Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).
A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.
Ticket #1701
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
1) Add sudorule docstring headline
2) Fix naming inconsistency in Sudo plugins help and summaries,
especially capitalization of Sudo objects - Sudo Rule, Sudo
Command and Sudo Command Group
3) Add missing summaries for sudorule-add-option and
sudorule-remove-option. To keep backward compatibility with
older clients, just print the missing summary with
output_for_cli(), don't expand Output.
https://fedorahosted.org/freeipa/ticket/1595https://fedorahosted.org/freeipa/ticket/1596
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.
ticket https://fedorahosted.org/freeipa/ticket/1574
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.
Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.
We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.
It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.
However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.
Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.
class foo(Command):
'''
The foo command takes out the garbage.
'''
Would become:
class foo(Command):
__doc__ = _('The foo command takes out the garbage.')
But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.
In summary what this patch does is:
* Remove the use of pygettext (modification to install/po/Makefile.in)
* Replace every docstring with an explicit assignment to __doc__ where
the rhs of the assignment is an i18n marking function.
* Single line docstrings appearing in multi-line string literals
(e.g. ''' or """) were replaced with single line string literals
because the multi-line literals were introducing unnecessary
whitespace and newlines in the string extracted for translation. For
example:
'''
The foo command takes out the garbage.
'''
Would appear in the translation catalog as:
"\n
The foo command takes out the garbage.\n
"
The superfluous whitespace and newlines are confusing to translators
and requires us to strip leading and trailing whitespace from the
translation at run time.
* Import statements were moved from below the docstring to above
it. This was necessary because the i18n markers are imported
functions and must be available before the the doc is
parsed. Technically only the import of the i18n markers had to
appear before the doc but stylistically it's better to keep all the
imports together.
* It was observed during the docstring editing process that the
command documentation was inconsistent with respect to the use of
periods to terminate a sentence. Some doc had a trailing period,
others didn't. Consistency was enforced by adding a period to end of
every docstring if one was missing.
* Wrap each topic description in _()
* Replace the use of if 'topic' in dir(module) with the more
Pythonic and efficient getattr(module, 'topic', None)
* Make sure to invoke unicode on the value returned from _()
otherwise you'll get a GettextFactory instance, not a string
* Clean up trailing whitespace errors
A Password param always prompted to confirm the entered password.
This doesn't make sense if you want to prompt for a password to another
system like we do with entitlements. This adds a new boolean option to
control the Password prompt parameter.
https://fedorahosted.org/freeipa/ticket/1695
Newly performs validation of details facet before update. If validation fails, notification dialog is shown and command isn't executed.
Fixed integer minimum and maximum value checking.
Read-only and non-writable fields are no longer considered required.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
The association table widget and facet have been modified to accept
titles for the add and delete dialogs. The table and facet definitions
have been modified to specify the appropriate titles.
Some unused code have been removed.
Ticket #1629
Do not fail import operation with DuplicateEntry when imported
maps/keys conflict with maps/keys pre-created by
automountlocation-add command. Currently, this applies for map
'auto.direct' and key '/-'.
https://fedorahosted.org/freeipa/ticket/1551
The 'Hide already enrolled' has been removed from the enrollment
dialog because it is checked by default and entries that are already
enrolled cannot be enrolled again.
Ticket #1638
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.
Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.
Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.
https://fedorahosted.org/freeipa/ticket/1528
dns.py at line 976 has an invalid i18n string and cannot be processed
during message extraction causing message catalog generation to fail.
The format parameters are trapped inside the i18n string. Also it's
not necessary to promote the i18n string literal to unicode via the u
prefix because the _() function returns unicode.
The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.
Ticket #1423, #1561
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
change widget and widget unit tests to hold on to entity, not entity name.
Replacing entity_name with entity.name in most places.
The one exception is columns for table_widget.
Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.
cleanup entity assignment.
removed template and layout,
merged setup into create
adder dialogs adjust height for external
removed init from widget, isection, association, facet, host and service
Make unit tests use factory.
fix functional tests to click find link correctly.
tweak to activation test, but still broken.
moved initialization code to the end
use --all for hbacrule find, so the type shows up now
fixed dns exception code and exception handling for get_entity
replace metadata look up with value from entity.
fixed author lines
removed duplicate columns in managed by facets.
tweak to nav fix in order to initialize tab.
more defensive code
update metadata for true false
one line init for entity_name in widget
move init code to end of constructor functions
moved constants to start of function for adder_dialog
external fields for dialogs initialized at dialog creation
sudo sections: move add fields and columns to widget definition.
The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.
decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables
return false at the end of click handler
removed blank labels in sudo command section
fix radio buttons for sudo category
fixed table side for adder dialogs with external fields
comments for future direction with add_columns
https://fedorahosted.org/freeipa/ticket/1451https://fedorahosted.org/freeipa/ticket/1462https://fedorahosted.org/freeipa/ticket/1493https://fedorahosted.org/freeipa/ticket/1497https://fedorahosted.org/freeipa/ticket/1532https://fedorahosted.org/freeipa/ticket/1534
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.
https://fedorahosted.org/freeipa/ticket/1520
The summary value was set to primary key. However, the primary key
may contain also an info option as a workaround for multiple direct
maps problem.
This patch sets the result 'value' and thus summary text to
expected and consistent value.
https://fedorahosted.org/freeipa/ticket/1524
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.
This is controlled by a new booleon option, wait_for_attr, defaulting
to False.
https://fedorahosted.org/freeipa/ticket/1144
If you used sudorule-remove-runasgroup to remove a member that member
still appeared in the command output when --all was included (it isn't a
default attribute). This was due to post-processing to evaluate external
users/groups, the entry was actually updated properly.
https://fedorahosted.org/freeipa/ticket/1348
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).
https://fedorahosted.org/freeipa/ticket/1473
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
It was my understanding that we would be able to pass in an existing UUID
when registering to connect to an existing registration (for the case where
IPA is re-installed). This is supported in the REST API but not python-rhsm.
https://fedorahosted.org/freeipa/ticket/1216
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.
Ticket #1424
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
https://fedorahosted.org/freeipa/ticket/1259
Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.
This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.
Ticket #1435
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.
I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.
https://fedorahosted.org/freeipa/ticket/1285https://fedorahosted.org/freeipa/ticket/1286https://fedorahosted.org/freeipa/ticket/1287
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.
Ticket #1217
The following invalid associations have been removed:
- group's memberindirect netgroup and role
- hostgroup's memberofindirect host
Ticket #1366
Ticket #1367
The IPA.user_status_widget has been modified such that it checks
the facet dirty status and asks the admin to either Update or Reset
the changes. Then the widget shows a dialog to confirm whether
the admin wants to activate/deactivate the user.
Ticket #1395
The entity labels in the following locations have been fixed:
- search facet title: plural
- details facet title: singular
- association facet title: singular
- breadcrumb: plural
- adder dialog title: singular
- deleter dialog title: plural
Some entity labels have been changed into the correct plural form.
Unused file install/ui/test/data/i18n_messages.json has been removed.
Ticket #1249
Ticket #1387
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.
The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.
Ticket #1249
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
The goal is to not import foreign certificates.
This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.
ticket 1134
When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.
https://fedorahosted.org/freeipa/ticket/1279
Enhance Host plugin to provide not only "Managed By" list but also
a list of managed hosts. The new list is generated only when --all
option is passed.
https://fedorahosted.org/freeipa/ticket/993
When a new DNS zone is being created a local hostname is set as a
nameserver of the new zone. However, when the zone is created
during ipa-replica-prepare, the the current master/replica doesn't
have to be an IPA server with DNS support. This would lead to DNS
zones with incorrect NS records as they wouldn't point to a valid
name server.
Now, a list of all master servers with DNS support is retrieved
during DNS zone creation and added as NS records for a new DNS
zone.
https://fedorahosted.org/freeipa/ticket/1261
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.
This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.
Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).
https://fedorahosted.org/freeipa/ticket/1266
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.
So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.
Multiple direct maps are still supported and for those the info is
always required.
ticket 1229
LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.
Migrate operation crashed when the migrated DS contained search
references. Now, it correctly skips these records and prints the
failed references to user.
https://fedorahosted.org/freeipa/ticket/1209
Interactive mode for commands manipulating with DNS records
(dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
the server framework with new callback for interactive mode, which
can be used by commands to inject their own interactive handling.
The callback is then used to improve aforementioned commands'
interactive mode.
https://fedorahosted.org/freeipa/ticket/1018
Attempt to retrieve the schema the first time it is needed rather than
when Apache is started. A global copy is cached for future requests
for performance reasons.
The schema will be retrieved once per Apache child process.
ticket 583
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.
Add two new LDAPObject values to control this behavior:
limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed
By default both of these lists are empty so are skipped.
ticket 744
Migration from a v2 server would fail because of our fake memberofindirect
attribute. This isn't in any objectclass so would cause entries to fail
to migrate. We can safely just remove it.
Also remove any limits on time/size when searching for entries on the
remote server. Otherwise only the number of entries configured in the
local IPA server can be migrated.
ticket 1124
automount implemented using standard facets and containing_entity pkey generation
sample data fixtures for automount.
messages for automount and HBAC.
modified form of the search facet used to nest the automount entities
Add works for nested entities. Delete works for all but keys. Since the API for this is going to change, I'm not going to fix it pre-checkin.
All the places the PKEY prefix is needed uses a single function. Added breadcrumb trail into title.
update ipa_init sample data
add redirect logic for pages without pkeys.
add and delete link to appropriate entities for nested search facet.
Using on demand entities. Fixed breadcrumbs.
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
The IPA.association_facet has been modified to take a read_only parameters.
If the parameter is set to true, the Enroll and Delete buttons will not be
shown. All facets under the memberindirect and memberofindirect facet groups
are marked as read-only.
Ticket #1030
The IPA.entity has been modified to support customizable facet groups.
The default list of facet groups is defined in IPA.entity_header and can
be overriden in the entity definition.
Ticket #1219
Facet container has been added to hold facet header (i.e. title,
search fields, buttons, links) and facet content. Each facet now
occupies separate container, so it can be shown/hidden without
having to redraw the content.
When the pwpolicy attribute "cospriority" is passed to pwpolicy-mod
command and the old value is kept, the command should succeed
if there was at least one other attribute changed. Current
pwpolicy-mod raises exception in this case which may lead to issues
in the WebUI.
https://fedorahosted.org/freeipa/ticket/1104
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.
This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.
The UI will need to be changed to switch from using cn to using
givenname and sn.
ticket 1136
When adding a new DNS zone in the WebUI, IPA server will verify
whether the nameserver is in DNS. Sometimes it is necessary to
skip the verification.
This patch adds a --force option already available in CLI which
can skip this the verification.
https://fedorahosted.org/freeipa/ticket/1105
The entitlement facet will show buttons according to the entitlement
status. If it's unregistered, the facet will show a Register button.
If it's registered, the facet will show a Consume button.
Current PTR validation is unclear and may misled the user. This
patch improves the validation process so that the eventual exception
is clearer. New check that the PTR record is fully qualified has
been added to ensure that the reverse zone resolution behaves as
expected.
Additionally, several strings in the DNS plugin were prepared for
localization.
https://fedorahosted.org/freeipa/ticket/1129
Most of the pwpolicy_* commands do include cospriority in the result
and potentially in the attribute rights (--all --rights). Especially
when --raw output is requested. This patch fixes it for all
pwpolicy commands.
https://fedorahosted.org/freeipa/ticket/1103
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
When duplicate user is added an inconsistent error message to the rest
of the framework is printed. This patch changes this to standard
duplicate error message.
https://fedorahosted.org/freeipa/ticket/1116
This patch fixes a stacktrace that is printed out when a IPv6
AAAA record with subnet prefix length (e.g. /64) is added.
The same error message as when IPv4 record with subnet prefix
length is used.
https://fedorahosted.org/freeipa/ticket/1115
Nested role is not supported in 2.0.x, so the association facet
for it should be removed from the UI. The attribute_members in
role.py needs to be fixed because it is used to generate the
association facet automatically.
Ticket 1092.
In a details page, usually any changes done to the fields will not be
applied until the user clicks the Update button. However, if the page
contains an association table, any addition/deletion to the table will
be applied immediately.
To avoid any confusion, the user is now required to save or reset all
changes to the page before modifying the association. A dialog box will
appear if the page contains any unsaved changes.
This patch replaces xgettext with a custom pygettext to generate
translatable strings from plugin files in ipalib/plugins. pygettext
was modified to handle plural forms (credit goes to Jan Hendrik Goellner)
and had some bugs fixed by myself. We only use it for plugins, because
it's the only place where we need to extract docstrings for the built-in
help system.
I also had to make some changes to the way the built-in documentation
systems gets docstrings from modules for this to work.
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
The json_metadata() has been updated to return ipa.Objects and
ipa.Methods. The i18n_messages() has been updated to include other
messages that are not available from the metadata.
