summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove unused function get_subjectaltname from the cert plugin.Jan Cholasta2014-03-251-14/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update pkcs10 module functions to always load CSRs and allow selecting format.Jan Cholasta2014-03-251-5/+3
| | | | | | This change makes the pkcs10 module more consistent with the x509 module. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* permission plugin: Add 'top' to the list of object classesPetr Viktorin2014-03-251-1/+3
| | | | | | | | | | | The 'top' objectclass is added by DS if not present. On every update the managed permission updater compared the object_class list with the state from LDAP, saw that there's an extra 'top' value, and tried deleting it. Add 'top' to the list to match the entry in LDAP. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add Object metadata and update plugin for managed permissionsPetr Viktorin2014-03-252-0/+20
| | | | | | | | The default read permission is added for Netgroup as an example. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow modifying permissions with ":" in the namePetr Viktorin2014-03-251-2/+29
| | | | | | | | | | | | | | The ":" character will be reserved for default permissions, so that users cannot create a permission with a name that will later be added as a default. Allow the ":" character modifying/deleting permissions*, but not when creating them. Also do not allow the new name to contain ":" when renaming. (* modify/delete have unrelated restrictions on managed permissions) Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-find: Fix handling of the search term for legacy permissionsPetr Viktorin2014-03-251-17/+24
| | | | | | | Previously the search term was only applied to the name. Fix it so that it filters results based on any attribute. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Do not add the ipapermissionv2 for outputPetr Viktorin2014-03-241-5/+4
| | | | | | | | | As with the flags, the objectclass should be returned as it is on the entry. https://fedorahosted.org/freeipa/ticket/4257 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission CLI: rename --permissions to --rightPetr Viktorin2014-03-211-2/+3
| | | | | | | | The old name is kept as a deprecated alias. https://fedorahosted.org/freeipa/ticket/4231 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* webui: change permissions UI to v2Petr Vobornik2014-03-201-3/+2
| | | | | | | | | | | | | | reflect ipalib permission changes in Web UI. - http://www.freeipa.org/page/V4/Permissions_V2 - http://www.freeipa.org/page/V4/Anonymous_and_All_permissions - http://www.freeipa.org/page/V4/Managed_Read_permissions - http://www.freeipa.org/page/V4/Multivalued_target_filters_in_permissions https://fedorahosted.org/freeipa/ticket/4079 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* permission plugin: Do not change extra target filters by "views"Petr Viktorin2014-03-141-4/+7
| | | | | | | | | | | | | Previously, setting/deleting the "--type" virtual attribute removed all (objectclass=...) target filters. Change so that only the filter associated with --type is removed. The same change applies to --memberof: only filters associated with the option are removed when --memberof is (un-)set. Follow-up to https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Do not fail on non-DN memberof filtersPetr Viktorin2014-03-141-1/+5
| | | | | | | | | | The --memberof logic tried to convert the value of a (memberof=...) filter to a DN, which failed with filters like (memberof=*). Do not try to set memberof if the value is not a DN. A test will be added in a subsequent patch. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Support searching by extratargetfilterPetr Viktorin2014-03-141-1/+1
| | | | | | | | | | The extratargetfilter behaves exactly like targetfilter, so that e.g. ipa permission-find --filter=(objectclass=ipausergroup) finds all permissions with that filter in the ACI. Part of the work for https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission CLI: Rename filter to rawfilter, extratargetfilter to filterPetr Viktorin2014-03-141-4/+6
| | | | | | | Since extratargetfilter is shown by default, change it to also have the "default" (i.e. shorter) option name. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Write support for extratargetfilterPetr Viktorin2014-03-141-47/+88
| | | | | | | | | Extend the permission-add and permission-mod commands to process extratargetfilter. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Output the extratargetfilter virtual attributePetr Viktorin2014-03-141-6/+33
| | | | | | | | | | | | | | | | | | The --filter, --type, and --memberof options interact in a way that's difficult to recreate in the UI: type and memberof are "views" on the filter, they affect it and are affected by it Add a "extratagretfilter" view that only contains the filters not linked to type or memberof. Show extra target filter, and not the full target filter, by default; show both with --all, and full filter only with --raw. Write support will be added in a subsequent patch. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Prohibit deletion of active subdomain rangeTomas Babej2014-03-131-5/+17
| | | | | | | | | | Changes the code in the idrange_del method to not only check for the root domains that match the SID in the IDRange, but for the SIDs of subdomains of trusts as well. https://fedorahosted.org/freeipa/ticket/4247 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* webui: Datetime parsing and formattingPetr Vobornik2014-03-131-0/+1
| | | | | | | | | | | | | | | this patch implements: - output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion. - datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date. - utc formatter replaced with new datetime formatter - datetime_validator introduced - new datetime field, extension of text field, which by default uses datetime formatter and validator Dojo was regenerated to include dojo/string module https://fedorahosted.org/freeipa/ticket/4194 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* trust: do not fetch subdomains in case shared secret was used to set up the ↵Alexander Bokovoy2014-03-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | trust Until incoming trust is validated from AD side, we cannot run any operations against AD using the trust. Also, Samba currently does not suport verifying trust against the other party (returns WERR_NOT_SUPPORTED). This needs to be added to the documentation: When using 'ipa trust-add ad.domain --trust-secret', one has to manually validate incoming trust using forest trust properties in AD Domains and Trusts tool. Once incoming trust is validated at AD side, use IPA command 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. From this point on the trust should be usable. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* UI for radius proxyPetr Vobornik2014-03-121-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* UI for OTP tokensPetr Vobornik2014-03-121-2/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* permission_add: Remove permission entry if adding the ACI failsPetr Viktorin2014-03-121-1/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/4187 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* permission-find: Cache the root entry for legacy permissionsPetr Viktorin2014-03-111-8/+23
| | | | | | | | | This makes searching faster if there are many legacy permissions present. The root entry (which contains all legacy permission ACIs) is only looked up once. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions plugin: Don't crash with empty targetfilterPetr Viktorin2014-03-071-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4206 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Allow multiple values for memberofPetr Viktorin2014-03-071-6/+10
| | | | | | | Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions Additional fix for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Remove attributelevelrights before reverting entryPetr Viktorin2014-03-071-0/+3
| | | | | | | | | LDAPUpdate adds the display-only 'attributelevelrights' attribute, which doesn't exist in LDAP. Remove it before reverting entry. https://fedorahosted.org/freeipa/ticket/4212 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix token secret length RFC complianceNathaniel McCallum2014-03-051-1/+1
| | | | | | | | | RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-051-32/+33
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Certificate search max_serial_number problem fixedAdam Misnyovszki2014-02-251-0/+2
| | | | | | | | Maximum serial number field now accepts only positive numbers https://fedorahosted.org/freeipa/ticket/4163 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use super() properly to avoid an exceptionNathaniel McCallum2014-02-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4099 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Do not assume attribute-level rights for new attributes ↵Petr Viktorin2014-02-211-7/+10
| | | | | | | | | | | | | are present With the --all --raw options, the code assumed attribute-level rights were set on ipaPermissionV2 attributes, even on permissions that did not have the objectclass. Add a check that the data is present before using it. https://fedorahosted.org/freeipa/ticket/4121 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-211-7/+19
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-209-11/+27
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions: Use multivalued targetfilterPetr Viktorin2014-02-201-51/+94
| | | | | | | | | | | | | | | | Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Do not copy member attributes to new entryPetr Viktorin2014-02-201-1/+3
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/4178 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix regular expression for LOC records in DNS.Petr Spacek2014-02-181-8/+13
| | | | | | | | | | | - Fractional parts of integers are not mandatory. - Expressions containing only size or only size + horizontal precision are allowed. - N/S/W/E handling was fixed. See RFC 1876 section 3 for details. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix generation of invalid OTP URIsNathaniel McCallum2014-02-131-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4169 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labelsNathaniel McCallum2014-02-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4171 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managed permissionsPetr Viktorin2014-02-121-13/+131
| | | | | | | | | | | | | | | | This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Generate ACIs in the pluginPetr Viktorin2014-02-121-10/+23
| | | | | | | | | Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Convert options in execute, not args_options_2_paramsPetr Viktorin2014-02-121-19/+10
| | | | | | | | With this change, shortcut options like memberof and type will be aplied on the server, not on the client. This will allow us to pass more information than just updated options. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Permission plugin fixesPetr Viktorin2014-02-121-13/+14
| | | | | | | | - Fix i18n for plugin docstring - Fix error when the aci attribute is not present on an entry - Fix error when raising exception for ACI not found Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS classless support for reverse domainsMartin Basti2014-02-111-11/+34
| | | | | | | | | | | | Now users can add reverse zones in classless form: 0/25.1.168.192.in-addr.arpa. 0-25.1.168.192.in-addr.arpa. 128/25 NS ns.example.com. 10 CNAME 10.128/25.1.168.192.in-addr.arpa. Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* PTR records can be added without specify FQDN zone nameMartin Basti2014-02-111-0/+3
| | | | | | | Now adding PTR records will accept zones both with and without end dot. Ticket: https://fedorahosted.org/freeipa/ticket/4151 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove sourcehostcategory from the default HBAC rule.Jan Cholasta2014-02-061-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4158 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Migration does not add users to default groupMartin Kosek2014-02-051-7/+10
| | | | | | | | | | When users with missing default group were searched, IPA suffix was not passed so these users were searched in a wrong base DN. Thus, no user was detected and added to default group. https://fedorahosted.org/freeipa/ticket/4141 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-2426-334/+354
|
* Get original entry state from LDAP in LDAPUpdate.Jan Cholasta2014-01-241-1/+6
|
generated by cgit (git 2.34.1) at 2025-09-01 00:53:17 +0000