| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
help overcome these issues.
This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.
In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.
https://fedorahosted.org/freeipa/ticket/2260
|
| |
|
|
|
|
| |
This patch adds UI for SELinux user mapping. Its design is based on HBAC Rule design.
https://fedorahosted.org/freeipa/ticket/2145
|
| |
|
|
|
|
|
|
|
|
| |
This is what we already do in the HBAC plugin, this ports it to Sudo.
If a category (user, host, etc) is u'all' then we don't allow individual
members be added. Conversely if there are members we don't allow the
category be set to u'all'.
https://fedorahosted.org/freeipa/ticket/1440
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.
Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."
https://fedorahosted.org/freeipa/ticket/2092
|
| |
|
|
|
|
| |
Also fix a bunch of trailing whitespace.
https://fedorahosted.org/freeipa/ticket/1751
|
| |
|
|
|
|
|
|
|
|
| |
aci_mod command is composed of 2 ACI commands: aci_del which
deletes the old ACI and aci_add which adds the new modified ACI.
However, if aci_add command fails then both new and the old ACI
are lost. Old ACI must be restored in this case.
https://fedorahosted.org/freeipa/ticket/2013
https://fedorahosted.org/freeipa/ticket/2014
|
| |
|
|
|
|
|
|
|
|
| |
The certificate request dialog box has been modified to show
the OpenSSL commands for generating a CSR.
The realm and entry names in the test data have been fixed to
be more consistent.
Ticket #1012
|
| |
|
|
|
|
| |
Contributed by Jérôme Fenal
https://fedorahosted.org/freeipa/ticket/2261
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When multiple HBAC rules are defined, IPA default limits to retrieve
objects may limit the scope of HBAC testing. To allow full range of rules
to be tested support for --sizelimit option is added.
In addition, when --rules option is specified, make sure only those rules
are retrieved regardless total number of rules defined. This should also
speed up HBAC test performance for real life scenarios when few new rules
are added to large collection of rules.
https://fedorahosted.org/freeipa/ticket/2230
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
FreeIPA SUDO rules use --usercat/--groupcat to specify that rule
applies to all users or groups. Thus, sudorule-add-runasuser and
sudorule-add-runasgroup accept specific groups and users and do not
accept ALL reserved word.
The patch validates user and group passed to these commands and
reports appropriate errors when these are ALL.
Ticket #1496
https://fedorahosted.org/freeipa/ticket/1496
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1903
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Having a Parameter maxvalue larger that 2G makes Python convert it
to "long" type instead of "int" type. Our framework than fails to
bootstrap the API when it detects long integer in Parameter
maxvalue.
Remove the clashing maxvalue out entirely as we can't transfer
values larger than 2G anyway (xmlrpc limitation).
https://fedorahosted.org/freeipa/ticket/2082
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use new structured DNSRecord parameters to generate per-type API
for all supported DNS RR types. This should help significantly
the end-user with manipulating complex DNS record type (MX, LOC,
etc.).
All enhancements are integrated to current DNS record commands:
1) dnsrecord-add
- Records can be either entered as a raw value (e.g. --mx-rec=
"1 srv1.example.com" for MX record) or per-part:
--mx-preference=1 --mx-exchanger=srv1.example.com
- CLI interactive help behavior was changed. It will ask for
a record type and then ask for all DNS record part values
(e.g. MX Preference value, MX Exchanger value).
2) dnsrecord-mod
- This command can now operate in 2 modes. When only a raw DNS
record is entered (e.g. --mx-rec="1 srv1.example.com") it
operates in standard mode and replaces any previous mxrecord
value with the --mx-rec value.
When any structured parameter (e.g. --mx-preference) is passed
it modifies just the specified parts of one mxrecord value
referred by --mx-rec:
--mx-rec="1 srv1.example.com" --mx-preference=2
- New interactive help has been implemented. It will ask for a
record to be modified (in the same manner as dnsrecord-del)
and then let user change DNS record part(s) for chosen
records.
3) All dnsrecord-* commands have now --structured option
- When this option is passed, instead of displaying raw DNS values
all DNS records are parsed and displayed per-part. Example:
$ ipa dnsrecord-show example.com @ --structured
Record name: @
Records:
Record type: MX
Record data: 0 server1.example.com.
MX Preference: 0
MX Exchanger: server1.example.com.
Record type: NS
Record data: ns1.example.com.
NS Hostname: ns1.example.com.
All API changes are compatible with clients without this patch.
https://fedorahosted.org/freeipa/ticket/2082
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current DNS record processing architecture has many flaws,
including custom execute() methods which does not take advantage
of base LDAP commands or nonstandard and confusing DNS record
option processing.
This patch refactors DNS record processing with the following
improvements:
* Every DNS record has now own Parameter type. Each DNS record
consists from one or more "parts" which are also Parameters.
This architecture will enable much easier implementation of
future per-DNS-type API.
* Validation is now not written as a separate function for
every parameter but is delegated to DNS record parts.
* Normalization is also delegated to DNS record parts.
* Since standard LDAP base commands execute method is now used,
dnsrecord-add and dnsrecord-mod correctly supports --setattr
and --addattr options.
* In order to prevent confusion unsupported DNS record types
are now hidden. They are still present in the plugin so that
old clients receive proper validation error.
The patch also contains several fixes:
* Fix domain-name validation and normalization- allow domain
names that are not fully qualified. For example --cname-rec=bar
is a valid domain-name for bind which will translate it then
as bar.<owning-domain>. This change implies, that fully qualified
domain names must end with '.'.
* Do not let user accidentally remove entire zone with command
"ipa dnsrecord-del @ --del-all".
* Fix --ttl and --class option processing in dnsrecord-add and
dnsrecord-mod.
All API changes are compatible with clients without this patch.
https://fedorahosted.org/freeipa/ticket/2082
|
| |
|
|
|
|
|
|
| |
The user details page has been modified to show the password policy
and Kerberos ticket policy that apply to the user. The policies are
currently displayed as read-only.
Ticket #703
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.
Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.
https://fedorahosted.org/freeipa/ticket/2085
|
| |
|
|
| |
Contributed by Jérôme Fenal
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were two problems:
1. memberof wasn't in the list of things we looked for in the return value
from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now save a lookup
and potentially returning a NotFound if an aci points to a group that no
longer exists.
https://fedorahosted.org/freeipa/ticket/2100
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1466
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.
Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).
I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.
https://fedorahosted.org/freeipa/ticket/1979
|
| |
|
|
|
|
|
|
| |
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.
https://fedorahosted.org/freeipa/ticket/755
|
| |
|
|
|
|
|
| |
Hard-coded labels in HBAC Test have been moved into internal.py to
allow translation.
Ticket #388
|
| |
|
|
|
|
|
|
|
| |
The json_metadata command has been modified to accept some new
options and return the commands metadata. The API.txt has been
updated as well. The UI has been modified to use commands metadata
instead of methods metadata.
Ticket #388
|
| |
|
|
|
|
|
|
|
| |
This makes no changes to the functionality in the command-line or
GUI because these all have defaults anyway. This is mostly to show
them properly in the UI and prevent someone from trying to erase the
value (and getting a nasty schema error in response).
https://fedorahosted.org/freeipa/ticket/2015
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'ipa pwpolicy-find' output is now sorted by priority of the policies.
Lower position means lower priority. Global policy is then at the bottom.
The changes has also affected LDAPSearch class in baseldap.py:
LDAPSearch class sorts the search results by primary key be default
(which is usually 'cn'). Therefor a function pointer entries_sortfn
was added. If no sorting function exists, default sorting by primary key
is used.
Sorting function had to be introduced due to the fact that pwpolicy's
primary key is also it's 'cn' and global policy is not allowed to have any
priority.
https://fedorahosted.org/freeipa/ticket/2045
|
| |
|
|
|
|
|
| |
Make sure that --enable-migration in config plugin works correctly
and user can use to both enable and disable migration.
https://fedorahosted.org/freeipa/ticket/2150
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.
Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.
ticket 2007
|
| |
|
|
|
|
|
| |
Change our default zone manager to hostmaster@<domain> (as per
RFC 2142 recommendation).
https://fedorahosted.org/freeipa/ticket/1981
|
| |
|
|
|
|
|
|
|
|
| |
The validator has been improved to support better both SOA format
(e-mail address in a domain name format, without '@') and standard
e-mail format. Allow '\.' character in a SOA format encoding the
standard '.' in the local-part of an e-mail. Normalization code
has been moved to one common function.
https://fedorahosted.org/freeipa/ticket/2053
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a --delattr option to round out multi-valued attribute
manipulation. The new option is available for all LDAPUpdate based
commands. --delattr is evaluated last, it can remove any value
present either in --addattr/--setattr option or in current LDAP
object.
--*attr processing was completely refactored and placed to one
independent function available for all baseldap commands. For this
purpose a missing common base class for all baseldap commands has
been implemented. The new class should serve not only for --*attr
processing but also for other common baseldap methods and
attributes.
This approach will also benefit other custom commands based neither
on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr
option processing when needed.
https://fedorahosted.org/freeipa/ticket/1929
|
| |
|
|
|
|
|
|
|
|
|
|
| |
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
|
| |
|
|
| |
Contributed by Jérôme Fenal
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parameters in LDAP objects missed an information if they are real
LDAP attributes or not. Real LDAP attributes are written to
entry_attrs dictionary in plugin callbacks and are being encoded.
This causes issues when plugin callbacks does not expect that
the parameters values are already encoded for submission to LDAP.
This patch introduces a new flag "noattribute" used to mark that
a parameter is not an LDAP attribute and thus should not be encoded
or added to entry_attrs. Param documentation is improved to describe
the meaning of this and other Param flags or attributes.
https://fedorahosted.org/freeipa/ticket/2097
|
| |
|
|
|
|
|
| |
The permission target section has been modified to use widgets
to create the target selection and handle multiple fields.
Ticket #2098
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove config-mod options help from config module help to keep the
option doc on one place and without unnecessary redundancy. The new
format is more consistent with the rest of the plugins. Also fix
several inconsistencies in the labels/doc, including:
- using abbreviation when not needed
- using '.' at the end of options help
https://fedorahosted.org/freeipa/ticket/1906
|
| |
|
|
| |
Contributed by Jérôme Fenal
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Implement missing validators for DNS RR types so that we can capture
at least basic user errors. Additionally, a normalizer creating
a fully-qualified domain name has been implemented for several RRs
where name server may mis-interpret the domain name otherwise.
Unit tests exercising these new validators for the most common
RR types have been added. This patch also consolidates hard-coded
values in DNS test to one place.
https://fedorahosted.org/freeipa/ticket/1106
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The 'Keytab' field in output of all 'user-*' commands was changed
to 'Kerberos keys available'. In order to do this change for 'user-*'
commands only, the flag 'has_keytab' had to be removed from common
output parametrs in ipalib/baseldap.py. This change also affected the
host.py and service.py, where the 'has_keytab' flag was added to their
local output params. Both host.py and service.py holds the old field
caption - 'Keytab' - because of compatibility with older clients.
https://fedorahosted.org/freeipa/ticket/1961
|
| |
|
|
|
|
|
|
|
|
|
|
| |
--allow-dynupdate was implemented as a Flag parameter type, which
is not convenient for LDAP attributes. When a DNS zone with
permitted dynamic updates was modified and the --allow-dynupdate
flag was not set, dynamic updates were turned off.
This patch changes the option type to Bool parameter type which
behaves according to user expectations when modifying the zone.
https://fedorahosted.org/freeipa/ticket/2039
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1945
|
| |
|
|
|
|
|
|
| |
The reset password dialog for user has been modified to provide
a field to specify the current password when changing the user's
own password.
Ticket #2065
|
| |
|
|
|
|
|
|
|
|
|
|
| |
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.
This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.
https://fedorahosted.org/freeipa/ticket/1262
|
| |
|
|
|
|
|
|
|
|
| |
Labels using the word "enroll" (except for host enrollment) have
been modified to use more relevant words.
The IPA.add_dialog has been renamed into IPA.entity_adder_dialog
for clarity.
Ticket #1642
|
| |
|
|
|
|
|
| |
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.
Ticket #1444
|
| |
|
|
|
|
|
|
|
|
|
| |
Do at least a basic validation of DNS zone manager mail address.
Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.
https://fedorahosted.org/freeipa/ticket/1966
|
| |
|
|
|
|
|
|
|
| |
The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.
Ticket #1696, #1973
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1988
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.
This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.
https://fedorahosted.org/freeipa/ticket/1914
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1982
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.
Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.
https://fedorahosted.org/freeipa/ticket/1866
|
