path: root/ipalib
Commit message | Author | Age | Files | Lines (-/+)
...
* Fix internal error in the user-status command.  [Jan Cholasta, 2013-12-10, 1 file, -3/+3]
  https://fedorahosted.org/freeipa/ticket/4066

* Add RADIUS proxy support to ipalib CLI  [Nathaniel McCallum, 2013-12-03, 4 files, -9/+227]
  https://fedorahosted.org/freeipa/ticket/3368

* migrate-ds added --ca-cert-file=FILE option  [Martin Basti, 2013-12-02, 1 file, -3/+22]
  FILE is used to specify the CA certificate for the DS connection when TLS is required (ldaps://...).
  Ticket: https://fedorahosted.org/freeipa/ticket/3243

* Changed CLI to allow using FILE as optional param  [Martin Basti, 2013-12-02, 1 file, -5/+7]

* subdomains: Use AD admin credentials when trust is being established  [Alexander Bokovoy, 2013-11-29, 1 file, -3/+10]
  When AD administrator credentials are passed, they are stored in realm_passwd, not realm_password, in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them.
  Additionally, force the Samba auth module to use NTLMSSP in case we have credentials, because at the point when the trust is established, the KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects.
  The logic is a bit fuzzy because the credentials code makes decisions on what to use based on the smb.conf parameters, and the Python bindings to set parameters in smb.conf make the auth module believe these parameters were overridden by the user through the command line and ignore some of the options. We have to do the calls in the right order to force NTLMSSP use instead of Kerberos.
  Fixes https://fedorahosted.org/freeipa/ticket/4046

* Switch client to JSON-RPC  [Petr Viktorin, 2013-11-26, 6 files, -47/+285]
  Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals.
  The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set by the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri).
  Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'.
  Make backend.Executioner and tests use the backend specified by rpc_protocol.
  For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists.
  Design: http://freeipa.org/page/V3/JSON-RPC
  Ticket: https://fedorahosted.org/freeipa/ticket/3299
* trusts: Do not pass base-id to the subdomain ranges  [Tomas Babej, 2013-11-22, 1 file, -0/+5]
  For trusted domains the base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for the forest root domain and other forest domains. Since --base-id explicitly overrides the generated base id for the forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs.
  In case a base id change for non-root forest domains is required, it can be done manually through the idrange-mod command after the trust is established.
  https://fedorahosted.org/freeipa/ticket/4041

* Break long doc string in the Host plugin  [Petr Viktorin, 2013-11-21, 1 file, -12/+11]
  Also split the translations in French and Ukrainian.
  Part of https://fedorahosted.org/freeipa/ticket/3587

* Add ConcatenatedLazyText object  [Petr Viktorin, 2013-11-21, 1 file, -0/+46]
  This object will allow splitting large translatable strings into more pieces, so translators don't have to re-translate the entire text when a small part changes.
  https://fedorahosted.org/freeipa/ticket/3587

* Add userClass attribute for users  [Ana Krivokapic, 2013-11-19, 1 file, -3/+19]
  This new freeform user attribute will allow provisioning systems to add custom tags for user objects, which can later be used for automember rules or for additional local interpretation.
  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
  https://fedorahosted.org/freeipa/ticket/3588

* Add automember rebuild command to the web UI  [Ana Krivokapic, 2013-11-15, 1 file, -4/+6]
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3928

* Fix error message when adding duplicate automember rule  [Ana Krivokapic, 2013-11-15, 2 files, -4/+5]
  Also fix object_name and object_name_plural for automember rules.
  https://fedorahosted.org/freeipa/ticket/2708

* Add automember rebuild command  [Ana Krivokapic, 2013-11-15, 1 file, -10/+133]
  Add a new command to the IPA CLI: ipa automember-rebuild
  The command integrates the automember rebuild membership task functionality into the IPA CLI. It makes it possible to rebuild automember membership for groups/hostgroups.
  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3752

* Add support for managing user auth types  [Nathaniel McCallum, 2013-11-08, 2 files, -5/+22]
  https://fedorahosted.org/freeipa/ticket/3368

* Turn LDAPEntry.single_value into a dictionary-like property.  [Jan Cholasta, 2013-11-05, 2 files, -6/+6]
  This change makes single_value consistent with the raw property.
  https://fedorahosted.org/freeipa/ticket/3521
* Remove AllowLMhash from the allowed IPA config strings  [Sumit Bose, 2013-11-01, 1 file, -1/+1]
  Fixes https://fedorahosted.org/freeipa/ticket/3795

* Always use lists for values in LDAPEntry internally.  [Jan Cholasta, 2013-10-31, 1 file, -0/+2]
  Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce lists for attribute values, this will be removed.
  https://fedorahosted.org/freeipa/ticket/3521

* Remove ipa-pwd-extop and ipa-enrollment duplicate error strings  [Martin Kosek, 2013-10-30, 1 file, -5/+5]
  Some error strings were duplicated, which makes it harder to see what the real root cause is.
  https://fedorahosted.org/freeipa/ticket/3988

* Use new ipaldap entry API in aci and permission plugin  [Petr Viktorin, 2013-10-30, 2 files, -23/+27]

* Help plugin: don't fail if a topic's module is not found  [Petr Viktorin, 2013-10-30, 1 file, -3/+8]
  Previously the help plugin failed when searching for the docstring when a topic's module was not found. This can happen when some server plugins are loaded (e.g. for tests).
  Use empty documentation when the topic is not found.

* Fix invalid assumption in NSS initialization check in SSLTransport  [Petr Viktorin, 2013-10-30, 1 file, -1/+3]
  The code assumes that the `conn` in any Connection in the context is a ServerProxy. This might not always be the case: ldap2 uses a python-ldap connection here.

* Update Permission and ACI plugins to decorator registration API  [Petr Viktorin, 2013-10-30, 2 files, -30/+24]

* trusts: Fix typo in error message for realm-domain mismatch  [Tomas Babej, 2013-10-25, 1 file, -2/+2]

* trusts: combine filters with AND to make sure only the intended domain matches  [Jakub Hrozek, 2013-10-24, 1 file, -1/+2]

* Get the created range type in case of re-establishing trust  [Tomas Babej, 2013-10-21, 1 file, -0/+2]
  This is a fix for a regression introduced by commit id 285ed59889590ddd0d6ca2e2a030b28527941cbf.
  Fixes internal error in case of re-establishing the trust.

* trusts: Do not create ranges for subdomains in case of POSIX trust  [Tomas Babej, 2013-10-14, 1 file, -11/+39]
  For AD trusts where the ID range for the root level domain is of ipa-ad-trust-posix type, do not create separate ranges for the subdomains, since POSIX attributes provide global mapping.
* Add IntEnum parameter to ipalib  [Nathaniel McCallum, 2013-10-09, 2 files, -25/+43]

* Allow multiple types in Param type validation  [Nathaniel McCallum, 2013-10-09, 1 file, -35/+18]
  Int already needed to take both int and long. This makes the functionality available for all Param classes.

* Add optional_create flag  [Nathaniel McCallum, 2013-10-08, 2 files, -5/+12]

* Don't special case the Password class in Param.__init__()  [Nathaniel McCallum, 2013-10-08, 1 file, -11/+6]

* Document no_search in Param flags  [Nathaniel McCallum, 2013-10-07, 1 file, -1/+3]

* ipa-kdb: Handle parent-child relationship for subdomains  [Alexander Bokovoy, 2013-10-04, 1 file, -0/+6]
  When MS-PAC information is re-initialized, also record the parent-child relationship between the trust root level domain and its subdomains. Use the parent's incoming SID black list to check whether a child domain is not allowed to access the IPA realm.
  We also should really use 'cn' of the entry as the domain name. ipaNTTrustPartner has a different meaning on the wire: it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust.
  Finally, the trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initialization in case of a black list change. Trigger that by asking for a cross-realm TGT for the HTTP service.

* trust: integrate subdomains support into trust-add  [Alexander Bokovoy, 2013-10-04, 1 file, -3/+20]

* ipaserver/dcerpc: remove use of trust account authentication  [Alexander Bokovoy, 2013-10-04, 1 file, -1/+0]
  Since the FreeIPA KDC supports adding MS-PAC to the HTTP/ipa.server principal, it is possible to use it when talking to the trusted AD DC. Remove support for authenticating as the trust account because it should not really be used other than within Samba.

* frontend: report argument errors with better detail  [Alexander Bokovoy, 2013-10-04, 1 file, -1/+2]
  When reporting argument errors, also show a context -- what is processed, what is the name of the command.

* trusts: support subdomains in a forest  [Alexander Bokovoy, 2013-10-04, 1 file, -51/+278]
  Add IPA CLI to manage trust domains.
    ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
    ipa trustdomain-find <trust> -- show all available domains
    ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
    ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
    ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
  By default all discovered trust domains are allowed to access IPA resources.
  The IPA KDC also needs information for authentication paths to subdomains in case they are not hierarchical under the AD forest trust root. This information is managed via the capaths section in krb5.conf. SSSD should be able to generate it once ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
  Part of https://fedorahosted.org/freeipa/ticket/3909

* Do not add trust to AD in case of IPA realm-domain mismatch  [Tomas Babej, 2013-10-03, 1 file, -0/+13]
  Make sure that the trust-add command fails when an admin attempts to add an Active Directory trust when the realm name and the domain name of the IPA server do not match.
  https://fedorahosted.org/freeipa/ticket/3923

* Use correct super-calls in get_args() methods  [Petr Viktorin, 2013-10-02, 2 files, -24/+21]
  The get_args methods in ipalib.crud and ipalib.plugins.baseldap used super() calls that skipped some of the classes in the inheritance chain, and contained code that reimplemented some of the skipped functionality. This made it difficult to customize the get_args behavior.
  Use proper super() calls.
* Don't exclude symlinks when loading plugins  [Nick Hatch, 2013-09-16, 1 file, -1/+1]

* Fix service-disable in CA-less install.  [Jan Cholasta, 2013-08-29, 1 file, -20/+21]
  https://fedorahosted.org/freeipa/ticket/3886

* Fix tests which fail after ipa-adtrust-install  [Ana Krivokapic, 2013-08-28, 1 file, -0/+44]
  Some unit tests were failing after ipa-adtrust-install had been run on the IPA server, due to missing attributes ('ipantsecurityidentifier') and objectclasses ('ipantuserattrs' and 'ipantgroupattrs').
  This patch detects if ipa-adtrust-install has been run, and adds the missing attributes and objectclasses where appropriate.
  https://fedorahosted.org/freeipa/ticket/3852

* Fix incorrect error message occurrence when re-adding the trust  [Tomas Babej, 2013-08-27, 1 file, -1/+1]
  You cannot re-add the trust and modify the range in the process. The check in the code was malfunctioning since it assumed that the range_size parameter has a default value. However, the default value is assigned only later, in the add_range function.
  https://fedorahosted.org/freeipa/ticket/3870

* Add base-id, range-size and range-type options to trust-add dialog  [Petr Vobornik, 2013-08-22, 1 file, -0/+1]
  https://fedorahosted.org/freeipa/ticket/3049

* Allow API plugin registration via a decorator  [Petr Viktorin, 2013-08-14, 2 files, -3/+32]
  This makes plugin registration easier to read, less error-prone, and, for many Plugins in a single module, faster to write.
  Functionally, the decorator is equivalent to current plugin registration. However, in the future this style will allow cleaner semantics.
  As an example, and to exercise the new syntax to prevent regressions, the ping plugin is converted to this style.

* Prevent *.pyo and *.pyc multilib problems  [Martin Kosek, 2013-08-13, 1 file, -1/+1]
  Differences in the Python byte code fail a build validation (rpmdiff) done on different architectures of the same package. This patch:
  1) Ensures that timestamps of generated *.pyo and *.pyc files match
  2) Python integer literals greater than or equal to 2^32 and lower than 2^64 are converted to long right away, to prevent a different type of the integer on architectures with a different size of int
  https://fedorahosted.org/freeipa/ticket/3858

* Remove support for IPA deployments with no persistent search  [Tomas Babej, 2013-08-09, 1 file, -6/+4]
  Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself.
  Also changed the ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated.
  https://fedorahosted.org/freeipa/ticket/3632

* Add new command compat-is-enabled  [Ana Krivokapic, 2013-08-07, 1 file, -0/+44]
  Add a new API command 'compat-is-enabled' which can be used to determine whether the Schema Compatibility plugin is configured to serve trusted domain users and groups. The new command is not visible in the IPA CLI.
  https://fedorahosted.org/freeipa/ticket/3671
  https://fedorahosted.org/freeipa/ticket/3672

* Enable running API commands in ipa-advise plugins  [Ana Krivokapic, 2013-08-07, 1 file, -2/+2]
  https://fedorahosted.org/freeipa/ticket/3671
  https://fedorahosted.org/freeipa/ticket/3672

* Add word wrapping for comment log messages to AdviceLogger  [Tomas Babej, 2013-08-06, 1 file, -2/+7]
  The comments logged through AdviceLogger are now wrapped to 70 characters. This change has been documented in the docstrings.

* Improve help entry for ipa host  [Tomas Babej, 2013-08-06, 1 file, -5/+7]
  Updates old information produced by the ipa help host command. Also adds a section to the ipa-client-install manpage about client re-enrollment.
  https://fedorahosted.org/freeipa/ticket/3820