summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/user.py
Commit message (Collapse)AuthorAgeFilesLines
* Use correct LDAP attributes for city and state.Rob Crittenden2011-02-021-5/+9
| | | | | | Also add a unit test for address. Ticket 889
* Add support for account unlockingJan Zeleny2011-01-281-0/+24
| | | | | | | | This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work. Ticket: https://fedorahosted.org/freeipa/ticket/344
* Modified description of nsaccountlock attributeJan Zeleny2011-01-181-1/+1
| | | | | | | The original one was misleading, giving the value exactly opposite meaning than it actually was. https://fedorahosted.org/freeipa/ticket/741
* Improve filtering of enrollments search results.Pavel Zuna2011-01-041-0/+2
| | | | | | | | | | | | | | | | | | | | | | This is required for effective filtering of enrollments search results in the webUI and also gives an edge to the CLI. After this patch, each LDAPObject can define its relationships to other LDAPObjects. For now, this is used only for filtering search results by enrollments, but there are probably more benefits to come. You can do this for example: # search for all users not enrolled in group admins ipa user-find --not-in-groups=admins # search for all groups not enrolled in group global with user Pavel ipa group-find --users=Pavel --not-in-groups=global # more examples: ipa group-find --users=Pavel,Jakub --no-users=Honza ipa hostgroup-find --hosts=webui.pzuna
* Don't use Class of Service for account activation, use attribute.Rob Crittenden2011-01-041-1/+1
| | | | | | | | | | To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly. ticket 568
* Don't allow a user's uid to be set to 0.Rob Crittenden2011-01-041-0/+1
| | | | ticket 578
* status labelAdam Young2010-12-231-1/+1
| | | | Change the label for the account status field IAW https://fedorahosted.org/freeipa/ticket/677
* Update built-in help for user (ipa help user) with info about username format.Pavel Zuna2010-12-221-0/+6
| | | | Ticket #436
* In meta data make ACI attributes lower-case, sorted. Add possible attributes.Rob Crittenden2010-12-211-0/+1
| | | | | | | | | | | | The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641
* Fix reporting of errors when validating parameters.Pavel Zuna2010-12-211-1/+7
| | | | | | | | | | | | | | | | | | Print the attribute CLI name instead of its 'real' name. The real name is usually the name of the corresponding LDAP attribute, which is confusing to the user. This way we get: Invalid 'login': blablabla instead of: Invalid 'uid': blablabla Another example: Invalid 'hostname': blablabla instead of: Invalid 'fqdn': blablabla Ticket #435
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Remove principal as an option when updating an existing user.Rob Crittenden2010-12-171-0/+1
| | | | ticket 559
* Check for existence of the group when adding a user.Rob Crittenden2010-12-131-0/+12
| | | | | | | | | | | | | The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the uesr to be added ticket 567
* Provide list of available attributes for use in ACI UI.Rob Crittenden2010-12-031-0/+1
| | | | | | | Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446
* Added some fields to user objectJan Zeleny2010-12-031-2/+46
| | | | | | | Some fields were missing from user object, this change adds them along with their l10n https://fedorahosted.org/freeipa/ticket/305
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-1/+1
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* whoami fixAdam Young2010-11-241-2/+3
| | | | recent changes to the scope mechanism weren't propigated to the whoami call
* Change signature of LDAPSearch.pre_callback.Pavel Zuna2010-11-231-2/+2
| | | | Add the opportunity to change base DN and scope in the callback.
* Multivalued email addressEndi S. Dewata2010-11-201-1/+1
|
* Increase # of chars in users and groups to 255 and default username to 32.Rob Crittenden2010-11-121-2/+2
| | | | ticket 434
* Replace 'Locking' in `ipa help user` with 'Disabling'.Pavel Zuna2010-11-091-1/+1
| | | | Ticket #452
* user-enable/disable improvementsRob Crittenden2010-11-041-10/+23
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Use kerberos password policy.Rob Crittenden2010-11-011-0/+1
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* Populate indirect members when showing a group object.Rob Crittenden2010-10-281-16/+0
| | | | | | | | | | | | | | | This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-281-0/+1
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
* Improve doc string for passwordRob Crittenden2010-10-151-1/+1
| | | | ticket 182
* Enforce the maximum username length from cn=ipaconfigRob Crittenden2010-10-131-0/+3
| | | | ticket 226
* Rename user-lock and user-unlock to user-enable user-disable.Pavel Zuna2010-10-061-12/+12
| | | | Ticket #165
* phonenumbersAdam Young2010-10-011-0/+10
| | | | Added in params for phone number types: phone, fax, mobile ,pager
* Remove reliance on the name 'admin' as a special user.Rob Crittenden2010-10-011-5/+0
| | | | | | | And move it to the group 'admins' instead. This way the admin user can be removed/renamed. ticket 197
* Fix sizelimit/timelimit options not working in user_findRob Crittenden2010-09-301-1/+1
|
* Use the principal from the context in whoami.Rob Crittenden2010-09-241-2/+2
| | | | ticket 227
* user-find whoamiAdam Young2010-09-151-0/+13
| | | | | | Now no longer breaks user-find with a filter Uses the corrected Params for getting option printf style strings
* Revert "user whoami"Adam Young2010-09-141-11/+0
| | | | This reverts commit bef0690a2ff9cccf7de132e5e64b4ba631482764.
* user whoamiAdam Young2010-09-141-0/+11
| | | | Added a whoami option to the user, allows the user to query their own information based on their Kerberos principal
* Update command documentation based on feedback from docs team.Rob Crittenden2010-08-271-11/+15
| | | | ticket #158
* Add optional error message to pattern validatorRob Crittenden2010-08-061-0/+3
| | | | | | | | | The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11
* Add separate var for search attributes and config attribute for search fieldsRob Crittenden2010-07-131-0/+1
| | | | | | | | Add an optional search_attributes variable in case the attributes you want to display by default aren't what you want to search on. Also link in any cn=ipaconfig attributes that contain a comma-separated list of attributes to search on.
* Add support for User-Private GroupsRob Crittenden2010-07-061-10/+16
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* First pass at per-command documentationRob Crittenden2010-06-221-0/+22
|
* Try to clear up that uid is a number, not the login nameRob Crittenden2010-05-171-1/+1
|
* Code cleanup: remove unused stuff, take 1.Pavel Zuna2010-03-011-23/+12
|
* Translatable Param.label, Param.docJason Gerard DeRose2010-02-241-14/+14
|
* Use the Output tuple to determine the order of outputRob Crittenden2010-02-151-5/+9
| | | | | | | | | | | | | | The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
* Add Object.label class attribute, enable in webUIJason Gerard DeRose2010-02-121-0/+2
|
* Enabled CRUDS in webUI using wehjit 0.2.0Jason Gerard DeRose2010-01-261-0/+3
|
* Add --all to LDAPCreate and make LDAP commands always display default ↵Pavel Zuna2010-01-111-1/+1
| | | | attributes.
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-101-29/+50
| | | | output_for_cli(); enable more webUI stuff
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-5/+4
|
* Make the user plugin use baseldap classes.Pavel Zuna2009-10-051-230/+76
|
generated by cgit (git 2.34.1) at 2025-09-02 20:57:26 +0000