summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
...
* Display token type when viewing tokenNathaniel McCallum2014-10-201-3/+25
| | | | | | | | | When viewing a token from the CLI or UI, the type of the token should be displayed. https://fedorahosted.org/freeipa/ticket/4563 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: add link to OTP token appPetr Vobornik2014-10-171-0/+1
| | | | | | | | | - display info message which points user to FreeOTP project page - the link or the text can be easily changed by a plugin if needed https://fedorahosted.org/freeipa/ticket/4469 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* idviews: error out if appling Default Trust View on hostsPetr Vobornik2014-10-171-0/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4615 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* keytab manipulation permission managementPetr Vobornik2014-10-173-9/+258
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds new API: ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR these methods add or remove user or group DNs in `ipaallowedtoperform` attr with `read_keys` and `write_keys` subtypes. service|host-mod|show outputs these attrs only with --all option as: Users allowed to retrieve keytab: user1 Groups allowed to retrieve keytab: group1 Users allowed to create keytab: user1 Groups allowed to create keytab: group1 Adding of object class is implemented as a reusable method since this code is used on many places and most likely will be also used in new features. Older code may be refactored later. https://fedorahosted.org/freeipa/ticket/4419 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-174-10/+40
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove token vendor, model and serial defaultsNathaniel McCallum2014-10-161-6/+0
| | | | | | | | | These defaults are pretty useless and cause more confusion than they are worth. The serial default never worked anyway. And now that we are displaying the token type separately, there is no reason to doubly record these data points. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Raise better error message for permission added to generated treeMartin Kosek2014-10-161-1/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4523 Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
* Allow override of gecos field in ID viewsAlexander Bokovoy2014-10-131-2/+5
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify GID of the userAlexander Bokovoy2014-10-131-1/+6
| | | | | | Resolves https://fedorahosted.org/freeipa/ticket/4617 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow user overrides to specify SSH public keysAlexander Bokovoy2014-10-131-0/+44
| | | | | | | | | | | | | Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in. SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454 Resolves https://fedorahosted.org/freeipa/ticket/4509 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Support overridding user shell in ID viewsAlexander Bokovoy2014-10-131-2/+6
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove misleading authorization error message in cert-request with --addJan Cholasta2014-10-081-5/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4540 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Sudorule RunAsUser should work with external groupsMartin Kosek2014-10-021-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4600 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: add link from host to idviewPetr Vobornik2014-09-301-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: facet group labels for idview's facetsPetr Vobornik2014-09-301-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: new ID views sectionPetr Vobornik2014-09-301-0/+26
| | | | | | https://fedorahosted.org/freeipa/ticket/4535 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* idviews: Make sure only regular IPA objects are allowed to be overridenTomas Babej2014-09-301-1/+17
| | | | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Display the list of hosts when using --allTomas Babej2014-09-301-1/+8
| | | | | | | | | | | | | | Enumerating hosts is a potentially expensive operation (uses paged search to list all the hosts the ID view applies to). Show the list of the hosts only if explicitly asked for (or asked for --all). Do not display with --raw, since this attribute does not exist in LDAP. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Catch errors on unsuccessful AD object lookup when resolving object ↵Tomas Babej2014-09-301-8/+13
| | | | | | | | | | | | | name to anchor When resolving non-existent objects, domain validator will raise ValidationError. We need to anticipate and properly handle this case. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make sure the dict.get method is not abused for MUST attributesTomas Babej2014-09-301-4/+4
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Handle Default Trust View properly in the frameworkTomas Babej2014-09-301-0/+39
| | | | | | | | | | | | Make sure that: 1.) IPA users cannot be added to the Default Trust View 2.) Default Trust View cannot be deleted or renamed Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Make description optional for the ID View objectTomas Babej2014-09-301-1/+1
| | | | | | | | | | Description of any object should not be required. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Fix casing of ID Views to be consistentTomas Babej2014-09-301-35/+35
| | | | | | | | | | Replace all occurences of "ID view(s)" with "ID View(s)". Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipaOriginalUidTomas Babej2014-09-301-2/+29
| | | | | | | | | | | For slapi-nis plugin, we need to cache the original uid value of the user in the override object. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Resolve anchors to object names in idview-showTomas Babej2014-09-301-111/+128
| | | | | | | | | | | When running idview-show, users will expect a proper object name instead of a object anchor. Make sure the anchors are resolved to the object names unless --raw option was passed. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Raise NotFound errors if object to override could not be foundTomas Babej2014-09-301-0/+7
| | | | | | | | | | | If the object user wishes to override cannot be found, we should properly raise a NotFound error. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Change format of IPA anchor to include domainTomas Babej2014-09-301-2/+14
| | | | | | | | | | | | | | The old format of the IPA anchor, :IPA:<object_uuid> does not contain for the actual domain of the object. Once IPA-IPA trusts are introduced, we will need this information to be kept to be able to resolve the anchor. Change the IPA anchor format to :IPA:<domain>:<object_uuid> Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Alter idoverride methods to work with splitted objectsTomas Babej2014-09-301-40/+28
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride commands into iduseroverride and idgroupoverrideTomas Babej2014-09-301-10/+66
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Split the idoverride object into iduseroverride and idgroupoverrideTomas Babej2014-09-301-54/+103
| | | | | | | | | | | | To be able to better deal with the conflicting user / group names, we split the idoverride objects in the two types. This simplifies the implementation greatly, as we no longer need to set proper objectclasses on each idoverride-mod operation. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Support specifying object names instead of raw anchors onlyTomas Babej2014-09-302-0/+122
| | | | | | | | | | | | Improve usability of the ID overrides by allowing user to specify the common name of the object he wishes to override. This is subsequently converted to the ipaOverrideAnchor, which serves as a stable reference for the object. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Extend idview-show command to display assigned idoverrides and hostsTomas Babej2014-09-301-40/+129
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipa idview-apply and idview-unapply commandsTomas Babej2014-09-301-3/+176
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Selected PEP8 fixes for the hostgroup pluginTomas Babej2014-09-301-11/+4
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Remove redundant and star importsTomas Babej2014-09-301-2/+5
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* hostgroup: Add helper that returns all members of a hostgroupTomas Babej2014-09-301-0/+8
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idvies: Add managed permissions for idview and idoverride objectsTomas Babej2014-09-301-0/+23
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Create basic idview plugin structureTomas Babej2014-09-301-0/+191
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib: PEP8 fixes for host pluginTomas Babej2014-09-301-18/+22
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib: Remove redundant and star imports from host pluginTomas Babej2014-09-301-8/+8
| | | | | | | | | | Also fixes incorrect error catching for UnicodeDecodeError. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Add ipaAssignedIDVIew reference to the host objectTomas Babej2014-09-301-3/+6
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* idviews: Create container for ID views under cn=accountsTomas Babej2014-09-301-0/+1
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Introduce NSS database /etc/ipa/nssdbJan Cholasta2014-09-301-1/+1
| | | | | | | | | | This is the new default NSS database for IPA. /etc/pki/nssdb is still maintained for backward compatibility. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* baseldap: Properly handle the case of renaming object to the same nameTomas Babej2014-09-291-10/+17
| | | | | | | | | | When renaming a object to the same name, errors.EmptyModList is raised. This is not properly handled, and can cause other modifications in the LDAPUpdate command to be ignored. https://fedorahosted.org/freeipa/ticket/4548 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Do not require description in UI.David Kupka2014-09-297-7/+7
| | | | | | | | | Description attribute is not required in LDAP schema so there is no reason to require it in UI. Modified tests to reflect this change. https://fedorahosted.org/freeipa/ticket/4387 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove --ip-address, --name-server otpions from DNS helpMartin Basti2014-09-261-5/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4149 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS: autofill admin emailMartin Basti2014-09-252-16/+6
| | | | | | | | | Admins email (SOA RNAME) is autofilled with value 'hostmaster'. Bind will automaticaly append zone part. Part of ticket: https://fedorahosted.org/freeipa/ticket/4149 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Deprecation of --name-server and --ip-address option in DNSMartin Basti2014-09-252-81/+95
| | | | | | | | | | | | | Option --name-server is changing only SOA MNAME, this option has no more effect to NS records Option --ip-addres is just ignored A warning message is sent after use these options Part of ticket: https://fedorahosted.org/freeipa/ticket/4149 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix DNS plugin to allow to add root zoneMartin Basti2014-09-251-24/+32
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4149 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNS: remove --class optionMartin Basti2014-09-251-4/+5
| | | | | | | | This option haven't been working, it is time to remove it. Ticket: https://fedorahosted.org/freeipa/ticket/3414 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-28 04:59:04 +0000