| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |\ |
|
| | |
| |
| |
| | |
Warning: this lacks any sort of authorization.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds 2 new groups: activated and inactivated.
If you, or a group you are a member of, is in inactivated then you are too.
If you, or a group you are a member of, is in the activated group, then you
are too.
In a fight between activated and inactivated, activated wins.
The DNs for doing this matching is case and white space sensitive.
The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.
We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaCustomFields:
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
This could use some optimization.
|
| | | |
|
| | |
| |
| |
| |
| | |
Set gid to the group "ipausers"
Add the user to this default group
|
| | |
| |
| |
| |
| | |
Add secretary to the list of indexes otherwise RDN changing could be slow
Port --addattr, --setattr and --delattr from usermod to groupmod
|
| | | |
|
| | |
| |
| |
| |
| | |
forked-model detection was incorrect.
Both of these return an error instead of raising one
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
get_radius_profile_by_uid
add_radius_profile
update_radius_profile
delete_radius_profile
find_radius_profiles
Rewrite command line arg handling, now support pair entry, interactive
mode with auto completion, reading pairs from a file, better handling
of mandatory values, better help, long arg names now match attribute
name in pairs
Establish mappings for all attributes and names used in clients and
profiles
Add notion of containers to radius clients and profiles in LDAP
Move common code, variables, constants, and strings into the files
radius_client.py, radius_util.py, ipautil.py to eliminate redundant
elements which could get out of sync if modified and to provide access
to other code which might benefit from using these items in the
future.
Add utility functions:
format_list()
parse_key_value_pairs()
Add utility class:
AttributeValueCompleter
Unify attribute usage in radius ldap schema
|
| | | |
|
| | | |
|
| | | |
|
| |\| |
|
| | |
| |
| |
| | |
add the radiusprofile to the list of objectclasses used when creating a user
|
| |/
|
|
| |
add the radiusprofile to the list of objectclasses used when creating a user
|
| | |
|
| |
|
|
| |
Make find-groups use memberOf to have a prettier dispaly of members
|
| |
|
|
|
| |
http://hostname/config so users can point their MIT client at the IPA
server and automatically fetch the configuration.
|
| |
|
|
| |
NOTE: this doesn't handle referential integrity.
|
| |
|
|
| |
Move some ACI functions around in preparation for cli delegation
|
| |
|
|
| |
to be available to the XML-RPC interface
|
| |
|
|
|
| |
For now I've added a new API call. The field-specific searching is
a ways off.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
request.
|
| | |
|
| |
|
|
|
| |
The API needs to be thought about, but this is a quick fix w/minimal impact
to allow get_entry_by_dn do work on non-leaf entries.
|
| |\ |
|
| | |
| |
| |
| | |
Also a couple double-escaping fixes I missed in the last patch.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> >
> > make install LIBDIR=/usr/lib64
> >
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
|
| |
|
|
|
|
| |
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
|
| | |
|
| |
|
|
|
|
| |
Modify the way we detect SELinux to use selinuxenabled instead of using
a try/except.
Handle SASL/GSSAPI authentication failures when getting a connection
|
| | |
|
| |
|
|
| |
"use group DN" patch. This fixes it.
|
| |
|
|
|
| |
Add new class of errors for connections
Raise an exception if a connection cannot be made due to missing ccache
|
| |
|
|
|
|
|
| |
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.
|
| |
|
|
| |
Added a couple more API calls to make the inverse operations easier.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
- Members of groups are clickable
- Combine name and uid into a single column in find users
- Remove license plate from searching
- Mailto links on user emails
- Add timelimit to finds. This is experimental...
- Fix usersearch to only search on objectClass=Person
- Change search to use get parameter
|
