summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Replace StandardError with ExceptionRobert Kuska2015-09-308-17/+17
| | | | | | | | StandardError was removed in Python3 and instead Exception should be used. Signed-off-by: Robert Kuska <rkuska@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rewrap errors in get_principal to CCacheErrorMichael Simacek2015-09-222-6/+14
| | | | | | | | | Causes nicer error message when kerberos credentials are not available. https://fedorahosted.org/freeipa/ticket/5272 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for ↵Gabe2015-09-222-10/+15
| | | | | | | | unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: add permissions and administrator privilegeJan Cholasta2015-09-171-0/+98
| | | | | | https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: set owner to current user on container creationJan Cholasta2015-09-171-20/+1
| | | | | | | | This reverts commit 419754b1c11139435ae5b5082a51026da0d5e730. https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: add vault container commandsPetr Vobornik2015-09-171-21/+222
| | | | | | | | | | | | | | | | adds commands: * vaultcontainer-show [--service <service>|--user <user>|--shared ] * vaultcontainer-del [--service <service>|--user <user>|--shared ] * vaultcontainer-add-owner [--service <service>|--user <user>|--shared ] [--users <users>] [--groups <groups>] [--services <services>] * vaultcontainer-remove-owner [--service <service>|--user <user>|--shared ] [--users <users>] [--groups <groups>] [--services <services>] https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* baseldap: make subtree deletion optional in LDAPDeleteJan Cholasta2015-09-171-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use bytes instead of str where appropriateJan Cholasta2015-09-174-11/+11
| | | | | | Under Python 2, "str" and "bytes" are synonyms. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-1740-0/+165
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* config: allow user/host attributes with tagging optionsJan Cholasta2015-09-161-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5295 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use six.python_2_unicode_compatibleJan Cholasta2015-09-071-5/+10
| | | | | | | | | | | Rename __unicode__ to __str__ in classes which define it and use the six.python_2_unicode_compatible decorator on them to make them compatible with both Python 2 and 3. Additional changes were required for the ipapython.dnsutil.DNSName class, because it defined both __str__ and __unicode__. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* certprofile: remove 'rename' optionFraser Tweedale2015-09-021-2/+1
| | | | | | | | | The initial fix of ticket 5247 rejected renames, but left the option behind for API compatibility. Remove the option now, according to the consensus that because it never worked, it is fine to remove it. Fixes: https://fedorahosted.org/freeipa/ticket/5247 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: remove "DNSSEC is experimental" warningsMartin Basti2015-09-021-18/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5265 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Modernize use of range()Petr Viktorin2015-09-016-21/+19
| | | | | | | | | | | | In Python 3, range() behaves like the old xrange(). The difference between range() and xrange() is usually not significant, especially if the whole result is iterated over. Convert xrange() usage to range() for small ranges. Use modern idioms in a few other uses of range(). Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use new-style raise syntaxPetr Viktorin2015-09-011-11/+11
| | | | | | | | | The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use the print functionPetr Viktorin2015-09-018-28/+40
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use next() function on iteratorsPetr Viktorin2015-09-011-5/+5
| | | | | | | In Python 3, next() for iterators is a function rather than method. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-0113-26/+29
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.integer_types instead of (long, int)Petr Viktorin2015-09-013-11/+11
| | | | | Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.input instead of raw_inputPetr Viktorin2015-09-011-1/+2
| | | | | | | | In Python 3, raw_input() was renamed to input(). Import the function from six.moves to get the right version. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replace filter() calls with list comprehensionsPetr Viktorin2015-09-012-5/+4
| | | | | | | | In Python 3, filter() returns an iterator. Use list comprehensions instead. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-0118-62/+62
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.string_types instead of "basestring"Petr Viktorin2015-09-0113-30/+56
| | | | | Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: Limit size of data stored in vaultDavid Kupka2015-08-261-1/+20
| | | | | | https://fedorahosted.org/freeipa/ticket/5231 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* certprofile: prevent rename (modrdn)Fraser Tweedale2015-08-261-2/+3
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/5247 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* fix missing information in object metadataPetr Vobornik2015-08-261-3/+14
| | | | | | | | | | | Missing 'required' values in takes_params causes Web UI to treat required fields as optional. Regression caused by ba0a1c6b33e2519a48754602413c8379fb1f0ff1 https://fedorahosted.org/freeipa/ticket/5258 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: Remove leftover krbV referenceMartin Basti2015-08-261-1/+1
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: change default vault type to symmetricPetr Vobornik2015-08-261-3/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/5251 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Port from python-krbV to python-gssapiMichael Simacek2015-08-266-415/+77
| | | | | | | | | | | | | | | | | | python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Added support for changing vault encryption.Endi S. Dewata2015-08-251-12/+221
| | | | | | | | | | | | The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchiving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: fix forward zone forwarders checksMartin Basti2015-08-251-6/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/5179 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* improve the usability of `ipa user-del --preserve` commandMartin Babinsky2015-08-251-57/+66
| | | | | | | | | | | | | | | `ipa user-del` with `--preserve` option will now process multiple entries and handle `--continue` option in a manner analogous to `ipa user-del` in normal mode. In addition, it is now no longer possible to permanently delete a user by accidentally running `ipa user-del --preserve` twice. https://fedorahosted.org/freeipa/ticket/5234 https://fedorahosted.org/freeipa/ticket/5236 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Change internal rsa_(public|private)_key variable namesChristian Heimes2015-08-241-4/+4
| | | | | | | | | | In two places the vault plugin refers to rsa public or rsa private key although the code can handle just any kind of asymmetric algorithms, e.g. ECDSA. The patch just renames the occurences to avoid more confusion in the future. Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* trusts: format Kerberos principal properly when fetching trust topologyAlexander Bokovoy2015-08-241-1/+6
| | | | | | | | | | | | | | | | | | For bidirectional trust if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask formatting 'creds' object in Kerberos style. For one-way trust we'll be fetching trust topology as TDO object, authenticating with pre-created Kerberos credentials cache, so in all cases we do use Kerberos authentication to talk to Active Directory domain controllers over cross-forest trust link. Part of trust refactoring series. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Fixes: https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add user-stage commandMartin Basti2015-08-212-36/+59
| | | | | | | | | | | | | | This patch replaces 'stageuser-add --from-delete' with new command user-stage. Original way always required to specify first and last name, and overall combination of options was hard to manage. The new command requires only login of deleted user (user-del --preserve). https://fedorahosted.org/freeipa/ticket/5041 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add flag to list all service and user vaultsChristian Heimes2015-08-191-15/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The vault-find plugin has two additional arguments to list all service vaults or user vaults. Since the name of a vault is only unique for a particular user or service, the commands also print the vault user or vault service. The virtual attributes were added in rev 01dd951ddc0181b559eb3dd5ff0336c81e245628. Example: $ ipa vault-find --users ---------------- 2 vaults matched ---------------- Vault name: myvault Type: standard Vault user: admin Vault name: UserVault Type: standard Vault user: admin ---------------------------- Number of entries returned 2 ---------------------------- $ ipa vault-find --services ---------------- 2 vaults matched ---------------- Vault name: myvault Type: standard Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL Vault name: myvault Type: standard Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL ---------------------------- Number of entries returned 2 ---------------------------- https://fedorahosted.org/freeipa/ticket/5150 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-request: remove allowed extensions checkFraser Tweedale2015-08-191-19/+3
| | | | | | | | | | | | | | | cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles. The Dogtag profile has total control over what goes into the final certificate and has the option to reject request based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check. Fixes: https://fedorahosted.org/freeipa/ticket/5205 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: Add container information to vault command resultsJan Cholasta2015-08-191-0/+44
| | | | | | https://fedorahosted.org/freeipa/ticket/5150 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix vault-find with criteriaJan Cholasta2015-08-191-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5212 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Prohibit deletion of predefined profilesFraser Tweedale2015-08-181-2/+11
| | | | | | | | | | | Deletion of predefined profiles, including the default profile, should not be allowed. Detect this case and raise an error. Also update the predefined profiles collection to use namedtuple, making it easier to access the various components. Fixes: https://fedorahosted.org/freeipa/ticket/5198 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* user-undel: Fix error messages.David Kupka2015-08-181-7/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/5207 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: validate vault typePetr Vobornik2015-08-181-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5211 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: normalize service principal in service vault operationsPetr Vobornik2015-08-181-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5233 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fixed vault container ownership.Endi S. Dewata2015-08-181-2/+23
| | | | | | | | | | The vault-add command has been fixed such that if the user/service private vault container does not exist yet it will be created and owned by the user/service instead of the vault creator. https://fedorahosted.org/freeipa/ticket/5194 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix param labels in output of vault owner commandsJan Cholasta2015-08-181-0/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/5214 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* baseldap: Allow overriding member param label in LDAPModMemberJan Cholasta2015-08-181-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5214 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* trusts: Detect missing Samba instanceTomas Babej2015-08-171-20/+79
| | | | | | | | | | | | | | | | | | | | | In the event of invocation of trust related commands, IPA server needs to contact local Samba instance. This is not possible on servers that merely act as AD trust agents, since they do not have Samba instance running. Properly detect the absence of the Samba instance and output user-friendly message which includes list of servers that are capable of running the command, if such exist. List of commands affected: * ipa trust-add * ipa trust-fetch-domains * all of the trustdomain commands available via CLI https://fedorahosted.org/freeipa/ticket/5165 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect domain clash with IPA domain when adding a AD trustTomas Babej2015-08-171-0/+8
| | | | | | | | | | | | | | | | | | When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges is the same - it's always DOMAIN.NAME_id_range. When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID. Detect such domain collisions early and bail out with an appropriate error message. https://fedorahosted.org/freeipa/ticket/4549 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Added CLI param and ACL for vault service operations.Endi S. Dewata2015-08-171-94/+83
| | | | | | | | | | | | | The CLIs to manage vault owners and members have been modified to accept services with a new parameter. A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add permission for bypassing CA ACL enforcementFraser Tweedale2015-08-141-3/+10
| | | | | | | | | | | | Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission. Fixes: https://fedorahosted.org/freeipa/ticket/5099 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-30 09:12:35 +0000