Commit message | Author | Age | Files | Lines
* Simplify date manipulation in pwd plugin [mindatefix] | Simo Sorce | 2016-07-20 | 3 | -50/+51
|   Use a helper function to perform operations on dates in LDAP attributes.
|   Related to #2795
|   Signed-off-by: Simo Sorce <simo@redhat.com>
* CI: DNS locations | Martin Basti | 2016-07-18 | 3 | -17/+277
|   This test is testing default IPA system records in locations, if priority and weight were properly set per service, per server, per location.
|   Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS install: Ensure that DNS servers container exists | Martin Babinsky | 2016-07-15 | 2 | -11/+23
|   During DNS installation it is assumed that the cn=servers,cn=dns container is always present in LDAP backend when migrating DNS server info to LDAP. This may not always be the case (e.g. when a new replica is set up against older master) so the code must take additional steps to ensure this container is present.
|   https://fedorahosted.org/freeipa/ticket/6083
|   Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* spec: require Dogtag >= 10.3.3-3 | Fraser Tweedale | 2016-07-15 | 1 | -3/+3
|   Required features that were expected to be released in Dogtag 10.3.4 have instead been released for Fedora in 10.3.3-3. Retract the minimum required version.
|   https://fedorahosted.org/freeipa/ticket/5956
|   Reviewed-By: Petr Spacek <pspacek@redhat.com>
* schema: Fix subtopic -> topic mapping | David Kupka | 2016-07-15 | 1 | -1/+2
|   https://fedorahosted.org/freeipa/ticket/6069
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Tests: Authentication indicators integration tests | Lenka Doudova | 2016-07-15 | 1 | -0/+56
|   https://fedorahosted.org/freeipa/ticket/433
|   Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Tests: Authentication indicators xmlrpc tests | Lenka Doudova | 2016-07-15 | 1 | -1/+44
|   https://fedorahosted.org/freeipa/ticket/433
|   Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Tests: Tracker class for services | Lenka Doudova | 2016-07-15 | 1 | -0/+152
|   Provides basic service tracker, so far for purposes of [1]. Tracker is not complete, some methods will need to be added in case of service test refactoring.
|   [1] https://fedorahosted.org/freeipa/ticket/433
|   Reviewed-By: Milan Kubik <mkubik@redhat.com>
* messages: specify message type for ResultFormattingError | Martin Babinsky | 2016-07-15 | 1 | -0/+1
|   The ResultFormattingError message class was missing a `type` member which could cause `otptoken-add` command to crash during QR image rendering using suboptimal TTY settings
|   https://fedorahosted.org/freeipa/ticket/6081
|   Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Preserve user principal aliases during rename operation | Martin Babinsky | 2016-07-15 | 1 | -0/+46
|   When a MODRDN is performed on the user entry, the MODRDN plugin resets both krbPrincipalName and krbCanonicalName to the value constructed from uid. In doing so, however, any principal aliases added to the krbPrincipalName are wiped clean. In this patch old aliases are fetched before the MODRDN operation takes place and inserted back after it is performed.
|   This also preserves previous user logins which can be used further for authentication as aliases.
|   https://fedorahosted.org/freeipa/ticket/6028
|   Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|   Reviewed-By: Simo Sorce <ssorce@redhat.com>
* vault-add: set the default vault type on the client side if none was given | Martin Babinsky | 2016-07-13 | 1 | -0/+5
|   `vault-add` command does much processing depending on the vault type even before the request is forwarded to remote server. Since default values for parameters are now filled only on server side, the client-side logic would fail if the vault type was not explicitly given. In this case we have to retrieve and use the default vault type from schema.
|   https://fedorahosted.org/freeipa/ticket/6047
|   Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Removed unused method parameter from migrate-ds | Stanislav Laznicka | 2016-07-13 | 1 | -1/+1
|   An extra parameter on client side command override of migrate-ds output was causing errors.
|   https://fedorahosted.org/freeipa/ticket/6034
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* host-find: do not show SSH key by default | Martin Basti | 2016-07-13 | 1 | -1/+0
|   Only function 'remove_sshpubkey_from_output_list_post' should be used in postcallbacks of *-find, otherwise only one entry will be cleaned up
|   https://fedorahosted.org/freeipa/ticket/6043
|   Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* caacl: expand plugin documentation | Fraser Tweedale | 2016-07-13 | 1 | -6/+28
|   Expand the 'caacl' plugin documentation to explain some common confusions including the fact that CA ACLs apply to the target subject principal (not necessarily the principal requesting the cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
|   Fixes: https://fedorahosted.org/freeipa/ticket/6002
|   Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable vault-* commands on client | Martin Basti | 2016-07-12 | 1 | -16/+0
|   Client plugins for vault commands were disabled by NO_CLI=True, inherited from vault_add_internal, that is always NO_CLI=True.
|   Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2
|   Removed NO_CLI=True from client side plugins for vault.
|   https://fedorahosted.org/freeipa/ticket/6035
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|   Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* kdb: check for local realm in enterprise principals | Sumit Bose | 2016-07-12 | 1 | -12/+40
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|   Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* ipa-advise: correct handling of plugin namespace iteration | Martin Babinsky | 2016-07-12 | 1 | -4/+4
|   The API object namespace iterators now yield plugin classes themselves instead of their names as strings. The method enumerating through available plugins needs to be made aware of this change.
|   https://fedorahosted.org/freeipa/ticket/6044
|   Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-compat-manage: use server API to retrieve plugin status | Martin Babinsky | 2016-07-12 | 1 | -1/+1
|   https://fedorahosted.org/freeipa/ticket/6033
|   Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipatests: remove ipacertbase option from test CSR configuration | Milan Kubík | 2016-07-12 | 2 | -7/+0
|   The issue was found during test review. If the cert base contains spaces, openssl req fails.
|   https://fedorahosted.org/freeipa/ticket/4559
|   Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipatests: Test Sub CA with CAACL and certificate profile | Milan Kubík | 2016-07-12 | 1 | -0/+110
|   Test the Sub CA feature by signing a CSR with custom certificate profile.
|   The test also covers 'cert-request' fallback behaviour for missing 'cacn' and 'profile-id' options by reusing the fixtures from the module.
|   https://fedorahosted.org/freeipa/ticket/4559
|   Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipatests: Extend CAACL suite to cover Sub CA members | Milan Kubík | 2016-07-12 | 2 | -7/+45
|   https://fedorahosted.org/freeipa/ticket/4559
|   Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipatests: Tracker implementation for Sub CA feature | Milan Kubík | 2016-07-12 | 4 | -0/+309
|   The patch implements Tracker subclass for CA plugin and the basic CRUD tests for the plugin entries.
|   https://fedorahosted.org/freeipa/ticket/4559
|   Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipa-nis-manage: Use server API to retrieve plugin status | Martin Babinsky | 2016-07-12 | 1 | -1/+1
|   https://fedorahosted.org/freeipa/ticket/6027
|   Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* uninstall: untrack lightweight CA certs | Fraser Tweedale | 2016-07-12 | 1 | -0/+6
|   Fixes: https://fedorahosted.org/freeipa/ticket/6020
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Test for incorrect client domain | Oleg Fayans | 2016-07-01 | 1 | -0/+52
|   https://fedorahosted.org/freeipa/ticket/5976
|   Reviewed-By: Martin Basti <mbasti@redhat.com>
* client-install: log exceptions from certmonger.request_cert | Petr Spacek | 2016-07-01 | 1 | -3/+3
|   Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix incorrect check for principal type when evaluating CA ACLs | Martin Babinsky | 2016-07-01 | 1 | -1/+3
|   This error prevented hosts from requesting certificates for themselves.
|   https://fedorahosted.org/freeipa/ticket/3864
|   Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Become IPA 4.4.0 | Petr Vobornik | 2016-07-01 | 1 | -1/+1
|
* IPA 4.4.0 Translations | Martin Basti | 2016-07-01 | 22 | -2718/+3786
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Allow unexpiring passwords | David Kupka | 2016-07-01 | 5 | -12/+33
|   Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire.
|   https://fedorahosted.org/freeipa/ticket/2795
|   Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|   Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3 | Fraser Tweedale | 2016-07-01 | 2 | -4/+12
|   ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority.
|   Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart.
|   Fixes: https://fedorahosted.org/freeipa/ticket/6011
|   Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix internal errors in host-add and other commands caused by DNS resolution | Petr Spacek | 2016-07-01 | 3 | -78/+96
|   Previously resolver was returning CheckedIPAddress objects. This caused an internal server error in cases where DNS actually returned reserved IP addresses.
|   Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses.
|   From now on we can decide if some IP address should be accepted as-is or if it needs to be constrained to some subset of IP addresses using CheckedIPAddress class.
|   This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710
|   Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused is_local(), interface, and defaultnet from CheckedIPAddress | Petr Spacek | 2016-07-01 | 1 | -9/+0
|   All these were unused so I'm removing them to keep the code clean and easier to read. At this point it is clear that the only difference between netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.
|   Reviewed-By: Martin Basti <mbasti@redhat.com>
* Bump SSSD version in requires | Martin Basti | 2016-07-01 | 2 | -3/+3
|   This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 for function sss_nss_getnamebycert()
|   https://fedorahosted.org/freeipa/ticket/4955
|   Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* schema: Perform the check for schema update when force_schema_check is True | David Kupka | 2016-07-01 | 1 | -1/+6
|   https://fedorahosted.org/freeipa/ticket/4739
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add --cn option to cert-status | Fraser Tweedale | 2016-07-01 | 3 | -11/+12
|   Add the 'cacn' option to the cert-status command. Right now there is nothing we need to (or can) do with it, but we add it anyway for future use.
|   Fixes: https://fedorahosted.org/freeipa/ticket/5999
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add widget for kerberos aliases to service page | Pavel Vomacka | 2016-07-01 | 1 | -5/+12
|   Also changes the name of option which is sent during adding new service from 'krbprincipalname' to 'krbcanonicalname'.
|   https://fedorahosted.org/freeipa/ticket/5927
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add widget for kerberos aliases to hosts page | Pavel Vomacka | 2016-07-01 | 1 | -1/+8
|   https://fedorahosted.org/freeipa/ticket/5927
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add widget for kerberos aliases to user page | Pavel Vomacka | 2016-07-01 | 1 | -1/+8
|   https://fedorahosted.org/freeipa/ticket/5927
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add widgets for kerberos aliases | Pavel Vomacka | 2016-07-01 | 3 | -0/+120
|   Create own custom_command_multivalued_widget for kerberos aliases.
|   https://fedorahosted.org/freeipa/ticket/5927
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Set default confirmation button label to 'Remove' | Pavel Vomacka | 2016-07-01 | 1 | -1/+2
|   Part of: https://fedorahosted.org/freeipa/ticket/5831
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Change error handling in custom_command_multivalued_widget | Pavel Vomacka | 2016-07-01 | 1 | -3/+11
|   The custom_command_multivalued_widget now handles remove and add commands errors correctly and shows error message.
|   Part of: https://fedorahosted.org/freeipa/ticket/5381 add_error
|   Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Unify display of principal names/aliases across entities | Martin Babinsky | 2016-07-01 | 11 | -17/+57
|   Since now users, hosts, and service all support assigning multiple principal aliases to them, the display of kerberos principal names should be consistent across all these objects. Principal aliases and canonical names will now be displayed in all add, mod, show, and find operations.
|   https://fedorahosted.org/freeipa/ticket/3864
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Provide API for management of host, service, and user principal aliases | Martin Babinsky | 2016-07-01 | 8 | -42/+299
|   New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases.
|   'add' commands will check the following:
|     * the correct principal type is supplied as an alias
|     * the principals have correct realm and the realm/alternative suffix (e.g. e-mail) do not overlap with those of trusted AD domains
|   If the entry does not have canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers.
|   'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry.
|   See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases
|   https://fedorahosted.org/freeipa/ticket/1365
|   https://fedorahosted.org/freeipa/ticket/3961
|   https://fedorahosted.org/freeipa/ticket/5413
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make framework consider krbcanonicalname as service primary key | Martin Babinsky | 2016-07-01 | 3 | -20/+97
|   The framework does not allow single param to appear as both positional argument and option in a single command, or to represent two different positional arguments for that matter. Since principal aliases shall go to krbprincipalname attribute, the framework has to be tricked to believe krbcanonicalname is the service's primary key. The entry DN stored in LDAP remains the same.
|   https://fedorahosted.org/freeipa/ticket/1365
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow for commands that use positional parameters to add/remove attributes | Martin Babinsky | 2016-07-01 | 7 | -41/+90
|   Commands that modify a single multivalued attribute of an entry should use positional parameters to specify both the primary key and the values to add/remove. Named options are redundant in this case.
|   The `--certificate` option of `*-add/remove-cert` commands was turned mandatory to avoid EmptyModlist when it is omitted.
|   https://fedorahosted.org/freeipa/ticket/3961
|   https://fedorahosted.org/freeipa/ticket/5413
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replace an ACI relying on presence of deprecated objectclass | Martin Babinsky | 2016-07-01 | 1 | -1/+2
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ACI for admins to modify principal attributes | Martin Babinsky | 2016-07-01 | 1 | -0/+2
|   This is required for admins to utilize the APIs that enable them to add/remove principal aliases to entities.
|   https://fedorahosted.org/freeipa/ticket/3864
|   https://fedorahosted.org/freeipa/ticket/3961
|   https://fedorahosted.org/freeipa/ticket/5413
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migrate management framework plugins to use Principal parameter | Martin Babinsky | 2016-07-01 | 12 | -239/+213
|   All plugins will now use this parameter and common code for all operations on Kerberos principals. Additional semantic validators and normalizers were added to determine or append a correct realm so that the previous behavior is kept intact.
|   https://fedorahosted.org/freeipa/ticket/3864
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: introduce Principal parameter | Martin Babinsky | 2016-07-01 | 6 | -1/+54
|   This patch introduces a separate Principal parameter that allows the framework to syntactically validate incoming/outcoming principals by using a single shared codebase.
|   https://fedorahosted.org/freeipa/ticket/3864
|   Reviewed-By: David Kupka <dkupka@redhat.com>
|   Reviewed-By: Jan Cholasta <jcholast@redhat.com>