| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
439281
|
| |
|
|
| |
438387
|
| |
|
|
| |
440142
|
| |
|
|
| |
440081
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do account activation by using a Class of Service based on group
membership. A problem can happen if the entry itself has an nsaccountlock
attribute and you try doing Class of Service work as well because the
local attribute has priority. So try to detect that the entry has a local
nsAccountLock attribute and report an appropriate error.
Don't allow the admins or editors groups to be de-activated.
Return a better error message if account [in]activation fails.
Catch errors when doing group [in]activation.
439230
|
| |
|
|
|
|
| |
If a site really wants it gone then can delete it via LDAP.
439281
|
| |
|
|
|
|
|
|
|
|
| |
current value to prevent unnecessary LPAP updates (and failed writes)
Don't check against these lists on updates, only add them on new entries.
Disable the ability to configure in the UI these values for now.
438256
|
| |
|
|
|
|
| |
as a direct or indirect member.
438387
|
| |
|
|
|
|
|
|
|
|
| |
The memberOf attribute includes members that are directly in the group
via the "member" attribute and those that are included as a result of
being in a group that is in the group.
The UI needs to be able to distinguish between the two.
438706
|
| |
|
|
|
|
|
| |
This is more kerberos-like and it doesn't hurt anything, we just won't
allow realms other than our own to be used.
437566
|
| |
|
|
|
|
|
| |
This function was assuming that the target list was all lower-case so the
set could end up with duplicate values which would get kicked out by LDAP.
433680
|
| |
|
|
| |
435713
|
| |
|
|
|
| |
Fix error in service principals where the service wasn't being removed before
doing the DNS lookup.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
|
| |
|
|
| |
433880
|
| |
|
|
|
|
| |
There is a --force option for those who know what they are doing.
433483
|
| |
|
|
| |
434542
|
| |
|
|
|
|
|
|
|
|
| |
Fix bug in exception handling where we were sending the wrong thing as detail.
Basically we were catching an LDAP error, generating an IPAError from it,
catching that, then setting the detail of the 2nd exception to another IPAError
rather than the root exception. This caused anything looking at e.detail to
crap out
Resolves 432136
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Removing shebangs (#!) from a bunch of python libraries
- Don't use a variable name in init scripts for the lock file
- Keep the init script name consistent with the binary name, so renamed
ipa-kpasswd.init to ipa_kpasswd.init
- Add status option to the init scripts
- Move most python scripts out of /usr/share/ipa and into the python
site-packages directories (ipaserver and ipaclient)
- Remove unnecessary sys.path.append("/usr/share/ipa")
- Fix the license string in the spec files
- Rename ipa-webgui to ipa_webgui everywhere
- Fix a couple of issues reported by pychecker in ipa-python
|
| | |
|
| |
|
|
| |
easier to use.
|
| |
|
|
| |
This could result in a principal of the form: service/host@something@REALM
|
| | |
|
| |
|
|
| |
fix some problems reported by pychecker.
|
| | |
|
| | |
|
| |\ |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
Fix group RDN changes
Remove a copy/paste error in the group UI update that caused 2 updates
Fix variable name so groups don't get user objectclasses
Remove color CSS for field backgrounds as they override disabled field display
|
| | |
| |
| |
| | |
Change the syntax on user and group objectclasses in cn=ipaconfig
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
This adds the UI and does error checking of the selected object classes but
it doesn't actually use the values yet.
It also generalizes some functions for doing multi-valued fields.
|
| |\| |
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
consequences during ipa-server-install.
|
| | |
| |
| |
| | |
Fix some copy-paste errors from the password policy update
|
| | |
| |
| |
| | |
Don't allow the default group for users to be removed.
|
| | | |
|
| | | |
|
| |\| |
|
| | |
| |
| |
| | |
Warning: this lacks any sort of authorization.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds 2 new groups: activated and inactivated.
If you, or a group you are a member of, is in inactivated then you are too.
If you, or a group you are a member of, is in the activated group, then you
are too.
In a fight between activated and inactivated, activated wins.
The DNs for doing this matching is case and white space sensitive.
The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.
We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaCustomFields:
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
This could use some optimization.
|
| | |
| |
| |
| |
| | |
Set gid to the group "ipausers"
Add the user to this default group
|
| | |
| |
| |
| |
| | |
Add secretary to the list of indexes otherwise RDN changing could be slow
Port --addattr, --setattr and --delattr from usermod to groupmod
|
| | | |
|
