functions for DER encoding certificate extensions to ipalib.x509.Jan Cholasta2014-07-301-0/+25
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow overriding NSS database path in RPCClient.Jan Cholasta2014-07-301-2/+5
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for writing list of certificates to a PEM file to ipalib.x509.Jan Cholasta2014-07-301-10/+30
| | | | | | | | | | Also rename load_certificate_chain_from_file to load_certificate_list_from_file. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add certificate store module ipalib.certstore.Jan Cholasta2014-07-301-0/+397
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for extracting extended key usage from certs to ipalib.x509.Jan Cholasta2014-07-301-0/+22
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add functions for extracting certificates fields in DER to ipalib.x509.Jan Cholasta2014-07-301-0/+55
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for checking if certificate is self-signed to ipalib.x509.Jan Cholasta2014-07-301-0/+6
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Verify otptoken timespan is validDavid Kupka2014-07-291-1/+30
| | | | | | | | | When creating or modifying otptoken check that token validity start is not after validity end. https://fedorahosted.org/freeipa/ticket/4244 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix group-remove-member crash when group is removed from a protected groupDavid Kupka2014-07-291-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4448 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Exclude attributelevelrights from --raw result processing in baseldap.Jan Cholasta2014-07-291-3/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4371 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib: idrange: Make non-implemented range types fail the validationTomas Babej2014-07-281-2/+3
| | | | | | | | | | The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to pass the validation tests, however, they are not implemented nor checked by the 389 server plugin. https://fedorahosted.org/freeipa/ticket/4323 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: return 'none' attr level right as unicode stringPetr Vobornik2014-07-251-1/+1
| | | | | | | | | Returning non-unicode causes serialization into base64 which causes havoc in Web UI. https://fedorahosted.org/freeipa/ticket/4454 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Remove redundant search from LDAPAddReverseMember and ↵Tomas Babej2014-07-231-6/+0
| | | | | | LDAPRemoveReverseMember Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix login password expiration detection with OTPNathaniel McCallum2014-07-211-0/+6
| | | | | | | | | | | | | | | | | | | | | The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 09:14:02 +0000