| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
The ipadb DAL driver gets access to the ldap server as Directory Manager now so
this user is not needed anymore.
|
|
|
|
|
|
| |
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
|
|
|
|
|
|
|
| |
Prevent the ipa-pwd-extop plugin from re-generating keys when kadimn is storing
a new set of keys. Only generate the userPassword and sambaXXPassword hashes.
Also avoid checking policies in this case and if history is provided avoid
regenerating the passwordHistory too.
|
|
|
|
| |
Use default policy for new principals created by kadmin
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Initialize module also on ipadb_create invocation. This is what
kdb5_util expects.
|
|
|
|
| |
limit exported symbols only to the ones actually needed by krb5kdc
|
| |
|
|
|
|
| |
It is going to be used by the ipa-kdb module too.
|
|
|
|
| |
Also to be used by ipa-kdb
|
|
|
|
| |
This way we can reuse the same code from ipa-kdb later
|
|
|
|
| |
This removes custom structures and allows easier sharing of code with ipa-kdb
|
| |
|
|
|
|
|
|
|
|
| |
Setting 0 will work as MIT KDCs assume the current master key when that is
found. But it is a legacy compatibility mode and we should instead set the
proper mkvno number on keys so changeing master key becomes possible w/o
having to do a dump reload and stopping the service. This is especially
important in replicated environments.
|
|
|
|
|
| |
mkvno is actually available as part of the key material.
There is no need to store it in the krbExtraData field as it is unused there.
|
| |
|
| |
|
| |
|
|
|
|
| |
Some are actual bugs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.
Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.
We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.
It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.
However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.
Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.
class foo(Command):
'''
The foo command takes out the garbage.
'''
Would become:
class foo(Command):
__doc__ = _('The foo command takes out the garbage.')
But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.
In summary what this patch does is:
* Remove the use of pygettext (modification to install/po/Makefile.in)
* Replace every docstring with an explicit assignment to __doc__ where
the rhs of the assignment is an i18n marking function.
* Single line docstrings appearing in multi-line string literals
(e.g. ''' or """) were replaced with single line string literals
because the multi-line literals were introducing unnecessary
whitespace and newlines in the string extracted for translation. For
example:
'''
The foo command takes out the garbage.
'''
Would appear in the translation catalog as:
"\n
The foo command takes out the garbage.\n
"
The superfluous whitespace and newlines are confusing to translators
and requires us to strip leading and trailing whitespace from the
translation at run time.
* Import statements were moved from below the docstring to above
it. This was necessary because the i18n markers are imported
functions and must be available before the the doc is
parsed. Technically only the import of the i18n markers had to
appear before the doc but stylistically it's better to keep all the
imports together.
* It was observed during the docstring editing process that the
command documentation was inconsistent with respect to the use of
periods to terminate a sentence. Some doc had a trailing period,
others didn't. Consistency was enforced by adding a period to end of
every docstring if one was missing.
|
|
|
|
|
|
|
|
|
| |
In cli.py is a framework for printing out help information. The
command documentation being displayed is internationalized, however
the text generated by the help framework itself is not
internationalized.
The strings output by the help subsystem need to be internationalized.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Wrap each topic description in _()
* Replace the use of if 'topic' in dir(module) with the more
Pythonic and efficient getattr(module, 'topic', None)
* Make sure to invoke unicode on the value returned from _()
otherwise you'll get a GettextFactory instance, not a string
* Clean up trailing whitespace errors
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Iterate over all API commands and perform the following validation:
* Every command must have documentation
and it must be marked for international translation
* Every module hosting a command must have documentation
and it must be marked for international translation
* Every module topic must be marked for international translation
For every error found emit a diagnostic.
Emit a summary of total errors found.
Return error flag if errors found, zero otherwise.
|
|
|
|
| |
ticket https://fedorahosted.org/freeipa/ticket/1714
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1688
The serial associator is used to execute a command multiple times with different parameters. This is used for adding/removing a user into/from multiple groups. It has some issues:
Each command is executed one-by-one, so it could be slow.
* If there's a failure the rest of the commands will not be executed.
* This can be fixed by putting the commands into a batch and execute them at once.
|
|
|
|
|
|
|
| |
The adder dialog for automount map has been modified to select the
direct map by default.
Ticket #1698
|
|
|
|
|
|
|
|
|
| |
A Password param always prompted to confirm the entered password.
This doesn't make sense if you want to prompt for a password to another
system like we do with entitlements. This adds a new boolean option to
control the Password prompt parameter.
https://fedorahosted.org/freeipa/ticket/1695
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1711
|
|
|
|
|
|
| |
This adds proftpd, pure-ftpd, vsftpd and gssftp.
https://fedorahosted.org/freeipa/ticket/1703
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1676 The ticket is a duplicate of server error, but it revealed few UI errors.
Newly performs validation of details facet before update. If validation fails, notification dialog is shown and command isn't executed.
Fixed integer minimum and maximum value checking.
Read-only and non-writable fields are no longer considered required.
|
|
|
|
|
|
|
| |
When a command returns a partial failure it should be treated as a
success but the failures should still be displayed.
Ticket #1628
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1628
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
|
|
|
|
|
|
|
| |
The 389-ds team is in the process of exposing slapi_rwlock which we
will switch to when it is available.
https://fedorahosted.org/freeipa/ticket/1630
|
|
|
|
|
|
| |
If the user wants the output they can pass the --debug flag to ipactl.
https://fedorahosted.org/freeipa/ticket/1402
|
|
|
|
|
|
|
|
|
|
| |
Since the Add/Delete links in the association table are disabled when
the category is set to 'all', it's no longer necessary to check the
category before showing the add/delete dialogs and modify the category
before adding entries. Thus, the IPA.rule_association_table_widget is
no longer needed.
Ticket #1692
|
|
|
|
| |
ticket 1572
|
|
|
|
| |
ticket 1664
|
|
|
|
|
|
|
|
| |
Added brief explanations for the various Sudo components in the
top level doc. Added doc entries for RunAs User and RunAs
Group.
https://fedorahosted.org/freeipa/ticket/1657
|