| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hardened LDAP configuration
When nsslapd-minssf is greater than 0, running as root
ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.
The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.
Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The replication related attributes with generalized time syntax have
special behaviour implemented in 389, as follows:
In case they are explicitly requested for and not set, 0 is returned.
However, 0 is not a valid value for LDAP Generalized time. Thus
we need to add these attributes to the _SYNTAX_OVERRIDE dictionary,
overriding their conversion to datetime and converting them to
string instead, which perserves the old behaviour expected by the
replication codebase.
https://fedorahosted.org/freeipa/ticket/4350
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Domain name has to be stored in LDAP in punycoded value
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.
In the CLI, accepts one of the following formats:
Accepts LDAP Generalized time without in the following format:
'%Y%m%d%H%M%SZ'
Accepts subset of values defined by ISO 8601:
'%Y-%m-%dT%H:%M:%SZ'
'%Y-%m-%dT%H:%MZ'
'%Y-%m-%dZ'
Also accepts above formats using ' ' (space) as a separator instead of 'T'.
As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.
Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).
Part of: https://fedorahosted.org/freeipa/ticket/3306
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
| |
get_type returns the Python type for an LDAP attribute.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
|
|
|
| |
Use LDAPEntry.generate_modlist instead of LDAPClient._generate_modlist and
remove LDAPClient._generate_modlist.
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
|
|
| |
Remove legacy IPAdmin methods generateModList and updateEntry.
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
|
|
| |
Add some default overrides.
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
|
|
| |
Refactor IPASimpleLDAPObject methods get_syntax and get_single_value.
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
| |
|
|
|
|
|
| |
Creating a LDAPEntry from dict does not set the raw entries,
to display everything we need to combine the underlying data.
https://fedorahosted.org/freeipa/ticket/4015
|
| |
|
|
|
|
|
| |
Now that there's a dedicated schema updater, we do not need the code
in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3454
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
|
| |
|
|
|
|
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
|
|
|
|
|
|
|
| |
This is achieved by storing both decoded and encoded attribute values in
LDAPEntry and synchronizing changes between them whenever an attribute is
accessed.
Added a new property "raw" to LDAPEntry. It provides a dictionary-like
object which can be used to directly access encoded attribute values.
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
|
|
|
| |
Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce
lists for attribute values, this will be removed.
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
|
|
|
| |
This method is intended as a counterpart of IPASimpleLDAPObject.encode and
replaces IPASimpleLDAPObject.convert_value_list.
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
| |
|
|
|
|
|
|
| |
When converting the result obtained by python-ldap library,
we need to skip unresolved referral entries, since they cannot
be converted.
https://fedorahosted.org/freeipa/ticket/3814
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Ranges
https://fedorahosted.org/freeipa/ticket/3321
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
|
|
|
Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
|
