freeipa.git/tests/test_xmlrpc/objectclasses.py, branch webui_isolate FreeIPA patches Make an ipa-tests package 2013-06-17T17:22:50+00:00 Petr Viktorin pviktori@redhat.com 2013-05-21T11:40:27+00:00 c60142efda817f030a7495cd6fe4a19953e55afa Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM containing the test suite Part of the work for: https://fedorahosted.org/freeipa/ticket/3654 
Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM
containing the test suite

Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
Filter groups by type (POSIX, non-POSIX, external) 2013-04-09T17:00:30+00:00 Petr Vobornik pvoborni@redhat.com 2013-03-11T11:37:29+00:00 e64db8cbc2e9571200cd14e7d2313102022c2813 Added flag for each groups type: --posix, --nonposix, --external to group-find command. Group types: * non-POSIX: not posix, not external * POSIX: with objectclass posixgroup * external: with objectclass ipaexternalgroup https://fedorahosted.org/freeipa/ticket/3483 
Added flag for each groups type: --posix, --nonposix, --external to group-find command.

Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup

https://fedorahosted.org/freeipa/ticket/3483
Add list of domains associated to our realm to cn=etc 2013-02-19T12:15:46+00:00 Ana Krivokapic akrivoka@redhat.com 2013-02-12T15:50:00+00:00 3253a305416c963fcdc2670caa2c22c167ccc0d2 Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945 
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/2945
Add support for external group members 2012-06-28T14:53:33+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-06-20T13:08:33+00:00 a6ff85f425d5c38dd89fcd8999e0d62eadb969a1 When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664 
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
Per-domain DNS record permissions 2012-06-28T13:21:21+00:00 Martin Kosek mkosek@redhat.com 2012-06-27T11:10:10+00:00 52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0 IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511 
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
Remove trust work unit test failures 2012-06-14T10:21:18+00:00 Martin Kosek mkosek@redhat.com 2012-06-14T09:02:16+00:00 0c96f5935607e3825ed76330d3375dec9689c8ba Trust work that was pushed recently requires few changes in unit tests to prevent test failures. This patch also removes repetitive construction of group DN in group unit tests. 
Trust work that was pushed recently requires few changes in unit
tests to prevent test failures. This patch also removes repetitive
construction of group DN in group unit tests.
Add support for SSH public keys to user and host objects. 2012-02-14T03:21:27+00:00 Jan Cholasta jcholast@redhat.com 2011-12-07T07:50:31+00:00 3c2b0fc28ae21c7e4b26961e28e2eb0ba0559d29 This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is base64-encoded public key blob as specified in RFC4253, section 6.6. Additionaly, host commands automatically update DNS SSHFP records when requested by user. https://fedorahosted.org/freeipa/ticket/754 
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
Add support for storing MAC address in host entries. 2012-01-26T13:11:33+00:00 Rob Crittenden rcritten@redhat.com 2012-01-20T20:10:44+00:00 52e3488b75e1ed2de7a021148169901a522dbbcb macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device. This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find. It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers <hostname> I tested nslcd and it only returned one macaddress value. https://fedorahosted.org/freeipa/ticket/1132 
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>

I tested nslcd and it only returned one macaddress value.

https://fedorahosted.org/freeipa/ticket/1132
Add SELinux user mapping framework. 2011-12-09T14:46:25+00:00 Rob Crittenden rcritten@redhat.com 2011-11-23T21:59:21+00:00 55512dc938eb4a9a6655e473beab587e340af55c This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755 
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.

https://fedorahosted.org/freeipa/ticket/755
34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31T07:49:43+00:00 Jr Aquino jr.aquino@citrix.com 2011-08-31T00:48:15+00:00 d05ace8fba6ea4a61c1070d5e5687aaa5d2aee2b Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272 
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272