freeipa.git/ipalib/plugins, branch WIP Unnamed repository; edit this file 'description' to name the repository. Perform case-insensitive searches for principals on TGS requests 2012-04-30T15:26:24+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-03-26T11:23:42+00:00 3c8876c3587c86de9684afe882965d40f1c75847 We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577 
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
Update docs for user-status, always show disabled, time for each server. 2012-04-23T08:20:34+00:00 Rob Crittenden rcritten@redhat.com 2012-04-23T08:16:45+00:00 d7f7bb11dfa62fbafbe3e0e321e32bad8da2ecf4 Provide some guidance on how to read and understand the output. Some manual work is needed to identify which master the user is locked on. Always display the enabled/disabled status. Include the time that the master was contacted in the output for each master as lockout is very time sensitive. https://fedorahosted.org/freeipa/ticket/2162 
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.

Always display the enabled/disabled status.

Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.

https://fedorahosted.org/freeipa/ticket/2162
Fix name error in hbactest 2012-04-19T13:22:49+00:00 John Dennis jdennis@redhat.com 2012-04-19T12:56:07+00:00 885bb07bb1c5c7052aa04a5d2e43227fd1f6cd50 Ticket #2512 In hbactest.py there is a name error wrapped inside a try/except block that ignores all errors so the code block exits prematurely leaving a critical variable uninitialized. The name error is the result of a cut-n-paste error that references a variable that had never been initialized in the scope of the code block. Python generates an exception when this variable is referenced but because it's wrapped in a try/except block that catches all errors and ignores all errors there is no evidence that something went wrong. The fix is to use the correct variables. At some point we may want to revist if ignoring all errors and proceding as if nothing happened is actually correct. Alexander tells me this mimics what SSSD does in the hbac rule processing, thus the ignoring of errors is intentional. But in a plugin whose purpose is to test and exercise hbac rules I'm not sure ignoring all errors is really the right behavior. 
Ticket #2512

In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.

The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.

The fix is to use the correct variables.

At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
Fix internal error when renaming user with an empty string. 2012-04-18T07:03:53+00:00 Jan Cholasta jcholast@redhat.com 2012-04-12T11:29:21+00:00 c043a65728ec897a31373e0ebe00f52ac8978dc1 ticket 2629 
ticket 2629
Do not fail migration because of duplicate groups 2012-04-17T04:20:31+00:00 Martin Kosek mkosek@redhat.com 2012-04-17T18:39:32+00:00 88927fb78b5dd8df6fdccb79c84c02691c7aeb46 When 2 groups in a remote LDAP server share the same GID number, the migration may fail entirely with incomprehensible message. This should not be taken as unrecoverable error - GID number check is just a sanity check, a warning is enough. This patch also makes sure that GID check warnings include a user name to make an investigation easier. https://fedorahosted.org/freeipa/ticket/2644 
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.

https://fedorahosted.org/freeipa/ticket/2644
Raise proper exception when LDAP limits are exceeded 2012-04-17T03:23:57+00:00 Martin Kosek mkosek@redhat.com 2012-04-17T07:56:04+00:00 a663e83cb2717ac4cf831261c93c1582f562a07f ldap2 plugin returns NotFound error for find_entries/get_entry queries when the server did not manage to return an entry due to time limits. This may be confusing for user when the entry he searches actually exists. This patch fixes the behavior in ldap2 plugin to 1) Return even a zero search results + truncated bool set in ldap2.find_entries 2) Raise LimitsExceeded in ldap2.get_entry and ldap2.find_entry_by_attr instead of NotFound error This changed several assumptions about ldap2.find_entries results. Several calls accross IPA code base had to be amended. https://fedorahosted.org/freeipa/ticket/2606 
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
don't append basedn to container if it is included 2012-04-17T02:26:49+00:00 John Dennis jdennis@redhat.com 2012-04-16T22:48:57+00:00 72efa64c81fc44dbc05c48730c339120888fecbe ticket #2566 When specifying a container to ds-migrate we should not automatically append the basedn if it is provided by the end-user. This is easy to detect using DN objects because DN objects have a endswith() method which can easily and correctly ascertain if a base already exists. 
ticket #2566

When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.

This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.
Fix empty external member processing 2012-04-17T14:22:37+00:00 Ondrej Hamada ohamada@redhat.com 2012-04-03T13:16:58+00:00 6f7224f252775c01e13c281a83e555b627834ffd Validation of external member was failing for empty strings because of wrong condition. https://fedorahosted.org/freeipa/ticket/2447 
Validation of external member was failing for empty strings because of
wrong condition.

https://fedorahosted.org/freeipa/ticket/2447
Fix dnsrecord_add interactive mode 2012-04-15T22:37:18+00:00 Martin Kosek mkosek@redhat.com 2012-04-16T09:00:00+00:00 568de5027b9c7057e6f71cca4a45ced9ca7a7db6 dnsrecord_add interactive mode did not work correctly when more than one DNS record part was entered as command line option. It asked for remaining options more than once. This patch fixes this situation and also adds tests to cover this use case properly. https://fedorahosted.org/freeipa/ticket/2641 
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.

https://fedorahosted.org/freeipa/ticket/2641
Return correct record name in DNS plugin 2012-04-16T14:11:33+00:00 Martin Kosek mkosek@redhat.com 2012-04-12T07:44:50+00:00 0acdae0b4dc4809025bae6062a28fff99b105632 When dnsrecord-add or dnsrecord-mod commands are used on a root zone record (it has a special name "@"), a zone name is returned instead of a special name "@". This confuses DNS part of Web UI which is then not able to manipulate records in the root zone when these commands are used. This patch fixes these 2 commands to return correct value when a root zone is modified. https://fedorahosted.org/freeipa/ticket/2627 https://fedorahosted.org/freeipa/ticket/2628 
When dnsrecord-add or dnsrecord-mod commands are used on a root
zone record (it has a special name "@"), a zone name is returned
instead of a special name "@". This confuses DNS part of Web UI
which is then not able to manipulate records in the root zone
when these commands are used.

This patch fixes these 2 commands to return correct value when
a root zone is modified.

https://fedorahosted.org/freeipa/ticket/2627
https://fedorahosted.org/freeipa/ticket/2628