| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
| |
Added flag for each groups type: --posix, --nonposix, --external to group-find command.
Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup
https://fedorahosted.org/freeipa/ticket/3483
|
|
|
|
|
|
|
|
|
|
| |
ipa <command> -h only showed the summary string, not the full help.
Use the full docstring. Add a custom help formatter that disables
optparse's reformatting.
Test included
https://fedorahosted.org/freeipa/ticket/3543
|
|
|
|
|
|
|
|
|
| |
Extend DNS RR conflict check and forbid DNAME+NS combination unless
it is done in root DNS zone record.
Add tests to verify this enforced check.
https://fedorahosted.org/freeipa/ticket/3449
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
|
|
|
|
| |
ipakrbauthzdata accepts [null, 'NONE', 'MS-PAC, 'PAD']
New nesting feature of radios/checkboxes was used to handle mutual exclusivity between
['MS-PAC', 'PAD'], 'NONE' and ''.
https://fedorahosted.org/freeipa/ticket/3404
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3329
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent LDAP refactoring replaced entry_attrs regular dict with
normalized keys (i.e. lowercase) with LDAPEntry instance which keys
may not be normalized. This broke CND command output when
--structured and --all options were used.
Force lowercase normalization of the LDAPEntry keys in DNS plugin
structured format postprocessing. Also add a missing test for
DNS record structured output.
https://fedorahosted.org/freeipa/ticket/3526
|
|
|
|
|
|
| |
Add support for Realm Domains to web UI.
https://fedorahosted.org/freeipa/ticket/3407
|
|
|
|
|
|
|
|
|
|
| |
This extends certificate search page by search option select. Therefore
the search is not restricted to 'subject'.
It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in a
future.
https://fedorahosted.org/freeipa/ticket/3419
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Following pages were added to Web UI:
* certificated details
* certificate search
Certificate is not regular object so it gets no metadata. Therefore artificial
metadata were created for it to allow usage of search and details facet.
Search and details facet were modified to allow removing of add/remove/update/
reset buttons - certificates have no mod operation and they are not added by
standard means.
User can revoke and restore certificated in details facet.
https://fedorahosted.org/freeipa/ticket/3419
|
|
|
|
|
|
| |
The run() method of the show_mappings command was missing
the **options parameter in its signature, causing the
ipa show-mappings to fail with an internal error.
|
|
|
|
|
|
|
| |
The .isalpha() check in validate_domain_name() was too strict,
causing some commands like ipa dnsrecord-add to fail.
https://fedorahosted.org/freeipa/ticket/3385
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a duplicate member to a group, an error message is issued,
informing the user that the entry is already a member of the group.
Similarly, when trying to delete an entry which is not a member,
an error message is issued, informing the user that the entry is not
a member of the group. These error messages were missing in case of
external members.
This patch also adds support for using the AD\name or name@ad.domain.com
format in ipa group-remove-member command. This format was supported in
group-add-member, but not in group-remove-member.
Unit test file covering these cases was also added.
https://fedorahosted.org/freeipa/ticket/3254
|
|
|
|
|
|
|
|
| |
SID validation in idrange.py now enforces exact match on SIDs, thus
one can no longer use SID of an object in a trusted domain as a
trusted domain SID.
https://fedorahosted.org/freeipa/ticket/3432
|
|
|
|
|
|
|
|
|
|
|
| |
We catched all errors that could be raised by idrange-add command and
just raised an uncomprehensible ValidationError. This could hide
a real underlying problem and make the debugging harder.
We should rather just let the command raise the real error (which
will be already a PublicError).
https://fedorahosted.org/freeipa/ticket/3288
|
|
|
|
|
|
|
|
|
|
|
| |
DNs represented as strings and passed via --setattr or --addattr
are no longer implicitly converted to DN type. This solves various
errors associated with this behaviour, see tickets below.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/3348
https://fedorahosted.org/freeipa/ticket/3349
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds 'nfs:NONE' as an allowed entry for the global
authorization data type in the CLI and WebUI. This is an ad-hoc solution
to make sure that the new default value for the NFS service is not
removed by chance.
This patch should be removed if a more generic solution is implemented
to modify service:TYPE style values of the authorization data type.
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2960
|
|
|
|
|
|
|
| |
Also fix incorrect super method call in output_for_cli method of
sudorule_{add,remove}_option.
https://fedorahosted.org/freeipa/ticket/3489
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3464
|
|
|
|
|
|
|
| |
Added blacklists section, with ipantsidblacklistincoming and
ipantsidblacklistoutgoing multivalued textbox fields, into trust details page.
https://fedorahosted.org/freeipa/ticket/3289
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
|
|
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some commands require a connection for interactive prompting.
Prompt after the connection is created.
Option parsing is still done before connecting so that help
can be printed out without a Kerberos ticket.
https://fedorahosted.org/freeipa/ticket/3453
|
|
|
|
|
|
| |
When modifing the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
|
|
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/3352
Design: http://freeipa.org/page/V3/Drop_CSV
|
|
|
|
|
|
| |
These were never set to anything but the defaults.
Part of work for https://fedorahosted.org/freeipa/ticket/3352
|
|
|
|
|
|
|
|
|
| |
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
|
|
|
|
|
|
|
| |
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The messages module contains message classes that can be added
to a RPC response to provide additional information or warnings.
This patch adds only the module with a single public message,
VersionMissing, and unit tests.
Since message classes are very similar to public errors, some
functionality and unit tests were shared.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732
https://fedorahosted.org/freeipa/ticket/3294
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
|
|
|
|
| |
Tests included.
|
|
|
|
|
|
|
|
|
| |
Since sudo commands are case-sensitive, we can't use 'sudocmd'
as the RDN.
Tests for case-sensitive behavior included
https://fedorahosted.org/freeipa/ticket/2482
|
|
|
|
|
|
|
|
| |
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
|