summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* sudorule: Fix the order of the parameters to have less chaotic outputTomas Babej2014-06-251-11/+11
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Make sure all the relevant attributes are checked when setting ↵Tomas Babej2014-06-251-12/+41
| | | | | | | | category to ALL https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow adding deny commands when command category set to ALLTomas Babej2014-06-251-6/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4340 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Include externalhost and ipasudorunasextgroup in the list of ↵Tomas Babej2014-06-251-1/+2
| | | | | | | | | | | | default attributes The following attributes were missing from the list of default attributes: * externalhost * ipasudorunasextuser * ipasudorunasextgroup Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using external groups as groups of runAsUsersTomas Babej2014-06-251-4/+50
| | | | | | | | | Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using hostmasks for setting allowed hostsTomas Babej2014-06-252-2/+78
| | | | | | | | | Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host commands, which allows setting a range of hosts specified by a hostmask. https://fedorahosted.org/freeipa/ticket/4274 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: PEP8 fixes in sudorule.pyTomas Babej2014-06-251-52/+104
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix incompatible DNS permissionMartin Basti2014-06-251-1/+30
| | | | | | | | | dns(forward)zone-add/remove-permission can work with permissions with relative zone name Ticket:https://fedorahosted.org/freeipa/ticket/4383 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+11
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add several CRUD default permissionsPetr Viktorin2014-06-243-0/+30
| | | | | | | | | | | | Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command Group default permissions to managedPetr Viktorin2014-06-241-0/+22
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command default permissions to managedPetr Viktorin2014-06-241-0/+25
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Service default permissions to managedPetr Viktorin2014-06-241-0/+30
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert SELinux User Map default permissions to managedPetr Viktorin2014-06-241-0/+25
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Role default permissions to managedPetr Viktorin2014-06-241-0/+30
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert the Modify privilege membership permission to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Netgroup default permissions to managedPetr Viktorin2014-06-241-0/+32
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Hostgroup default permissions to managedPetr Viktorin2014-06-241-0/+30
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service Group default permissions to managedPetr Viktorin2014-06-241-0/+22
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service default permissions to managedPetr Viktorin2014-06-241-0/+14
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Rule default permissions to managedPetr Viktorin2014-06-241-0/+36
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Group default permissions to managedPetr Viktorin2014-06-241-0/+40
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Automount default permissions to managedPetr Viktorin2014-06-241-0/+56
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support requests with SAN in cert-request.Jan Cholasta2014-06-242-42/+177
| | | | | | | | | | For each SAN in a request there must be a matching service entry writable by the requestor. Users can request certificates with SAN only if they have "Request Certificate With SubjectAltName" permission. https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* netgroup: Add objectclass attribute to read permissionsPetr Viktorin2014-06-231-2/+2
| | | | | | | | The entries were unreadable without this. Additional fix for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Allow reading ipaNTSecurityIdentifier in user and group objectsTomas Babej2014-06-232-1/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4385 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* host permissions: Allow writing attributes needed for automatic enrollmentPetr Viktorin2014-06-231-1/+13
| | | | | | | | | | | - userclass added to existing Modify hosts permission - usercertificate, userpassword added to a new permissions https://fedorahosted.org/freeipa/ticket/4252 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Host default permissions to managedPetr Viktorin2014-06-231-0/+66
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add posixgroup to groups' permission object filterPetr Viktorin2014-06-231-1/+1
| | | | | | | | | | Private groups don't have the 'ipausergroup' objectclass. Add posixgroup to the objectclass filters to make "--type group" permissions apply to all groups. https://fedorahosted.org/freeipa/ticket/4372 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Join --type objectclass filters with ORPetr Viktorin2014-06-231-17/+23
| | | | | | | | | | | | For groups, we will need to filter on either posixgroup (which UPGs have but non-posix groups don't) and groupofnames/nestedgroup (which normal groups have but UPGs don't). Join permission_filter_objectclasses with `|` and add them as a single ipapermtargetfilter value. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Test and docstring fixesPetr Viktorin2014-06-231-5/+1
| | | | | | | | | The recent conversions to managed permissions left behind a few failing tests. Fix them. Also fix a now incorrect docstring in ipalib.config. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make otptoken use os.urandom() for random dataNathaniel McCallum2014-06-201-2/+2
| | | | | | | This also fixes an error where the default value was not respecting the KEY_LENGTH variable. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Digest part in DLV/DS records allows only heaxadecimal charactersMartin Basti2014-06-201-0/+2
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: DLVRecord type addedMartin Basti2014-06-201-15/+17
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: added NSEC3PARAM record typeMartin Basti2014-06-201-5/+49
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: remove unsuported recordsMartin Basti2014-06-201-97/+4
| | | | | | | Removed SIG, NSEC, KEy, RRSIG records Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Create BASE zone classMartin Basti2014-06-201-528/+333
| | | | | | | | | | | Zones and forward zones have a lot of common code, this patch remove duplications by creating a DNSBase class and its subclasses design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Prevent commands to modify different type of a zoneMartin Basti2014-06-201-16/+128
| | | | | | | | | | | Commands dnsforwardzone-* can modify only forward zones Commands dnszone-* can modify only (master) zones Commands dnsrecord-* can work only with master zones design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Separate master and forward DNS zonesMartin Basti2014-06-201-0/+328
| | | | | | | | | Forward zones are stored in idnsforwadzone objectclasses. design: http://www.freeipa.org/page/V4/Forward_zones Ticket: https://fedorahosted.org/freeipa/ticket/3210 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Convert Password Policy default permissions to managedPetr Viktorin2014-06-181-0/+26
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert COSTemplate default permissions to managedPetr Viktorin2014-06-181-0/+22
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert DNS default permissions to managedPetr Viktorin2014-06-181-0/+101
| | | | | | | | | | | Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* sudorule: Allow unsetting sudoorderTomas Babej2014-06-181-1/+2
| | | | | | | | | | | After setting sudoorder, you are unable to unset it, since the check for uniqueness of order of sudorules is applied incorrectly. Fix the behaviour and cover it in the test suite. https://fedorahosted.org/freeipa/ticket/4360 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-167-10/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib.config: Don't autoconvert values to floatPetr Viktorin2014-06-161-5/+0
| | | | | | | | | | | | | | | | | | When api.env is loaded, strings that "look like" floats got auto-converted to floats. This is wrong, as the conversion to float can lose precision. Case in point: the api_version (e.g. '2.88') should never be interpreted as float. Do not automatically convert to float. We have two numeric options: startup_timeout and wait_for_dns. wait_for_dns is already converted to int when used in the code. Convert startup_timeout to float explicitly when used, so configuration that specified it with a decimal point continues to work. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipalib.config: Only convert basedn to DNPetr Viktorin2014-06-161-1/+1
| | | | | | | | | The current code would convert values to DN if the key was a substring of 'basedn', e.g. 'base' or 'sed'. Only convert if we're actually dealing with 'basedn'. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Add support for managedBy to tokensNathaniel McCallum2014-06-162-9/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also constitutes a rethinking of the token ACIs after the introduction of SELFDN support. Admins, as before, have full access to all token permissions. Normal users have read/search/compare access to all of the non-secret data for tokens assigned to them, whether managed by them or not. Users can add tokens if, and only if, they will also manage this token. Managers can also read/search/compare tokens they manage. Additionally, they can write non-secret data to their managed tokens and delete them. When a normal user self-creates a token (the default behavior), then managedBy is automatically set. When an admin creates a token for another user (or no owner is assigned at all), then managed by is not set. In this second case, the token is effectively read-only for the assigned owner. This behavior enables two important other behaviors. First, an admin can create a hardware token and assign it to the user as a read-only token. Second, when the user is deleted, only his self-managed tokens are deleted. All other (read-only) tokens are instead orphaned. This permits the same token object to be reasigned to another user without loss of any counter data. https://fedorahosted.org/freeipa/ticket/4228 https://fedorahosted.org/freeipa/ticket/4259 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib.frontend: Do API version check before converting argumentsPetr Viktorin2014-06-132-19/+19
| | | | | | | | | | | | | This results in the proper message being shown if the client sends an option the server doesn't have yet. It also adds the check to commands that override run() but not __call__, such as `ipa ping`, and to commands run on the server. Adjust tests for these changes. https://fedorahosted.org/freeipa/ticket/3963 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix --ttl description for DNS zonesPetr Spacek2014-06-121-2/+2
| | | | | | | TTL specified in idnsZone object class affects all records at zone apex, not only SOA record. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-29 16:58:30 +0000