Commit Graph

36 Commits

Author SHA1 Message Date
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Rob Crittenden
9cac1d88fc Sort entries returned by *-find by the primary key (if any).
Do a server-side sort if there is a primary key.

Fix a couple of tests that were failing due to the new sorting.

ticket 794
2011-04-13 17:29:16 +02:00
Rob Crittenden
deaf029023 Change default gecos from uid to first and last name.
ticket 1146
2011-04-05 14:18:55 -04:00
Rob Crittenden
6f58f38748 Display the entries that failed when deleting with --continue.
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.

This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.

ticket 687
2011-01-10 10:32:10 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
ffc967b47a Fix a slew of tests.
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
2010-12-17 17:01:57 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Pavel Zuna
42c78a383d Add flag to group-find to only search on private groups.
ticket #251
2010-10-20 17:38:03 -04:00
Rob Crittenden
f906aaf376 Groups are now created as POSIX by default.
ticket 241
2010-10-01 14:16:36 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
766757e4d4 Fix unicode failures in Env tests and dn failures in XML-RPC tests 2010-02-26 12:31:11 -05:00
Pavel Zuna
aa2c124e7d Make the --all option work in Add/Remove Member commands. 2010-02-24 14:56:34 -05:00
Rob Crittenden
58746226d4 Use the Output tuple to determine the order of output
The attributes displayed is now dependant upon their definition in
a Param. This enhances that, giving some level of control over how
the result is displayed to the user.

This also fixes displaying group membership, including failures of
adding/removing entries.

All tests pass now though there is still one problem. We need to
return the dn as well. Once that is fixed we just need to comment
out all the dn entries in the tests and they should once again
pass.
2010-02-15 13:10:11 -07:00
Jason Gerard DeRose
ab1aba5a9a Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed 'existant' mispelling 2009-12-18 10:56:13 -05:00
Jason Gerard DeRose
29f243bf4e Fuzzy feelings 2009-12-17 11:22:14 -05:00
Jason Gerard DeRose
8ae0f9c8aa host and hostgroup summary messages, declarative tests; fix tests for 'dn' 2009-12-16 15:54:55 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
Pavel Zuna
e01b1b8f99 Fix unit tests for plugins using baseldap classes. 2009-10-05 15:59:09 -04:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Pavel Zuna
48d6669796 Fix unit tests to handle new group-{add, del}-member semantics. 2009-07-02 13:33:05 -04:00
Pavel Zuna
72e4816140 Add unit tests for new plugins. 2009-07-02 13:33:04 -04:00
Pavel Zuna
12ee586392 Remove unit tests for old plugins. 2009-07-02 13:33:04 -04:00
Pavel Zuna
7d0bd4b895 Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
Rob Crittenden
ad4819ff66 Add tests for posix groups 2009-03-20 09:28:23 -04:00
Rob Crittenden
98d4644bff Fix remaining issues with XML-RPC test cases
Tied the make-test script into the test target of the top-level Makefile
Added code to xmlrpc_test.py so that it configures the API if it isn't
already done which enables individual tests to be executed.
2009-02-04 09:03:40 -05:00
Jason Gerard DeRose
0211c76cd0 Fixed some of the test_xmlrpc unit tests 2009-02-03 15:29:05 -05:00
Rob Crittenden
5717c9d668 Applied Rob's errors patch 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
48a278047d Mostly got the test_xmlrpc/ tests working again 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
231f0bd65a Finished reworked cli.CLI class into cli.cli plugin 2009-02-03 15:29:04 -05:00
Rob Crittenden
0dd1ba3721 Add some negative testing to the user and group plugin tests 2009-01-19 10:40:11 -05:00
Rob Crittenden
d6502f0ba8 Skip tests if the remote XML-RPC server is not responding. 2008-11-03 18:04:25 -05:00
Rob Crittenden
a97f5d76d1 Initial tests for user, group and service plugin API 2008-11-03 17:31:32 -05:00