Martin Basti
10725033c6
DNSSEC: change link to ipa page
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
5556b7f50e
DNSSEC: ACI
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f
DNSSEC: validate forwarders
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
...
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
df1ed11b48
webui: do not offer ipa users to Default Trust View
...
https://fedorahosted.org/freeipa/ticket/4616
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:29:10 +02:00
Petr Vobornik
741c31c2b4
webui: allow --force in dnszone-mod and dnsrecord-add
...
Allow using --force when changing authoritative nameserver address in DNS zone.
Same for dnsrecord-add for NS record.
https://fedorahosted.org/freeipa/ticket/4573
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:06:02 +02:00
Petr Vobornik
d8f05d8841
webui: management of keytab permissions
...
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 10:13:47 +02:00
Nathaniel McCallum
560606a991
Display token type when viewing token
...
When viewing a token from the CLI or UI, the type of the token
should be displayed.
https://fedorahosted.org/freeipa/ticket/4563
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 09:59:19 +02:00
Petr Vobornik
43d3593873
webui: add link to OTP token app
...
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed
https://fedorahosted.org/freeipa/ticket/4469
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-17 15:53:34 +02:00
Petr Vobornik
49fde3b047
idviews: error out if applying Default Trust View on hosts
...
https://fedorahosted.org/freeipa/ticket/4615
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:28:13 +02:00
Petr Vobornik
59ee6314af
keytab manipulation permission management
...
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
These methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will be also used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
...
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Nathaniel McCallum
284792e7d8
Remove token vendor, model and serial defaults
...
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:55:39 +02:00
Martin Kosek
061f7ff331
Raise better error message for permission added to generated tree
...
https://fedorahosted.org/freeipa/ticket/4523
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-10-16 16:00:18 +02:00
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
b50524b10c
Allow user overrides to specify GID of the user
...
Resolves https://fedorahosted.org/freeipa/ticket/4617
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
ca42d3469a
Allow user overrides to specify SSH public keys
...
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.
SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454
Resolves https://fedorahosted.org/freeipa/ticket/4509
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overriding user shell in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Jan Cholasta
8e602eaf46
Remove misleading authorization error message in cert-request with --add
...
https://fedorahosted.org/freeipa/ticket/4540
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-08 09:21:37 +02:00
Martin Kosek
3b8a7883de
Sudorule RunAsUser should work with external groups
...
https://fedorahosted.org/freeipa/ticket/4600
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-02 11:06:47 +02:00
Petr Vobornik
00d598bab0
webui: add link from host to idview
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
2cc78acf9b
webui: facet group labels for idview's facets
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
ae5a34cbbc
webui: new ID views section
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Tomas Babej
51816930a6
idviews: Make sure only regular IPA objects are allowed to be overridden
...
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
902655da59
idviews: Display the list of hosts when using --all
...
Enumerating hosts is a potentially expensive operation (uses paged
search to list all the hosts the ID view applies to). Show the list
of the hosts only if explicitly asked for (or asked for --all).
Do not display with --raw, since this attribute does not exist in
LDAP.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
47268575c9
idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor
...
When resolving non-existent objects, domain validator will raise ValidationError. We need
to anticipate and properly handle this case.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
dbf8d97ecf
idviews: Make sure the dict.get method is not abused for MUST attributes
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
13089eae52
idviews: Handle Default Trust View properly in the framework
...
Make sure that:
1.) IPA users cannot be added to the Default Trust View
2.) Default Trust View cannot be deleted or renamed
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
2131187ea9
idviews: Make description optional for the ID View object
...
Description of any object should not be required.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
1d6f591cc5
idviews: Fix casing of ID Views to be consistent
...
Replace all occurrences of "ID view(s)" with "ID View(s)".
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
277b762d36
idviews: Add ipaOriginalUid
...
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
3ff410d3a7
idviews: Resolve anchors to object names in idview-show
...
When running idview-show, users will expect a proper object name instead of an object anchor.
Make sure the anchors are resolved to the object names unless --raw option was passed.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
c1f51cff02
idviews: Raise NotFound errors if object to override could not be found
...
If the object the user wishes to override cannot be found, we should properly raise a
NotFound error.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
961790e20a
idviews: Change format of IPA anchor to include domain
...
The old format of the IPA anchor, :IPA:<object_uuid>, does not contain the actual domain
of the object. Once IPA-IPA trusts are introduced, we will need this information to be kept
to be able to resolve the anchor.
Change the IPA anchor format to :IPA:<domain>:<object_uuid>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
c6d50c456f
idviews: Alter idoverride methods to work with split objects
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
cbf1ad84f1
idviews: Split the idoverride commands into iduseroverride and idgroupoverride
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
b4a13aeea8
idviews: Split the idoverride object into iduseroverride and idgroupoverride
...
To be able to better deal with the conflicting user / group names, we split the
idoverride objects in the two types. This simplifies the implementation greatly,
as we no longer need to set proper objectclasses on each idoverride-mod operation.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
d03b09beb4
idviews: Support specifying object names instead of raw anchors only
...
Improve usability of the ID overrides by allowing user to specify the common name of
the object he wishes to override. This is subsequently converted to the ipaOverrideAnchor,
which serves as a stable reference for the object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
186c161ef5
idviews: Extend idview-show command to display assigned idoverrides and hosts
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
f3576bd94b
idviews: Add ipa idview-apply and idview-unapply commands
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
6e94d23a92
hostgroup: Selected PEP8 fixes for the hostgroup plugin
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
ce42bf282f
hostgroup: Remove redundant and star imports
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
936eaada89
hostgroup: Add helper that returns all members of a hostgroup
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
377ab0c4a6
idviews: Add managed permissions for idview and idoverride objects
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
b65b74890b
idviews: Create basic idview plugin structure
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
f48a7bb730
ipalib: PEP8 fixes for host plugin
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
3e2e5a4d28
ipalib: Remove redundant and star imports from host plugin
...
Also fixes incorrect error catching for UnicodeDecodeError.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
be36525dc5
idviews: Add ipaAssignedIDVIew reference to the host object
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
d83af7d38d
baseldap: Properly handle the case of renaming object to the same name
...
When renaming an object to the same name, errors.EmptyModList is raised.
This is not properly handled, and can cause other modifications in the
LDAPUpdate command to be ignored.
https://fedorahosted.org/freeipa/ticket/4548
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-29 15:24:58 +02:00
David Kupka
cd9a4cca1f
Do not require description in UI.
...
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.
https://fedorahosted.org/freeipa/ticket/4387
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-29 12:53:43 +02:00