summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/baseldap.py
Commit message (Collapse)AuthorAgeFilesLines
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-031-2397/+0
| | | | | | | | | | Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: replace incorrect no_cli with no_option flagMartin Basti2016-06-021-1/+1
| | | | | | | | | The 'no_cli' is not valid flag in parameters scope, so to hide option from CLI 'no_option' flag should be used https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Performance: Find commands: do not process members by defaultMartin Basti2016-05-311-1/+6
| | | | | | | | | | | | | | | | In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make option --no-members public in CLIMartin Basti2016-05-311-1/+1
| | | | | | | | | With many members commands became slow. Making this option public allows users to speedup searches. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* frontend: move the interactive_prompt callback type to CommandJan Cholasta2016-05-251-36/+1
| | | | | | | | | | | | Move interactive_prompt callback type from baseldap.BaseLDAPCommand to Command. This will make it possible to move all interactive_prompt callbacks to ipaclient. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* frontend: merge baseldap.CallbackRegistry into CommandJan Cholasta2016-05-251-55/+6
| | | | | | | | Also make it possible for subclasses to introduce new callback types. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: remove the unused `csv` argument of ParamJan Cholasta2016-05-251-5/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: make optional positional command arguments actually optionalJan Cholasta2016-05-251-3/+8
| | | | | | | | | Fix several plugins not to assume optional positional arguments have a value of None when not specified. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* frontend: perform argument value validation only on serverJan Cholasta2016-05-251-2/+8
| | | | | | | | | | | | | | | | Do not validate values of command arguments on the client and let the server handle validation. This will make the client more lightweight by not having it to carry validation code and metadata with itself for the price of increasing network traffic in case the validation fails. Types of the arguments are still validated on both the client and the server. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix referenced before assigment variables in except statementsMartin Basti2016-05-201-2/+2
| | | | | | | Variable msg may not exists in the last except context, and even it contains improper value because it is not related to catched exception Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* specify type of exceeded limit when warning about truncated search resultsMartin Babinsky2016-04-131-2/+5
| | | | | | | | | API commands inheriting from LDAPSearch should mention which limit was exceeded in the warning message sent with truncated results. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limitsMartin Babinsky2016-04-131-9/+5
| | | | | | | | | | | When LDAP search fails on exceeded limits, we should raise an specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fixes minor issuesStanislav Laznicka2016-02-241-1/+1
| | | | | | | | | | | | | Fixes issues discovered by Coverity plugins/baseldap.py: possible undefined value in return certmonger.py: possible dereference of None value i18n.py: fixed always True bug (+ cosmetic change) https://fedorahosted.org/freeipa/ticket/5661 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Warn user when ipa *-find reach limitMartin Basti2016-01-271-1/+7
| | | | | | | | | Truncated entries were silently ignored, now a user receives warning. https://fedorahosted.org/freeipa/ticket/4022 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* Remove unused importsMartin Basti2015-12-231-1/+1
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename caught exception for use outside the except: block.Petr Viktorin2015-10-131-1/+2
| | | | | | | | | | | | | | In Python 3, the variable with the currently handled exception is unset at the end of the except block. (This is done to break reference cycles, since exception instances now carry tracebacks, which contain all locals.) Fix this in baseldap's error handler. Use a simpler structure for the ipatests.raises utility that only uses the exception inside the except block. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for ↵Gabe2015-09-221-2/+2
| | | | | | | | unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: make subtree deletion optional in LDAPDeleteJan Cholasta2015-09-171-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use bytes instead of str where appropriateJan Cholasta2015-09-171-2/+2
| | | | | | Under Python 2, "str" and "bytes" are synonyms. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+3
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-011-2/+2
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-011-25/+25
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.string_types instead of "basestring"Petr Viktorin2015-09-011-2/+4
| | | | | Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Allow overriding member param label in LDAPModMemberJan Cholasta2015-08-181-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5214 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-12/+12
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* include more information in metadataPetr Vobornik2015-07-031-33/+0
| | | | | | | | | | | added to commands: doc, proper args, NO_CLI added to options: default_from, cli_name, cli_short_name and others https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* baseldap: add support for API commands managing only a single attributeMartin Babinsky2015-07-021-0/+114
| | | | | | | This patch extends the API framework with a set of classes which add/remove values to a single LDAPObject attribute. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Fix possible crash in LDAPObject.handle_duplicate_entryJan Cholasta2015-05-151-1/+1
|
* speed up indirect member processingPetr Vobornik2015-04-271-0/+72
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* speed up convert_attribute_membersPetr Vobornik2015-04-201-8/+28
| | | | | | | | A workaround to avoid usage of slow LDAPEntry._sync_attr #4946 https://fedorahosted.org/freeipa/ticket/4965 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Move schema handling from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-161-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* User life cycle: allows MODRDN from ldap2Thierry Bordaz2015-04-161-3/+5
| | | | | | | | | enhance update_entry_rdn so that is allows to move an entry a new superior https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Handle missing parent objects properly in *-find commandsTomas Babej2015-01-131-1/+3
| | | | | | | | | | | | | | | | | | | | The find_entries function in ipaldap does not differentiate between a LDAP search that returns error code 32 (No such object) and LDAP search returning error code 0 (Success), but returning no results. In both cases errors.NotFound is raised. In turn, LDAPSearch commands interpret NotFound exception as no results. To differentiate between the cases, a new error EmptyResult was added, which inherits from NotFound to preserve the compatibility with the new code. This error is raised by ipaldap.find_entries in case it is performing a search with and the target dn does not exist. https://fedorahosted.org/freeipa/ticket/4659 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* keytab manipulation permission managementPetr Vobornik2014-10-171-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds new API: ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR these methods add or remove user or group DNs in `ipaallowedtoperform` attr with `read_keys` and `write_keys` subtypes. service|host-mod|show outputs these attrs only with --all option as: Users allowed to retrieve keytab: user1 Groups allowed to retrieve keytab: group1 Users allowed to create keytab: user1 Groups allowed to create keytab: group1 Adding of object class is implemented as a reusable method since this code is used on many places and most likely will be also used in new features. Older code may be refactored later. https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Properly handle the case of renaming object to the same nameTomas Babej2014-09-291-10/+17
| | | | | | | | | | When renaming a object to the same name, errors.EmptyModList is raised. This is not properly handled, and can cause other modifications in the LDAPUpdate command to be ignored. https://fedorahosted.org/freeipa/ticket/4548 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Exclude attributelevelrights from --raw result processing in baseldap.Jan Cholasta2014-07-291-3/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4371 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* baseldap: return 'none' attr level right as unicode stringPetr Vobornik2014-07-251-1/+1
| | | | | | | | | Returning non-unicode causes serialization into base64 which causes havoc in Web UI. https://fedorahosted.org/freeipa/ticket/4454 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Remove redundant search from LDAPAddReverseMember and ↵Tomas Babej2014-07-231-6/+0
| | | | | | LDAPRemoveReverseMember Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Return empty string when no effective rights are foundPetr Viktorin2014-07-091-0/+4
| | | | | | | | | | DS returns the string "none" when no rights were found. All clients would need to special-case this value when checking the rights. Return empty string instead. https://fedorahosted.org/freeipa/ticket/4359 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* sudorule: Refactor add and remove external_post_callbackTomas Babej2014-06-251-10/+46
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* get_ancestors_primary_keys cloneMartin Basti2014-06-031-1/+1
| | | | | | | | | | Fix: classes didnt inherite params from parent correctly Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allows to sort non text entriesMartin Basti2014-06-031-1/+2
| | | | | | | | Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use raw attribute values in command result when --raw is specified.Jan Cholasta2014-04-181-1/+10
| | | | | | | For backward compatibility, the values are converted to unicode, unless the attribute is binary or the conversion fails. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow primary keys to use different type than unicode.Jan Cholasta2014-04-181-19/+50
| | | | | | | | | | Also return list of primary keys instead of a single unicode CSV value from LDAPDelete-based commands. This introduces a new capability 'primary_key_types' for backward compatibility with old clients. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add Object metadata and update plugin for managed permissionsPetr Viktorin2014-03-251-0/+1
| | | | | | | | The default read permission is added for Netgroup as an example. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-201-0/+1
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-89/+80
|
* Get original entry state from LDAP in LDAPUpdate.Jan Cholasta2014-01-241-1/+6
|
* Fix error message when adding duplicate automember ruleAna Krivokapic2013-11-151-2/+3
| | | | | | Also fix object_name and object_name_plural for automember rules. https://fedorahosted.org/freeipa/ticket/2708
generated by cgit (git 2.34.1) at 2025-06-14 14:15:55 +0000