summaryrefslogtreecommitdiffstats
path: root/API.txt
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix maxvalue in DNS pluginMartin Kosek2012-01-121-6/+6
| | | | | | | | | | | | Having a Parameter maxvalue larger that 2G makes Python convert it to "long" type instead of "int" type. Our framework than fails to bootstrap the API when it detects long integer in Parameter maxvalue. Remove the clashing maxvalue out entirely as we can't transfer values larger than 2G anyway (xmlrpc limitation). https://fedorahosted.org/freeipa/ticket/2082
* Create per-type DNS APIMartin Kosek2012-01-121-141/+356
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use new structured DNSRecord parameters to generate per-type API for all supported DNS RR types. This should help significantly the end-user with manipulating complex DNS record type (MX, LOC, etc.). All enhancements are integrated to current DNS record commands: 1) dnsrecord-add - Records can be either entered as a raw value (e.g. --mx-rec= "1 srv1.example.com" for MX record) or per-part: --mx-preference=1 --mx-exchanger=srv1.example.com - CLI interactive help behavior was changed. It will ask for a record type and then ask for all DNS record part values (e.g. MX Preference value, MX Exchanger value). 2) dnsrecord-mod - This command can now operate in 2 modes. When only a raw DNS record is entered (e.g. --mx-rec="1 srv1.example.com") it operates in standard mode and replaces any previous mxrecord value with the --mx-rec value. When any structured parameter (e.g. --mx-preference) is passed it modifies just the specified parts of one mxrecord value referred by --mx-rec: --mx-rec="1 srv1.example.com" --mx-preference=2 - New interactive help has been implemented. It will ask for a record to be modified (in the same manner as dnsrecord-del) and then let user change DNS record part(s) for chosen records. 3) All dnsrecord-* commands have now --structured option - When this option is passed, instead of displaying raw DNS values all DNS records are parsed and displayed per-part. Example: $ ipa dnsrecord-show example.com @ --structured Record name: @ Records: Record type: MX Record data: 0 server1.example.com. MX Preference: 0 MX Exchanger: server1.example.com. Record type: NS Record data: ns1.example.com. NS Hostname: ns1.example.com. All API changes are compatible with clients without this patch. https://fedorahosted.org/freeipa/ticket/2082
* Refactor dnsrecord processingMartin Kosek2012-01-121-182/+146
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current DNS record processing architecture has many flaws, including custom execute() methods which does not take advantage of base LDAP commands or nonstandard and confusing DNS record option processing. This patch refactors DNS record processing with the following improvements: * Every DNS record has now own Parameter type. Each DNS record consists from one or more "parts" which are also Parameters. This architecture will enable much easier implementation of future per-DNS-type API. * Validation is now not written as a separate function for every parameter but is delegated to DNS record parts. * Normalization is also delegated to DNS record parts. * Since standard LDAP base commands execute method is now used, dnsrecord-add and dnsrecord-mod correctly supports --setattr and --addattr options. * In order to prevent confusion unsupported DNS record types are now hidden. They are still present in the plugin so that old clients receive proper validation error. The patch also contains several fixes: * Fix domain-name validation and normalization- allow domain names that are not fully qualified. For example --cname-rec=bar is a valid domain-name for bind which will translate it then as bar.<owning-domain>. This change implies, that fully qualified domain names must end with '.'. * Do not let user accidentally remove entire zone with command "ipa dnsrecord-del @ --del-all". * Fix --ttl and --class option processing in dnsrecord-add and dnsrecord-mod. All API changes are compatible with clients without this patch. https://fedorahosted.org/freeipa/ticket/2082
* HBAC test optional sourcehost optionOndrej Hamada2012-01-091-2/+3
| | | | | | | | | | | | | | | New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
* User-add random password supportOndrej Hamada2011-12-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used the 'random' option will be ignored. Two test cases were added to unit test's module test_user_plugin.py - they test creating and modifying user with random password. Two fuzzy tests were added: test for password(string that doesn't start or end with whitespace and doesn't containt other whitespace than ' ') and for whatever string(because of krbextradata). I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly(reduce number of non-letters). It has two optional parameters now - first one is string of characters that should be used for generating the passwd and second one is length of password. If none parameter is set default values will be used so there's no need to modify other plugins that use random password generator. https://fedorahosted.org/freeipa/ticket/1979
* Add SELinux user mapping framework.Rob Crittenden2011-12-091-1/+129
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* Added commands into metadata.Endi S. Dewata2011-12-061-1/+5
| | | | | | | | | The json_metadata command has been modified to accept some new options and return the commands metadata. The API.txt has been updated as well. The UI has been modified to use commands metadata instead of methods metadata. Ticket #388
* Mark some attributes required to match the schema.Rob Crittenden2011-12-051-9/+9
| | | | | | | | | This makes no changes to the functionality in the command-line or GUI because these all have defaults anyway. This is mostly to show them properly in the UI and prevent someone from trying to erase the value (and getting a nasty schema error in response). https://fedorahosted.org/freeipa/ticket/2015
* Parse comma-separated lists of values in all parameter types. This can be ↵Jan Cholasta2011-11-301-356/+356
| | | | | | | | | | | | | enabled for a specific parameter by setting the "csv" option to True. Remove "List" parameter type and replace all occurences of it with appropriate multi-valued parameter ("Str" in most cases) with csv enabled. Add new parameter type "Any", capable of holding values of any type. This is needed by the "batch" command, as "Str" is not suitable type for the "methods" parameter. ticket 2007
* Add --delattr option to complement --setattr/--addattrMartin Kosek2011-11-291-67/+89
| | | | | | | | | | | | | | | | | | | | | Add a --delattr option to round out multi-valued attribute manipulation. The new option is available for all LDAPUpdate based commands. --delattr is evaluated last, it can remove any value present either in --addattr/--setattr option or in current LDAP object. --*attr processing was completely refactored and placed to one independent function available for all baseldap commands. For this purpose a missing common base class for all baseldap commands has been implemented. The new class should serve not only for --*attr processing but also for other common baseldap methods and attributes. This approach will also benefit other custom commands based neither on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr option processing when needed. https://fedorahosted.org/freeipa/ticket/1929
* Remove redundant information from API.txtMartin Kosek2011-11-151-2326/+2326
| | | | | | | | | | Some Param or Output attributes do not cause API incompatibility (e.g. doc, label or callables) and does not need to be included in API.txt. When these attributes are modified, a lot of bogus changes may get in API.txt - making the real API changes less detectable. https://fedorahosted.org/freeipa/ticket/2107
* Fix LDAP object parameter encodingMartin Kosek2011-11-151-54/+54
| | | | | | | | | | | | | | | Parameters in LDAP objects missed an information if they are real LDAP attributes or not. Real LDAP attributes are written to entry_attrs dictionary in plugin callbacks and are being encoded. This causes issues when plugin callbacks does not expect that the parameters values are already encoded for submission to LDAP. This patch introduces a new flag "noattribute" used to mark that a parameter is not an LDAP attribute and thus should not be encoded or added to entry_attrs. Param documentation is improved to describe the meaning of this and other Param flags or attributes. https://fedorahosted.org/freeipa/ticket/2097
* Fix API.txtMartin Kosek2011-11-141-1/+1
| | | | | | | Fix a post-makeapi change in one option's label in commit 62c110a3b89e3f37d1f1fa24a2a533a708d5de26 https://fedorahosted.org/freeipa/ticket/1906
* Polish ipa config helpMartin Kosek2011-11-101-3/+3
| | | | | | | | | | | Remove config-mod options help from config module help to keep the option doc on one place and without unnecessary redundancy. The new format is more consistent with the rest of the plugins. Also fix several inconsistencies in the labels/doc, including: - using abbreviation when not needed - using '.' at the end of options help https://fedorahosted.org/freeipa/ticket/1906
* Improve DNS record data validationMartin Kosek2011-11-101-170/+170
| | | | | | | | | | | | | Implement missing validators for DNS RR types so that we can capture at least basic user errors. Additionally, a normalizer creating a fully-qualified domain name has been implemented for several RRs where name server may mis-interpret the domain name otherwise. Unit tests exercising these new validators for the most common RR types have been added. This patch also consolidates hard-coded values in DNS test to one place. https://fedorahosted.org/freeipa/ticket/1106
* Fix DNS zone --allow-dynupdate option behaviorMartin Kosek2011-11-091-4/+4
| | | | | | | | | | | | --allow-dynupdate was implemented as a Flag parameter type, which is not convenient for LDAP attributes. When a DNS zone with permitted dynamic updates was modified and the --allow-dynupdate flag was not set, dynamic updates were turned off. This patch changes the option type to Bool parameter type which behaves according to user expectations when modifying the zone. https://fedorahosted.org/freeipa/ticket/2039
* Create pkey-only option for find commandsMartin Kosek2011-10-271-21/+42
| | | | | | | | | | | | New option --pkey-only is available for all LDAPSearch based classes with primary key visible in the output. This option makes LDAPSearch commands search for primary attribute only. This may be useful when manipulating large data sets. User can at first retrieve all primary keys in a relatively small data package and then run further commands with retrieved primary keys. https://fedorahosted.org/freeipa/ticket/1262
* Add --zonemgr/--admin-mail validatorMartin Kosek2011-10-261-3/+3
| | | | | | | | | | | Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as the SOA record stores this value without it and people may be used to configure it that way. '@' is always removed by the installer/dns plugin before the DNS zone is created. https://fedorahosted.org/freeipa/ticket/1966
* Improve handling of GIDs when migrating groupsMartin Kosek2011-10-111-3/+4
| | | | | | | | | | | | Since IPA v2 server already contain predefined groups that may collide with groups in migrated (IPA v1) server (for example admins, ipausers), users having colliding group as their primary group may happen to belong to an unknown group on new IPA v2 server. Implement --group-overwrite-gid option to overwrite GID of already existing groups to prevent this issue. https://fedorahosted.org/freeipa/ticket/1866
* Require current password when using passwd to change your own password.Rob Crittenden2011-10-041-2/+3
| | | | | | | | | | | | | | | | | | Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it. https://fedorahosted.org/freeipa/ticket/1808
* Add regular expression pattern to host names.Rob Crittenden2011-09-271-8/+8
| | | | | | Limit hostnames to letters, digits and - with a maximum length of 255 https://fedorahosted.org/freeipa/ticket/1780
* Normalize uid in user principal to lower-case and do validationRob Crittenden2011-09-221-3/+3
| | | | | | | Use same normalization and validation in passwd plugin and add some tests for invalid principals https://fedorahosted.org/freeipa/ticket/1778
* Skip the cert validator if the csr we are passed in is a valid filenameRob Crittenden2011-09-141-1/+1
| | | | | | | | | The validator will still fire, just after the load_files() call. Basically it will hit the validator twice. The first time it will exit because the value of csr is a filename. The second time it will run the validator against the contents of the file. ticket https://fedorahosted.org/freeipa/ticket/1777
* Remove normalizer that made role, privilege and permission names lower-caseRob Crittenden2011-09-121-28/+28
| | | | https://fedorahosted.org/freeipa/ticket/1747
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-311-0/+113
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* Add netgroup as possible memberOf for hostgroupsRob Crittenden2011-08-291-1/+3
| | | | https://fedorahosted.org/freeipa/ticket/1563
* Add option to only prompt once for passwords, use in entitle_registerRob Crittenden2011-08-241-1/+1
| | | | | | | | | A Password param always prompted to confirm the entered password. This doesn't make sense if you want to prompt for a password to another system like we do with entitlements. This adds a new boolean option to control the Password prompt parameter. https://fedorahosted.org/freeipa/ticket/1695
* Fix automountkey-modMartin Kosek2011-08-181-4/+4
| | | | | | | | | | | | | Fix automountkey-mod so that automountkey attribute is correctly updated. Add this test case to the unit tests. Make automountkey required for automountkey-mod, otherwise it would cause internal server error. Make --newinfo optional so that automountkey may be just renamed without changing its info attribute. https://fedorahosted.org/freeipa/ticket/1528
* Hide continue option from automountkey-delMartin Kosek2011-08-021-1/+1
| | | | | | | This option makes no sense for automount keys. This should be removed in future versions. https://fedorahosted.org/freeipa/ticket/1529
* Deprecated managing users and runas user/group in sudorule add/modRob Crittenden2011-07-291-9/+9
| | | | | | | | We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing. https://fedorahosted.org/freeipa/ticket/1307 https://fedorahosted.org/freeipa/ticket/1320
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Autofill the default revocation reasonRob Crittenden2011-07-221-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1514
* Hide the HBAC access type attribute now that deny is deprecated.Rob Crittenden2011-07-211-3/+3
| | | | | | | It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected. https://fedorahosted.org/freeipa/ticket/1495
* Add ability to specify DNS reverse zone name by IP network address.Jan Cholasta2011-07-151-10/+13
| | | | | | | In order for this to work, chaining of parameters through default_from is made possible. ticket 1474
* Remove the ability to create new HBAC deny rules.Rob Crittenden2011-07-141-3/+3
| | | | | | | | | | New rules will all be allow type. Existing rules cannot be changed to deny. The type attribute now defaults to allow with autofill so it won't be prompted in interactive mode in the cli. https://fedorahosted.org/freeipa/ticket/1432
* In sudo labels we should use RunAs and not Run As.Rob Crittenden2011-07-141-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/1328
* Filter reverse zones in dnszone-findMartin Kosek2011-07-131-1/+2
| | | | | | | | | Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch. https://fedorahosted.org/freeipa/ticket/1471
* Fixed object_name and object_name_plural internationalizationEndi S. Dewata2011-07-121-142/+142
| | | | | | | | | The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string. Ticket #1435
* Add DNS record modification commandMartin Kosek2011-07-121-0/+44
| | | | | | | | | | | | | | | | | The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137
* Enforce class rules when query=True, continue to not run validators.Rob Crittenden2011-07-111-23/+23
| | | | | | | | | | | | | | | This started as a problem in allowing leading/trailing whitespaces on primary keys. In nearly every command other than add query is True so all rules were ignored on the primary key. This meant that to enforce whitespace we would need to define a validator for each one. I decided instead to set self.all_rules to just the class rules if query == True. So the minimum set of validators will be executed against each type but param-specific validators will only run on add. https://fedorahosted.org/freeipa/ticket/1285 https://fedorahosted.org/freeipa/ticket/1286 https://fedorahosted.org/freeipa/ticket/1287
* password expiration labelAdam Young2011-07-051-1/+1
|
* Fixed object_name usage.Endi S. Dewata2011-07-051-44/+44
| | | | | | | | | | | The object_name attribute was used as both an identifier and a label which sometimes require different values (e.g. hbacrule vs. HBAC rule). The code that uses object_name as an identifier has been changed to use the 'name' attribute instead. The values of the object_name attribute have been fixed to become proper labels. Ticket #1217
* config widgets entity select default group checkbox for migrationAdam Young2011-06-301-1/+1
|
* Replace the 'private' option in netgroup-find with 'managed'.Jan Cholasta2011-06-281-2/+3
| | | | | | | The 'private' option is kept in to maintain API compatibility, but is hidden from the user. ticket 1120
* ipaddress for host addAdam Young2011-06-201-1/+1
| | | | updated label triggered an API change
* Raise DuplicateEntry Error when adding a duplicate sudo optionJr Aquino2011-06-161-1/+1
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1276 https://fedorahosted.org/freeipa/ticket/1277 https://fedorahosted.org/freeipa/ticket/1308 Added new Exception: AttrValueNotFound Fixed XML Test for Sudorule remove_option 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option)
* Add ignore lists to migrate-ds commandMartin Kosek2011-06-151-1/+5
| | | | | | | | | | | | | | When user migrates users/groups from an old DS instance, the migration may fail on unsupported object classes and/or relevant LDAP object attributes. This patch implements a support for object class and attribute ignore lists that can be used to suppress these migration issues. Additionally, a redundant "dev/null" file is removed from git repo (originally added in 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2). https://fedorahosted.org/freeipa/ticket/1266
* Remove automountinformation as part of the DN for automount.Rob Crittenden2011-06-131-2/+2
| | | | | | | | | | | | | | | | To support multiple direct maps we added description to the DN of automount key entries. The downside of this is that to display a key you had to know the information as well, which was rather pointless if that is what you were trying to get. So now both modes are supported. It will first look for just a key in the description and fall back to including automountinformation if it needs to. Multiple direct maps are still supported and for those the info is always required. ticket 1229
* Add sudorule and hbacrule to memberof and indirectmemberof attributesJr Aquino2011-06-061-4/+20
| | | | | | | | Add Add tests for users, groups, hosts and hostgroups to verify membership Update API to version 2.3 https://fedorahosted.org/freeipa/ticket/1170
* Include the word 'member' with autogenerated optional member labels.Rob Crittenden2011-05-271-76/+76
| | | | | | | There were reports of confusion over what was being prompted for, hopefully adding member will make things clearer. ticket 1062