summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* permission-mod: Do not copy member attributes to new entryPetr Viktorin2014-02-201-1/+3
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/4178 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* .mailmap: Remove spurious Kyle Baker linePetr Viktorin2014-02-201-1/+0
| | | | <kbaker@redhat.com> is another person, entirely unrelated to FreeIPA.
* ipactl can not restart ipa services if current status is stoppedMisnyovszki Adam2014-02-191-2/+12
| | | | | | | | | | | | | | fixed by starting the directory server when restarting if it is not currently running to enable fetching running services later restart didn't check that also added a check, that if the directory server started at the beginning, there is no need to restart it https://fedorahosted.org/freeipa/ticket/4050 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support to ipa-kdb for keyless principalsNathaniel McCallum2014-02-192-0/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/3779 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Improve error message on failed Kerberos authenticationAna Krivokapic2014-02-181-2/+2
| | | | | | | | | | | When ipa client installation fails due to failed Kerberos authentication, make sure that the message about the failed authentication is displayed last. This makes it clear to the user that this was the reason for failed installation. https://fedorahosted.org/freeipa/ticket/3573 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Modify DNS tests with LOC records to workaround bug in python-dns.Petr Spacek2014-02-181-5/+5
| | | | | | | | | | | Older versions of dnspython have problems with implicit values for size and h/v precision so our tests use explicit value. See https://github.com/rthalley/dnspython/issues/47 This change is necessary because we want to test if data visible over DNS protocol matches data visible over LDAP. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix regular expression for LOC records in DNS.Petr Spacek2014-02-181-8/+13
| | | | | | | | | | | - Fractional parts of integers are not mandatory. - Expressions containing only size or only size + horizontal precision are allowed. - N/S/W/E handling was fixed. See RFC 1876 section 3 for details. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-join usage instructions are incorrectGabe2014-02-181-1/+1
| | | | | | | | Parameter -s for ipa-join has hostame instead of hostname https://fedorahosted.org/freeipa/ticket/3250 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* tests: Move zone enable/disable tests to end of test_dns_plugin.pyPetr Spacek2014-02-141-72/+74
| | | | | | | | This prevents the test suite from hitting limitations in bind-dyndb-ldap 4.0. For details see https://fedorahosted.org/bind-dyndb-ldap/ticket/127 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add libotp internal library for slapi pluginsNathaniel McCallum2014-02-148-0/+970
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable building in C99 modeNathaniel McCallum2014-02-143-3/+3
| | | | | | | | | | | | | C99 is supported on all compilers we target and provides some useful features, including: * Standard struct initializers * Compound literals * For-loop declarations * Standard bool type * Variable arrays (use with caution) * Too many others to mention... Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: validate that an OTP user has tokensNathaniel McCallum2014-02-143-25/+135
| | | | | | | | | | | | This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update ACIs to permit users to add/delete their own tokensNathaniel McCallum2014-02-133-3/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4087 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix generation of invalid OTP URIsNathaniel McCallum2014-02-131-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4169 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix OTP token names/labelsNathaniel McCallum2014-02-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4171 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for managed permissionsPetr Viktorin2014-02-127-88/+780
| | | | | | | | | | | | | | | | This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make it possible to call custom functions in Declarative testsPetr Viktorin2014-02-121-5/+12
| | | | | | | | | Sometimes, we will want to do more than just call IPA commands and check the output. This patch makes it possible to add arbitrary functions to Declarative tests. They will be called as part of the sequence of tests. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Generate ACIs in the pluginPetr Viktorin2014-02-121-10/+23
| | | | | | | | | Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Convert options in execute, not args_options_2_paramsPetr Viktorin2014-02-121-19/+10
| | | | | | | | With this change, shortcut options like memberof and type will be aplied on the server, not on the client. This will allow us to pass more information than just updated options. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Permission plugin fixesPetr Viktorin2014-02-121-13/+14
| | | | | | | | - Fix i18n for plugin docstring - Fix error when the aci attribute is not present on an entry - Fix error when raising exception for ACI not found Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the TODO filePetr Viktorin2014-02-121-88/+0
| | | | | | | All items in the file either have been fixed or were just stale. Nowadays we just use Trac for issues. Reviewed-By: Martin Košek <mkosek@redhat.com>
* Update README and BUILDPetr Viktorin2014-02-122-34/+68
| | | | | | | | | Update README with information from http://www.freeipa.org/page/Leaflet and fixed links. Update the list of dependencies in BUILD, and link to the Testing wiki page Reviewed-By: Martin Košek <mkosek@redhat.com>
* Correct Jenny Severance's last namePetr Viktorin2014-02-121-1/+1
| | | | Reviewed-By: Martin Košek <mkosek@redhat.com>
* Add a .mailmap filePetr Viktorin2014-02-121-0/+50
| | | | | | | | | | This makes `git shortlog` report correct and consistent names and addresses, even for past commits where the author information is not ideal. See git-shortlog(1) Reviewed-By: Martin Košek <mkosek@redhat.com>
* Fix test_host_plugin for DNS Classless Reverse zonesMartin Basti2014-02-121-2/+2
| | | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-by: Martin Kosek <mkosek@redhat.com>
* Move ipa-otpd socket directoryNathaniel McCallum2014-02-114-7/+7
| | | | | https://fedorahosted.org/freeipa/ticket/4167 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNS tests for classless reverse domainsMartin Basti2014-02-114-21/+246
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS classless support for reverse domainsMartin Basti2014-02-112-36/+70
| | | | | | | | | | | | Now users can add reverse zones in classless form: 0/25.1.168.192.in-addr.arpa. 0-25.1.168.192.in-addr.arpa. 128/25 NS ns.example.com. 10 CNAME 10.128/25.1.168.192.in-addr.arpa. Ticket: https://fedorahosted.org/freeipa/ticket/4143 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Do not require group name resolution for the non-posix testsTomas Babej2014-02-111-4/+16
| | | | | | | | | | In the non-posix tests on the legacy clients, the testuser does not belong to the testgroup (since this is represented by the NIS group membership). Relax the regular expression check for the output of the id testuser. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Change expected home directories returned by getentTomas Babej2014-02-112-8/+20
| | | | | | | | | | | | | The hardcoded values for the home directories for the AD users did not properly scale up from the POSIX attrs only test scanario. When using POSIX attrs, the home dir is returned as whatever is set in the AD (/home/username by default). Without using POSIX attributes, the /home/domain/username form is taken by default. Refactor the tests to take this behaviour into account. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Add test cases for subdomain users on legacy clientsTomas Babej2014-02-111-9/+113
| | | | | | | | | | | Adds test cases for: * getent subdomain user on legacy client * getent subdomain group on legacy client * getent id subdomain user on legacy client * ssh into legacy client with subdomain user * ssh into legacy client with disabled subdomain user Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* PTR records can be added without specify FQDN zone nameMartin Basti2014-02-111-0/+3
| | | | | | | Now adding PTR records will accept zones both with and without end dot. Ticket: https://fedorahosted.org/freeipa/ticket/4151 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Stop sssd service before deleting the cacheTomas Babej2014-02-101-2/+2
| | | | | | | | In the integration tests, we do not stop the sssd service before deleting the cache, but rather start it. We need to stop sssd before deleting the cache. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipatests: Make sure we re-kinit as admin before adding the disabledipauserTomas Babej2014-02-101-0/+2
| | | | | | | | | When we add the disabledipauser during the setup class part of the BaseTestLegacyClient, we need to make sure that we re-kinit admin since we do ntpsync with the AD just before that, which can render the previous ticket invalid. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipatests: Perform a connection test before preparing the clientTomas Babej2014-02-101-0/+4
| | | | | | | | | | | | When the host is down, the preparation of the host fails. This produces misleading errors, since the test framework reports that the actual command being executed failed, when in fact (in case of SSHTransport), the cause of failure was unability to establish a SSH session. https://fedorahosted.org/freeipa/ticket/4132 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipatests: legacy_clients: Test legacy clients with non-posix trustTomas Babej2014-02-101-13/+76
| | | | | | | | | Adds test cases for legacy client support with IPA that has estabilish trust with AD that does not leverage POSIX attributes defined on AD. https://fedorahosted.org/freeipa/ticket/4134 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Remove sourcehostcategory from the default HBAC rule.Jan Cholasta2014-02-062-2/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4158 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Migration does not add users to default groupMartin Kosek2014-02-051-7/+10
| | | | | | | | | | When users with missing default group were searched, IPA suffix was not passed so these users were searched in a wrong base DN. Thus, no user was detected and added to default group. https://fedorahosted.org/freeipa/ticket/4141 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: Run restoring backup files and restoring their context in one sessionTomas Babej2014-02-051-10/+14
| | | | | | | | | | | | | | Restoring backup files and restoring their context were two separate commands, what means that in case we use SSHTrasport, which creates a separate SSH session for each command, we try to restore the SELinux context of the changed files in a new session. This causes problems, if the access to files themselves are necessary for the creation of the new SSH session. https://fedorahosted.org/freeipa/ticket/4133 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: Add records for all hosts in master's domainTomas Babej2014-02-053-0/+62
| | | | | | | | | | | | | | All the hosts in the domain have IPA master set as their only nameserver. However, the IPA master does not create records for these machines by default. This is not an big issue for clients or replicas, since those records do get created in other ways, but external hosts using their internal hostnames will not resolve. Adds an A record for each host in master's domain. https://fedorahosted.org/freeipa/ticket/4130 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipatests: test_legacy_clients: Change "test group" to "testgroup"Tomas Babej2014-02-051-2/+2
| | | | | | | | | | The integration test for legacy clients used incorrectly "test group" instead of "testgroup" as group used on AD for test purposes. This is inconsistent with the usage of "testuser". https://fedorahosted.org/freeipa/ticket/4131 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa tool: Print the name of the server we are connecting to with -vPetr Viktorin2014-02-052-3/+8
| | | | | | | | | | | | | The logging level for these messages was decreaed so that they do not show up in ipa-advise output. Reset the log level to INFO and configure ipa-advise to not display INFO messages from xmlclient by default. Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be https://fedorahosted.org/freeipa/ticket/4135 Reviewed-By: Tomáš Babej <tbabej@redhat.com>
* integration tests OpenSSHTransport: Expand tilde to home in ↵Petr Viktorin2014-02-051-1/+2
| | | | | | | | | root_ssh_key_filename Expand paths beginning with a tilde, such as the default ~/.ssh/id_rsa, to the home directory. https://fedorahosted.org/freeipa/ticket/4115
* ipa-lockout: do not fail when default realm cannot be readMartin Kosek2014-02-041-17/+17
| | | | | | | | | | | When ipa-lockout plugin is started during FreeIPA server installation, the default realm may not be available and plugin should then not end with failure. Similarly to other plugins, start in degraded mode in this situation. Operation is fully restored during the final services restart. https://fedorahosted.org/freeipa/ticket/4085
* Fallback to global policy in ipa-lockout pluginMartin Kosek2014-02-031-0/+34
| | | | | | | | | | krbPwdPolicyReference is no longer filled default users. Instead, plugins fallback to hardcoded global policy reference. Fix ipa-lockout plugin to fallback to it instead of failing to apply the policy. https://fedorahosted.org/freeipa/ticket/4085
* Use reserved domain names for testsPetr Spacek2014-01-301-31/+38
| | | | https://fedorahosted.org/freeipa/ticket/4139
* Rename variables in test xmlrpc/dns_pluginPetr Spacek2014-01-301-479/+486
| | | | https://fedorahosted.org/freeipa/ticket/4139
* Use private IPv4 addresses for testsPetr Spacek2014-01-301-48/+63
| | | | https://fedorahosted.org/freeipa/ticket/4139
* BUILD: Fix portability of NSS in file ipa_pwd.cLukas Slebodnik2014-01-283-5/+8
| | | | Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-273-18/+1
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
generated by cgit (git 2.34.1) at 2024-11-11 13:50:22 +0000