| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber
carlicenseplate is now multivalued
https://fedorahosted.org/freeipa/ticket/4165
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
| |
This change makes the pkcs10 module more consistent with the x509 module.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
| |
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The 'top' objectclass is added by DS if not present. On every
update the managed permission updater compared the object_class
list with the state from LDAP, saw that there's an extra 'top'
value, and tried deleting it.
Add 'top' to the list to match the entry in LDAP.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The default read permission is added for Netgroup as an example.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
| |
Previously the search term was only applied to the name.
Fix it so that it filters results based on any attribute.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows code like:
from ipalib.plugins.dns import dnszone_mod
api.Command[dnszone_mod]
This form should be preferred when getting specific objects
because it ensures that the appropriate plugin is imported.
https://fedorahosted.org/freeipa/ticket/4185
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As with the flags, the objectclass should be returned as it is
on the entry.
https://fedorahosted.org/freeipa/ticket/4257
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The old name is kept as a deprecated alias.
https://fedorahosted.org/freeipa/ticket/4231
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add a new Param kwarg, deprecated_cli_aliases, that lists
deprecated aliases.
The aliases will appear in a "Deprecated options" in the help,
and otherwise act as the normal variant.
Preparation for: https://fedorahosted.org/freeipa/ticket/4231
|
| |
|
|
|
|
| |
Previously only the StrEnum param type had the list of values
listed in the help.
Extend the functionality to any kind of Enum.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
reflect ipalib permission changes in Web UI.
- http://www.freeipa.org/page/V4/Permissions_V2
- http://www.freeipa.org/page/V4/Anonymous_and_All_permissions
- http://www.freeipa.org/page/V4/Managed_Read_permissions
- http://www.freeipa.org/page/V4/Multivalued_target_filters_in_permissions
https://fedorahosted.org/freeipa/ticket/4079
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The --memberof logic tried to convert the value of a (memberof=...)
filter to a DN, which failed with filters like (memberof=*).
Do not try to set memberof if the value is not a DN.
A test will be added in a subsequent patch.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The extratargetfilter behaves exactly like targetfilter, so that e.g.
ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.
Part of the work for https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
| |
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Extend the permission-add and permission-mod commands to process
extratargetfilter.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it
Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.
Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.
Write support will be added in a subsequent patch.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this patch implements:
- output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion.
- datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date.
- utc formatter replaced with new datetime formatter
- datetime_validator introduced
- new datetime field, extension of text field, which by default uses datetime formatter and validator
Dojo was regenerated to include dojo/string module
https://fedorahosted.org/freeipa/ticket/4194
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
trust
Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not suport verifying
trust against the other party (returns WERR_NOT_SUPPORTED).
This needs to be added to the documentation:
When using 'ipa trust-add ad.domain --trust-secret', one has to manually
validate incoming trust using forest trust properties in AD Domains and
Trusts tool.
Once incoming trust is validated at AD side, use IPA command
'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
From this point on the trust should be usable.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3369
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4187
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This makes searching faster if there are many legacy permissions present.
The root entry (which contains all legacy permission ACIs) is only
looked up once.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4206
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.
https://fedorahosted.org/freeipa/ticket/4212
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In cases where logging was already configured by the time
API.bootstrap() was called, saving the argument parser was
mistakenly skipped along with the logging configuration.
Always set the argument parser on the API object.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
RFC 4226 states the following in section 4:
R6 - The algorithm MUST use a strong shared secret. The length of
the shared secret MUST be at least 128 bits. This document
RECOMMENDs a shared secret length of 160 bits.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.
Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
forest trust
Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.
https://fedorahosted.org/freeipa/ticket/4205
|
| |
|
|
|
|
|
|
| |
JSON metadata
https://fedorahosted.org/freeipa/ticket/4201
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.
https://fedorahosted.org/freeipa/ticket/4196
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In the parameters system, we have been checking for a positive list of values
which get converted to None. The problem is that this method can in some
cases throw warnings when type coercion doesn't work (particularly, string
to unicode). Instead, any values that evaluate to False that are neither
numeric nor boolean should be converted to None.
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
|
| |
|
|
|
|
|
|
| |
Maximum serial number field now accepts only positive numbers
https://fedorahosted.org/freeipa/ticket/4163
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4099
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.
https://fedorahosted.org/freeipa/ticket/4121
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This class was built into the framework from its early days but it's
not used anywhere.
Remove it along with its tests
https://fedorahosted.org/freeipa/ticket/3460
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/4178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
- Fractional parts of integers are not mandatory.
- Expressions containing only size or only size + horizontal precision
are allowed.
- N/S/W/E handling was fixed.
See RFC 1876 section 3 for details.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4169
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4171
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
