summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Use super() properly to avoid an exceptionNathaniel McCallum2014-02-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4099 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Do not assume attribute-level rights for new attributes ↵Petr Viktorin2014-02-211-7/+10
| | | | | | | | | | | | | are present With the --all --raw options, the code assumed attribute-level rights were set on ipaPermissionV2 attributes, even on permissions that did not have the objectclass. Add a check that the data is present before using it. https://fedorahosted.org/freeipa/ticket/4121 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+19
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-209-11/+27
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions: Use multivalued targetfilterPetr Viktorin2014-02-201-51/+94
| | | | | | | | | | | | | | | | Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Do not copy member attributes to new entryPetr Viktorin2014-02-201-1/+3
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/4178 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix regular expression for LOC records in DNS.Petr Spacek2014-02-181-8/+13
| | | | | | | | | | | - Fractional parts of integers are not mandatory. - Expressions containing only size or only size + horizontal precision are allowed. - N/S/W/E handling was fixed. See RFC 1876 section 3 for details. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix generation of invalid OTP URIsNathaniel McCallum2014-02-131-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4169 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labelsNathaniel McCallum2014-02-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4171 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managed permissionsPetr Viktorin2014-02-121-13/+131
| | | | | | | | | | | | | | | | This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Generate ACIs in the pluginPetr Viktorin2014-02-121-10/+23
| | | | | | | | | Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Convert options in execute, not args_options_2_paramsPetr Viktorin2014-02-121-19/+10
| | | | | | | | With this change, shortcut options like memberof and type will be aplied on the server, not on the client. This will allow us to pass more information than just updated options. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Permission plugin fixesPetr Viktorin2014-02-121-13/+14
| | | | | | | | - Fix i18n for plugin docstring - Fix error when the aci attribute is not present on an entry - Fix error when raising exception for ACI not found Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS classless support for reverse domainsMartin Basti2014-02-111-11/+34
| | | | | | | | | | | | Now users can add reverse zones in classless form: 0/25.1.168.192.in-addr.arpa. 0-25.1.168.192.in-addr.arpa. 128/25 NS ns.example.com. 10 CNAME 10.128/25.1.168.192.in-addr.arpa. Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* PTR records can be added without specify FQDN zone nameMartin Basti2014-02-111-0/+3
| | | | | | | Now adding PTR records will accept zones both with and without end dot. Ticket: https://fedorahosted.org/freeipa/ticket/4151 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove sourcehostcategory from the default HBAC rule.Jan Cholasta2014-02-061-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4158 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Migration does not add users to default groupMartin Kosek2014-02-051-7/+10
| | | | | | | | | | When users with missing default group were searched, IPA suffix was not passed so these users were searched in a wrong base DN. Thus, no user was detected and added to default group. https://fedorahosted.org/freeipa/ticket/4141 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-2426-334/+354
|
* Get original entry state from LDAP in LDAPUpdate.Jan Cholasta2014-01-241-1/+6
|
* Trust domains Web UIPetr Vobornik2014-01-211-0/+1
| | | | | | | | | | | | Add Web UI counterpart of following CLI commands: * trust-fetch-domains Refresh list of the domains associated with the trust * trustdomain-del Remove infromation about the domain associated with the trust. * trustdomain-disable Disable use of IPA resources by the domain of the trust * trustdomain-enable Allow use of IPA resources by the domain of the trust * trustdomain-find Search domains of the trust https://fedorahosted.org/freeipa/ticket/4119
* About dialogPetr Vobornik2014-01-211-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/4018
* Hide trust-resolve commandMartin Kosek2014-01-201-0/+1
| | | | | | | | | | | | We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular user and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113
* group-show: resolve external members of the groupsAlexander Bokovoy2014-01-201-0/+15
| | | | | | | | Perform SID to name conversion for existing external members of the groups if trust is configured. https://bugzilla.redhat.com/show_bug.cgi?id=1054391 https://fedorahosted.org/freeipa/ticket/4123
* Remove missing VERSION warning in dnsrecord-modMartin Kosek2014-01-171-1/+1
| | | | | | | | dnsrecord-mod may call dnsrecord-delentry command when all records are deleted. However, the version was not passwd to delentry and it resulted in a warning. https://fedorahosted.org/freeipa/ticket/4120
* Stop adding a default password policy referenceSimo Sorce2014-01-161-3/+0
| | | | | | | | | | | | | | | Both the password plugin and the kdb driver code automatically fall back to the default password policy. so stop adding an explicit reference to user objects and instead rely on the fallback. This way users created via the framework and users created via winsync plugin behave the same way wrt password policies and no surprises will happen. Also in case we need to change the default password policy DN this will allow just code changes instead of having to change each user entry created, and distinguish between the default policy and explicit admin changes. Related: https://fedorahosted.org/freeipa/ticket/4085
* trustdomain-find: report status of the (sub)domainAlexander Bokovoy2014-01-151-1/+17
| | | | | | | | | | Show status of each enumerated domain trustdomain-find shows list of domains associated with the trust. Each domain except the trust forest root can be enabled or disabled with the help of trustdomain-enable and trustdomain-disable commands. https://fedorahosted.org/freeipa/ticket/4096
* trust-fetch-domains: create ranges for new child domainsAlexander Bokovoy2014-01-151-121/+135
| | | | | | | | | | | | When trust is added, we do create ranges for discovered child domains. However, this functionality was not available through 'trust-fetch-domains' command. Additionally, make sure non-existing trust will report proper error in trust-fetch-domains. https://fedorahosted.org/freeipa/ticket/4111 https://fedorahosted.org/freeipa/ticket/4104
* Add missing example to sudoruleMartin Kosek2014-01-151-1/+20
| | | | https://fedorahosted.org/freeipa/ticket/4090
* Change the way we determine if the host has a password set.Rob Crittenden2014-01-151-1/+1
| | | | | | | | | | When creating a host with a password we don't set a Kerberos principal or add the Kerberos objectclasses. Those get added when the host is enrolled. If one passed in --password= (so no password) then we incorrectly thought the user was in fact setting a password, so the principal and objectclasses weren't updated. https://fedorahosted.org/freeipa/ticket/4102
* Use old entry state in LDAPClient.update_entry.Jan Cholasta2014-01-101-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3488
* hbactest does not work for external usersMartin Kosek2014-01-101-3/+5
| | | | | | | | | | Original patch for ticket #3803 implemented support to resolve SIDs through SSSD. However, it also broke hbactest for external users. The result of the updated external member group search must be local non-external groups, not the external ones. Otherwise the rule is not matched. https://fedorahosted.org/freeipa/ticket/3803
* Allow anonymous and all permissionsPetr Viktorin2014-01-072-2/+40
| | | | | | | Disallow adding permissions with non-default bindtype to privileges Ticket: https://fedorahosted.org/freeipa/ticket/4032 Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
* Use new registration API in the privilege pluginPetr Viktorin2014-01-071-20/+14
|
* Add OTP support to ipalib CLINathaniel McCallum2013-12-183-2/+339
| | | | https://fedorahosted.org/freeipa/ticket/3368
* permission_find: Do not fail for ipasearchrecordslimit=-1Petr Viktorin2013-12-171-1/+2
| | | | | | | ipasearchrecordslimit can be -1, which means unlimited. The permission_find post_callback failed in this case in legacy permission handling. Do not fail in this case.
* Remove default from the ipapermlocation optionPetr Viktorin2013-12-131-1/+0
| | | | | | | The value from my machine ended up wired into API.txt, so builds on other machines would fail. Correct the mistake.
* Make sure SYSTEM permissions can be retreived with --all --rawPetr Viktorin2013-12-131-2/+10
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
* permission plugin: Ensure ipapermlocation (subtree) always existsPetr Viktorin2013-12-131-0/+10
|
* Roll back ACI changes on failed permission updatesPetr Viktorin2013-12-131-11/+52
|
* Verify ACIs are added correctly in testsPetr Viktorin2013-12-131-4/+10
| | | | | | | To double-check the ACIs are correct, this uses different code than the new permission plugin: the aci_show command. A new option, location, is added to the command to support these checks.
* Rewrite the Permission pluginPetr Viktorin2013-12-132-336/+704
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Permissions_V2
* trust: fix get_dn() to distinguish creating and re-adding trustsAlexander Bokovoy2013-12-111-2/+2
| | | | | | | | | | | Latest support for subdomains introduced regression that masked difference between newly added trust and re-added one. Additionally, in case no new subdomains were found, the code was returning None instead of an empty list which later could confuse trustdomain-find command. https://fedorahosted.org/freeipa/ticket/4067
* Fix internal error in the user-status command.Jan Cholasta2013-12-101-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/4066
* Add RADIUS proxy support to ipalib CLINathaniel McCallum2013-12-033-9/+226
| | | | https://fedorahosted.org/freeipa/ticket/3368
* migrate-ds added --ca-cert-file=FILE optionMartin Basti2013-12-021-3/+22
| | | | | | | FILE is used to specify CA certificate for DS connection when TLS is required (ldaps://...). Ticket: https://fedorahosted.org/freeipa/ticket/3243
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-3/+10
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* Switch client to JSON-RPCPetr Viktorin2013-11-261-3/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* trusts: Do not pass base-id to the subdomain rangesTomas Babej2013-11-221-0/+5
| | | | | | | | | | | | | | | For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs. In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established. https://fedorahosted.org/freeipa/ticket/4041
* Break long doc string in the Host pluginPetr Viktorin2013-11-211-12/+11
| | | | | | Also split the translations in French and Ukraininan Part of https://fedorahosted.org/freeipa/ticket/3587
* Add userClass attribute for usersAna Krivokapic2013-11-191-3/+19
| | | | | | | | | This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation. Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems https://fedorahosted.org/freeipa/ticket/3588
generated by cgit (git 2.34.1) at 2025-08-29 02:42:19 +0000