path: root/ipalib
Commit message  (Author, Date; Files changed, Lines -/+)
* Server Upgrade: specify order of plugins in update files  (Martin Basti, 2015-04-14; 1 file, -3/+3)
  * add 'plugin' directive
  * specify plugins order in update files
  * remove 'run plugins' options
  * use ldapupdater API instance in plugins
  * add update files representing former PreUpdate and PostUpdate order of plugins

  https://fedorahosted.org/freeipa/ticket/4904

  Reviewed-By: David Kupka <dkupka@redhat.com>
* User life cycle: stageuser-add verb  (Thierry bordaz (tbordaz), 2015-04-08; 4 files, -401/+788)
  Add an accounts plugin (accounts class) that defines variables and methods common to 'users' and 'stageuser'. accounts is a superclass of users/stageuser.

  Add the stageuser plugin, with support of the stageuser-add verb.

  Reviewed By: David Kupka, Martin Basti, Jan Cholasta

  https://fedorahosted.org/freeipa/ticket/3813

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix ldap2 shared connection  (Martin Basti, 2015-04-02; 1 file, -1/+1)
  Since API is not singleton anymore, ldap2 connections should not be shared by default.

  https://fedorahosted.org/freeipa/ticket/4904

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb.  (David Kupka, 2015-03-30; 1 file, -10/+10)
  https://fedorahosted.org/freeipa/ticket/4190

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* migrate-ds: print out failed attempts when no users/groups are migrated  (Martin Babinsky, 2015-03-23; 1 file, -9/+8)
  This patch should fix both https://fedorahosted.org/freeipa/ticket/4846 and https://fedorahosted.org/freeipa/ticket/4952.

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* certstore: Make certificate retrieval more robust  (Jan Cholasta, 2015-03-19; 1 file, -22/+52)
  https://fedorahosted.org/freeipa/ticket/4565

  Reviewed-By: David Kupka <dkupka@redhat.com>
* DNS: remove NSEC3PARAM from records  (Martin Basti, 2015-03-09; 1 file, -7/+1)
  NSEC3PARAM is configurable only from zone commands. This patch removes this record type from DNS records.

  Ticket: https://fedorahosted.org/freeipa/ticket/4930

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS fix: do not show part options for unsupported records  (Martin Basti, 2015-03-09; 1 file, -1/+2)
  Do not show parts options in help output, if record is marked as unsupported.

  Ticket: https://fedorahosted.org/freeipa/ticket/4930

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS fix: do not traceback if unsupported records are in LDAP  (Martin Basti, 2015-03-09; 1 file, -32/+32)
  Show records which are unsupported, if they are in LDAP. Those records are not editable, and web UI doesn't show them.

  Fixes traceback caused by --structured option

  Ticket: https://fedorahosted.org/freeipa/ticket/4930

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* advise: Add separate API object for ipa-advise  (Jan Cholasta, 2015-03-05; 2 files, -56/+2)
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Move plugin package setup to ipalib-specific API subclass  (Jan Cholasta, 2015-03-05; 2 files, -9/+20)
  https://fedorahosted.org/freeipa/ticket/3090

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Allow multiple API instances  (Jan Cholasta, 2015-03-05; 3 files, -107/+110)
  Merged the Registrar class into the Registry class. Plugins are now registered globally instead of in ipalib.api and are instantiated per-API instance. Different set of plugin base classes can be used in each API instance.

  https://fedorahosted.org/freeipa/ticket/3090

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* idviews: Use case-insensitive detection of Default Trust View  (Tomas Babej, 2015-02-23; 1 file, -6/+9)
  A lowercased version of 'Default Trust View' can no longer be used to bypass the validation.

  https://fedorahosted.org/freeipa/ticket/4915

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
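The commit above closes a classic normalization gap: a reserved name was compared exactly, so a caller could submit the same name in different letter case and slip past the check. The following is an added example, not FreeIPA's own idviews code. It contrasts the exact comparison with a normalized one; the name 'Default Trust View' comes from the commit message, while the bypass strings, the `ValidationError` class and the helper names are constructed for illustration. It also trims surrounding whitespace, which goes a step beyond what the commit message describes: LDAP's caseIgnoreMatch rule (the matching rule for `cn`) ignores both case and insignificant spaces, so any of these spellings would resolve to the same directory entry.

```python
"""Reserved-name check that cannot be bypassed by changing letter case.

Added example, not FreeIPA code. A special ID view named
'Default Trust View' must not be managed by ordinary commands; the
check that enforces this has to match the way the directory itself
matches names (case-insensitively, with insignificant spaces ignored).
"""

DEFAULT_TRUST_VIEW = "Default Trust View"  # reserved name, from the commit message


def is_default_trust_view_exact(name):
    """Vulnerable variant: exact string equality, defeated by any case change."""
    return name == DEFAULT_TRUST_VIEW


def is_default_trust_view(name):
    """Hardened variant: normalise like LDAP caseIgnoreMatch before comparing."""
    return name.strip().casefold() == DEFAULT_TRUST_VIEW.casefold()


class ValidationError(ValueError):
    """Hypothetical error type for rejected input (not FreeIPA's)."""


def validate_idview_name(name, check=is_default_trust_view):
    """Refuse the reserved view; return any other name unchanged."""
    if check(name):
        raise ValidationError(
            "ID View '%s' is reserved and cannot be managed by users" % name)
    return name


def is_rejected(name, check=is_default_trust_view):
    """True when validate_idview_name refuses the name."""
    try:
        validate_idview_name(name, check)
    except ValidationError:
        return True
    return False


# Constructed bypass attempts (not from the page). A secure check refuses all.
BYPASS_ATTEMPTS = [
    "default trust view",
    "DEFAULT TRUST VIEW",
    "Default trust View",
    "  Default Trust View  ",
]


def bypasses(check):
    """Return the attempts that slip past a check; an empty list is the goal."""
    return [n for n in BYPASS_ATTEMPTS if not check(n)]


if __name__ == "__main__":
    print("exact check lets through:", bypasses(is_default_trust_view_exact))
    print("normalised check lets through:", bypasses(is_default_trust_view))
```

Whenever a check guards a name that the backing store compares loosely, the check must apply at least the same normalization as the store; otherwise every spelling the store treats as equal is a bypass.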
* ipalib: Make sure correct attribute name is referenced for fax  (Tomas Babej, 2015-02-19; 1 file, -1/+1)
  Fixes the invalid attribute name reference in the 'System: Read User Addressbook Attributes' permission.

  https://fedorahosted.org/freeipa/ticket/4883

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Changing the token owner changes also the manager  (Martin Babinsky, 2015-02-18; 1 file, -0/+13)
  This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes the token's manager unless the attribute 'managedBy' is explicitly set otherwise.

  https://fedorahosted.org/freeipa/ticket/4681

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* group-detach does not add correct objectclasses  (Martin Kosek, 2015-02-18; 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/4874

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix TOTP Synchronization Window label  (Petr Vobornik, 2015-02-17; 1 file, -1/+1)
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* permission-add does not prompt for ipapermright in interactive mode  (Gabe, 2015-02-16; 1 file, -0/+1)
  - Add flag "ask_create" to ipalib/plugins/permission.py
  - Bump API version

  https://fedorahosted.org/freeipa/ticket/4872

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: exit with error message if no users/groups to migrate are found  (Martin Babinsky, 2015-02-16; 1 file, -0/+6)
  'ipa migrate-ds' will now exit with an error message if no suitable users/groups are found on the LDAP server during migration.

  https://fedorahosted.org/freeipa/ticket/4846

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix warning message on client side  (Martin Basti, 2015-02-13; 1 file, -1/+3)
  Add message about only on server side.

  https://fedorahosted.org/freeipa/ticket/4793

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Expose the disabled User Auth Type  (Nathaniel McCallum, 2015-02-12; 2 files, -1/+2)
  Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.

  https://fedorahosted.org/freeipa/ticket/4720

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Allow setting ssh public key on ipauseroverride-add  (David Kupka, 2015-01-27; 1 file, -0/+3)
  https://fedorahosted.org/freeipa/ticket/4868

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Always return absolute idnsname in dnszone commands  (Martin Basti, 2015-01-26; 1 file, -2/+34)
  Ticket: https://fedorahosted.org/freeipa/ticket/4722

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow PassSync user to locate and update NT users  (Martin Kosek, 2015-01-19; 1 file, -0/+12)
  Add new PassSync Service privilege that has sufficient access to let AD PassSync service search for NT users and update the password.

  To make sure existing PassSync user keeps working, it is added as a member of the new privilege. New update plugin is added to add a link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service.

  https://fedorahosted.org/freeipa/ticket/4837

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Detect and warn about invalid DNS forward zone configuration  (Martin Basti, 2015-01-15; 2 files, -11/+332)
  Shows warning if forward and parent authoritative zone do not have proper NS record delegation, which can cause the forward zone to be ineffective so that forwarding will not work.

  Ticket: https://fedorahosted.org/freeipa/ticket/4721

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* baseldap: Handle missing parent objects properly in *-find commands  (Tomas Babej, 2015-01-13; 2 files, -1/+18)
  The find_entries function in ipaldap does not differentiate between an LDAP search that returns error code 32 (No such object) and an LDAP search returning error code 0 (Success), but returning no results.

  In both cases errors.NotFound is raised. In turn, LDAPSearch commands interpret the NotFound exception as no results.

  To differentiate between the cases, a new error EmptyResult was added, which inherits from NotFound to preserve the compatibility with the new code. This error is raised by ipaldap.find_entries in case it is performing a search with and the target dn does not exist.

  https://fedorahosted.org/freeipa/ticket/4659

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
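The distinction the commit above draws matters for every search-backed command: LDAP resultCode 32 (noSuchObject) means the search base itself is absent, while a successful search may legitimately match nothing, and collapsing both into one exception hides misconfiguration behind "0 results". The following is an added example, not FreeIPA's ipaldap or baseldap code. It uses a constructed in-memory directory in place of an LDAP server and hypothetical `NotFound`/`EmptyResult` classes modelled on the commit message, to show why making the new error a subclass of the old one keeps existing `except NotFound` callers working while new callers can tell the cases apart.

```python
"""Telling 'search base does not exist' apart from 'nothing matched'.

Added example, not FreeIPA code. A dictionary stands in for the LDAP
server; the exception classes and helper names are constructed to
mirror the relationship described in the commit message.
"""

LDAP_NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject (RFC 4511)


class NotFound(Exception):
    """Generic 'nothing found' error that existing callers already catch."""


class EmptyResult(NotFound):
    """Search succeeded (resultCode 0) but matched no entries.

    Subclassing NotFound means old `except NotFound:` handlers still
    catch it; only callers that care can catch EmptyResult first.
    """


# Constructed directory: search base DN -> list of (dn, attributes).
DIRECTORY = {
    "cn=users,cn=accounts,dc=example,dc=test": [
        ("uid=alice,cn=users,cn=accounts,dc=example,dc=test", {"uid": ["alice"]}),
        ("uid=bob,cn=users,cn=accounts,dc=example,dc=test", {"uid": ["bob"]}),
    ],
    "cn=groups,cn=accounts,dc=example,dc=test": [],  # exists but is empty
}


def ldap_search(base_dn, predicate):
    """Simulated server: (resultCode, entries). Missing base -> code 32."""
    if base_dn not in DIRECTORY:
        return LDAP_NO_SUCH_OBJECT, []
    return 0, [entry for entry in DIRECTORY[base_dn] if predicate(entry[1])]


def find_entries(base_dn, predicate=lambda attrs: True):
    """Client-side wrapper: map the two server outcomes to two errors."""
    code, entries = ldap_search(base_dn, predicate)
    if code == LDAP_NO_SUCH_OBJECT:
        raise NotFound("no such object: %s" % base_dn)
    if not entries:
        raise EmptyResult("no entries matched under %s" % base_dn)
    return entries


def classify(base_dn):
    """'ok', 'empty' or 'missing'. The more specific except comes first."""
    try:
        find_entries(base_dn)
    except EmptyResult:
        return "empty"
    except NotFound:
        return "missing"
    return "ok"


def user_find(container_dn, uid_prefix=""):
    """A *-find style command: an empty result is a normal zero-hit answer,
    a missing container propagates as NotFound so the caller sees the error."""
    try:
        entries = find_entries(
            container_dn,
            lambda attrs: any(u.startswith(uid_prefix) for u in attrs.get("uid", [])),
        )
    except EmptyResult:
        return []
    return [dn for dn, _ in entries]


def legacy_find(container_dn):
    """Pre-change caller that only knows NotFound; still works unchanged,
    but cannot distinguish a typo in the container DN from zero matches."""
    try:
        return [dn for dn, _ in find_entries(container_dn)]
    except NotFound:
        return []
```

The order of the `except` clauses in `classify` is the important detail: because `EmptyResult` is a `NotFound`, catching `NotFound` first would swallow it, and the command would again report a missing container as an empty result.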
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.  (David Kupka, 2015-01-13; 1 file, -0/+2)
  https://fedorahosted.org/freeipa/ticket/4787

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix default value type for wait_for_dns option  (Petr Spacek, 2015-01-13; 1 file, -1/+1)
  wait_for_dns value should be an integer, so the default value was changed from False to 0.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* rpcclient: use json_encode_binary for verbose output  (Petr Vobornik, 2015-01-13; 1 file, -3/+7)
  `json.dumps` is not able to process some of IPA's object types and therefore requires preprocessing them with a `json_encode_binary` call. This step was not used in rpcclient's verbose output.

  https://fedorahosted.org/freeipa/ticket/4773

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: fix compat plugin check  (Petr Vobornik, 2015-01-12; 1 file, -5/+2)
  After ACI refactoring, admin cannot read Schema Compatibility plugin configuration and therefore migrate-ds won't find out if the compat plugin is enabled.

  Now the check is done by looking if the cn=compat subtree is present.

  https://fedorahosted.org/freeipa/ticket/4825

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Ignore host or hostgroup options set to None  (Tomas Babej, 2014-12-12; 1 file, -0/+6)
  Since passing --hosts= or --hostsgroups= to idview-apply or unapply commands does not make sense, ignore it.

  https://fedorahosted.org/freeipa/ticket/4806

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Complain if host is already assigned the ID View in idview-apply  (Tomas Babej, 2014-12-12; 1 file, -4/+5)
  When running an idview-apply command, the hosts that were already assigned the desired view were silently ignored. Make sure such hosts show up in the list of failed hosts.

  https://fedorahosted.org/freeipa/ticket/4743

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Show SSHFP record containing space in fingerprint  (Martin Basti, 2014-12-10; 1 file, -0/+8)
  SSHFP records added by nsupdate contain an extra space (valid); the framework couldn't handle it.

  Ticket: https://fedorahosted.org/freeipa/ticket/4790
  Ticket: https://fedorahosted.org/freeipa/ticket/4789

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commands  (Tomas Babej, 2014-12-05; 1 file, -3/+18)
  Makes ipaassignedidview a default attribute and takes care of the conversion from the DN to the proper ID view name.

  https://fedorahosted.org/freeipa/ticket/4774

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Create an OTP help topic  (Nathaniel McCallum, 2014-12-05; 3 files, -0/+7)
  This allows the various OTP related commands to be grouped together in the IPA CLI documentation.

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make token auth and sync windows configurable  (Nathaniel McCallum, 2014-12-05; 1 file, -0/+119)
  This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

  https://fedorahosted.org/freeipa/ticket/4511

  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add --hosts and --hostgroup options to allow/retrieve keytab methods  (Petr Vobornik, 2014-12-03; 2 files, -12/+44)
  `--hosts` and `--hostgroup` options added to:
  * service-allow-create-keytab
  * service-allow-retrieve-keytab
  * service-disallow-create-keytab
  * service-disallow-retrieve-keytab
  * host-allow-create-keytab
  * host-allow-retrieve-keytab
  * host-disallow-create-keytab
  * host-disallow-retrieve-keytab

  in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page

  https://fedorahosted.org/freeipa/ticket/4777

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Throw zonemgr error message before installation proceeds  (Martin Basti, 2014-12-01; 2 files, -30/+50)
  Ticket: https://fedorahosted.org/freeipa/ticket/4771

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Re-initialize NSS database after otptoken plugin tests  (Tomas Babej, 2014-11-26; 1 file, -11/+20)
  OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation.

  Make sure NSS db is re-initialized in the teardown method.

  https://fedorahosted.org/freeipa/ticket/4748

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Catch USBError during YubiKey location  (Nathaniel McCallum, 2014-11-25; 1 file, -2/+5)
  https://fedorahosted.org/freeipa/ticket/4693

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix error message for nonexistent members and add tests.  (David Kupka, 2014-11-24; 1 file, -1/+4)
  https://fedorahosted.org/freeipa/ticket/4643

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use NSS protocol range API to set available TLS protocols  (Rob Crittenden, 2014-11-24; 2 files, -1/+8)
  Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2.

  This is overridable per client by setting tls_version_min and/or tls_version_max.

  https://fedorahosted.org/freeipa/ticket/4653

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
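The commit above describes the configuration surface (an inclusive range, the four accepted spellings, and per-client `tls_version_min`/`tls_version_max` overrides) without showing how the values are validated. The following is an added example, not FreeIPA's code: it parses those two options from an ini-style `[global]` section with the defaults the commit message states, maps the spellings onto Python's standard-library `ssl.TLSVersion` enum as a stand-in for the NSS range API, and rejects an inverted range. The config snippets are constructed; the section name `[global]`, the function names and the `ssl` module usage are assumptions, not FreeIPA's implementation.

```python
"""Parse and validate a TLS protocol range of the form described above.

Added example, not FreeIPA code. Spellings and defaults (ssl3 .. tls1.2,
options tls_version_min / tls_version_max) follow the commit message;
ssl.TLSVersion is used only to give the versions a total order.
"""
import ssl
from configparser import ConfigParser

# Config spellings from the commit message -> ordered protocol versions.
TLS_VERSIONS = {
    "ssl3": ssl.TLSVersion.SSLv3,
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}
DEFAULT_MIN, DEFAULT_MAX = "ssl3", "tls1.2"  # defaults stated in the commit message


def parse_version(name):
    """Map one config spelling to a version; unknown values are an error."""
    try:
        return TLS_VERSIONS[name.strip().lower()]
    except KeyError:
        raise ValueError("unknown TLS version %r; allowed: %s"
                         % (name, ", ".join(TLS_VERSIONS)))


def protocol_range(config_text):
    """Return (min, max) from a [global] section (hypothetical layout),
    applying the defaults and refusing min > max."""
    cp = ConfigParser()
    cp.read_string(config_text)
    low = parse_version(cp.get("global", "tls_version_min", fallback=DEFAULT_MIN))
    high = parse_version(cp.get("global", "tls_version_max", fallback=DEFAULT_MAX))
    if low > high:
        raise ValueError("tls_version_min (%s) is above tls_version_max (%s)"
                         % (low.name, high.name))
    return low, high


def range_names(rng):
    """Human-readable form of a range, e.g. ('SSLv3', 'TLSv1_2')."""
    return tuple(version.name for version in rng)


def allows(rng, version_name):
    """True when the named version lies inside the inclusive range."""
    low, high = rng
    return low <= parse_version(version_name) <= high


def is_invalid(config_text):
    """True when the config is rejected (unknown value or inverted range)."""
    try:
        protocol_range(config_text)
    except ValueError:
        return True
    return False


# Constructed configuration snippets (not from the page).
DEFAULT_CONF = "[global]\n"                                    # inherits ssl3..tls1.2
HARDENED_CONF = "[global]\ntls_version_min = tls1.2\n"          # only TLS 1.2
INVERTED_CONF = "[global]\ntls_version_min = tls1.2\ntls_version_max = tls1.0\n"
BOGUS_CONF = "[global]\ntls_version_min = tls1.3\n"            # not an allowed spelling

if __name__ == "__main__":
    print("default range:", range_names(protocol_range(DEFAULT_CONF)))
    print("hardened range:", range_names(protocol_range(HARDENED_CONF)))
    print("inverted config rejected:", is_invalid(INVERTED_CONF))
```

Note that the default range in the commit message still starts at SSLv3, which has since been deprecated (RFC 7568); a client that does not raise `tls_version_min` will therefore negotiate it with a server that offers it. Validating the range at load time, as above, also surfaces an inverted or misspelled value immediately instead of leaving the client with whatever the library falls back to.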
* Fix --{user,group}-ignore-attribute in migration plugin.  (David Kupka, 2014-11-20; 1 file, -6/+4)
  Ignore case in attribute names.

  https://fedorahosted.org/freeipa/ticket/4620

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix warning message should not contain CLI commands  (Martin Basti, 2014-11-19; 2 files, -7/+6)
  Message is now universal for both CLI and WebUI

  Ticket: https://fedorahosted.org/freeipa/ticket/4647

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable QR code display by default in otptoken-add  (Nathaniel McCallum, 2014-11-19; 2 files, -2/+4)
  This is possible because python-qrcode's output now fits in a standard terminal.

  Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts.

  https://fedorahosted.org/freeipa/ticket/4703

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Ensure users exist when assigning tokens to them  (Nathaniel McCallum, 2014-11-13; 1 file, -2/+5)
  https://fedorahosted.org/freeipa/ticket/4642

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Improve otptoken help messages  (Nathaniel McCallum, 2014-11-13; 1 file, -1/+17)
  https://fedorahosted.org/freeipa/ticket/4689

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Produce better error in group-add command.  (David Kupka, 2014-11-13; 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/4611

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idrange: include raw range type in output  (Petr Vobornik, 2014-11-11; 1 file, -0/+1)
  iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers.

  Solved by a new iparangetyperaw output attribute which contains iparangetype's raw value.

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix type  (Petr Vobornik, 2014-11-11; 1 file, -14/+47)
  We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.

  Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. No schema change is done.

  https://fedorahosted.org/freeipa/ticket/4221

  Reviewed-By: Tomas Babej <tbabej@redhat.com>