summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Revert "Hide topology and domainlevel features"Tomas Babej2015-07-103-14/+1
| | | | | | | | | This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipalib: pass api instance into textui in doctest snippetsMilan KubĂ­k2015-07-101-12/+13
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Fix missing format for InvalidDomainLevelErrorTomas Babej2015-07-101-0/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Prevent to rename certprofile profile idMartin Basti2015-07-101-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5074 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix error message when certificate CN is invalidPetr Vobornik2015-07-091-3/+1
| | | | | | The error message was probably copied from mail address check below. Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: show multiple certPetr Vobornik2015-07-091-0/+3
| | | | | | | | | | | New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information. part of: https://fedorahosted.org/freeipa/ticket/5045 Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: cert-request improvementsPetr Vobornik2015-07-091-1/+3
| | | | | | | | | | | | | | | Certificate request action and dialog now supports 'profile_id', 'add' and 'principal' options. 'add' and 'principal' are disaplayed only if certificate is added from certificate search facet. Certificate search facet allows to add a certificate. User details facet allows to add a certificate. part of https://fedorahosted.org/freeipa/ticket/5046 Reviewed-By: Martin Basti <mbasti@redhat.com>
* move session_logout command to ipalib/plugins directoryPetr Vobornik2015-07-082-29/+31
| | | | | | | | API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-request: enforce caacl for principals in SANFraser Tweedale2015-07-081-17/+25
| | | | | | | | | cert-request currently does not enforce caacls for principals included in the subjectAltName requestExtension. Enforce for any dNSName values recognised as hosts/services known to FreeIPA. Fixes: https://fedorahosted.org/freeipa/ticket/5096 Reviewed-By: David Kupka <dkupka@redhat.com>
* caacl: fix incorrect construction of HbacRequest for hostsFraser Tweedale2015-07-081-3/+4
| | | | | | | | The _acl_make_request function is using the 'host/' prefix itself instead of the hostname after it. Use split_any_principal to do the splitting correctly, also taking realm into account. Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: caaclPetr Vobornik2015-07-081-0/+13
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix logging in APIMartin Basti2015-07-081-2/+2
| | | | | | Setup log in API before first usage Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib: Fix skip_version_check optionJan Cholasta2015-07-082-9/+6
| | | | | | | | | | | This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474. The option can be either set in IPA config file or specified as 'ipa -e skip_version_check=1 [COMMAND]'. https://fedorahosted.org/freeipa/ticket/4768 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added vault access control.Endi S. Dewata2015-07-081-6/+112
| | | | | | | | | | | New LDAP ACIs have been added to allow vault owners to manage the vaults and to allow members to access the vaults. New CLIs have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-addAlexander Bokovoy2015-07-081-14/+51
| | | | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-081-34/+107
| | | | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-081-1/+8
| | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-081-1/+2
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* add option to skip client API version checkMartin Babinsky2015-07-084-4/+13
| | | | | | | | | This can be either set in IPA config file or specified as 'ipa --skip-version-check [COMMAND]'. part of https://fedorahosted.org/freeipa/ticket/4768 Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add ability to update profile config in DogtagFraser Tweedale2015-07-081-3/+32
| | | | | | | | | Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add option to export profile configFraser Tweedale2015-07-081-3/+36
| | | | | | | | | Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel featuresTomas Babej2015-07-083-1/+14
| | | | | | | | | | | * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added ipaVaultPublicKey attribute.Endi S. Dewata2015-07-071-8/+8
| | | | | | | | | A new attribute ipaVaultPublicKey has been added to replace the existing ipaPublicKey used to store the vault public key. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Added symmetric and asymmetric vaults.Endi S. Dewata2015-07-071-35/+548
| | | | | | | | | | | The vault plugin has been modified to support symmetric and asymmetric vaults to provide additional security over the standard vault by encrypting the data before it's sent to the server. The encryption functionality is implemented using the python-cryptography library. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* include more information in metadataPetr Vobornik2015-07-033-70/+24
| | | | | | | | | | | added to commands: doc, proper args, NO_CLI added to options: default_from, cli_name, cli_short_name and others https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of infoMartin Basti2015-07-031-1/+1
| | | | | | Upgrade contains too many unnecessary info logs. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: make cn of new segment consistent with topology pluginPetr Vobornik2015-07-031-1/+1
| | | | Reviewed-By: David Kupka <dkupka@redhat.com>
* topologysegment: hide direction and enable optionsPetr Vobornik2015-07-031-1/+2
| | | | | | | | These options should not be touched by users yet. https://fedorahosted.org/freeipa/ticket/5061 Reviewed-By: David Kupka <dkupka@redhat.com>
* new commands to manage user/host/service certificatesMartin Babinsky2015-07-023-2/+98
| | | | | | | | | | | | A new group of commands is introduced that simplifies adding and removing binary certificates to entries. A general form of the command is ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB] Part of http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* reworked certificate normalization and revocationMartin Babinsky2015-07-023-146/+55
| | | | | | | | | | | Validation of certificate is now handled by `x509.validate_certificate'. Revocation of the host and service certificates was factored out to a separate function. Part of http://www.freeipa.org/page/V4/User_Certificates Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: add support for API commands managing only a single attributeMartin Babinsky2015-07-021-0/+114
| | | | | | | This patch extends the API framework with a set of classes which add/remove values to a single LDAPObject attribute. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowedTomas Babej2015-07-021-3/+24
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Do not abort the find & show commands on conversion errorsTomas Babej2015-07-021-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Display the wrong attribute name when mandatory attribute is missingThierry Bordaz2015-07-021-1/+1
| | | | | | | When activating a stageuser, if 'sn' or 'cn' or 'uid' is missing it displays an error with 'cn' Reviewed-By: Tomas Babej <tbabej@redhat.com>
* DNS: Do not traceback if DNS is not installedMartin Basti2015-07-011-2/+11
| | | | | | | | | Instead of internal error show 'DNS is not configured' message, when a dns* command is executed. https://fedorahosted.org/freeipa/ticket/5017 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* plugable: Remove unused call method of PluginJan Cholasta2015-07-011-18/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugin base classes and modules using API propertiesJan Cholasta2015-07-012-16/+25
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Change is_production_mode to method of APIJan Cholasta2015-07-012-15/+11
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Remove SetProxy, DictProxy and MagicDictJan Cholasta2015-07-011-110/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Lock API on finalization rather than on initializationJan Cholasta2015-07-011-10/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Do not use DictProxy for APIJan Cholasta2015-07-011-9/+50
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-018-48/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Load plugins only from modules imported by APIJan Cholasta2015-07-013-7/+24
| | | | | | | | Previously all plugin modules imported from anywhere were added to the API. https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugins to import in API by module namesJan Cholasta2015-07-012-45/+45
| | | | | | | | | This change removes the automatic plugins sub-package magic and allows specifying modules in addition to packages. https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Move find_modules_in_dir from util to plugableJan Cholasta2015-07-012-24/+23
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is TrueJan Cholasta2015-07-014-6/+2
| | | | | | | https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Move plugin base class and override logic to APIJan Cholasta2015-07-013-163/+122
| | | | | | | | | | | | Each API object now maintains its own view of registered plugins. This change removes the need to register plugin base classes. This reverts commit 2db741e847c60d712dbc8ee1cd65a978a78eb312. https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Remove ID overrides for permanently removed users and groupsTomas Babej2015-07-013-5/+40
| | | | | | | | | For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Allow users specify the raw anchor directly as identifierTomas Babej2015-07-011-11/+31
| | | | | | | | | | | | | | For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable. Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Set dcerpc detection flag properlyTomas Babej2015-07-011-1/+3
| | | | | | | | | The availability of dcerpc bindings is being checked on the client side as well, hence we need to define it properly. https://fedorahosted.org/freeipa/ticket/5025 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-03 12:59:43 +0000