Diffstat (limited to 'ipa-server')
-rw-r--r--ipa-server/ipa-gui/ipagui/forms/Makefile.am1
-rw-r--r--ipa-server/ipa-gui/ipagui/forms/ipapolicy.py12
-rw-r--r--ipa-server/ipa-gui/ipagui/static/css/style.css4
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/Makefile.am1
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py2
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py3
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/user.py14
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/Makefile.am4
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/ipapolicyeditform.kid10
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/ipapolicyshow.kid6
-rw-r--r--ipa-server/ipa-install/share/60ipaconfig.ldif3
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif1
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif1
-rw-r--r--ipa-server/ipaserver/dsinstance.py4
-rw-r--r--ipa-server/xmlrpc-server/funcs.py2
15 files changed, 52 insertions, 16 deletions
diff --git a/ipa-server/ipa-gui/ipagui/forms/Makefile.am b/ipa-server/ipa-gui/ipagui/forms/Makefile.am
index 4f1f72d2..a7f3c762 100644
--- a/ipa-server/ipa-gui/ipagui/forms/Makefile.am
+++ b/ipa-server/ipa-gui/ipagui/forms/Makefile.am
@@ -7,6 +7,7 @@ app_PYTHON = \
ipapolicy.py \
user.py \
delegate.py \
+ principal.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipa-gui/ipagui/forms/ipapolicy.py b/ipa-server/ipa-gui/ipagui/forms/ipapolicy.py
index 1d48f8f3..0f9591fb 100644
--- a/ipa-server/ipa-gui/ipagui/forms/ipapolicy.py
+++ b/ipa-server/ipa-gui/ipagui/forms/ipapolicy.py
@@ -9,23 +9,24 @@ class IPAPolicyFields(object):
ipasearchtimelimit = widgets.TextField(name="ipasearchtimelimit", label="Search Time Limit (sec.)", attrs=dict(size=6,maxlength=6))
ipasearchrecordslimit = widgets.TextField(name="ipasearchrecordslimit", label="Search Records Limit", attrs=dict(size=6,maxlength=6))
ipahomesrootdir = widgets.TextField(name="ipahomesrootdir", label="Root for Home Directories")
- ipadefaultloginshell = widgets.TextField(name="ipadefaultloginshell", label="Default shell")
- ipadefaultprimarygroup = widgets.TextField(name="ipadefaultprimarygroup", label="Default Users group")
+ ipadefaultloginshell = widgets.TextField(name="ipadefaultloginshell", label="Default Shell")
+ ipadefaultprimarygroup = widgets.TextField(name="ipadefaultprimarygroup", label="Default User Group")
ipamaxusernamelength = widgets.TextField(name="ipamaxusernamelength", label="Max. Username Length", attrs=dict(size=3,maxlength=3))
ipapwdexpadvnotify = widgets.TextField(name="ipapwdexpadvnotify", label="Password Expiration Notification (days)", attrs=dict(size=3,maxlength=3))
ipauserobjectclasses = widgets.TextField(name="ipauserobjectclasses", label="Default User Object Classes", attrs=dict(size=50))
userobjectclasses = ExpandingForm(name="userobjectclasses", label="Default User Object Classes", fields=[ipauserobjectclasses])
ipagroupobjectclasses = widgets.TextField(name="ipagroupobjectclasses", label="Default Group Object Classes", attrs=dict(size=50))
groupobjectclasses = ExpandingForm(name="groupobjectclasses", label="Default User Object Classes", fields=[ipagroupobjectclasses])
+ ipadefaultemaildomain = widgets.TextField(name="ipadefaultemaildomain", label="Default E-mail Domain", attrs=dict(size=20))
ipapolicy_orig = widgets.HiddenField(name="ipapolicy_orig")
# From cn=accounts
krbmaxpwdlife = widgets.TextField(name="krbmaxpwdlife", label="Max. Password Lifetime (days)", attrs=dict(size=3,maxlength=3))
krbminpwdlife = widgets.TextField(name="krbminpwdlife", label="Min. Password Lifetime (hours)", attrs=dict(size=3,maxlength=3))
- krbpwdmindiffchars = widgets.TextField(name="krbpwdmindiffchars", label="Min. number of character classes", attrs=dict(size=3,maxlength=3))
- krbpwdminlength = widgets.TextField(name="krbpwdminlength", label="Min. Length of password", attrs=dict(size=3,maxlength=3))
- krbpwdhistorylength = widgets.TextField(name="krbpwdhistorylength", label="Password History size", attrs=dict(size=3,maxlength=3))
+ krbpwdmindiffchars = widgets.TextField(name="krbpwdmindiffchars", label="Min. Number of Character Classes", attrs=dict(size=3,maxlength=3))
+ krbpwdminlength = widgets.TextField(name="krbpwdminlength", label="Min. Length of Password", attrs=dict(size=3,maxlength=3))
+ krbpwdhistorylength = widgets.TextField(name="krbpwdhistorylength", label="Password History Size", attrs=dict(size=3,maxlength=3))
password_orig = widgets.HiddenField(name="password_orig")
@@ -41,6 +42,7 @@ class IPAPolicyValidator(validators.Schema):
ipadefaultprimarygroup = validators.String(not_empty=True)
ipauserobjectclasses = validators.ForEach(validators.String(not_empty=True))
ipagroupobjectclasses = validators.ForEach(validators.String(not_empty=True))
+ ipadefaultemaildomain = validators.String(not_empty=True)
krbmaxpwdlife = validators.Number(not_empty=True)
krbminpwdlife = validators.Number(not_empty=True)
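Review bot: `ipadefaultemaildomain = validators.String(not_empty=True)` accepts any non-empty text, so a value containing spaces, `@` or other characters that are not valid in a host name is stored and later spliced into every suggested address by the `"%s.%s@%s"` format in subcontrollers/user.py. The validator should restrict the value to domain-name syntax (letters, digits, hyphens and dots, for instance through a `validators.Regex`) and strip surrounding whitespace before it is saved. The matching widget added to IPAPolicyFields in the previous hunk also sets no `maxlength`, unlike most of the neighbouring fields. IPAPolicyValidator's body continues outside the hunk.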
diff --git a/ipa-server/ipa-gui/ipagui/static/css/style.css b/ipa-server/ipa-gui/ipagui/static/css/style.css
index 6d68e8e3..8017e742 100644
--- a/ipa-server/ipa-gui/ipagui/static/css/style.css
+++ b/ipa-server/ipa-gui/ipagui/static/css/style.css
@@ -395,9 +395,9 @@ ul.checkboxlist li input {
.sortcol {
cursor: pointer;
- padding-right: 20px !important;
+ padding-left: 10px !important;
background-repeat: no-repeat !important;
- background-position: right center !important;
+ background-position: left center !important;
text-decoration: underline;
}
.sortasc {
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/Makefile.am b/ipa-server/ipa-gui/ipagui/subcontrollers/Makefile.am
index a0c6393f..4a7ff58d 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/Makefile.am
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/Makefile.am
@@ -9,6 +9,7 @@ app_PYTHON = \
policy.py \
user.py \
delegation.py \
+ principal.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
index 142d3443..cee239e7 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
@@ -71,7 +71,7 @@ class DelegationController(IPAController):
new_aci.source_group = kw.get('source_group_dn')
new_aci.dest_group = kw.get('dest_group_dn')
new_aci.attrs = kw.get('attrs')
- if (new_aci.attrs, str):
+ if isinstance(new_aci.attrs, str):
new_aci.attrs = [new_aci.attrs]
# Look for an existing ACI of the same name
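Review bot: `isinstance(new_aci.attrs, str)` does not match a `unicode` value, and this code base is Python 2 (funcs.py in the same commit still carried `print` statements), so a single attribute that arrives as unicode would stay a bare string and presumably be treated as a sequence of characters when the ACI is built. `if isinstance(new_aci.attrs, basestring):` covers both string types. `kw.get('attrs')` can also return None, which this branch leaves untouched; whether that case is rejected earlier is not visible, because the method starts and ends outside the hunk.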
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
index d8237331..267f9d3e 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
@@ -152,6 +152,9 @@ class IPAPolicyController(IPAController):
if new_ipapolicy.ipagroupobjectclasses != kw.get('ipagroupobjectclasses'):
policy_modified = True
new_ipapolicy.setValue('ipagroupobjectclasses', kw.get('ipagroupobjectclasses'))
+ if new_ipapolicy.ipadefaultemaildomain != kw.get('ipadefaultemaildomain'):
+ policy_modified = True
+ new_ipapolicy.setValue('ipadefaultemaildomain', kw.get('ipadefaultemaildomain'))
if policy_modified:
rv = client.update_ipa_config(new_ipapolicy)
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index ea773584..952278a0 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -29,14 +29,20 @@ user_edit_form = ipagui.forms.user.UserEditForm()
user_fields = ['*', 'nsAccountLock']
-email_domain = ipa.config.config.default_realm.lower()
-
class UserController(IPAController):
def __init__(self, *args, **kw):
super(UserController,self).__init__(*args, **kw)
# self.load_custom_fields()
+ def get_email_domain(self):
+ client = self.get_ipaclient()
+
+ conf = client.get_ipa_config()
+ email_domain = conf.ipadefaultemaildomain
+
+ return email_domain
+
def load_custom_fields(self):
client = self.get_ipaclient()
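Review bot: `get_email_domain` has no fallback for a config entry that carries no `ipadefaultemaildomain` value, which looks like the situation on any server installed before this commit, since only bootstrap-template.ldif sets the attribute. Depending on how the config object handles a missing attribute, the suggested address either ends in `@None` or the request fails. Keeping the removed realm-derived value as the fallback avoids both, along the lines of `return getattr(conf, 'ipadefaultemaildomain', None) or ipa.config.config.default_realm.lower()`. A one-line docstring saying that each call performs a `get_ipa_config` round trip would also help callers.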
@@ -733,13 +739,13 @@ class UserController(IPAController):
givenname = givenname.lower()
sn = sn.lower()
- email = "%s.%s@%s" % (givenname, sn, email_domain)
+ email = "%s.%s@%s" % (givenname, sn, self.get_email_domain())
try:
client.get_user_by_email(email)
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
return email
- email = "%s@%s" % (self.suggest_uid(givenname, sn), email_domain)
+ email = "%s@%s" % (self.suggest_uid(givenname, sn), self.get_email_domain())
try:
client.get_user_by_email(email)
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
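Review bot: `self.get_email_domain()` is called twice in this method, and each call fetches the whole IPA config again through the client. Read it once, `email_domain = self.get_email_domain()`, and reuse the local in both format strings, so both suggestions are built from the same value even if the policy is edited between the two lookups. The enclosing method starts and ends outside the hunk.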
diff --git a/ipa-server/ipa-gui/ipagui/templates/Makefile.am b/ipa-server/ipa-gui/ipagui/templates/Makefile.am
index 4bf8f142..279b13d4 100644
--- a/ipa-server/ipa-gui/ipagui/templates/Makefile.am
+++ b/ipa-server/ipa-gui/ipagui/templates/Makefile.am
@@ -27,6 +27,10 @@ app_DATA = \
master.kid \
policyindex.kid \
policylayout.kid \
+ principallayout.kid \
+ principallist.kid \
+ principalnewform.kid \
+ principalnew.kid \
usereditform.kid \
useredit.kid \
userlayout.kid \
diff --git a/ipa-server/ipa-gui/ipagui/templates/ipapolicyeditform.kid b/ipa-server/ipa-gui/ipagui/templates/ipapolicyeditform.kid
index 9584e445..5114943c 100644
--- a/ipa-server/ipa-gui/ipagui/templates/ipapolicyeditform.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/ipapolicyeditform.kid
@@ -172,6 +172,16 @@ from ipagui.helpers import ipahelper
py:content="tg.errors.get('ipadefaultprimarygroup')" />
</td>
</tr>
+ <tr>
+ <th>
+ <label class="fieldlabel" py:content="ipapolicy_fields.ipadefaultemaildomain.label" />:
+ </th>
+ <td>
+ <span py:replace="ipapolicy_fields.ipadefaultemaildomain.display(value_for(ipapolicy_fields.ipadefaultemaildomain))" />
+ <span py:if="tg.errors.get('ipadefaultemaildomain')" class="fielderror"
+ py:content="tg.errors.get('ipadefaultemaildomain')" />
+ </td>
+ </tr>
<tr>
<th>
<label class="fieldlabel" for="${ipapolicy_fields.userobjectclasses.field_id}"
diff --git a/ipa-server/ipa-gui/ipagui/templates/ipapolicyshow.kid b/ipa-server/ipa-gui/ipagui/templates/ipapolicyshow.kid
index 50c7d6d8..26621eed 100644
--- a/ipa-server/ipa-gui/ipagui/templates/ipapolicyshow.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/ipapolicyshow.kid
@@ -114,6 +114,12 @@ edit_url = tg.url('/ipapolicy/edit')
</tr>
<tr>
<th>
+ <label class="fieldlabel" py:content="fields.ipadefaultemaildomain.label" />:
+ </th>
+ <td>${ipapolicy.get("ipadefaultemaildomain")}</td>
+ </tr>
+ <tr>
+ <th>
<label class="fieldlabel" py:content="fields.ipauserobjectclasses.label" />:
</th>
<td>
diff --git a/ipa-server/ipa-install/share/60ipaconfig.ldif b/ipa-server/ipa-install/share/60ipaconfig.ldif
index 55212099..f4edbcc9 100644
--- a/ipa-server/ipa-install/share/60ipaconfig.ldif
+++ b/ipa-server/ipa-install/share/60ipaconfig.ldif
@@ -33,9 +33,10 @@ attributetypes: ( 2.16.840.1.113730.3.8.1.10 NAME 'ipaPwdExpAdvNotify' EQUALITY
attributetypes: ( 2.16.840.1.113730.3.8.1.11 NAME 'ipaUserObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
# ipaGroupObjectClasses - required objectclasses for groups
attributetypes: ( 2.16.840.1.113730.3.8.1.12 NAME 'ipaGroupObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributetypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
###############################################
##
## ObjectClasses
##
## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses) )
+objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain) )
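Review bot: `ipaDefaultEmailDomain` is not declared `SINGLE-VALUE`, so the directory will accept several values, while the GUI code in subcontrollers/user.py formats the attribute straight into `"%s@%s"` as if it were one string. Adding `SINGLE-VALUE` after the SYNTAX clause makes the schema enforce what the code assumes. The new attributetypes line also lacks the descriptive comment its neighbours have; `# ipaDefaultEmailDomain - default domain for suggested e-mail addresses` would match them.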
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 3b79dfb6..3f0558d1 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -135,6 +135,7 @@ ipaUserObjectClasses: inetUser
ipaUserObjectClasses: posixAccount
ipaUserObjectClasses: krbPrincipalAux
ipaUserObjectClasses: radiusprofile
+ipaDefaultEmailDomain: $DOMAIN
dn: cn=account inactivation,cn=accounts,$SUFFIX
changetype: add
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 83f927e3..6b8afd28 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -22,6 +22,7 @@ dn: cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
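Review bot: The new ACI lets every member of cn=admins write the `aci` attribute on cn=accounts and, with no `target` or `targetfilter` clause, on every entry below it, which amounts to the right to rewrite all access control in that subtree rather than only delegation rules. If delegation ACIs are only ever stored on one entry (not visible here), restrict the rule to that entry, and add a comment line above it recording why admins need write access to `aci`. The change is also unrelated to the e-mail-domain work in the rest of the commit, so it is easy to overlook in review.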
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 08b86035..6ba721c3 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -125,6 +125,7 @@ class DsInstance(service.Service):
self.host_name = None
self.dm_password = None
self.sub_dict = None
+ self.domain = None
def create_instance(self, ds_user, realm_name, host_name, dm_password, ro_replica=False):
self.ds_user = ds_user
@@ -133,6 +134,7 @@ class DsInstance(service.Service):
self.suffix = realm_to_suffix(self.realm_name)
self.host_name = host_name
self.dm_password = dm_password
+ self.domain = host_name[host_name.find(".")+1:]
self.__setup_sub_dict()
if ro_replica:
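Review bot: `host_name[host_name.find(".")+1:]` returns the whole host name when it contains no dot, because `find` yields -1 and the slice then starts at 0; that value is written as `ipaDefaultEmailDomain` through the `DOMAIN` substitution added in `__setup_sub_dict`. Unless an earlier installer step already guarantees a fully qualified name (not visible here), reject an unqualified one before deriving the domain, e.g. `if "." not in host_name: raise ValueError("host_name must be fully qualified")`. create_instance continues outside the hunk.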
@@ -173,7 +175,7 @@ class DsInstance(service.Service):
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=self.ds_user,
- SERVER_ROOT=server_root)
+ SERVER_ROOT=server_root, DOMAIN=self.domain)
def __create_ds_user(self):
self.step("creating directory server user")
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 485b6e25..8a49488b 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1425,8 +1425,6 @@ class IPAServer:
#
exact_match_filter = "(&(objectclass=krbPrincipalAux)(!(objectClass=person))(!(krbprincipalname=kadmin/*))%s)" % exact_match_filter
partial_match_filter = "(&(objectclass=krbPrincipalAux)(!(objectClass=person))(!(krbprincipalname=kadmin/*))%s)" % partial_match_filter
- print exact_match_filter
- print partial_match_filter
conn = self.getConnection(opts)
try: