Commit Graph

1443 Commits

Author SHA1 Message Date
Rob Crittenden
b66c680f86 Remove principal as an option when updating an existing user.
ticket 559
2010-12-17 17:08:12 -05:00
Rob Crittenden
e0a39234f7 Add metadata for the selfservice and delegation plugins. 2010-12-14 11:06:51 -05:00
Rob Crittenden
cd7b64103b Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.

ticket 532
2010-12-13 20:15:46 -05:00
Rob Crittenden
8a534bf07b Give the memberof plugin time to work when adding/removing reverse members.
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.

We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.

ticket 560
2010-12-13 17:58:43 -05:00
Jr Aquino
b23b3911d2 sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 2010-12-13 17:56:13 -05:00
Adam Young
2884bce276 relabel role
no longer calling them role groups.
2010-12-13 15:10:20 -05:00
Rob Crittenden
5f8a9b9849 Add --out option to service, host and cert-show to save the cert to a file.
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.

ticket 473
2010-12-13 09:58:26 -05:00
Rob Crittenden
c9807f4b25 Better handle permission object updates versus aci object updates.
permissions are a real group pointed to by an aci, managed by the same
plugin. Any given update can update one or both or neither. Do a better
job at determining what it is that needs to be updated and handle the
case where only the ACI is updated so that EmptyModList is not thrown.

ticket 603
2010-12-13 09:55:28 -05:00
Rob Crittenden
ba8d21f5ae Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.

We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added

ticket 567
2010-12-13 09:53:29 -05:00
Rob Crittenden
e8157f2628 Fix typo in migration documentation 2010-12-13 09:48:16 -05:00
Rob Crittenden
be3c8e8c02 Don't import from ipaserver when not in a server context.
ticket 579
2010-12-11 12:50:17 -05:00
Jan Zeleny
8fd288df08 Print expected error message in hbac-mod
This patch catches NotFound exception and calls handling function
which then sends exception with unified error message.

https://fedorahosted.org/freeipa/ticket/487
2010-12-10 13:52:14 -05:00
Rob Crittenden
e8e274c9e0 Properly handle multi-valued attributes when using setattr/addattr.
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.

I've added some simple tests for setattr and addattr.

ticket 565
2010-12-10 13:42:47 -05:00
Rob Crittenden
1a20d75421 Set labels on all attributes in the config object.
Make the cert subject base read-only. This is here only so replicated servers
know their base.

ticket 466
2010-12-10 13:41:35 -05:00
Rob Crittenden
5b7abefb42 If any params marked alwaysask are provided then prompt for none of them.
ticket 604
2010-12-09 15:06:42 -05:00
Rob Crittenden
bfcf25cf54 Add documentation to the migrate-ds command.
ticket 539
2010-12-09 15:04:32 -05:00
Rob Crittenden
4c09809ea8 Add plugin for manage self-service ACIs
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.

Right now only ACIs in the basedn can be managed with this plugin.

ticket 531
2010-12-08 13:51:10 -05:00
Jr Aquino
751ee81771 Enable/Disable SudoRule https://fedorahosted.org/freeipa/ticket/570 2010-12-08 11:32:55 -05:00
Jr Aquino
cdf360151b Adding user/host category and ipaenabledflag https://fedorahosted.org/freeipa/ticket/570 This patch Addresses items: 1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has ipaenabledflag attribute which can be managed using hbac-enable/disable operations. 2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has usercategory attribute which can be managed using hbac-add/mod operations. 3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has hostcategory attribute which can be managed using hbac-add/mod operations. 2010-12-08 10:30:02 -05:00
Jakub Hrozek
9e5fdcb3a4 Fix kwargs usage in automount plugin
https://fedorahosted.org/freeipa/ticket/580
2010-12-07 17:17:23 -05:00
Pavel Zuna
bee5c1d174 Fix default attributes in config plugin (ipadefaultemaildomain).
Ticket #573
2010-12-07 16:41:06 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Jakub Hrozek
4c75495b3d Do not migrate krbPrincipalKey
https://fedorahosted.org/freeipa/ticket/455
2010-12-07 10:37:26 -05:00
Jakub Hrozek
1c3aa1f2c8 Make the migration plugin more configurable
This patch adds new options to the migration plugin:
 * the option to fine-tune the objectclass of users or groups being imported
 * the option to select the LDAP schema (RFC2307 or RFC2307bis)

Also makes the logic that decides whether an entry is a nested group or user
(for RFC2307bis) smarter by looking at the DNS. Does not hardcode primary keys
for migrated entries.

https://fedorahosted.org/freeipa/ticket/429
2010-12-07 10:37:17 -05:00
Rob Crittenden
fee9fae941 Add more information and examples on targets.
ticket 310
2010-12-06 11:46:40 -05:00
Rob Crittenden
bfb3e46996 Remove accessTime from HBAC.
ticket 545
2010-12-06 11:42:13 -05:00
Jan Zeleny
19049d1a64 Check if the group exists
When setting default group, we should check if the group exists.
If not, it could lead to some issues with adding new users after
the new default group is set.

https://fedorahosted.org/freeipa/ticket/504
2010-12-06 11:25:25 -05:00
Jan Zeleny
9a5d4f2e18 Document that the default group has to exist
After calling ipa config --defaultgroup=xxx with nonexistent group xxx,
the result will be that no new user can be added. The operation will
always fail in the middle because it is not possible to add the new user
to desired default group.

https://bugzilla.redhat.com/show_bug.cgi?id=654117#c4
2010-12-06 11:24:51 -05:00
Rob Crittenden
1bcd4a389d When deleting multiple entries use --continue, not --continuous.
ticket 561
2010-12-03 17:32:38 -05:00
Rob Crittenden
0ca29095a8 Don't look up the CoS entry with the global password policy.
ticket 523
2010-12-03 13:51:01 -05:00
Rob Crittenden
8a63315ef3 Provide list of available attributes for use in ACI UI.
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.

ticket 446
2010-12-03 13:01:42 -05:00
Endi S. Dewata
867ac1f03d Fixed association links
The create_association_facets() has been modified such that it
does not generate duplicate links. This is done by assigning the
proper labels and hiding non-assignable associations.

Each association will get a label based on the attribute used:
 - memberof: Membership in <entity name>
 - member.*: <entity name> Members
 - managedby: Managed by <entity name>

The following associations will be hidden:
 - memberindirect
 - enrolledby

The internal.py was modified to return localized labels.

The test data has been updated.
2010-12-03 12:57:43 -05:00
Adam Young
e33377bc13 dns2 ui replaceing calls for the dns plugin to the dns2 plugin no has attribute permissions and all other benefits of building on the baseldap plugin 2010-12-03 11:42:38 -05:00
Jan Zeleny
188ca3a360 Added some fields to user object
Some fields were missing from user object, this change adds them
along with their l10n

https://fedorahosted.org/freeipa/ticket/305
2010-12-03 10:18:23 -05:00
Rob Crittenden
a41e69fba3 Add labels for passwords, fix output of exceptions, fix passwd output.
Passwords didn't have internationalizable labels.

Exceptions that occured during required input weren't printed as unicode
so weren't being translated properly.

Don't use output_for_cli() directly in the passwd plugin, use output.Output.

ticket 352
2010-12-02 16:31:42 -05:00
Rob Crittenden
6c393e53b0 This is the second half of a patch. Only the part that had to be
re-based got pushed for some reason.

Use better description for group names in help and always prompt for members

When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.

This will work via a shell if you want to echo too:

$ echo "" | ipa group-add-member g1

This returns 0 members because nothing is read for users or group members.

$ echo -e "g1\nadmin\n" | ipa group-add-member

This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.

ticket 415
2010-12-02 16:29:26 -05:00
Rob Crittenden
df592c6cc8 Use better description for group names in help and always prompt for members
When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.

This will work via a shell if you want to echo too:

$ echo "" | ipa group-add-member g1

This returns 0 members because nothing is read for users or group members.

$ echo -e "g1\nadmin\n" | ipa group-add-member

This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.

ticket 415
2010-12-02 16:21:31 -05:00
Jan Zeleny
ac62447329 Updated output when calling hbac-show
Some attributes weren't included in the output of hbac-show command.
This patch fixes it.

https://fedorahosted.org/freeipa/ticket/494
https://fedorahosted.org/freeipa/ticket/495
2010-12-02 16:10:25 -05:00
Jakub Hrozek
55479e4512 Normalize and convert default params, too
https://fedorahosted.org/freeipa/ticket/555
2010-12-02 16:06:13 -05:00
Pavel Zuna
5db7c4ec34 Add new version of DNS plugin: complete rework with baseldap + unit tests.
Ticket #36
Ticket #450
2010-12-01 21:32:09 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Adam Young
47d61e6cab action panel sibling added function to get sibling entities from the tab set. remove explicit sibling code from entity pages Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI 2010-12-01 15:21:02 -05:00
Pavel Zuna
94957c8ddc Prompt correctly for required Password params.
Ticket #361
2010-11-30 15:14:28 -05:00
Rob Crittenden
88133ab43c Create user private groups with a uniqueid.
If we don't then we need to add it when a group is detached causing
aci issues.

I had to move where we create the UPG template until after the DS
restart so the schema is available.

ticket 542
2010-11-30 09:52:05 -05:00
Jan Zeleny
58bcb5e7f9 Handle error messages during various HBAC operations
During some HBAC operations, various error messages were handled
incorrectly - displaying only generic error messages instead of
correct ones, which were defined for the module.

This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.

https://fedorahosted.org/freeipa/ticket/487
2010-11-29 17:19:40 -05:00
Adam Young
16b935169c whoami fix
recent changes to the scope mechanism weren't propigated to the whoami call
2010-11-24 16:36:36 -05:00
Pavel Zuna
a34bb67cbd Rename parent LDAPObject pkeys in child LDAPObject methods.
If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
2010-11-24 09:54:01 -05:00
Rob Crittenden
97e9309db3 Gracefully handle an empty members list
This can occur if you do something like:

$ ipa hbac-add-host --hosts="" testrule

options will have an entry for 'host' but it will be None whcih is
not iterable.

ticket 486
2010-11-24 08:38:48 -05:00
Pavel Zuna
9120155dae Generate better DuplicateEntry error messages in LDAPCreate.
Ticket #530
2010-11-23 21:32:12 -05:00
Pavel Zuna
5060fdfade Change signature of LDAPSearch.pre_callback.
Add the opportunity to change base DN and scope in the callback.
2010-11-23 21:29:08 -05:00
Rob Crittenden
6d51a48af8 Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238
2010-11-23 18:23:29 -05:00
Endi S. Dewata
3e540272c6 Multivalued email address 2010-11-20 02:31:40 -05:00
Jakub Hrozek
3682a1c385 Improve the documentation of setattr/addattr
https://fedorahosted.org/freeipa/ticket/245
2010-11-19 13:54:27 -05:00
Rob Crittenden
53d1553755 Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.

ticket 250
2010-11-19 13:47:09 -05:00
Rob Crittenden
1b166c9e8b Fix returning effective rights for password policy.
This also returns the rights for cospriority if the policy is for a group.

ticket 449
2010-11-19 12:36:31 -05:00
Rob Crittenden
d4f25453e1 Add managedby to Host entries
This will allow others to provision on behalf of the host.

ticket 280
2010-11-19 10:31:42 -05:00
Rob Crittenden
2046eddb7a Revoke a host's certificate (if any) when it is deleted or disabled.
Disable any services when its host is disabled.

This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.

ticket 297
2010-11-19 10:31:42 -05:00
Simo Sorce
151059b0e7 Use distutil.version to check for min version 2010-11-18 15:13:22 -05:00
Simo Sorce
8c616eb10a add plugin to enable/disable anonymous pkinit 2010-11-18 15:09:51 -05:00
Adam Young
775fc23738 batch init this batches together the calls to json_metadata, i18n_messages, and user-find [whoami] tostreamline the init process, and also allow us to add a call to enumerate the plugins. 2010-11-18 20:02:45 -05:00
Rob Crittenden
25469cf4f1 Increase # of chars in users and groups to 255 and default username to 32.
ticket 434
2010-11-12 17:25:40 -05:00
Rob Crittenden
1db42b5461 Don't include INTERNAL commands in ipa help commands output.
ticket 463
2010-11-10 20:20:29 -05:00
Pavel Zuna
dc34075fa5 Replace 'Locking' in ipa help user with 'Disabling'.
Ticket #452
2010-11-09 14:02:12 -05:00
Adam Young
1f9531bea2 delete to remove THe keyword delete is reserved in Javascript Using it breaks the WebUI on Chrome. This fixes replaces the word with delete. 2010-11-09 02:14:23 -05:00
Rob Crittenden
537f4074d1 Add usercategory and hostcategory and fix displaying members in netgroup_show
ticket 443
2010-11-08 15:23:41 -05:00
Jakub Hrozek
a874d5f8e5 Clarify the description of --raw and -all
https://fedorahosted.org/freeipa/ticket/244
2010-11-08 15:23:03 -05:00
Adam Young
90baf597dd Ticket Expiration
THis patch handles Kerberos ticket expiration in the UI.  Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app

Conflicts:

	install/static/ipa.js
2010-11-08 14:17:47 -05:00
Rob Crittenden
655aa0fcdf Add the --rights option to the LDAPUpdate base class.
ticket 437
2010-11-05 16:30:19 -04:00
Rob Crittenden
9c50371652 Fix typo in exception sample causing a doctest to fail 2010-11-05 12:17:09 -04:00
Adam Young
2c7f2e8fea batch
Allows the user to send multiple commands bundled together
2010-11-05 11:21:42 -04:00
Rob Crittenden
6f5cd3232a user-enable/disable improvements
Always display the account enable/disable status.

Don't ignore the exceptions when a user is already enabled or disabled.

Fix the exception error messages to use the right terminology.

In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.

ticket 392
2010-11-04 12:49:33 -04:00
Rob Crittenden
72cf73b6b6 Output ACI's broken out into attributes rather than a single text field
Also add validation to the List parameter type.

ticket 357
2010-11-04 12:48:45 -04:00
Jr Aquino
c99fda0d1e Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes. 2010-11-03 10:23:40 -04:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Rob Crittenden
03de1b89ca Implement nested netgroups and include summaries for the commands.
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.

ticket 209
2010-10-29 14:03:15 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
c1dfb50ee9 Remove group nesting from the HBAC service groups
ticket 389
2010-10-28 17:34:34 -04:00
Rob Crittenden
33802ab712 Use context to decide which name to return on RequirementsErrors
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).

If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.

ticket 187
2010-10-28 16:06:06 -04:00
Rob Crittenden
ff636984ab Add option to generate random one-time password for hosts for bulk enrollment
ticket 228
2010-10-28 15:27:58 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
47629a604d Retrieve Get Effective Rights output with LDAPRetrieve
The output is a pure python dict so is really only useful when used with
--all so it is required.

Updated to return a string for rights as opposed to a list.  Terser, reducing the wire size by a factor of 3.5
2010-10-28 14:35:34 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Pavel Zuna
93290c8a72 Add LDAPObject setting to handle different attributes for RDN and PKEY. 2010-10-28 07:58:31 -04:00
Simo Sorce
c51ce61e4d UUIDs: remove uuid python plugin and let DS always autogenerate
merge in remove uuid
2010-10-28 07:58:31 -04:00
Adam Young
038ae18a8a whoami goodbye
Removing the whoami plugin, as it has been wrapped up into the user plugin
2010-10-26 10:20:32 -04:00
Rob Crittenden
0e4e1f4bbd Fix two failing tests.
The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.
2010-10-22 21:45:37 -04:00
Rob Crittenden
6220b53893 Set default encoding to utf-8, use unicode when printing output.
The Gettext() object only does the lookup when you print it as a unicode.

ticket 308
2010-10-22 21:39:53 -04:00
Pavel Zuna
42c78a383d Add flag to group-find to only search on private groups.
ticket #251
2010-10-20 17:38:03 -04:00
Endi S. Dewata
2c5f3cfd60 Host certificate management
The service certificate management UI has been generalized and moved
into certificate.js. The host details page is now using the same code
to manage certificates. The host.py has been modified to return host
certificate info.

The Get/Revoke/View buttons behavior has been modified such that they
are visible only if there is a valid certificate. The Get dialog box
has been fixed to show the correct certificate header and footer.

The ipa.css has been modified to store the style of the status bullets.
New unit tests for certificate has been added. The test data has been
modified to include sample host certificate.
2010-10-20 09:33:44 -04:00
Rob Crittenden
fe7d97a3d9 Fix problem testing for mutual exclusivity in hbac plugin.
This should fix the hbac tests.
2010-10-18 15:47:16 -04:00
Pavel Zuna
dff2ff8300 Disallow RDN change and single-value bypass using setattr/addattr.
When setting or adding an attribute wiht setatt/addattr check to
see if there is a Param for the attribute and enforce the multi-value.
If there is no Param check the LDAP schema for SINGLE-VALUE.

Catch RDN mods and try to return a more reasonable error message.

Ticket #230
Ticket #246
2010-10-18 14:44:42 -04:00
Rob Crittenden
0ceba59d87 Add Requires on ipa-client to ipa-admintools, ensure ipa client is configured
It makes little sense to install ipa-admintools without ipa-client, require it.

Also see if the client has been configured. This is a bit tricky since we
have a full set of defaults. Add a new env option that gets set if at least
one configuration file is loaded.

ticket 213
2010-10-15 15:03:51 -04:00
Rob Crittenden
264413bcb9 Handle regular socket errors gracefully in ipa command
ticket 382
2010-10-15 15:02:18 -04:00
Rob Crittenden
2f6fa22ab0 Improve doc string for password
ticket 182
2010-10-15 15:00:48 -04:00
Endi S. Dewata
4c24581b5c Service certificate UI.
The service.py has been modified to include certificate info in
the service-show result if the service contains usercertificate.

A new file certificate.js has been added to store codes related
to certificates (e.g. revocation reasons, dialog boxes). The
service.js has been modified to provide the UI for certificate
management. The certificate.js can also be used for host
certificate management.

The Makefile.am and index.xhtml has been modified to include
certificate.js. New test data files have been added for certificate
operations.

To test revoke and restore operations the server needs to be
installed with dogtag CA instead of self-signed CA.

The certificate status and revocation reason in the details page
will be implemented in subsequent patches. Unit tests will also
be added in subsequent patches.
2010-10-15 14:26:07 -04:00
Rob Crittenden
19272e5b8e Fix group deletion
ticket 347
2010-10-13 17:58:15 -04:00
Rob Crittenden
53c218cf2f Return non-zero when the number of entries from *-find returned is zero.
ticket 325
2010-10-13 13:00:58 -04:00
Rob Crittenden
3d55b66e48 Enforce the maximum username length from cn=ipaconfig
ticket 226
2010-10-13 13:00:51 -04:00
Rob Crittenden
16931cfe2d Detect when DNS is not configured and return an error message
It would be nicer if we disabled the command altogether but this would require
checking the server to see every time the ipa command is executed (which would
be bad). We can't store this in a configuration file because it is possible
to add a DNS post-install (and it would require adding this to every single
client install).

ticket 147
2010-10-13 13:00:07 -04:00
Rob Crittenden
0197ebbb7b Add ability to import automount files from the command-line.
Support is fairly basic right now and will only work on the CLI. All
the work is done on the client side.

To continue past errors use the --continue option.

Fixed a bug where direct mounts weren't always added properly.

Added real user documentation to the plugin.

ticket 78
2010-10-12 18:07:26 -04:00
Adam Young
dcc0d76ef9 dns metadata
This is a little bit of a copy and paste approach, as the code for__json__
 was copied from baseldap.  Long term, we want to rewrite this plugin as
an extension of baseldap anyway.
2010-10-12 14:30:13 -04:00
Endi S. Dewata
1dc0a3ab3e Certificate management for services.
This is an initial implementation of certificate management for
services. It addresses the mechanism required to view and update
certificates. The complete UI implementation will be addressed in
subsequent patches.

On the server side, the service.py has been modified to define
usercertificate in the service object's takes_params. This is
needed to generate the proper JSON metadata which is needed by
the UI. It also has been modified to accept null certificate for
deletion.

On the client side, the service details page has been modified to
display the base64-encoded certificate in a text area. When the
page is saved, the action handler will store the base64-encoded
certificate in the proper JSON structure. Also the service name
and service hostname are now displayed in separate fields.

The details configuration has been modified to support displaying
and updating certificates. The structure is changed to use maps
to define sections and fields. A section contains name, label,
and an array of fields. A field contains name, label, setup
function, load function, and save function. This is used to
implement custom interface and behavior for certificates.

All other entities, test cases, and test data have been updated
accordingly. Some functions and variables have been renamed to
improve clarity and consistency.
2010-10-12 14:17:24 -04:00
Rob Crittenden
d2a9ccf407 Accept an incoming certificate as either DER or base64 in the service plugin.
The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the format
it came in as.

ticket 348
2010-10-08 13:15:03 -04:00
Rob Crittenden
be6aa7039b Return non-zero when group membership change fails, no empty fail list.
There is no point (and it is confusing) to print an empty list when
modifying group membership fails, so suppress it.

If any membership change fails we should return non-zero.

tickets 271, 273, 274
2010-10-08 10:11:54 -04:00
Rob Crittenden
bed6e81935 If an HBAC category is 'all' don't allow individual objects to be added.
Basically, make 'all' mutually exclusive. This makes debugging lots easier.
If say usercat='all' there is no point adding specific users to the rule
because it will always apply to everyone.

ticket 164
2010-10-08 10:11:41 -04:00
Adam Young
9cb3a07aca policy and config
Population of the policy and entites tabs.
    DNS and ACI are broken due to PLugin issues
    Fix for entities without search
    Added new files to Makefile.am
    used rolegroup.js file as the start point, renamed to serverconfig.js
2010-10-07 14:51:02 -04:00
Pavel Zuna
8a2ea9a7e0 Fix inconsistent error message when deleting groups that don't exist.
Ticket #292
2010-10-06 10:01:59 -04:00
Pavel Zuna
6606b2a9c5 Rename user-lock and user-unlock to user-enable user-disable.
Ticket #165
2010-10-06 09:20:44 -04:00
Pavel Zuna
9832780414 Add 'continuous' mode to LDAPDelete. Fix *-del unit tests.
Ticket #321
2010-10-06 09:20:41 -04:00
Pavel Zuna
bf053652bc Generate additional positional arguments for baseldap commands from takes_args. 2010-10-06 09:20:38 -04:00
Jr Aquino
bfd2e383dc Added modifications to the sudorule plugin to reflect the schema update. 2010-10-05 21:37:59 -04:00
Adam Young
38490d35d3 phonenumbers
Added in params for phone number  types: phone, fax, mobile ,pager
2010-10-01 16:05:08 -04:00
Rob Crittenden
f906aaf376 Groups are now created as POSIX by default.
ticket 241
2010-10-01 14:16:36 -04:00
Rob Crittenden
aac7badb77 Remove reliance on the name 'admin' as a special user.
And move it to the group 'admins' instead. This way the admin user can
be removed/renamed.

ticket 197
2010-10-01 13:38:52 -04:00
Pavel Zuna
c106922c13 Add Delete capabilities to Search facet in the WebUI.
Ticket #206
2010-10-01 10:00:10 -04:00
Pavel Zuna
838c1f2c94 Add LDAPMultiQuery base class and make it the base of LDAPDelete.
In other words: make *-del commands accept 1 or more primary keys
of entries to be deleted.

Ticket #20
2010-10-01 10:00:01 -04:00
Rob Crittenden
b5fcfb1495 Fix sizelimit/timelimit options not working in user_find 2010-09-30 17:48:00 -04:00
Rob Crittenden
c298560a1e Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration.
We lacked good error messages if the user/group container you used doesn't
exist.

Add a --continue option so things can continue if you use a bad user/group
container. This has the side-effect of letting you migrate just users or
groups by using a bad container for the one you don't want.

Fix a Gettext() error when displaying the migrated password message.

ticket 289
2010-09-28 13:39:28 -04:00
Jr Aquino
af48654cbc Add plugins for Sudo Commands, Command Groups and Rules 2010-09-27 22:38:06 -04:00
Adam Young
c187702bfe I18N for web
Performing I18N completely on the server, to leverage the
existing gettext architecture.
Also, the browser does not have access to the Language header.

Added the additional po files for a set of required languages

conflict with install/static/ipa.js was resolved.

Note that the addition of the .po files in this patch is necessary.
In order to get Transifex support, we need to update the LINGUAS
file with the languages for which we want support.  If we don't
add the .po files in, they get automatically generated by the rpmbuild
process.  Our implementation of gettext has a bug in it (It might
be F13 thing) where the the Plurals line is not getting correctly
transformed, which causes a build failure.  However, since the
RPM would have the .po files  anyway, we should revision control
the ones we have, even if they are empty.

Fixed the Bug reporting url to the original value.
Corrected the Chartype encoding for UK
2010-09-27 13:30:55 -04:00
Rob Crittenden
ed56112023 Use the principal from the context in whoami.
ticket 227
2010-09-24 09:55:03 -04:00
Rob Crittenden
47f849ec21 Try to make topic help less confusing. Rename Related to Topic commands.
Also don't print the commands at the bottom if the plugin implements
only one command, like the passwd plugin.

ticket 105
2010-09-23 12:04:13 -04:00
Rob Crittenden
9fd7fedb76 Add an example for creating an HBAC service and service group.
Try to tie in the hbacsvc and hbacsvcgroup plugins better through an
example.

ticket 159
2010-09-23 11:59:14 -04:00
Rob Crittenden
89d2280a79 Add command to resolve a hostname. Returns True or raises NotFound.
Note that this doesn't rely on IPA having a configured DNS server.
It passes the host name to the resolver and doesn't try to do a lookup
within the IPA DNS directly (e.g. no internal LDAP search).

Tries to determine if a domain is included and if not then the IPA
domain is added. This won't do the right thing if there are multiple
configured subdomains.

ticket 106
2010-09-23 11:50:16 -04:00
Pavel Zuna
1bb412239d Big webUI patch.
Quick summary:
- use jQuery UI and jQuery BBQ libraries
- code restructuring

The patch has so many changes they can't be listed here. Many parts
of the code have been rewritten from scrach.

See freeipa-devel mailing list:
webUI code restructuring [wall of text, diagrams, ... you've been warned!]
2010-09-07
2010-09-17 19:42:40 -04:00
Adam Young
5fd09b016b user-find whoami
Now no longer breaks user-find with a filter
Uses the corrected Params for getting option
printf style strings
2010-09-15 15:04:42 -04:00
Adam Young
30def30eaf Revert "user whoami"
This reverts commit bef0690a2f.
2010-09-14 16:42:30 -04:00
Adam Young
bef0690a2f user whoami
Added a whoami option to the user, allows the user to query their own information based on their Kerberos principal
2010-09-14 13:57:56 -04:00
Rob Crittenden
67a4549519 Remove some additional instances of krbV from ipa-client
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.

Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.

ticket 136
2010-09-10 17:04:01 -04:00
Rob Crittenden
2e8bae590e Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.

This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.

This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.

ticket 67
2010-09-09 16:38:45 -04:00
Rob Crittenden
d0ea0bb638 Changes to fix compatibility with Fedora 14
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6

Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata

ticket 155
2010-08-31 16:59:27 -04:00
Rob Crittenden
4b6b710ba6 Update command documentation based on feedback from docs team.
ticket #158
2010-08-27 13:31:04 -04:00
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
e225ad4341 Add support for ldap:///self bind rules
This is added mainly so the self service rules can be updated without
resorting to ldapmodify.

ticket 80
2010-08-19 10:49:42 -04:00
Pavel Zuna
7a007d958b Fix Update function on details page.
The problem was that parameters with no values are automatically
set to None by the framework and it wasn't handled properly in
baseldap.py:get_attributes function. Also, there were two logical
bugs in details.js:
1) atttribute callback to update values were called for input elements
   instead of dt elements
2) it was always trying to update the primary key
2010-08-17 14:53:03 -04:00
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Adam Young
3e6f0f5721 From: Pavel Zuna <pzuna@redhat.com>
Date: Tue, 10 Aug 2010 16:41:28 -0400
Subject: [PATCH 2/6] Add a new INTERNAL plugin that exports plugin meta-data into JSON.

This is required for the webUI, since we're dropping Genshi. *ehm* :)

You can't use this command on the CLI. It takes one optional argument:
the name of an IPA object. If not specified, meta-data for all objects
are returned.
2010-08-13 17:56:16 -04:00
Adam Young
030b5dab93 Change the behaviour of addattr/setattr parameters.
setattr and addattr can now be used both to set all values of
ANY attribute. the last setattr always resets the attribute to
the specified value and all addattr append to it.

Examples:
user-mod testuser --setattr=title=msc
  title: msc
user-mod testuser --setattr=title=msb
  title: msb
user-mod testuser --addattr=title=msc
  title: msb, msc
user-mod testuser --setattr=title=
  title:
user-mod testuser --setattr=title=msc --addattr=msb
  title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
  title: ing, bc
user-mod testuser --setattr=title=doc
  title: doc

It's not very user friendly, but it's going to be used very very
rarely in special conditions in the CLI and we can use it to save
lots of JSON-RPC roundtrips in the webUI.

This version includes calling the validation of Params during the setting of the attrs.
2010-08-13 16:20:41 -04:00
Pavel Zuna
f15758dbea Improve serialization to JSON.
- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.
2010-08-12 09:06:22 -04:00
Pavel Zuna
cc9d0ffc67 Fix bug: not found exc. handler was failing for singleton objects 2010-08-12 09:03:36 -04:00
Pavel Zuna
6136f773a9 Add new parameters to LDAPSearch: timelimit and sizelimit. 2010-08-12 09:02:39 -04:00
Pavel Zuna
5797c8167a Make LDAPObject classes JSON serializable. 2010-08-12 09:01:56 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
8ad88b4119 Properly show the members when an add/remove operation fails.
The remove member function in baseldap was not returning failures at all.
The add member function was only showing them in the group object.

Most of the magic is handled in baseldap. Each plugin just needs to define
object_name and object_name_plural. object_name must be all lower-case
because fake-attributes are created so membership can be broken out
per-object type. I left the plural name lower case as well.

ticket 85
2010-08-06 15:34:09 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
830910d1f3 Have the env plugin print all attributes by default
ticket #113
2010-08-06 13:12:42 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Adam Young
056419403a whoami plugin.
It returns the user prinicpal.
This is required by the webui, as the Kerberos credential mechanism in http
does not expose the cleartext prinicpal to the web browser.
2010-08-05 20:36:08 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
18476c9538 Use newer API in ipalib/x509 and add missing import.
The import was only used when running the in-tree lite-server
2010-07-15 11:17:58 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
2bb2850fff Include contents of has_output_params in get_output_params 2010-07-13 09:27:50 -04:00
Rob Crittenden
371a4b2c72 Add separate var for search attributes and config attribute for search fields
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.

Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
2010-07-13 09:27:34 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba0f18dcd6 Clean up imports of hbacsvc plugin
I used pylint to identify a bunch of unnecessary and too-broad imports
2010-07-06 15:39:41 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
901ccc1393 First pass at per-command documentation 2010-06-22 13:58:04 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
1dd7b11b0b Connect the -v cli argument to the verbose flag in xmlrpclib
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
2010-06-03 17:08:22 -04:00
Rob Crittenden
4924270b45 Increase supported weeks per month from 4 to 6 in AccessTime() type 2010-06-03 09:25:25 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
72afb4c605 Try to clear up that uid is a number, not the login name 2010-05-17 13:49:50 -04:00
Rob Crittenden
4a0b38a8ec Enforce that max password lifetime is greater than the min lifetime
461325
2010-05-17 13:49:23 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Rob Crittenden
1943993737 Remove left-over debugging statement 2010-05-14 17:28:22 -04:00
Pavel Zuna
64490a3ee0 Correctly handle EmptyModlist exception in pwpolicy2-mod.
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
2010-05-14 11:07:10 -04:00
Pavel Zuna
7993719329 Add exception callback (exc_callback) to baseldap.py classes.
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
2010-05-14 11:06:59 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
Rob Crittenden
fa59c8b9d3 Increase the attributes we display by default and fix up some labels. 2010-05-05 14:58:01 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
Rob Crittenden
2f50668753 Fix output of summary and embedded dictionaries
Summaries were appearing as "Gettext(...")

Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
2010-05-03 13:40:34 -06:00
Martin Nagy
04182bf68f Add forgotten trailing dots in DNS records
583023
2010-04-23 17:19:41 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Pavel Zuna
bc5b5a82d9 Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting
The DNS plugin is getting old, tired and already looking forward to his
pension in the Carribean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
  had the has_output attribute in place
- --all: this is related to the output definitions as
  Command.get_options() adds the --all and --raw options automatically
  if has_output contains entries
- dns-add-rr overwritting: missing .lower() caused records to be
  overwritten everytime a new one was added from the CLI
2010-04-19 11:38:19 +02:00
Pavel Zuna
18349dda0f Enable LDAPObject subclasses to disable DN normalization in their methods. 2010-04-16 14:24:20 -04:00
Pavel Zuna
671bb9c978 Add interface for baseldap plugins to register additional callbacks. 2010-04-16 13:43:05 -04:00
Pavel Zuna
e143c22d69 Fix output of env plugin. It displayed more than it should. 2010-04-16 11:06:54 -04:00
Jason Gerard DeRose
918721c1d0 XML-RPC signature change 2010-03-30 15:10:58 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Pavel Zuna
c7a35f95c5 Fix output for commands that do not return entries.
I also changed the default value of the print_all argument in
textui.print_entry from False to True. It think it makes more sense this
way, because:

1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the
   rest
3) commands that care about the print_all argument have to set it in any
   case, those that don't care usually want to print everything
2010-03-26 16:56:47 -04:00
Rob Crittenden
4a61ff681c Fix cut-and-paste error in pwpolicy plugin 2010-03-23 15:59:54 -04:00
Rob Crittenden
9922f47ecb Do a better query so we can optimize seeing if a cospriority is unique 2010-03-23 14:03:26 -04:00
Pavel Zuna
c9831d1cc6 Use ldap2.make_*dn* methods in pwpolicy plugin.
Fixes #572423.
2010-03-22 11:49:20 -04:00
Pavel Zuna
43ab2c483d Add INTERNAL flag to frontend plugins. If set, the plugin won't show in UI. 2010-03-22 10:41:36 -04:00
Rob Crittenden
664ae51eb6 Raise an error if no modifications were performed in an update.
This will alert the user that nothing was done and is handy when used
with --attr=''. This can be used to delete a non-required attribute but
can be set to any valid attribute, present or not. We should alert the
user if they attempt to delete a non-existant value.
2010-03-19 08:33:42 -06:00
Rob Crittenden
d13fcb6a0c Ensure that the group policy priority is unique.
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
2010-03-19 07:13:33 -06:00
Rob Crittenden
00f27fe8c9 Fix a number of bugs in the pwpolicy plugin
This fixes:
- Consistent usage of priority vs cospriority in options
- Fixes bug introduced with recent patch where global policy couldn't be
  updated
- Doesn't allow cospriority to be removed for groups (#570536)
- returns the priority with group policy so it can be displayed
- Properly unicode encode group names for display
2010-03-19 04:36:56 -06:00
Rob Crittenden
b46f262a60 Include params in Method.output_params
Method overrides the Command get_output_params() method and only returns
the object params, not anything defined within the method itself. Return
those as well so they are displayed in output. Some care needs to be taken
to avoid returning duplicate values. In the case of duplicates the
value in obj.params wins.
2010-03-19 04:31:40 -06:00
Rob Crittenden
1400c85188 Catch modifications with no updates and raise an error
569848
2010-03-17 23:52:15 -06:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00
Rob Crittenden
7ff4efecaa Fix typo in automount doc message.
Update the po to pick up this change too.

573979
2010-03-16 17:23:06 -04:00
Jason Gerard DeRose
c350f84134 Finish deferred translation mechanism 2010-03-16 11:41:22 -06:00
Pavel Zuna
b0f302bd99 Provide more detailed NotFound error messages from baseldap classes. 2010-03-09 16:52:47 -05:00
John Dennis
b75d06e189 localize doc strings
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()

Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.

Also clean up imports of _() The import should come from
ipalib or ipalib.text, not ugettext from request.
2010-03-08 21:10:36 -07:00
Rob Crittenden
f7b512b826 When raising an error about a required attribute, use cli_name not name.
name is an LDAP attribute and may not be easily identifiable (e.g. sn).
2010-03-07 13:04:50 +01:00
Rob Crittenden
96d7de9cae Don't calculate min/max lifetime if None is passed in.
None is passed if the option is set with --minlife=''. This is a valid
use case to delete a non-required attribute. In this case we simply
don't do the math on None and things work as expected.

569847
2010-03-07 12:29:31 +01:00
John Dennis
789cba4378 fix bug 570392, command help traceback
As a consequence of using doc=_('some message') the _()
method was returning a Gettext instance, thus when optparse
was handed the help text it received a Gettext instance instead
of a basestring. optparse tried to operate on the Gettext instance
as if it were a basestring and since it wasn't threw an exception.
The fix is to promote (e.g. cast) the option.doc to unicode.
If the option.doc was a str it becomes unicode, if it was unicode
nothing happens, if it was Gettext (or any other object implementing
the __unicode__() method) object is converted to unicode via the
objects rules.

By the way, while debugging this I discovered strings which were not
localized, sometimes option.doc would be a str and sometimes a Gettext
object. In a subsequent patch I'll fix all those unlocalized doc
strings, but I don't want to bury this fix along with a load of
string fixes.
2010-03-05 10:03:41 -05:00
Jason Gerard DeRose
942919bef7 Consolidate to single WSGI entry point 2010-03-01 20:21:38 -07:00
Pavel Zuna
41312ca166 Code cleanup: remove unused stuff, take 1. 2010-03-01 16:53:30 -05:00
Rob Crittenden
766757e4d4 Fix unicode failures in Env tests and dn failures in XML-RPC tests 2010-02-26 12:31:11 -05:00
Rob Crittenden
0700f4d7ca Don't try to revoke a cert that is already revoked.
We get a bit of an unusual error message back from dogtag when trying
to revoke a revoked cert so check its status first.
2010-02-26 12:30:01 -05:00
Pavel Zuna
aa2c124e7d Make the --all option work in Add/Remove Member commands. 2010-02-24 14:56:34 -05:00
Jason Gerard DeRose
8c46e09735 Translatable Param.label, Param.doc 2010-02-24 02:47:39 -07:00
Pavel Zuna
6833a5e2b4 Complete netgroup attributes. 2010-02-23 17:54:54 -05:00
Pavel Zuna
5db8ebb48e Replace incorrect use of str.index with str.find in host plugin. 2010-02-23 17:54:52 -05:00
Pavel Zuna
899f318359 Fix bug where parameter cloning didn't clone validation rules. 2010-02-23 17:54:49 -05:00
Jason Gerard DeRose
47f2e618f9 Fix non XML-RPC tests 2010-02-19 18:10:37 -05:00
Pavel Zuna
03f16810ee Use unicode instead of str for environmental variables in Env. 2010-02-19 14:38:58 -05:00
Pavel Zuna
93a09b2dd1 Make error message in migration plugin unicode. 2010-02-17 12:47:36 -05:00
Rob Crittenden
eb1577686b Expand the types of groups that can be migrated to support IPA v1 migrations 2010-02-17 12:05:02 -05:00
Rob Crittenden
97b5f2571e Don't iterate over empty values in List params 2010-02-17 12:05:01 -05:00
Rob Crittenden
3fd098bb60 Used named variables in calls to print_attribute() 2010-02-17 12:05:01 -05:00
Rob Crittenden
63b55307e5 Reverse patch to not encode int values, handled at OID level properly now. 2010-02-17 09:13:50 -07:00
Pavel Zuna
c0c86232f4 Convert password policy integer values to unicode instead of str. 2010-02-17 10:56:11 -05:00
Pavel Zuna
03967f62e9 Auto-generate --all and --raw for commands, that return entries. 2010-02-17 10:56:06 -05:00
Rob Crittenden
eab1e7cd25 Fix the pwpolicy plugin to work better with new output system. 2010-02-17 04:14:03 -07:00
Rob Crittenden
7ccac40175 Don't base64-encode integers
This is a temporary fix until we either use Params to determine
output type or treat integers differently from other binary values
internally (as unicode instead of str, for example).
2010-02-17 04:13:15 -07:00
Rob Crittenden
58746226d4 Use the Output tuple to determine the order of output
The attributes displayed is now dependant upon their definition in
a Param. This enhances that, giving some level of control over how
the result is displayed to the user.

This also fixes displaying group membership, including failures of
adding/removing entries.

All tests pass now though there is still one problem. We need to
return the dn as well. Once that is fixed we just need to comment
out all the dn entries in the tests and they should once again
pass.
2010-02-15 13:10:11 -07:00
Rob Crittenden
99dcf9d4f9 Fix the automountlocation-tofiles command and add some labels 2010-02-15 12:44:28 -07:00
Jason Gerard DeRose
a63224f4dc Add sha1, md5 to compat 2010-02-12 17:20:46 -05:00
Rob Crittenden
2779da3096 Fix deprecation error importing sha 2010-02-12 17:08:27 -05:00
Jason Gerard DeRose
069763c5c6 Add Object.label class attribute, enable in webUI 2010-02-12 17:07:37 -05:00
Rob Crittenden
338578d10a Allow one-character Param names
This is done explicitly to support the l/localityname attribute.
2010-02-12 13:14:29 -07:00
Pavel Zuna
b31f259b1a Add default automount location. Auto-create auto.direct in new locations. 2010-02-12 10:46:20 -05:00
Jason Gerard DeRose
dc2f246d47 Command.output_params not contains params in Command.params 2010-02-11 14:56:10 -05:00
Jason Gerard DeRose
0ce253fae4 Fix logging in CLI and server (take 2) 2010-02-09 16:36:27 -05:00
Jason Gerard DeRose
c43b69e77c Add support for the 'no_create', 'no_update', and 'no_search' Param flags 2010-02-05 14:32:04 -05:00
Rob Crittenden
e672510c06 Implement pwplicy_find to show all group password policies
find is a bit of a misnomer here because we consider no search terms, it
is all or nothing.
2010-02-03 13:27:46 -05:00
Rob Crittenden
5760170bb3 Add flag to allow a cert to be re-issued
I don't want a user to accidentally re-issue a certificate so I've
added a new flag, --revoke, to revoke the old cert and load the new one.
2010-02-03 13:22:03 -05:00
Rob Crittenden
f43f6c50c6 Only change the log level if it isn't already set
This primarily affects the installer. We want to log to the install/
uninstall file in DEBUG. This was getting reset to INFO causing lots of
details to not show in the logs.
2010-02-03 11:52:15 -05:00
Rob Crittenden
dc55240fe8 Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
2010-02-02 14:02:46 -05:00
Rob Crittenden
8ca97cdf35 Base64-encode binary values on the command-line 2010-02-02 14:02:42 -05:00
Rob Crittenden
e24812ee2d Remove group-specific password policy on group deletion 2010-01-29 09:43:51 -05:00
Jason Gerard DeRose
1d6cc1bb7b Remove __public__ and __proxy__ hold-overs from Plugin class 2010-01-28 13:32:00 -05:00
Jason Gerard DeRose
7b571e3693 Enabled CRUDS in webUI using wehjit 0.2.0 2010-01-26 10:32:44 -05:00
Rob Crittenden
0ab9df8632 Fix merge error, variable mis-named label instead of doc 2010-01-21 15:10:47 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
3a536353fb Fix plugin to work with new output validation, add new helpers
Add a new get_subject() helper and return the subject when retrieving
certificates.

Add a normalizer so that everything before and after the BEGIN/END
block is removed.
2010-01-20 17:01:24 -05:00
Pavel Zuna
c15c1eee72 Add DS migration plugin and password migration page. 2010-01-20 16:54:17 -05:00