summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* baseldap: Remove redundant search from LDAPAddReverseMember and ↵Tomas Babej2014-07-231-6/+0
| | | | | | LDAPRemoveReverseMember Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix login password expiration detection with OTPNathaniel McCallum2014-07-211-0/+6
| | | | | | | | | | | | | | | | | | | | | The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* webui: custom attr in attributes widgetPetr Vobornik2014-07-211-0/+2
| | | | | | | | | | Web UI doesn't always know what are the possible attributes for target object. This will allow to add custom attributes if necessary. https://fedorahosted.org/freeipa/ticket/4253 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add filter to attributes widgetPetr Vobornik2014-07-211-0/+1
| | | | | | | | | | | Adds filter field to attribute box in permissions for better user experience. User can then quickly find the desired attribute. Initial version of the patch authored by: Adam Misnyovszki https://fedorahosted.org/freeipa/ticket/4253 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Fix typos in dns.pyGabe2014-07-181-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4429 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* trusts: Validate missing trust secret properlyTomas Babej2014-07-141-4/+6
| | | | | | | | | Detect the situation if the user passes empty trust secret and error out properly. https://fedorahosted.org/freeipa/ticket/4266 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Return empty string when no effective rights are foundPetr Viktorin2014-07-091-0/+4
| | | | | | | | | | DS returns the string "none" when no rights were found. All clients would need to special-case this value when checking the rights. Return empty string instead. https://fedorahosted.org/freeipa/ticket/4359 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* webui: capitalize labels of undo and undo all buttonsPetr Vobornik2014-07-081-2/+2
| | | | | | | Make the label of these buttons consistent with other buttons which have capital first letters. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* webui: new navigation structurePetr Vobornik2014-07-041-0/+2
| | | | | | | | https://fedorahosted.org/freeipa/ticket/4418 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow to add managed permission for reverse zonesMartin Basti2014-07-041-2/+2
| | | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4422 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add Modify Realm Domains permissionMartin Kosek2014-07-041-0/+8
| | | | | | | | | The permission is required for DNS Administrators as realm domains object is updated when a master zone is added. https://fedorahosted.org/freeipa/ticket/4423 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Non IDNA zonename should be normalized to lowercaseMartin Basti2014-07-041-0/+10
| | | | | | Before IDNA support zone was normalized. Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipalib: Use DateTime parameter class for OTP token timestamp attributesTomas Babej2014-07-041-3/+3
| | | | | | | | For ipatokennotbefore and ipatokennotafter attributes use DateTime parameter class instead of Str, since these are represented as LDAP Generalized Time in LDAP. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix incompatible permission name *zone-delMartin Basti2014-07-031-14/+19
| | | | | | Fixes ticket: https://fedorahosted.org/freeipa/ticket/4383 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Split dns docstringMartin Basti2014-07-031-47/+47
| | | | Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Help for forward zonesMartin Basti2014-07-031-12/+51
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Use documentation addresses in dns helpMartin Basti2014-07-031-15/+15
| | | | Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add DNSSEC experimental support warning messageMartin Basti2014-07-032-0/+29
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4408 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add warning about semantic change for zonesMartin Basti2014-07-032-0/+35
| | | | | | | | | --forwarder have different semantic since forward zones support. Add warning if zone contains forwarders. Ticket: https://fedorahosted.org/freeipa/ticket/3210#comment:16 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add NSEC3PARAM to zone settingsMartin Basti2014-07-021-3/+47
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove NSEC3PARAM recordMartin Basti2014-07-021-45/+3
| | | | | | | Revert 5b95be802c6aa12b9464813441f85eaee3e3e82b Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix ACI in DNSMartin Basti2014-07-011-2/+2
| | | | | | | Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord, tlsarecord Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC: add TLSA record typeMartin Basti2014-07-011-15/+44
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Check normalization only for IDNA domainsMartin Basti2014-07-011-10/+15
| | | | | | | | | | Backward compability with older IPA versions which allow to use uppper case. Only IDNA domains will be checked. https://fedorahosted.org/freeipa/ticket/4382 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Ignore unparseable ACIsPetr Viktorin2014-07-011-1/+6
| | | | | | | | | | | | | When manipulating a permission for an entry that has an ACI that the parser cannot process, skip this ACI instead of failing. Add a test that manipulates permission in cn=accounts, where there are complex ipaAllowedOperation-based ACIs. Workaround for: https://fedorahosted.org/freeipa/ticket/4376 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Let Host Administrators use host-disable commandMartin Kosek2014-06-301-1/+1
| | | | | | | | | Host Administrators could not write to service keytab attribute and thus they could not run the host-disable command. https://fedorahosted.org/freeipa/ticket/4284 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: support unlock user commandPetr Vobornik2014-06-301-0/+2
| | | | | | | | | | Call user-unlock command from Web UI. It will unlock displayed user on current master. https://fedorahosted.org/freeipa/ticket/4407 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add link pointing to OTP sync page to loginPetr Vobornik2014-06-301-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add OTP token synchronizationPetr Vobornik2014-06-301-0/+6
| | | | | | | | New SyncOTPScreen widget and related facet. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add confirmation for dns zone permission actionsPetr Vobornik2014-06-271-0/+2
| | | | | | All header actions should require confirmation. Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Add otptoken-sync commandNathaniel McCallum2014-06-261-1/+101
| | | | | | | | | This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add the otptoken-add-yubikey commandNathaniel McCallum2014-06-262-1/+140
| | | | | | | | This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* webui: add placeholders to login screenPetr Vobornik2014-06-261-0/+3
| | | | Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* ipa-passwd: add OTP supportPetr Vobornik2014-06-261-1/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4262 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* sudorule: Refactor add and remove external_post_callbackTomas Babej2014-06-254-85/+156
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Fix the order of the parameters to have less chaotic outputTomas Babej2014-06-251-11/+11
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Make sure all the relevant attributes are checked when setting ↵Tomas Babej2014-06-251-12/+41
| | | | | | | | category to ALL https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow adding deny commands when command category set to ALLTomas Babej2014-06-251-6/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4340 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Include externalhost and ipasudorunasextgroup in the list of ↵Tomas Babej2014-06-251-1/+2
| | | | | | | | | | | | default attributes The following attributes were missing from the list of default attributes: * externalhost * ipasudorunasextuser * ipasudorunasextgroup Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using external groups as groups of runAsUsersTomas Babej2014-06-251-4/+50
| | | | | | | | | Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using hostmasks for setting allowed hostsTomas Babej2014-06-252-2/+78
| | | | | | | | | Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host commands, which allows setting a range of hosts specified by a hostmask. https://fedorahosted.org/freeipa/ticket/4274 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: PEP8 fixes in sudorule.pyTomas Babej2014-06-251-52/+104
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix incompatible DNS permissionMartin Basti2014-06-251-1/+30
| | | | | | | | | dns(forward)zone-add/remove-permission can work with permissions with relative zone name Ticket:https://fedorahosted.org/freeipa/ticket/4383 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+11
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add several CRUD default permissionsPetr Viktorin2014-06-243-0/+30
| | | | | | | | | | | | Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command Group default permissions to managedPetr Viktorin2014-06-241-0/+22
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command default permissions to managedPetr Viktorin2014-06-241-0/+25
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Service default permissions to managedPetr Viktorin2014-06-241-0/+30
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert SELinux User Map default permissions to managedPetr Viktorin2014-06-241-0/+25
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-27 23:40:04 +0000