summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* ipalib: Make sure correct attribute name is referenced for faxTomas Babej2015-02-191-1/+1
| | | | | | | | | | Fixes the invalid attribute name reference in the 'System: Read User Addressbook Attributes' permission. https://fedorahosted.org/freeipa/ticket/4883 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Changing the token owner changes also the managerMartin Babinsky2015-02-181-0/+13
| | | | | | | | | | This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes token's manager unless the attribute 'managedBy' is explicitly set otherwise. https://fedorahosted.org/freeipa/ticket/4681 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* group-detach does not add correct objectclassesMartin Kosek2015-02-181-0/+1
| | | | | | | https://fedorahosted.org/freeipa/ticket/4874 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix TOTP Synchronization Window labelPetr Vobornik2015-02-171-1/+1
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* permission-add does not prompt for ipapermright in interactive modeGabe2015-02-161-0/+1
| | | | | | | | | - Add flag "ask_create" to ipalib/plugins/permission.py - Bump API version https://fedorahosted.org/freeipa/ticket/4872 Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: exit with error message if no users/groups to migrate are foundMartin Babinsky2015-02-161-0/+6
| | | | | | | | | 'ipa migrate-ds' will now exit with error message if no suitable users/groups are found on LDAP server during migration. https://fedorahosted.org/freeipa/ticket/4846 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix warning message on client sideMartin Basti2015-02-131-1/+3
| | | | | | | | Add message about only on server side. https://fedorahosted.org/freeipa/ticket/4793 Reviewed-By: David Kupka <dkupka@redhat.com>
* Expose the disabled User Auth TypeNathaniel McCallum2015-02-122-1/+2
| | | | | | | | | Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled. https://fedorahosted.org/freeipa/ticket/4720 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Allow setting ssh public key on ipauseroverride-addDavid Kupka2015-01-271-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4868 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Always return absolute idnsname in dnszone commandsMartin Basti2015-01-261-2/+34
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4722 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow PassSync user to locate and update NT usersMartin Kosek2015-01-191-0/+12
| | | | | | | | | | | | | | | Add new PassSync Service privilege that have sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service. https://fedorahosted.org/freeipa/ticket/4837 Reviewed-By: David Kupka <dkupka@redhat.com>
* Detect and warn about invalid DNS forward zone configurationMartin Basti2015-01-152-11/+332
| | | | | | | | | Shows warning if forward and parent authoritative zone do not have proper NS record delegation, which can cause the forward zone will be ineffective and forwarding will not work. Ticket: https://fedorahosted.org/freeipa/ticket/4721 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* baseldap: Handle missing parent objects properly in *-find commandsTomas Babej2015-01-132-1/+18
| | | | | | | | | | | | | | | | | | | | The find_entries function in ipaldap does not differentiate between a LDAP search that returns error code 32 (No such object) and LDAP search returning error code 0 (Success), but returning no results. In both cases errors.NotFound is raised. In turn, LDAPSearch commands interpret NotFound exception as no results. To differentiate between the cases, a new error EmptyResult was added, which inherits from NotFound to preserve the compatibility with the new code. This error is raised by ipaldap.find_entries in case it is performing a search with and the target dn does not exist. https://fedorahosted.org/freeipa/ticket/4659 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.David Kupka2015-01-131-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4787 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix default value type for wait_for_dns optionPetr Spacek2015-01-131-1/+1
| | | | | | | wait_for_dns value should be an integer so default value was changed from False to 0. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* rpcclient: use json_encode_binary for verbose outputPetr Vobornik2015-01-131-3/+7
| | | | | | | | `json.dumps` is not able to process some IPA's object types and therefore requires to preprocess it with `json_encode_binary` call. This step was not used in rpcclient's verbose output. https://fedorahosted.org/freeipa/ticket/4773 Reviewed-By: Martin Basti <mbasti@redhat.com>
* migrate-ds: fix compat plugin checkPetr Vobornik2015-01-121-5/+2
| | | | | | | | | | After ACI refactoring, admin cannot read Schema Compatibility plugin configuration and therefore migrade-ds won't find if compat plugin is enabled. Now the check si done by looking if cn=compat subtree is present. https://fedorahosted.org/freeipa/ticket/4825 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Ignore host or hostgroup options set to NoneTomas Babej2014-12-121-0/+6
| | | | | | | | | Since passing --hosts= or --hostsgroups= to idview-apply or unapply commands does not make sense, ignore it. https://fedorahosted.org/freeipa/ticket/4806 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* idviews: Complain if host is already assigned the ID View in idview-applyTomas Babej2014-12-121-4/+5
| | | | | | | | | | | When running a idview-apply command, the hosts that were already assigned the desired view were silently ignored. Make sure such hosts show up in the list of failed hosts. https://fedorahosted.org/freeipa/ticket/4743 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Show SSHFP record containing space in fingerprintMartin Basti2014-12-101-0/+8
| | | | | | | | | SSHFP records added by nsupdate contains extra space (valid), framework couldn't handle it. Ticket: https://fedorahosted.org/freeipa/ticket/4790 Ticket: https://fedorahosted.org/freeipa/ticket/4789 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* hosts: Display assigned ID view by default in host-find and show commandsTomas Babej2014-12-051-3/+18
| | | | | | | | | | Makes ipaassignedidview a default attribute and takes care about the conversion from the DN to the proper ID view name. https://fedorahosted.org/freeipa/ticket/4774 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Create an OTP help topicNathaniel McCallum2014-12-053-0/+7
| | | | | | | This allows the various OTP related commands to be grouped together in the IPA CLI documentation. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make token auth and sync windows configurableNathaniel McCallum2014-12-051-0/+119
| | | | | | | | | | | This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add --hosts and --hostgroup options to allow/retrieve keytab methodsPetr Vobornik2014-12-032-12/+44
| | | | | | | | | | | | | | | | | | `--hosts` and `--hostgroup` options added to: * service-allow-create-keytab * service-allow-retrieve-keytab * service-disallow-create-keytab * service-disallow-retrieve-keytab * host-allow-create-keytab * host-allow-retrieve-keytab * host-disallow-create-keytab * host-disallow-retrieve-keytab in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page https://fedorahosted.org/freeipa/ticket/4777 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Throw zonemgr error message before installation proceedsMartin Basti2014-12-012-30/+50
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4771 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Re-initialize NSS database after otptoken plugin testsTomas Babej2014-11-261-11/+20
| | | | | | | | | | | OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Catch USBError during YubiKey locationNathaniel McCallum2014-11-251-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4693 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix error message for nonexistent members and add tests.David Kupka2014-11-241-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4643 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use NSS protocol range API to set available TLS protocolsRob Crittenden2014-11-242-1/+8
| | | | | | | | | | | | | Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. This is overridable per client by setting tls_version_min and/or tls_version_max. https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix --{user,group}-ignore-attribute in migration plugin.David Kupka2014-11-201-6/+4
| | | | | | | | Ignore case in attribute names. https://fedorahosted.org/freeipa/ticket/4620 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix warning message should not contain CLI commandsMartin Basti2014-11-192-7/+6
| | | | | | | Message is now universal for both CLI and WebUI Ticket: https://fedorahosted.org/freeipa/ticket/4647 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable QR code display by default in otptoken-addNathaniel McCallum2014-11-192-2/+4
| | | | | | | | | | This is possible because python-qrcode's output now fits in a standard terminal. Also, update ipa-otp-import and otptoken-add-yubikey to disable QR code output as it doesn't make sense in these contexts. https://fedorahosted.org/freeipa/ticket/4703 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Ensure users exist when assigning tokens to themNathaniel McCallum2014-11-131-2/+5
| | | | | | | https://fedorahosted.org/freeipa/ticket/4642 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Improve otptoken help messagesNathaniel McCallum2014-11-131-1/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/4689 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Produce better error in group-add command.David Kupka2014-11-131-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4611 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idrange: include raw range type in outputPetr Vobornik2014-11-111-0/+1
| | | | | | | | iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers Solved by new iparangetyperaw output attribute which contains iparangetype's raw value Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ranges: prohibit setting --rid-base with ipa-trust-ad-posix typePetr Vobornik2014-11-111-14/+47
| | | | | | | | | | | | We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type. No schema change is done. https://fedorahosted.org/freeipa/ticket/4221 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modififed NSSConnection not to shutdown existing database.Endi S. Dewata2014-11-111-15/+19
| | | | | | | | | | | | The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs. https://fedorahosted.org/freeipa/ticket/4638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix dns zonemgr validation regressionMartin Basti2014-10-271-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4663 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overridesAlexander Bokovoy2014-10-241-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4664 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* fix forwarder validation errorsMartin Basti2014-10-211-6/+8
| | | | | | Fix tests, validation in dnsconfig mod, wuser warning Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: remove container_dnssec_keysJan Cholasta2014-10-211-1/+0
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: change link to ipa pageMartin Basti2014-10-211-3/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: ACIMartin Basti2014-10-211-0/+53
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: validate forwardersMartin Basti2014-10-213-1/+90
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: platform paths and servicesMartin Basti2014-10-211-0/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Support idviews in compat treeAlexander Bokovoy2014-10-202-0/+21
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: do not offer ipa users to Default Trust ViewPetr Vobornik2014-10-201-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4616 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: allow --force in dnszone-mod and dnsrecord-addPetr Vobornik2014-10-201-0/+3
| | | | | | | | | | Allow to use --force when changing authoritative nameserver address in DNS zone. Same for dnsrecord-add for NS record. https://fedorahosted.org/freeipa/ticket/4573 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: management of keytab permissionsPetr Vobornik2014-10-201-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-28 11:02:33 +0000