summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/baseldap.py
Commit message (Collapse)AuthorAgeFilesLines
* Rename caught exception for use outside the except: block.Petr Viktorin2015-10-131-1/+2
| | | | | | | | | | | | | | In Python 3, the variable with the currently handled exception is unset at the end of the except block. (This is done to break reference cycles, since exception instances now carry tracebacks, which contain all locals.) Fix this in baseldap's error handler. Use a simpler structure for the ipatests.raises utility that only uses the exception inside the except block. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for ↵Gabe2015-09-221-2/+2
| | | | | | | | unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: make subtree deletion optional in LDAPDeleteJan Cholasta2015-09-171-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use bytes instead of str where appropriateJan Cholasta2015-09-171-2/+2
| | | | | | Under Python 2, "str" and "bytes" are synonyms. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+3
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-011-2/+2
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-011-25/+25
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.string_types instead of "basestring"Petr Viktorin2015-09-011-2/+4
| | | | | Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Allow overriding member param label in LDAPModMemberJan Cholasta2015-08-181-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5214 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-12/+12
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* include more information in metadataPetr Vobornik2015-07-031-33/+0
| | | | | | | | | | | added to commands: doc, proper args, NO_CLI added to options: default_from, cli_name, cli_short_name and others https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* baseldap: add support for API commands managing only a single attributeMartin Babinsky2015-07-021-0/+114
| | | | | | | This patch extends the API framework with a set of classes which add/remove values to a single LDAPObject attribute. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entryJan Cholasta2015-05-151-1/+1
|
* speed up indirect member processingPetr Vobornik2015-04-271-0/+72
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* speed up convert_attribute_membersPetr Vobornik2015-04-201-8/+28
| | | | | | | | A workaround to avoid usage of slow LDAPEntry._sync_attr #4946 https://fedorahosted.org/freeipa/ticket/4965 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-161-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* User life cycle: allows MODRDN from ldap2Thierry Bordaz2015-04-161-3/+5
| | | | | | | | | enhance update_entry_rdn so that is allows to move an entry a new superior https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Handle missing parent objects properly in *-find commandsTomas Babej2015-01-131-1/+3
| | | | | | | | | | | | | | | | | | | | The find_entries function in ipaldap does not differentiate between a LDAP search that returns error code 32 (No such object) and LDAP search returning error code 0 (Success), but returning no results. In both cases errors.NotFound is raised. In turn, LDAPSearch commands interpret NotFound exception as no results. To differentiate between the cases, a new error EmptyResult was added, which inherits from NotFound to preserve the compatibility with the new code. This error is raised by ipaldap.find_entries in case it is performing a search with and the target dn does not exist. https://fedorahosted.org/freeipa/ticket/4659 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* keytab manipulation permission managementPetr Vobornik2014-10-171-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds new API: ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR these methods add or remove user or group DNs in `ipaallowedtoperform` attr with `read_keys` and `write_keys` subtypes. service|host-mod|show outputs these attrs only with --all option as: Users allowed to retrieve keytab: user1 Groups allowed to retrieve keytab: group1 Users allowed to create keytab: user1 Groups allowed to create keytab: group1 Adding of object class is implemented as a reusable method since this code is used on many places and most likely will be also used in new features. Older code may be refactored later. https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Properly handle the case of renaming object to the same nameTomas Babej2014-09-291-10/+17
| | | | | | | | | | When renaming a object to the same name, errors.EmptyModList is raised. This is not properly handled, and can cause other modifications in the LDAPUpdate command to be ignored. https://fedorahosted.org/freeipa/ticket/4548 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Exclude attributelevelrights from --raw result processing in baseldap.Jan Cholasta2014-07-291-3/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4371 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* baseldap: return 'none' attr level right as unicode stringPetr Vobornik2014-07-251-1/+1
| | | | | | | | | Returning non-unicode causes serialization into base64 which causes havoc in Web UI. https://fedorahosted.org/freeipa/ticket/4454 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Remove redundant search from LDAPAddReverseMember and ↵Tomas Babej2014-07-231-6/+0
| | | | | | LDAPRemoveReverseMember Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Return empty string when no effective rights are foundPetr Viktorin2014-07-091-0/+4
| | | | | | | | | | DS returns the string "none" when no rights were found. All clients would need to special-case this value when checking the rights. Return empty string instead. https://fedorahosted.org/freeipa/ticket/4359 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* sudorule: Refactor add and remove external_post_callbackTomas Babej2014-06-251-10/+46
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* get_ancestors_primary_keys cloneMartin Basti2014-06-031-1/+1
| | | | | | | | | | Fix: classes didnt inherite params from parent correctly Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allows to sort non text entriesMartin Basti2014-06-031-1/+2
| | | | | | | | Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use raw attribute values in command result when --raw is specified.Jan Cholasta2014-04-181-1/+10
| | | | | | | For backward compatibility, the values are converted to unicode, unless the attribute is binary or the conversion fails. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow primary keys to use different type than unicode.Jan Cholasta2014-04-181-19/+50
| | | | | | | | | | Also return list of primary keys instead of a single unicode CSV value from LDAPDelete-based commands. This introduces a new capability 'primary_key_types' for backward compatibility with old clients. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add Object metadata and update plugin for managed permissionsPetr Viktorin2014-03-251-0/+1
| | | | | | | | The default read permission is added for Netgroup as an example. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-201-0/+1
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-89/+80
|
* Get original entry state from LDAP in LDAPUpdate.Jan Cholasta2014-01-241-1/+6
|
* Fix error message when adding duplicate automember ruleAna Krivokapic2013-11-151-2/+3
| | | | | | Also fix object_name and object_name_plural for automember rules. https://fedorahosted.org/freeipa/ticket/2708
* Always use lists for values in LDAPEntry internally.Jan Cholasta2013-10-311-0/+2
| | | | | | | Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce lists for attribute values, this will be removed. https://fedorahosted.org/freeipa/ticket/3521
* Use correct super-calls in get_args() methodsPetr Viktorin2013-10-021-22/+8
| | | | | | | | | | The get_args methods in ipalib.crud and ipalib.plugins.baseldap used super() calls that skipped some of the classes in the inheritance chain, and contained code that reimplemented some of the skipped functionality. This made it difficult to customize the get_args behavior. Use proper super() calls.
* Add new hidden command option to suppress processing of membership attributes.Jan Cholasta2013-07-231-18/+50
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Use LDAP search instead of *group_show to check if a group exists.Jan Cholasta2013-07-111-0/+5
| | | | https://fedorahosted.org/freeipa/ticket/3706
* Improve error messages for external group membersAna Krivokapic2013-03-141-0/+4
| | | | | | | | | | | | | | | | | When adding a duplicate member to a group, an error message is issued, informing the user that the entry is already a member of the group. Similarly, when trying to delete an entry which is not a member, an error message is issued, informing the user that the entry is not a member of the group. These error messages were missing in case of external members. This patch also adds support for using the AD\name or name@ad.domain.com format in ipa group-remove-member command. This format was supported in group-add-member, but not in group-remove-member. Unit test file covering these cases was also added. https://fedorahosted.org/freeipa/ticket/3254
* Remove implicit Str to DN conversion using *-attrTomas Babej2013-03-131-6/+0
| | | | | | | | | | | DNs represented as strings and passed via --setattr or --addattr are no longer implicitly converted to DN type. This solves various errors associated with this behaviour, see tickets below. Unit tests added. https://fedorahosted.org/freeipa/ticket/3348 https://fedorahosted.org/freeipa/ticket/3349
* Change DNA magic value to -1 to make UID 999 usablePetr Viktorin2013-03-111-0/+2
| | | | | | | | | | | | | Change user-add's uid & gid parameters from autofill to optional. Change the DNA magic value to -1. For old clients, which will still send 999 when they want DNA assignment, translate the 999 to -1. This is done via a new capability, optional_uid_params. Tests included https://fedorahosted.org/freeipa/ticket/2886
* Remove DN normalization from the baseldap plugin.Jan Cholasta2013-03-011-11/+10
|
* Use full DNs in plugin code.Jan Cholasta2013-03-011-6/+8
|
* Preserve case of attribute names in LDAPEntry.Jan Cholasta2013-03-011-1/+4
|
* Use the dn attribute of LDAPEntry to set/get DNs of entries.Jan Cholasta2013-03-011-17/+41
| | | | | Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove some unused importsPetr Viktorin2013-03-011-3/+1
| | | | | | Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper
* Add custom mapping object for LDAP entry data.Jan Cholasta2013-03-011-13/+13
|
* Update argument docs to reflect dropped CSV supportPetr Viktorin2013-02-221-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/3352
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-211-54/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
generated by cgit (git 2.34.1) at 2025-09-01 23:49:48 +0000