| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.
This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla
Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla
Ticket #435
|
| |
|
|
|
|
|
| |
Field idnszoneactive is marked as optional, because it is set to true by
default (see class dnszone_add).
https://fedorahosted.org/freeipa/ticket/601
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/570
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implements the role, privilege, permission, delegation and selfservice entities ui.
Targetgroup has been added to the object types.
The groups lists need to be filter. The filter is currently hidden, with a
hyperlink that reads 'filter' to unhide it. Each keystroke in this filter
performs an AJAX request to the server.
There are bugs on the server side that block some of the functionality from
completing
Creating a Permission requires one of 4 target types. The add dialog in this
version assumes the user will want to create a filter type. They can change
this on the edit page.
Most search results come back with the values as arrays, but ACIs seem not to.
Search and details both required special code to handle non-arrays.
The unit tests now make use of the 'module' aspect of QUnit. This means that
future unit test will also need to specify the module. The advantage is that
multiple tests can share a common setup and teardown.
Bugs that need to be fixed before this works 100% are
https://fedorahosted.org/freeipa/ticket/634
https://fedorahosted.org/freeipa/ticket/633
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
| |
Drop filter from the output, it is superfluous.
ticket 634
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.
Example:
ipa group-find --no-users=admin
Only direct members are taken into account.
Ticket #288
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/397
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/359
|
| | |
|
| |
|
|
|
|
|
|
|
| |
When adding a host with specific IP address, the operation would fail in
case IPA doesn't own the reverse DNS. This new option overrides the
check for reverse DNS zone and falls back to different IP address
existence check.
https://fedorahosted.org/freeipa/ticket/417
|
| |
|
|
| |
Allow renaming of object that have a parent
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
| |
|
|
| |
A few had bad formatting causing the doctests to fail.
|
| |
|
|
|
|
|
|
| |
We create the aci with the --test flag to test its validity but it doesn't
do the same level of tests that actually adding an aci to LDAP does. Catch
any syntax errors that get thrown and clean up as best we can.
ticket 621
|
| |
|
|
|
|
|
|
|
|
| |
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
|
| |
|
|
| |
ticket 559
|
| | |
|
| |
|
|
|
|
|
| |
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.
ticket 532
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.
We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.
ticket 560
|
| | |
|
| |
|
|
| |
no longer calling them role groups.
|
| |
|
|
|
|
|
| |
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.
ticket 473
|
| |
|
|
|
|
|
|
|
| |
permissions are a real group pointed to by an aci, managed by the same
plugin. Any given update can update one or both or neither. Do a better
job at determining what it is that needs to be updated and handle the
case where only the ACI is updated so that EmptyModList is not thrown.
ticket 603
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.
We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added
ticket 567
|
| | |
|
| |
|
|
| |
ticket 579
|
| |
|
|
|
|
|
| |
This patch catches NotFound exception and calls handling function
which then sends exception with unified error message.
https://fedorahosted.org/freeipa/ticket/487
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.
I've added some simple tests for setattr and addattr.
ticket 565
|
| |
|
|
|
|
|
| |
Make the cert subject base read-only. This is here only so replicated servers
know their base.
ticket 466
|
| |
|
|
| |
ticket 604
|
| |
|
|
| |
ticket 539
|
| |
|
|
|
|
|
|
|
| |
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.
Right now only ACIs in the basedn can be managed with this plugin.
ticket 531
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/570 This patch Addresses items: 1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/580
|
| |
|
|
| |
Ticket #573
|
| |
|
|
| |
ticket 496
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/455
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds new options to the migration plugin:
* the option to fine-tune the objectclass of users or groups being imported
* the option to select the LDAP schema (RFC2307 or RFC2307bis)
Also makes the logic that decides whether an entry is a nested group or user
(for RFC2307bis) smarter by looking at the DNS. Does not hardcode primary keys
for migrated entries.
https://fedorahosted.org/freeipa/ticket/429
|
| |
|
|
| |
ticket 310
|
| |
|
|
| |
ticket 545
|
| |
|
|
|
|
|
|
| |
When setting default group, we should check if the group exists.
If not, it could lead to some issues with adding new users after
the new default group is set.
https://fedorahosted.org/freeipa/ticket/504
|
| |
|
|
|
|
|
|
|
| |
After calling ipa config --defaultgroup=xxx with nonexistent group xxx,
the result will be that no new user can be added. The operation will
always fail in the middle because it is not possible to add the new user
to desired default group.
https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4
|
| |
|
|
| |
ticket 561
|
| |
|
|
| |
ticket 523
|
| |
|
|
|
|
|
| |
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The create_association_facets() has been modified such that it
does not generate duplicate links. This is done by assigning the
proper labels and hiding non-assignable associations.
Each association will get a label based on the attribute used:
- memberof: Membership in <entity name>
- member.*: <entity name> Members
- managedby: Managed by <entity name>
The following associations will be hidden:
- memberindirect
- enrolledby
The internal.py was modified to return localized labels.
The test data has been updated.
|
