summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Re-implement access control using an updated model.Rob Crittenden2010-12-0132-2525/+3073
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* admin determinationAdam Young2010-12-011-2/+13
| | | | | extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins added check for group admins
* action panel sibling added function to get sibling entities from the tab ↵Adam Young2010-12-0113-253/+168
| | | | set. remove explicit sibling code from entity pages Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI
* Enable EntryUSN plugin by default, with global scopeSimo Sorce2010-11-304-1/+16
| | | | | | | This will allow clients to use entryusn values to track what changed in the directory regardles of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Prompt correctly for required Password params.Pavel Zuna2010-11-301-10/+13
| | | | Ticket #361
* Multicolumn association facetEndi S. Dewata2010-11-3020-253/+1168
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The association facet has been modified to support multiple columns. By default the facet will have one column which is the primary key of the associated object (e.g. username of a group member), so the existing code will work like before. Other fields (e.g. user's full name) can be added by subclassing the ipa_association_facet class and specifying the additional columns to display. These additional fields will be retrieved using a batch operation. Previously a single association facet instance will be used for all associations in an entity. Now each association will have its own association facet. This way each association facet can be customized differently as needed. The <entity>-enroll URL parameter has been removed because it's no longer needed. The ipa_entity.create_association_facets() is provided to generate the default association facets with one column for the primary key. The column click handler has been moved out of ipa_column to provide more flexibility for customization. The get_action_panel() and get_client_area() have been modified to search within the entity's container. The group entity has been fully converted to use the new UI framework. Association facets that have been modified to use multiple columns are: - User Group's member_user - HBAC Service Group's member_hbacsvc - SUDO Command Group's member_sudocmd - Service's managedby_host New test data files have been added. Unit tests have been updated.
* Reduce the number of attributes a host is allowed to write.Rob Crittenden2010-11-302-4/+8
| | | | | | | | | | The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
* Create user private groups with a uniqueid.Rob Crittenden2010-11-303-3/+5
| | | | | | | | | | If we don't then we need to add it when a group is detached causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Init smods to prevent crash if encode_keys failsJakub Hrozek2010-11-291-1/+1
|
* Handle error messages during various HBAC operationsJan Zeleny2010-11-291-0/+8
| | | | | | | | | | | During some HBAC operations, various error messages were handled incorrectly - displaying only generic error messages instead of correct ones, which were defined for the module. This patch adds catching these generic exceptions and raising new exceptions with the correct error message. https://fedorahosted.org/freeipa/ticket/487
* Fixed navigation problem with nested entities.Endi S. Dewata2010-11-295-8/+8
| | | | | Replaced _entity with -entity in IPA.tab_state(). Replaced sudo-entity with sudorule-entity.
* top nav index allows links between differnt top level tabs by calculating ↵Adam Young2010-11-294-21/+66
| | | | the index of the top level tab for the target tab. new version creats third level navigation for nested entities, such as SUDO and HBAC
* build tweaks - use automake's foreign mode, avoid creating empty files to ↵Nalin Dahyabhai2010-11-296-20/+5
| | | | satisfy gnu mode - run autoreconf -f to ensure that everything matches
* quote class memberAdam Young2010-11-291-1/+1
| | | | | the class member variable is a reserved keyword in Javascript. This patch fixes a syntax error.
* whoami fixAdam Young2010-11-241-2/+3
| | | | recent changes to the scope mechanism weren't propigated to the whoami call
* navigation format UXD guidance to cleanup navigation. adjusts the tab fontAdam Young2010-11-245-15/+18
|
* action panel formattingAdam Young2010-11-248-24/+51
| | | | | Cleans up the indentation of the action panel Puts the sudo and HBAC entries in a consistent order
* Rename parent LDAPObject pkeys in child LDAPObject methods.Pavel Zuna2010-11-241-1/+5
| | | | | | | | If the parent and child entries have the same attribute as primary key (such as in the DNS schema), we need to rename the parent key to prevent a param name conflict. It has no side effects, because the primary key name is always taken from the LDAPObject params, never from the method params.
* Verify the --ip-address option when setting up DNS.Rob Crittenden2010-11-242-1/+3
| | | | | | | | | There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399
* Catch when we fail to get a cert chain from the CA during installationRob Crittenden2010-11-241-1/+5
| | | | | | Also don't free the XML document if it was never created. ticket 404
* Gracefully handle an empty members listRob Crittenden2010-11-241-1/+4
| | | | | | | | | | | This can occur if you do something like: $ ipa hbac-add-host --hosts="" testrule options will have an entry for 'host' but it will be None whcih is not iterable. ticket 486
* Display user and host membership in netgroups.Rob Crittenden2010-11-242-2/+11
| | | | | | | This uses an enhanced memberof plugin that allows multiple attributes to be configured to create memberOf attributes. tickets 109 and 110
* Generate better DuplicateEntry error messages in LDAPCreate.Pavel Zuna2010-11-231-6/+13
| | | | Ticket #530
* Change signature of LDAPSearch.pre_callback.Pavel Zuna2010-11-236-18/+30
| | | | Add the opportunity to change base DN and scope in the callback.
* Add ability to add/remove DNS records when adding/removing a host entry.Rob Crittenden2010-11-234-1/+165
| | | | | | | | | | | | | | | | | | A host in DNS must have an IP address so a valid IP address is required when adding a host. The --force flag will be needed too since you are adding a host that isn't in DNS. For IPv4 it will create an A and a PTR DNS record. IPv6 isn't quite supported yet. Some basic work in the DNS installer is needed to get this working. Once the get_reverse_zone() returns the right value then this should start working and create an AAAA record and the appropriate reverse entry. When deleting a host with the --updatedns flag it will try to remove all records it can find in the zone for this host. ticket 238
* Fix modrdn plugin crash bug.Simo Sorce2010-11-231-25/+10
| | | | | | | | | Constant values were assigned to variables gthat would later be freed with slapi_ch_free_string(). Make copies instead so the free doesn't blow. Also remove useless tests, as these functions already check for NULL on their own. Fixes: https://fedorahosted.org/freeipa/ticket/529
* ipa-client code cleanupJakub Hrozek2010-11-227-98/+73
| | | | | | | Fixes errors about implicit function declaration and moves duplicated gettext code into a common module. Also silences some warnings. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Silence compilation warnings in SLAPI pluginsJakub Hrozek2010-11-229-59/+54
| | | | Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Don't use deprecated ldap_bind_sJakub Hrozek2010-11-221-1/+11
| | | | | | ldap_bind_s is marked as deprecated in new libldap releases. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Use internal implementation of internal Kerberos functionsJakub Hrozek2010-11-227-6/+73
| | | | | | | | | | | Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Stricter compilation flagsJakub Hrozek2010-11-2211-0/+28
| | | | | | | Use a little stricter compilation flags, in particular -Wall and treat implicit function declarations as errors. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Common include file for SLAPI plugin loggingJakub Hrozek2010-11-2219-449/+332
| | | | | | | | | Consolidate the common logging macros into common/util.h and use them in SLAPI plugins instead of calling slapi_log_error() directly. https://fedorahosted.org/freeipa/ticket/408 Signed-off-by: Simo Sorce <ssorce@redhat.com>
* SUDO Commands and Command GroupsEndi S. Dewata2010-11-2221-31/+776
| | | | | | | | | | | | The SUDO Commands and Command Groups pages have been added under SUDO Rules tab. Similar to HBAC navigation issue, these entities do not have their own tab, so an exception has been added to the navigation code to read sudo-entity parameter to determine the entity being viewed. Fixing this issue will require framework changes. New test data for these operations have been added.
* Fixed action panel queriesEndi S. Dewata2010-11-2212-98/+215
| | | | | | | | | | | | | | | Previously the queries for action panel were done globally. Since each entity container has its own action panel, the queries will return multiple results. This is fixed by qualifying the query to run within the entity container. The query has also been moved into ipa_facet.get_action_panel(). Entities that do not have their own entity container (e.g. HBAC services and service groups) will need to override this method to get the action panel from the right entity container (e.g. HBAC rules). The facet.setup_views() has been renamed to facet.create_action_panel(). New test data for SUDO rules have been added.
* Don't use full pathnames for kerberos binaries, let PATH find them.Rob Crittenden2010-11-221-1/+1
| | | | | Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out.
* Handle wget failures trying to retrieve the CA during the client installRob Crittenden2010-11-221-1/+5
| | | | ticket 405
* Autotune directory server to use a greater number of filesSimo Sorce2010-11-223-4/+75
| | | | | | | | This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..). Fixes: https://fedorahosted.org/freeipa/ticket/464
* Save and restore on uninstall ds related config filesSimo Sorce2010-11-222-1/+14
|
* id ranges: change DNA configurationSimo Sorce2010-11-229-72/+68
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Ensure that Apache is running with MPM=PreforkJan Zeleny2010-11-221-1/+5
| | | | | | | Script wsgi.py checks if Apache is compiled with MPM=Prefork and if not, it refuses to run. https://fedorahosted.org/freeipa/ticket/252
* Configure KDC to use multiple workersSimo Sorce2010-11-221-0/+34
| | | | | Only if more than one CPU is available Only if supported by the installed krb5kdc
* Use sys.exit to quit scriptsJakub Hrozek2010-11-226-73/+45
| | | | | | | Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
* Multivalued email addressEndi S. Dewata2010-11-203-3/+3
|
* Automatically disable pkinit when not supportedSimo Sorce2010-11-191-0/+4
|
* Use provided domain name for the rest of installationJan Zeleny2010-11-191-1/+1
| | | | | | | | When installing IPA client, the install script used detected domain name of the machine instead of that given by administrator (in case one was given) https://fedorahosted.org/freeipa/ticket/363
* Improve the documentation of setattr/addattrJakub Hrozek2010-11-191-2/+3
| | | | https://fedorahosted.org/freeipa/ticket/245
* Log interactive options in install scriptsJakub Hrozek2010-11-193-0/+18
|
* Give a detached group a full set of group objectclasses.Rob Crittenden2010-11-193-9/+26
| | | | | | | The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
* Use radio buttons for HBAC rule typeEndi S. Dewata2010-11-192-3/+35
| | | | | To be consistent with the details page, the rule type in the HBAC add dialog box has been converted into radio buttons.
* Host Enrollment via OTPEndi S. Dewata2010-11-199-114/+421
| | | | | | | | | | | | | The support for host enrollment via one-time-password has been added. When submitted, the OTP will be used to set the host's userpassword. Previously each IPA command can only have one JSON test data file. The ipa_cmd() has been modifies to accept an optional command name. When used with static files, it will pull the test data whose name is the same as the command name. The batch.json has been renamed to ipa_init.json for UI initialization. Some test data have been added for operations against specific hosts.
generated by cgit (git 2.34.1) at 2025-09-03 14:43:53 +0000