Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Add type argument to x509.load_certificate() so it can handle binary certs | Rob Crittenden | 2009-12-01 | 1 | -9/+12 |
| | |||||
* | Rename GeneralizedTime to AccessTime. | Pavel Zuna | 2009-12-01 | 3 | -8/+8 |
| | |||||
* | Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. | Pavel Zuna | 2009-12-01 | 1 | -2/+94 |
| | |||||
* | Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. | Rob Crittenden | 2009-11-30 | 4 | -27/+784 |
| | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: the host for the alt name exists in IPA; if binding as host principal, the host is in the service's managedBy attr. | ||||
* | Fix boolean attributes in DNS plugin. | Pavel Zuna | 2009-11-30 | 1 | -3/+9 |
| | Sometimes they worked fine and sometimes DS rejected them as invalid. | ||||
* | Fix Bool parameter type. It was impossible to set it to FALSE. | Pavel Zuna | 2009-11-30 | 2 | -3/+5 |
| | |||||
* | Fix takes_options in automount plugin. | Pavel Zuna | 2009-11-30 | 1 | -1/+1 |
| | |||||
* | Print only one line of docstrings in command listings. | Pavel Zuna | 2009-11-30 | 1 | -4/+3 |
| | Full docstring is shown on `ipa help COMMAND`. | ||||
* | Use correct attribute for hosts. | Rob Crittenden | 2009-11-25 | 1 | -1/+1 |
| | |||||
* | Fix two bugs: one in parsing the ACI and one in comparing two ACIs | Rob Crittenden | 2009-11-25 | 1 | -4/+4 |
| | The parsing bug was looking for the string 'version' expecting to find the ACI version. This blew up with the attribute nsosversion. Use the string 'version 3.0' instead. The comparison bug appeared if neither ACI had a targetattr attribute. It was trying to create a set out of a None which is illegal. If an ACI doesn't have any targetattrs then return () instead. | ||||
* | Reading INT parameter class should respect radix prefix | John Dennis | 2009-11-23 | 1 | -0/+29 |
| | This modifies the original patch by including a unit test, handling floats when passed as unicode, and handling large magnitude values beyond maxint. The INT parameter class was not respecting any radix prefix (e.g. 0x) the user may have supplied. This patch implements _convert_scalar method for the Int class so that we can pass the special radix base of zero to the int constructor telling it to determine the radix from the prefix (if present). | ||||
* | If plugin fails to load log the traceback | John Dennis | 2009-11-23 | 1 | -1/+2 |
| | Signed-off-by: John Dennis <jdennis@redhat.com>. If plugin fails to load log the traceback. If a plugin fails to load due to some kind of error it would be nice if the error log contained the traceback so you can examine what went wrong rather than being left blind as to why it failed to load. | ||||
* | add new error class for certificate operations | John Dennis | 2009-11-19 | 1 | -1/+28 |
| | add new error class for certificate operations | ||||
* | error strings in documentation were missing unicode specifier | John Dennis | 2009-11-19 | 1 | -3/+3 |
| | error strings in documentation were missing unicode specifier | ||||
* | Provide additional help to --help option | Rob Crittenden | 2009-11-19 | 1 | -0/+7 |
| | |||||
* | Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled). | Pavel Zuna | 2009-11-18 | 1 | -4/+4 |
| | |||||
* | Remove 'ipaObject' objectClass from rolegroups and taskgroups. | Pavel Zuna | 2009-11-18 | 2 | -4/+2 |
| | |||||
* | Add fail-safe so any kind of exception is handled in XML-RPC server. | Rob Crittenden | 2009-11-18 | 1 | -0/+5 |
| | If an exception is not handled here then the context isn't destroyed leaving at least an LDAP connection dangling. This means the next time this thread/process tries to handle a connection it will fail because a context already exists. | ||||
* | Add support for setting/adding arbitrary attributes | Rob Crittenden | 2009-11-17 | 2 | -0/+106 |
| | This introduces 2 new params: --setattr and --addattr. Both take a name/value pair, ala: `ipa user-mod --setattr=postalcode=20601 jsmith`. --setattr replaces or sets the current attribute to the value. --addattr adds the value to an attribute (or sets a new attribute). OptionsParser allows multiple versions of this, so you can have multiple setattr and addattr, either for the same attribute or for different attributes: `ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith`. Values are silently dropped if either of these is used on an existing param: `ipa user-mod --setattr=givenname=Jerry jsmith` is a no-op. | ||||
* | _convert_scalar() should throw an error if passed a tuple or list | Rob Crittenden | 2009-11-17 | 1 | -0/+12 |
| | A parameter needs to have multivalue set in order to work on lists/tuples and even then _convert_scalar() will be sent one value at a time. | ||||
* | Fix typo in name of exception | Rob Crittenden | 2009-11-12 | 1 | -1/+1 |
| | |||||
* | Use File parameter for CSR in cert_request command plugin. | Pavel Zuna | 2009-11-06 | 1 | -29/+12 |
| | |||||
* | Add 'File' parameter type. | Pavel Zuna | 2009-11-06 | 3 | -2/+47 |
| | Accepts filenames and loads file contents as parameter value. | ||||
* | ipa-server-install now renders UI assets | Jason Gerard DeRose | 2009-11-04 | 1 | -2/+1 |
| | |||||
* | Use a new mechanism for delegating certificate issuance. | Rob Crittenden | 2009-11-03 | 3 | -43/+42 |
| | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: the service will need to exist; the machine needs to be in the certadmin rolegroup; the host needs to be in the managedBy attribute of the service. It might look something like: admin: `ipa host-add client.example.com --password=secret123`, `ipa service-add HTTP/client.example.com`, `ipa service-add-host --hosts=client.example.com HTTP/client.example.com`, `ipa rolegroup-add-member --hosts=client.example.com certadmin`; client: `ipa-client-install`, `ipa-join -w secret123`, `kinit -kt /etc/krb5.keytab host/client.example.com`, `ipa -d cert-request file://web.csr --principal=HTTP/client.example.com` | ||||
* | Add mod_python adapter and some UI tuning | Jason Gerard DeRose | 2009-10-27 | 1 | -1/+1 |
| | |||||
* | Remove ipalib/plugins/basegroup.py. It's become obsolete. | Pavel Zuna | 2009-10-23 | 1 | -551/+0 |
| | |||||
* | Fix bug in print_attribute. | Pavel Zuna | 2009-10-23 | 1 | -1/+1 |
| | When the attribute had no values an exception was generated while trying to word-wrap it. | ||||
* | Display membership attributes (member, memberOf) by default in show/find. | Pavel Zuna | 2009-10-21 | 3 | -3/+5 |
| | |||||
* | Require that a host exist before creating a service for it. | Rob Crittenden | 2009-10-21 | 1 | -0/+5 |
| | |||||
* | The name coming out of DNS will have a trailing dot (.). Remove it. | Rob Crittenden | 2009-10-21 | 1 | -1/+1 |
| | |||||
* | First pass at enforcing certificates be requested from same host | Rob Crittenden | 2009-10-21 | 3 | -29/+91 |
| | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet; that is still limited to the taskgroup request_certs. | ||||
* | Change Password param so (password, confirm_password) can be passed to _convert_scalar() | Jason Gerard DeRose | 2009-10-18 | 2 | -0/+18 |
| | |||||
* | Use the FQDN and not just the hostname internally. | Rob Crittenden | 2009-10-16 | 1 | -2/+2 |
| | |||||
* | Fixed 'import json' for simplejson compatibility | Jason Gerard DeRose | 2009-10-16 | 1 | -0/+51 |
| | |||||
* | Make plugin browser show plugin parent class | Jason Gerard DeRose | 2009-10-14 | 1 | -0/+3 |
| | |||||
* | Removed util.add_global_options() and frontend.Application | Jason Gerard DeRose | 2009-10-14 | 4 | -72/+4 |
| | |||||
* | Giant webui patch take 2 | Jason Gerard DeRose | 2009-10-13 | 9 | -23/+85 |
| | |||||
* | Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. | Pavel Zuna | 2009-10-08 | 2 | -2/+8 |
| | |||||
* | Fix bug in group plugin. Was using wrong variable for attributes. | Pavel Zuna | 2009-10-08 | 1 | -1/+1 |
| | Fix bug #527537. | ||||
* | Make the taskgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-07 | 1 | -135/+40 |
| | |||||
* | Make the rolegroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -46/+41 |
| | |||||
* | Make the hostgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -173/+45 |
| | |||||
* | Make the netgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -309/+116 |
| | |||||
* | Make the user plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -230/+76 |
| | |||||
* | Make the service plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -205/+66 |
| | |||||
* | Fix unit tests for plugins using baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -1/+4 |
| | |||||
* | Make the group plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -124/+65 |
| | |||||
* | Make the config plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -103/+33 |
| | |||||
* | Add HBAC plugin and introduce GeneralizedTime parameter type. | Pavel Zuna | 2009-10-05 | 3 | -1/+427 |
| |