summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Add automember rebuild command to the web UIAna Krivokapic2013-11-151-4/+6
| | | | | Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3928
* Fix error message when adding duplicate automember ruleAna Krivokapic2013-11-152-4/+5
| | | | | | Also fix object_name and object_name_plural for automember rules. https://fedorahosted.org/freeipa/ticket/2708
* Add automember rebuild commandAna Krivokapic2013-11-151-10/+133
| | | | | | | | | | | Add a new command to IPA CLI: ipa automember-rebuild The command integrates the automember rebuild membership task functionality into IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups. Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3752
* Add support for managing user auth typesNathaniel McCallum2013-11-082-5/+22
| | | | https://fedorahosted.org/freeipa/ticket/3368
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-052-6/+6
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Remove AllowLMhash from the allowed IPA config stringsSumit Bose2013-11-011-1/+1
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3795
* Always use lists for values in LDAPEntry internally.Jan Cholasta2013-10-311-0/+2
| | | | | | | Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce lists for attribute values, this will be removed. https://fedorahosted.org/freeipa/ticket/3521
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-5/+5
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Use new ipaldap entry API in aci and permission pluginPetr Viktorin2013-10-302-23/+27
|
* Update Permission and ACI plugins to decorator registration APIPetr Viktorin2013-10-302-30/+24
|
* trusts: Fix typo in error message for realm-domain mismatchTomas Babej2013-10-251-2/+2
|
* trusts: combine filters with AND to make sure only the intended domain matchesJakub Hrozek2013-10-241-1/+2
|
* Get the created range type in case of re-establishing trustTomas Babej2013-10-211-0/+2
| | | | | | | This is a regression fix introduced by commit id: 285ed59889590ddd0d6ca2e2a030b28527941cbf Fixes internal error in case of re-establishing the trust.
* trusts: Do not create ranges for subdomains in case of POSIX trustTomas Babej2013-10-141-11/+39
| | | | | | For the AD trusts where the ID range for the root level domain is of ipa-ad-trust-posix type, do not create a separate ranges for the subdomains, since POSIX attributes provide global mapping.
* ipa-kdb: Handle parent-child relationship for subdomainsAlexander Bokovoy2013-10-041-0/+6
| | | | | | | | | | | | | | | | | When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service.
* trust: integrate subdomains support into trust-addAlexander Bokovoy2013-10-041-3/+20
|
* ipaserver/dcerpc: remove use of trust account authenticationAlexander Bokovoy2013-10-041-1/+0
| | | | | | | | Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as trust account because it should not really be used other than within Samba.
* trusts: support subdomains in a forestAlexander Bokovoy2013-10-041-51/+278
| | | | | | | | | | | | | | | | | | | Add IPA CLI to manage trust domains. ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA ipa trustdomain-find <trust> -- show all available domains ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust> ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain By default all discovered trust domains are allowed to access IPA resources IPA KDC needs also information for authentication paths to subdomains in case they are not hierarchical under AD forest trust root. This information is managed via capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved. part of https://fedorahosted.org/freeipa/ticket/3909
* Do not add trust to AD in case of IPA realm-domain mismatchTomas Babej2013-10-031-0/+13
| | | | | | | | Make sure that trust-add command fails when admin attempts to add an Active Directory trust when the realm name and the domain name of the IPA server do not match. https://fedorahosted.org/freeipa/ticket/3923
* Use correct super-calls in get_args() methodsPetr Viktorin2013-10-021-22/+8
| | | | | | | | | | The get_args methods in ipalib.crud and ipalib.plugins.baseldap used super() calls that skipped some of the classes in the inheritance chain, and contained code that reimplemented some of the skipped functionality. This made it difficult to customize the get_args behavior. Use proper super() calls.
* Fix service-disable in CA-less install.Jan Cholasta2013-08-291-20/+21
| | | | https://fedorahosted.org/freeipa/ticket/3886
* Fix tests which fail after ipa-adtrust-installAna Krivokapic2013-08-281-0/+44
| | | | | | | | | | Some unit tests were failing after ipa-adtrust-install has been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if ipa-adtrust-install has been run, and adds missing attributes and objectclasses where appropriate. https://fedorahosted.org/freeipa/ticket/3852
* Fix incorrect error message occurence when re-adding the trustTomas Babej2013-08-271-1/+1
| | | | | | | | | You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that range_size parameter has default value. However, default value is assigned only later in the add_range function. https://fedorahosted.org/freeipa/ticket/3870
* Add base-id, range-size and range-type options to trust-add dialogPetr Vobornik2013-08-221-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3049
* Allow API plugin registration via a decoratorPetr Viktorin2013-08-141-3/+5
| | | | | | | | | | | | This makes plugin registration easier to read, less error-prone, and, for many Plugins in a single module, faster to write. Functionally, the decorator is equivalent to current plugin registration. However, in the future this style will allow cleaner semantics. As an example, and to exercise the new syntax to prevent regressions, the ping plugin is converted to this style.
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-1/+1
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-6/+4
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Add new command compat-is-enabledAna Krivokapic2013-08-071-0/+44
| | | | | | | | | Add a new API command 'compat-is-enabled' which can be used to determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in IPA CLI. https://fedorahosted.org/freeipa/ticket/3671 https://fedorahosted.org/freeipa/ticket/3672
* Improve help entry for ipa hostTomas Babej2013-08-061-5/+7
| | | | | | | | Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820
* Limit pwpolicy maxlife to 20000 daysTomas Babej2013-08-051-0/+1
| | | | | | | | | | | | Since krbMaxPwdLife attribute is represented as number of seconds, setting maxlife to high values such as 999 999 days (~2739 years) would result to overflow when parsing this attribute in kdb plugin, and hence default maxlife of 90 days would be applied. Limit the maximum value of maxlife that can be set through the framework to 20 000 days (~ 54 years). https://fedorahosted.org/freeipa/ticket/3817
* Expose ipaRangeType in Web UIAna Krivokapic2013-07-291-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3759
* Refactor the interactive prompt logic in idrange_addTomas Babej2013-07-261-27/+34
| | | | | | | | | | | | | | | | Make the interactive prompts interpret the following logic: - AD range (dom-sid/dom-name set): require RID base if not set - local range(dom-sid/dom-name not set): a) server with adtrust support: require both RID base and secondary RID base b) server without adtrust support: if any of RID base, secondary RID base set, require both of them https://fedorahosted.org/freeipa/ticket/3786
* Use valid LDAP search base in migration pluginMartin Kosek2013-07-261-1/+2
| | | | | | One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
* Remove word 'field' from GECOS param labelPetr Vobornik2013-07-231-1/+1
| | | | No other param/field has 'field' in a label.
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD firstAlexander Bokovoy2013-07-231-6/+3
| | | | | | | | Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
* Use AD LDAP probing to create trusted domain ID rangeTomas Babej2013-07-231-12/+99
| | | | | | | | | | When creating a trusted domain ID range, probe AD DC to get information about ID space leveraged by POSIX users already defined in AD, and create an ID range with according parameters. For more details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD https://fedorahosted.org/freeipa/ticket/3649
* Add new hidden command option to suppress processing of membership attributes.Jan Cholasta2013-07-231-18/+50
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Fix internal error in idrange-addAna Krivokapic2013-07-221-1/+1
| | | | | | | Fix internal error in idrange-add, caused by a missing 'name' argument of ValidationError. https://fedorahosted.org/freeipa/ticket/3781
* Add --range-type option that forces range type of the trusted domainTomas Babej2013-07-112-4/+40
| | | | | | | | | | Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650
* Use LDAP search instead of *group_show to check for a group objectclass.Jan Cholasta2013-07-113-37/+41
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Use LDAP search instead of *group_show to check if a group exists.Jan Cholasta2013-07-116-9/+15
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Remove entitlement supportMartin Kosek2013-06-262-771/+0
| | | | | | | Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code. https://fedorahosted.org/freeipa/ticket/3739
* Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-installAna Krivokapic2013-06-242-5/+62
| | | | | | | | | | | | | Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in IPA CLI. Use this command in idrange_add to conditionally require rid-base and secondary-rid-base options. Add tests to cover the new functionality https://fedorahosted.org/freeipa/ticket/3634
* Fail when adding a trust with a different rangeAna Krivokapic2013-06-241-69/+148
| | | | | | | | When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635
* Return ipaRangeType as a list in idrange commandsTomas Babej2013-06-191-1/+1
| | | | | | | To be consistent with the rest of the LDAP commands, return ipaRangeType as a list of unicode strings. Regression caused by https://fedorahosted.org/freeipa/ticket/3647
* PEP8 fixes in idrange.pyTomas Babej2013-06-101-8/+17
|
* Extend idrange commands to support new range origin typesTomas Babej2013-06-101-14/+54
| | | | | | | | | | | | | | Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647
* Remove redundant u'' characterMartin Kosek2013-06-061-1/+1
| | | | | | One Python's unicode marking character was being printed by RPC plugin which then appeared in ipa-client-install output. This patch removes it.
* Incorporate interactive prompts in idrange-addTomas Babej2013-06-051-3/+38
| | | | | | | | | | | In idrange-add command, ensure that RID base is prompted for in the interactive mode if domain SID or domain name was specified. If domain name nor SID was specified, make sure rid base is prompted for if secondary rid base was specified and vice versa. https://fedorahosted.org/freeipa/ticket/3602
* Add prompt_param method to avoid code duplicationTomas Babej2013-06-051-23/+12
| | | | | | | | | | Extracted common code from ipalib/plugins/cli.py and ipalib/plugins/dns.py that provided way to prompt user for the value of specific attribute. Added prompt_param method to Command class in ipalib/frontend.py Done as part of https://fedorahosted.org/freeipa/ticket/3602
generated by cgit (git 2.34.1) at 2025-09-02 06:14:25 +0000