When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.
This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.
Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.
Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.
This change requires an IPA server reinstall since the default ACI
set has been changed.
https://fedorahosted.org/freeipa/ticket/764
Makes the values for the Top level tabs internationizable, and no longer just
passes through their names
Also uses the I18N values for SUDO and HBAC as the static text in the Action p[anel title
So far the only flag to enforce asking in interactive mode was the
alwaysask attribute, which is not sufficient any more. This patch adds
the ability to control for which actions the atrribute shall be asked
for.
So far it was possible to rename any object using LDAPUpdate to a name
with empty primary key. Since this can cause nasty problems, this patch
disables empty string in --rename argument.
https://fedorahosted.org/freeipa/ticket/827
In the host plugin we may change the default objectclasses based on
the options selected. This was affecting it globally and causing
subsequent calls to fail.
This patch contains 2 parts.
The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.
The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).
To determine the API version of the server from a client use the ping
command.
ticket 584
Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.
ticket 752
The output problem was a missing label for failed managedby.
This also fixes a call to print_entry that was missing the flags argument.
Add a flag to specify whether a group can be a member of itself, defaulting
to False.
ticket 708
Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
Flag parameters are always autofill by definition, causing unexpected
search results. This patch retypes them to Bool for search commands,
so that users have to/can enter the desired value manually.
Ticket #689
Ticket #701
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.
This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.
ticket 687
It is possible to create an ACI with attributes and then try to set that
to None via a mod command later. We need to catch this and raise an exception.
If all attributes are set to None in an aci then the attr target is removed
from the ACI. This could result in an illegal ACI if there are no other
targets. Having no targets is a legal state, just not a legal final state.
ticket 647
The concept is now following:
topic: either a module or a group of modules containing registered
commands. All these commands will usually handle common entity
type (e.g. hbac rules)
subtopic: each topic can have a number of subtopics. In this case topic
is a group of modules and each module represents a subtopic.
grouping modules to topics is possible by assigning a 2-tuple to module
variable:
topic = ('topic-name','topic description')
The topic description has to be the same in all modules in the topic.
These are examples of commands now available in IPA help:
ipa help - display a list of all topics
ipa help hbac - display help for hbac topic
ipa help hbacrule - display help for a subtopic of hbac
ipa help hbacrule-add - display help for a particular command
https://fedorahosted.org/freeipa/ticket/410
The renaming follows previous discussion on mailing list and it leads to
name compatibility with other plugins (e.g. sudorule). It is also
necessary for following changes in ipa help.
