Commit Graph

76 Commits

Author SHA1 Message Date
Petr Viktorin
d3a34591a8 permission_add: Remove permission entry if adding the ACI fails
https://fedorahosted.org/freeipa/ticket/4187

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-03-12 12:17:08 +01:00
Petr Viktorin
34c3d309d9 permission-find: Cache the root entry for legacy permissions
This makes searching faster if there are many legacy permissions present.

The root entry (which contains all legacy permission ACIs) is only
looked up once.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-11 10:00:27 +01:00
Petr Viktorin
d727599aa8 permissions plugin: Don't crash with empty targetfilter
https://fedorahosted.org/freeipa/ticket/4206

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:06:52 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Petr Viktorin
02e61961da permission-mod: Remove attributelevelrights before reverting entry
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.

https://fedorahosted.org/freeipa/ticket/4212

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 16:52:40 +01:00
Petr Viktorin
773e006ddd permission plugin: Do not assume attribute-level rights for new attributes are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.

https://fedorahosted.org/freeipa/ticket/4121

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-21 14:33:49 +01:00
Petr Viktorin
78b657b02d Add permission_filter_objectclasses for explicit type filters
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
0824d12c95 permission-mod: Do not copy member attributes to new entry
Fixes: https://fedorahosted.org/freeipa/ticket/4178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-20 12:33:36 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
2f3ab2914a permission plugin: Generate ACIs in the plugin
Construct the ACI string from permission entry directly
in the permission plugin.

This is the next step in moving away from ipalib.aci.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
15995d1f38 permission plugin: Convert options in execute, not args_options_2_params
With this change, shortcut options like memberof and type will be
aplied on the server, not on the client.
This will allow us to pass more information than just updated options.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
419f3ad627 Permission plugin fixes
- Fix i18n for plugin docstring
- Fix error when the aci attribute is not present on an entry
- Fix error when raising exception for ACI not found

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Jan Cholasta
c2bd6f365d Convert remaining frontend code to LDAPEntry API. 2014-01-24 20:38:15 +01:00
Jan Cholasta
24d85f15ee Use old entry state in LDAPClient.update_entry.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Petr Viktorin
4a64a1f18b Allow anonymous and all permissions
Disallow adding permissions with non-default bindtype to privileges

Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
2014-01-07 09:56:41 +01:00
Petr Viktorin
1a9beac1be permission_find: Do not fail for ipasearchrecordslimit=-1
ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
2013-12-17 12:29:56 +01:00
Petr Viktorin
acede580e1 Remove default from the ipapermlocation option
The value from my machine ended up wired into API.txt,
so builds on other machines would fail.

Correct the mistake.
2013-12-13 16:32:39 +01:00
Petr Viktorin
d38748d64f Make sure SYSTEM permissions can be retreived with --all --raw
Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
2013-12-13 15:08:52 +01:00
Petr Viktorin
7fc35ced1d permission plugin: Ensure ipapermlocation (subtree) always exists 2013-12-13 15:08:52 +01:00
Petr Viktorin
53caa7aca2 Roll back ACI changes on failed permission updates 2013-12-13 15:08:52 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Petr Viktorin
2c433cdd7e Use new ipaldap entry API in aci and permission plugin 2013-10-30 11:50:05 +01:00
Petr Viktorin
7051f510b6 Update Permission and ACI plugins to decorator registration API 2013-10-30 11:50:04 +01:00
Jan Cholasta
5b2e0e2ba5 Remove DN normalization from the baseldap plugin. 2013-03-01 16:59:47 +01:00
Jan Cholasta
bb36683c84 Use the dn attribute of LDAPEntry to set/get DNs of entries.
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
2013-03-01 16:59:46 +01:00
Petr Viktorin
5752b35d16 Update argument docs to reflect dropped CSV support
https://fedorahosted.org/freeipa/ticket/3352
2013-02-22 17:20:35 +01:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
Tomas Babej
7e9eb9caad Fixes different behaviour of permission-mod and show.
Both commands now produce the same output regarding
the attributelevelrights.

https://fedorahosted.org/freeipa/ticket/2875
2012-08-29 16:02:43 -04:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Martin Kosek
6ff5f28142 permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.

Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.

https://fedorahosted.org/freeipa/ticket/2658
2012-06-01 07:51:59 +02:00
Rob Crittenden
8d00d7c130 Enforce sizelimit in permission-find, post_callback returns truncated
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.

We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.

The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.

https://fedorahosted.org/freeipa/ticket/2322
2012-05-30 08:46:21 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Petr Viktorin
c5689e7faf Do not use extra command options in ACI, permission, selfservice
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for ACI-related plugins.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-14 10:38:07 +02:00
Rob Crittenden
95bb8d0f45 Fix overlapping cn param/option issue, pass cn as aciname in find
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.

The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.

https://fedorahosted.org/freeipa/ticket/2320
2012-05-14 10:07:41 +02:00
Rob Crittenden
1a26406db2 Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:55 -04:00
Jan Cholasta
3ba9cc8eb4 Refactor exc_callback invocation.
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).

Add some extra checks to existing exception callbacks.
2012-04-26 09:00:30 +02:00
Ondrej Hamada
2584e9be67 Unable to rename permission object
The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2571
2012-04-11 22:29:04 -04:00
Petr Viktorin
6e5c8b25bf Limit permission and selfservice names to alphanumerics, -, _, space
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.

https://fedorahosted.org/freeipa/ticket/2585
2012-04-09 20:56:29 -04:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Ondrej Hamada
1356988b7a Validate attributes in permission-add
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
2012-02-28 18:22:24 -05:00
Martin Kosek
3bd36af36e Remove debug messages
https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2323
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
2012-02-06 08:49:31 +01:00
Martin Kosek
cf12f3106a Fix raw format for ACI commands
ACI plugins (permission, selfservice and delegation) were not
prepared to serve ACIs in a raw format, i.e. raw "aci" attribute
taken from LDAP. This patch fixes all these plugins and their
commands to provide provide this format. Few ACI raw format unit
tests were added for all these plugins.

https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2223
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
2012-02-03 17:04:51 +01:00
Rob Crittenden
64ee2464e8 Display the value of memberOf ACIs in permission plugin.
There were two problems:

1. memberof wasn't in the list of things we looked for in the return value
   from aci_show()
2. The value wasn't being translated into a group name.

Use the DN class to retrieve the group name from the memberof URI.

Note that I changed the parsing for targetgroup as well. We now save a lookup
and potentially returning a NotFound if an aci points to a group that no
longer exists.

https://fedorahosted.org/freeipa/ticket/2100
2012-01-04 20:27:26 -05:00
Jan Cholasta
135ccf89de Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.

Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.

ticket 2007
2011-11-30 17:08:35 +01:00
Martin Kosek
a486f49a37 Create pkey-only option for find commands
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.

This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.

https://fedorahosted.org/freeipa/ticket/1262
2011-10-27 14:17:51 +00:00