freeipa.git/ipalib/plugins, branch webui-cleanup FreeIPA patches Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss 2010-07-29T14:50:10+00:00 Rob Crittenden rcritten@redhat.com 2010-07-20T18:00:43+00:00 b7ca3d68c28b54500a2f908c4e2e6c89b2433461 This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now. 
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
Fix netgroup plugin to use correct member attribute names. 2010-07-15T15:18:18+00:00 Rob Crittenden rcritten@redhat.com 2010-07-14T18:45:15+00:00 57a9001f8d12a5caec01c628089a4624499b76bc When the netgroup plugin was rebased it ended up using the member attribute for its memberships and not memberuser/memberhost. I also fixed this same attribute problem in the tests and tried to beef them up a little. If nis/schema compat are enabled it will try to compare the generated triplets with a known-good value. 
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
Clean up crypto code, take advantage of new nss-python capabilities 2010-07-15T14:51:49+00:00 Rob Crittenden rcritten@redhat.com 2010-06-24T15:40:02+00:00 8d2d7429beb6bf66cb3c4fc35a7a3dbb165a432c This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code 
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
Add API to delete a service principal key, service-disable. 2010-07-13T13:29:10+00:00 Rob Crittenden rcritten@redhat.com 2010-07-12T21:45:06+00:00 1e1985b17c3988056bef045fa84a9c7aaf0c4c65 I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey. 
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
Add separate var for search attributes and config attribute for search fields 2010-07-13T13:27:34+00:00 Rob Crittenden rcritten@redhat.com 2010-07-12T18:17:33+00:00 371a4b2c72052e0582abb6d3852d903e4c905bf1 Add an optional search_attributes variable in case the attributes you want to display by default aren't what you want to search on. Also link in any cn=ipaconfig attributes that contain a comma-separated list of attributes to search on. 
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.

Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
Handle errors raised by plugins more gracefully in mod_wsgi. 2010-07-12T13:32:33+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T17:37:27+00:00 ccaf537aa6323c5161d3420b653025771db75010 This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow. 
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
Clean up imports of hbacsvc plugin 2010-07-06T19:39:41+00:00 Rob Crittenden rcritten@redhat.com 2010-06-24T15:42:44+00:00 ba0f18dcd68de2d3b64e5d59c537aeee352e55fe I used pylint to identify a bunch of unnecessary and too-broad imports 
I used pylint to identify a bunch of unnecessary and too-broad imports
Add support for User-Private Groups 2010-07-06T19:39:34+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T20:14:46+00:00 ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13 This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4). 
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
Fix aci_mod command. It should handle more complex operations now. 2010-06-24T14:26:08+00:00 Rob Crittenden rcritten@redhat.com 2010-06-11T16:11:24+00:00 93e54366f9afedcdef78c8dfb6373d4813fba8cb The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI. I also switched the ACI tests to be declarative and added a lot more cases around the modify operation. 
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
First pass at per-command documentation 2010-06-22T17:58:04+00:00 Rob Crittenden rcritten@redhat.com 2010-06-02T18:08:50+00:00 901ccc1393a7e494f7b1b64eaeb2f7809056aafa