Commit log. Each entry gives the commit message, then the author, date, number of files changed and lines removed/added.
* Implement an IPA Foreman smartproxy server (HEAD, master)
  Author: Rob Crittenden | Date: 2014-02-27 | Files: 16 | Lines: -7/+1156

  This server currently supports only host and hostgroup commands for retrieving, adding and deleting entries. The incoming requests are completely unauthenticated and by default requests must be local.

  Utilize GSS-Proxy to manage the TGT.

  Configuration information is in the ipa-smartproxy man page.

  Design: http://www.freeipa.org/page/V3/Smart_Proxy
* Make all ipatokenTOTP attributes mandatory
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 1 | Lines: -1/+1

  Originally we made them all optional as a workaround for the lack of SELFDN support in 389DS. However, with the advent of SELFDN, this hack is no longer necessary. This patch updates TOTP to match HOTP in this regard.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.
  Author: Petr Spacek | Date: 2014-02-21 | Files: 1 | Lines: -2/+5

  https://fedorahosted.org/freeipa/ticket/4188

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use super() properly to avoid an exception
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 1 | Lines: -1/+1

  https://fedorahosted.org/freeipa/ticket/4099

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Do not assume attribute-level rights for new attributes are present
  Author: Petr Viktorin | Date: 2014-02-21 | Files: 1 | Lines: -7/+10

  With the --all --raw options, the code assumed attribute-level rights were set on ipaPermissionV2 attributes, even on permissions that did not have the objectclass. Add a check that the data is present before using it.

  https://fedorahosted.org/freeipa/ticket/4121

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the unused ipalib.frontend.Property class
  Author: Petr Viktorin | Date: 2014-02-21 | Files: 5 | Lines: -127/+23

  This class was built into the framework from its early days but it's not used anywhere. Remove it along with its tests.

  https://fedorahosted.org/freeipa/ticket/3460

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* libotp: do not call internal search for NULL dn
  Author: Alexander Bokovoy | Date: 2014-02-21 | Files: 1 | Lines: -1/+6

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Teach ipa-pwd-extop to respect global ipaUserAuthType settings
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 7 | Lines: -406/+398

  https://fedorahosted.org/freeipa/ticket/4105

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extop
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 9 | Lines: -970/+373

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP last token plugin
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 8 | Lines: -0/+225

  This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled.

  Thanks to Mark Reynolds for helping me with this patch.

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP support
  Author: Nathaniel McCallum | Date: 2014-02-21 | Files: 8 | Lines: -22/+69

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add --force option to ipactl
  Author: Adam Misnyovszki | Date: 2014-02-20 | Files: 2 | Lines: -48/+67

  If an error occurs in the start-up sequence in ipactl start/restart, all the services are stopped. Using the --force option prevents stopping of services that have successfully started, and just skips the services which can not be started.

  ipactl status now also shows stopped services, if the directory server is running.

  With the contribution of Ana Krivokapic.

  https://fedorahosted.org/freeipa/ticket/3509

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* .mailmap: use correct name format for Adam
  Author: Martin Kosek | Date: 2014-02-20 | Files: 1 | Lines: -0/+1

  Name should be First-Name Last-Name. Map all Adam's contributions to this preferred format.
* Add tests for multivalued filters
  Author: Petr Viktorin | Date: 2014-02-20 | Files: 1 | Lines: -0/+216

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add permission_filter_objectclasses for explicit type filters
  Author: Petr Viktorin | Date: 2014-02-20 | Files: 10 | Lines: -14/+30

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions: Use multivalued targetfilter
  Author: Petr Viktorin | Date: 2014-02-20 | Files: 7 | Lines: -234/+296

  Change the target filter to be multivalued.

  Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only.

  Update tests.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Do not copy member attributes to new entry
  Author: Petr Viktorin | Date: 2014-02-20 | Files: 1 | Lines: -1/+3

  Fixes: https://fedorahosted.org/freeipa/ticket/4178

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* .mailmap: Remove spurious Kyle Baker line
  Author: Petr Viktorin | Date: 2014-02-20 | Files: 1 | Lines: -1/+0

  <kbaker@redhat.com> is another person, entirely unrelated to FreeIPA.
* ipactl can not restart ipa services if current status is stopped
  Author: Misnyovszki Adam | Date: 2014-02-19 | Files: 1 | Lines: -2/+12

  Fixed by starting the directory server when restarting if it is not currently running, to enable fetching running services later; restart didn't check that. Also added a check that if the directory server was started at the beginning, there is no need to restart it.

  https://fedorahosted.org/freeipa/ticket/4050

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support to ipa-kdb for keyless principals
  Author: Nathaniel McCallum | Date: 2014-02-19 | Files: 2 | Lines: -0/+21

  https://fedorahosted.org/freeipa/ticket/3779

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Improve error message on failed Kerberos authentication
  Author: Ana Krivokapic | Date: 2014-02-18 | Files: 1 | Lines: -2/+2

  When ipa client installation fails due to failed Kerberos authentication, make sure that the message about the failed authentication is displayed last. This makes it clear to the user that this was the reason for failed installation.

  https://fedorahosted.org/freeipa/ticket/3573

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Modify DNS tests with LOC records to work around bug in python-dns.
  Author: Petr Spacek | Date: 2014-02-18 | Files: 1 | Lines: -5/+5

  Older versions of dnspython have problems with implicit values for size and h/v precision, so our tests use explicit values. See https://github.com/rthalley/dnspython/issues/47

  This change is necessary because we want to test if data visible over DNS protocol matches data visible over LDAP.

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix regular expression for LOC records in DNS.
  Author: Petr Spacek | Date: 2014-02-18 | Files: 1 | Lines: -8/+13

  - Fractional parts of integers are not mandatory.
  - Expressions containing only size or only size + horizontal precision are allowed.
  - N/S/W/E handling was fixed.

  See RFC 1876 section 3 for details.

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-join usage instructions are incorrect
  Author: Gabe | Date: 2014-02-18 | Files: 1 | Lines: -1/+1

  Parameter -s for ipa-join has hostame instead of hostname

  https://fedorahosted.org/freeipa/ticket/3250

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* tests: Move zone enable/disable tests to end of test_dns_plugin.py
  Author: Petr Spacek | Date: 2014-02-14 | Files: 1 | Lines: -72/+74

  This prevents the test suite from hitting limitations in bind-dyndb-ldap 4.0. For details see https://fedorahosted.org/bind-dyndb-ldap/ticket/127

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add libotp internal library for slapi plugins
  Author: Nathaniel McCallum | Date: 2014-02-14 | Files: 8 | Lines: -0/+970

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable building in C99 mode
  Author: Nathaniel McCallum | Date: 2014-02-14 | Files: 3 | Lines: -3/+3

  C99 is supported on all compilers we target and provides some useful features, including:
  * Standard struct initializers
  * Compound literals
  * For-loop declarations
  * Standard bool type
  * Variable arrays (use with caution)
  * Too many others to mention...

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokens
  Author: Nathaniel McCallum | Date: 2014-02-14 | Files: 3 | Lines: -25/+135

  This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password.

  This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC.

  https://fedorahosted.org/freeipa/ticket/4154

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update ACIs to permit users to add/delete their own tokens
  Author: Nathaniel McCallum | Date: 2014-02-13 | Files: 3 | Lines: -3/+5

  https://fedorahosted.org/freeipa/ticket/4087

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix generation of invalid OTP URIs
  Author: Nathaniel McCallum | Date: 2014-02-13 | Files: 1 | Lines: -0/+9

  https://fedorahosted.org/freeipa/ticket/4169

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labels
  Author: Nathaniel McCallum | Date: 2014-02-13 | Files: 1 | Lines: -3/+3

  https://fedorahosted.org/freeipa/ticket/4171

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managed permissions
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 7 | Lines: -88/+780

  This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades.

  The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions).

  Tests included.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4033

  Design: http://www.freeipa.org/page/V3/Managed_Read_permissions

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make it possible to call custom functions in Declarative tests
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -5/+12

  Sometimes, we will want to do more than just call IPA commands and check the output. This patch makes it possible to add arbitrary functions to Declarative tests. They will be called as part of the sequence of tests.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Generate ACIs in the plugin
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -10/+23

  Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Convert options in execute, not args_options_2_params
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -19/+10

  With this change, shortcut options like memberof and type will be applied on the server, not on the client. This will allow us to pass more information than just updated options.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Permission plugin fixes
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -13/+14

  - Fix i18n for plugin docstring
  - Fix error when the aci attribute is not present on an entry
  - Fix error when raising exception for ACI not found

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the TODO file
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -88/+0

  All items in the file either have been fixed or were just stale. Nowadays we just use Trac for issues.

  Reviewed-By: Martin Košek <mkosek@redhat.com>
* Update README and BUILD
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 2 | Lines: -34/+68

  Update README with information from http://www.freeipa.org/page/Leaflet and fix links.

  Update the list of dependencies in BUILD, and link to the Testing wiki page.

  Reviewed-By: Martin Košek <mkosek@redhat.com>
* Correct Jenny Severance's last name
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -1/+1

  Reviewed-By: Martin Košek <mkosek@redhat.com>
* Add a .mailmap file
  Author: Petr Viktorin | Date: 2014-02-12 | Files: 1 | Lines: -0/+50

  This makes `git shortlog` report correct and consistent names and addresses, even for past commits where the author information is not ideal.

  See git-shortlog(1)

  Reviewed-By: Martin Košek <mkosek@redhat.com>
* Fix test_host_plugin for DNS Classless Reverse zones
  Author: Martin Basti | Date: 2014-02-12 | Files: 1 | Lines: -2/+2

  Ticket: https://fedorahosted.org/freeipa/ticket/4143

  Reviewed-by: Martin Kosek <mkosek@redhat.com>
* Move ipa-otpd socket directory
  Author: Nathaniel McCallum | Date: 2014-02-11 | Files: 4 | Lines: -7/+7

  https://fedorahosted.org/freeipa/ticket/4167

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS tests for classless reverse domains
  Author: Martin Basti | Date: 2014-02-11 | Files: 4 | Lines: -21/+246

  Ticket: https://fedorahosted.org/freeipa/ticket/4143

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS classless support for reverse domains
  Author: Martin Basti | Date: 2014-02-11 | Files: 2 | Lines: -36/+70

  Now users can add reverse zones in classless form:

    0/25.1.168.192.in-addr.arpa.
    0-25.1.168.192.in-addr.arpa.

    128/25  NS     ns.example.com.
    10      CNAME  10.128/25.1.168.192.in-addr.arpa.

  Ticket: https://fedorahosted.org/freeipa/ticket/4143

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Do not require group name resolution for the non-posix tests
  Author: Tomas Babej | Date: 2014-02-11 | Files: 1 | Lines: -4/+16

  In the non-posix tests on the legacy clients, the testuser does not belong to the testgroup (since this is represented by the NIS group membership). Relax the regular expression check for the output of the id testuser.

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Change expected home directories returned by getent
  Author: Tomas Babej | Date: 2014-02-11 | Files: 2 | Lines: -8/+20

  The hardcoded values for the home directories for the AD users did not properly scale up from the POSIX attrs only test scenario.

  When using POSIX attrs, the home dir is returned as whatever is set in the AD (/home/username by default). Without using POSIX attributes, the /home/domain/username form is taken by default.

  Refactor the tests to take this behaviour into account.

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Add test cases for subdomain users on legacy clients
  Author: Tomas Babej | Date: 2014-02-11 | Files: 1 | Lines: -9/+113

  Adds test cases for:
  * getent subdomain user on legacy client
  * getent subdomain group on legacy client
  * getent id subdomain user on legacy client
  * ssh into legacy client with subdomain user
  * ssh into legacy client with disabled subdomain user

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* PTR records can be added without specifying FQDN zone name
  Author: Martin Basti | Date: 2014-02-11 | Files: 1 | Lines: -0/+3

  Now adding PTR records will accept zones both with and without end dot.

  Ticket: https://fedorahosted.org/freeipa/ticket/4151

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Stop sssd service before deleting the cache
  Author: Tomas Babej | Date: 2014-02-10 | Files: 1 | Lines: -2/+2

  In the integration tests, we do not stop the sssd service before deleting the cache, but rather start it. We need to stop sssd before deleting the cache.

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipatests: Make sure we re-kinit as admin before adding the disabledipauser
  Author: Tomas Babej | Date: 2014-02-10 | Files: 1 | Lines: -0/+2

  When we add the disabledipauser during the setup class part of the BaseTestLegacyClient, we need to make sure that we re-kinit admin since we do ntpsync with the AD just before that, which can render the previous ticket invalid.

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>