summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Modififed NSSConnection not to shutdown existing database.Endi S. Dewata2014-11-111-15/+19
| | | | | | | | | | | | The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs. https://fedorahosted.org/freeipa/ticket/4638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix dns zonemgr validation regressionMartin Basti2014-10-271-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4663 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overridesAlexander Bokovoy2014-10-241-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4664 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* fix forwarder validation errorsMartin Basti2014-10-211-6/+8
| | | | | | Fix tests, validation in dnsconfig mod, wuser warning Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: remove container_dnssec_keysJan Cholasta2014-10-211-1/+0
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: change link to ipa pageMartin Basti2014-10-211-3/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: ACIMartin Basti2014-10-211-0/+53
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwardersMartin Basti2014-10-213-1/+90
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: platform paths and servicesMartin Basti2014-10-211-0/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Support idviews in compat treeAlexander Bokovoy2014-10-202-0/+21
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: do not offer ipa users to Default Trust ViewPetr Vobornik2014-10-201-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4616 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: allow --force in dnszone-mod and dnsrecord-addPetr Vobornik2014-10-201-0/+3
| | | | | | | | | | Allow to use --force when changing authoritative nameserver address in DNS zone. Same for dnsrecord-add for NS record. https://fedorahosted.org/freeipa/ticket/4573 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: management of keytab permissionsPetr Vobornik2014-10-201-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Display token type when viewing tokenNathaniel McCallum2014-10-201-3/+25
| | | | | | | | | When viewing a token from the CLI or UI, the type of the token should be displayed. https://fedorahosted.org/freeipa/ticket/4563 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: add link to OTP token appPetr Vobornik2014-10-171-0/+1
| | | | | | | | | - display info message which points user to FreeOTP project page - the link or the text can be easily changed by a plugin if needed https://fedorahosted.org/freeipa/ticket/4469 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* idviews: error out if appling Default Trust View on hostsPetr Vobornik2014-10-171-0/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4615 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* keytab manipulation permission managementPetr Vobornik2014-10-173-9/+258
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds new API: ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR these methods add or remove user or group DNs in `ipaallowedtoperform` attr with `read_keys` and `write_keys` subtypes. service|host-mod|show outputs these attrs only with --all option as: Users allowed to retrieve keytab: user1 Groups allowed to retrieve keytab: group1 Users allowed to create keytab: user1 Groups allowed to create keytab: group1 Adding of object class is implemented as a reusable method since this code is used on many places and most likely will be also used in new features. Older code may be refactored later. https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-174-10/+40
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove token vendor, model and serial defaultsNathaniel McCallum2014-10-161-6/+0
| | | | | | | | | These defaults are pretty useless and cause more confusion than they are worth. The serial default never worked anyway. And now that we are displaying the token type separately, there is no reason to doubly record these data points. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Raise better error message for permission added to generated treeMartin Kosek2014-10-161-1/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4523 Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
* Allow override of gecos field in ID viewsAlexander Bokovoy2014-10-131-2/+5
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify GID of the userAlexander Bokovoy2014-10-131-1/+6
| | | | | | Resolves https://fedorahosted.org/freeipa/ticket/4617 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify SSH public keysAlexander Bokovoy2014-10-131-0/+44
| | | | | | | | | | | | | Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in. SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454 Resolves https://fedorahosted.org/freeipa/ticket/4509 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Support overridding user shell in ID viewsAlexander Bokovoy2014-10-131-2/+6
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove misleading authorization error message in cert-request with --addJan Cholasta2014-10-081-5/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4540 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Sudorule RunAsUser should work with external groupsMartin Kosek2014-10-021-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4600 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: add link from host to idviewPetr Vobornik2014-09-301-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: facet group labels for idview's facetsPetr Vobornik2014-09-301-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: new ID views sectionPetr Vobornik2014-09-301-0/+26
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* idviews: Make sure only regular IPA objects are allowed to be overridenTomas Babej2014-09-301-1/+17
| | | | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Display the list of hosts when using --allTomas Babej2014-09-301-1/+8
| | | | | | | | | | | | | | Enumerating hosts is a potentially expensive operation (uses paged search to list all the hosts the ID view applies to). Show the list of the hosts only if explicitly asked for (or asked for --all). Do not display with --raw, since this attribute does not exist in LDAP. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Catch errors on unsuccessful AD object lookup when resolving object ↵Tomas Babej2014-09-301-8/+13
| | | | | | | | | | | | | name to anchor When resolving non-existent objects, domain validator will raise ValidationError. We need to anticipate and properly handle this case. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make sure the dict.get method is not abused for MUST attributesTomas Babej2014-09-301-4/+4
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Handle Default Trust View properly in the frameworkTomas Babej2014-09-301-0/+39
| | | | | | | | | | | | Make sure that: 1.) IPA users cannot be added to the Default Trust View 2.) Default Trust View cannot be deleted or renamed Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make description optional for the ID View objectTomas Babej2014-09-301-1/+1
| | | | | | | | | | Description of any object should not be required. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Fix casing of ID Views to be consistentTomas Babej2014-09-301-35/+35
| | | | | | | | | | Replace all occurences of "ID view(s)" with "ID View(s)". Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipaOriginalUidTomas Babej2014-09-301-2/+29
| | | | | | | | | | | For slapi-nis plugin, we need to cache the original uid value of the user in the override object. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Resolve anchors to object names in idview-showTomas Babej2014-09-301-111/+128
| | | | | | | | | | | When running idview-show, users will expect a proper object name instead of a object anchor. Make sure the anchors are resolved to the object names unless --raw option was passed. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Raise NotFound errors if object to override could not be foundTomas Babej2014-09-301-0/+7
| | | | | | | | | | | If the object user wishes to override cannot be found, we should properly raise a NotFound error. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Change format of IPA anchor to include domainTomas Babej2014-09-301-2/+14
| | | | | | | | | | | | | | The old format of the IPA anchor, :IPA:<object_uuid> does not contain for the actual domain of the object. Once IPA-IPA trusts are introduced, we will need this information to be kept to be able to resolve the anchor. Change the IPA anchor format to :IPA:<domain>:<object_uuid> Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Alter idoverride methods to work with splitted objectsTomas Babej2014-09-301-40/+28
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride commands into iduseroverride and idgroupoverrideTomas Babej2014-09-301-10/+66
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride object into iduseroverride and idgroupoverrideTomas Babej2014-09-301-54/+103
| | | | | | | | | | | | To be able to better deal with the conflicting user / group names, we split the idoverride objects in the two types. This simplifies the implementation greatly, as we no longer need to set proper objectclasses on each idoverride-mod operation. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Support specifying object names instead of raw anchors onlyTomas Babej2014-09-302-0/+122
| | | | | | | | | | | | Improve usability of the ID overrides by allowing user to specify the common name of the object he wishes to override. This is subsequently converted to the ipaOverrideAnchor, which serves as a stable reference for the object. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Extend idview-show command to display assigned idoverrides and hostsTomas Babej2014-09-301-40/+129
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipa idview-apply and idview-unapply commandsTomas Babej2014-09-301-3/+176
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Selected PEP8 fixes for the hostgroup pluginTomas Babej2014-09-301-11/+4
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Remove redundant and star importsTomas Babej2014-09-301-2/+5
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Add helper that returns all members of a hostgroupTomas Babej2014-09-301-0/+8
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idvies: Add managed permissions for idview and idoverride objectsTomas Babej2014-09-301-0/+23
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
generated by cgit (git 2.34.1) at 2024-09-30 01:35:06 +0000