summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* ipaplatform: Drop the base authconfig classTomas Babej2014-06-252-106/+34
| | | | | | | | | | As authconfig is a distro-specific tool there is no incentive for implying that other platforms should implement any authconfig implementation of their own. Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Document the platform tasks APITomas Babej2014-06-252-6/+72
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Refactor add and remove external_post_callbackTomas Babej2014-06-254-85/+156
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Expect root listed out if no RunAsUser availableTomas Babej2014-06-251-2/+2
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Do not expect enumeration of runasuser groupsTomas Babej2014-06-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALLTomas Babej2014-06-251-10/+10
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Add coverage for category ALL validationTomas Babej2014-06-251-9/+184
| | | | | | | | | | | Makes sure sudorules behave correctly both when adding new entries with corresponding category set to ALL, and when setting the category to all when corresponding entries exist. The only exception of deny commands with cmdcategory ALL is covered as well. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Add coverage for external entriesTomas Babej2014-06-251-0/+87
| | | | | | | | | | Covers functionality of external entries for: * users * runAsUsers * groups of RunAsUsers * runAsGroups Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_sudo: Add tests for allowing hosts via hostmasksTomas Babej2014-06-251-0/+36
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Enforce category ALL checks on dirsrv levelTomas Babej2014-06-252-5/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Fix the order of the parameters to have less chaotic outputTomas Babej2014-06-251-11/+11
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Make sure all the relevant attributes are checked when setting ↵Tomas Babej2014-06-251-12/+41
| | | | | | | | category to ALL https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow adding deny commands when command category set to ALLTomas Babej2014-06-251-6/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4340 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Include externalhost and ipasudorunasextgroup in the list of ↵Tomas Babej2014-06-251-1/+2
| | | | | | | | | | | | default attributes The following attributes were missing from the list of default attributes: * externalhost * ipasudorunasextuser * ipasudorunasextgroup Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Make sure sudoRunAsGroup is dereferencing the correct attributeTomas Babej2014-06-252-4/+7
| | | | | | | | | Makes sure we dereference the correct attribute. Also adds object class checking. https://fedorahosted.org/freeipa/ticket/4324 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using external groups as groups of runAsUsersTomas Babej2014-06-255-7/+57
| | | | | | | | | Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: Allow using hostmasks for setting allowed hostsTomas Babej2014-06-255-4/+86
| | | | | | | | | Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host commands, which allows setting a range of hosts specified by a hostmask. https://fedorahosted.org/freeipa/ticket/4274 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* sudorule: PEP8 fixes in sudorule.pyTomas Babej2014-06-251-52/+104
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix incompatible DNS permissionMartin Basti2014-06-251-1/+30
| | | | | | | | | dns(forward)zone-add/remove-permission can work with permissions with relative zone name Ticket:https://fedorahosted.org/freeipa/ticket/4383 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: don't limit permission search in privilegesPetr Vobornik2014-06-251-2/+1
| | | | | | | | | | | | Search for privileges was limited to bindruletype==permission. There was no reason to do that. This patch removes the restriction. Related to: https://fedorahosted.org/freeipa/ticket/4079 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: fix field's default valuePetr Vobornik2014-06-251-1/+1
| | | | | | | | Fields with default value, such as DNS Zone's idnsforwardpolicy, were marked as dirty when no value was loaded and when default value of input control was other than empty. Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui-ci: adjust tests to dns changesPetr Vobornik2014-06-252-2/+2
| | | | | | All DNS Zone names must be fully qualified. Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-253-0/+21
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-252-2/+3
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Change OTPSyncRequest structure to use OctetStringNathaniel McCallum2014-06-255-56/+79
| | | | | | | | This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add missing ipa-otptoken-import.1.gz to spec fileAlexander Bokovoy2014-06-251-0/+1
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix packaging issue with doubly specified directoriesAlexander Bokovoy2014-06-251-1/+1
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Implement OTP token importingNathaniel McCallum2014-06-2516-0/+1089
| | | | | | | | | | | | | | | | | | | | This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix ipa.service restartMartin Basti2014-06-251-1/+4
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4243 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* test_permission_plugin: Fix permission_find test for legacy permissionsPetr Viktorin2014-06-241-2/+2
| | | | | | | Most of the legacy permissions have been removed. Do not test that there are many of them. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add several CRUD default permissionsPetr Viktorin2014-06-244-0/+42
| | | | | | | | | | | | Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command Group default permissions to managedPetr Viktorin2014-06-243-27/+28
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command default permissions to managedPetr Viktorin2014-06-243-27/+31
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Service default permissions to managedPetr Viktorin2014-06-243-55/+38
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert SELinux User Map default permissions to managedPetr Viktorin2014-06-243-30/+31
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Role default permissions to managedPetr Viktorin2014-06-243-44/+38
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert the Modify privilege membership permission to managedPetr Viktorin2014-06-243-9/+10
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Netgroup default permissions to managedPetr Viktorin2014-06-243-44/+40
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Hostgroup default permissions to managedPetr Viktorin2014-06-243-44/+38
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service Group default permissions to managedPetr Viktorin2014-06-243-26/+28
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service default permissions to managedPetr Viktorin2014-06-243-16/+18
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Rule default permissions to managedPetr Viktorin2014-06-243-32/+44
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Group default permissions to managedPetr Viktorin2014-06-245-54/+48
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Automount default permissions to managedPetr Viktorin2014-06-244-83/+68
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove GetEffectiveRights control when ldap2.get_effective_rights fails.Jan Cholasta2014-06-241-3/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support requests with SAN in cert-request.Jan Cholasta2014-06-244-43/+193
| | | | | | | | | | For each SAN in a request there must be a matching service entry writable by the requestor. Users can request certificates with SAN only if they have "Request Certificate With SubjectAltName" permission. https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow SAN in IPA certificate profile.Jan Cholasta2014-06-242-1/+57
| | | | | | https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* netgroup: Add objectclass attribute to read permissionsPetr Viktorin2014-06-232-4/+4
| | | | | | | | The entries were unreadable without this. Additional fix for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Allow reading ipaNTSecurityIdentifier in user and group objectsTomas Babej2014-06-233-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4385 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* webui: plugin APIPetr Vobornik2014-06-233-2/+63
| | | | | | | | | new `extend` module should serve as a stable API for plugin authors. It should expose the most commonly used global calls. https://fedorahosted.org/freeipa/ticket/4345 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
generated by cgit (git 2.34.1) at 2026-03-14 03:55:06 +0000