Commit Graph

2914 Commits

Author SHA1 Message Date
Rob Crittenden
537f4074d1 Add usercategory and hostcategory and fix displaying members in netgroup_show
ticket 443
2010-11-08 15:23:41 -05:00
Jakub Hrozek
a874d5f8e5 Clarify the description of --raw and -all
https://fedorahosted.org/freeipa/ticket/244
2010-11-08 15:23:03 -05:00
Rob Crittenden
3bb0186199 Remove ipa-fix-CVE-2008-3274, it isn't needed any more.
ticket 331
2010-11-08 14:23:27 -05:00
Rob Crittenden
d76ead6cce Add additional default HBAC login services
ticket 307
2010-11-08 14:23:03 -05:00
Adam Young
90baf597dd Ticket Expiration
THis patch handles Kerberos ticket expiration in the UI.  Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app

Conflicts:

	install/static/ipa.js
2010-11-08 14:17:47 -05:00
Adam Young
29c9c70d46 Clear fields after add
This version corrects an error in the oriogianl patch cause  by matching
the wrong opening brace
2010-11-08 15:05:19 -05:00
Adam Young
9a785ed91c rights check
if the field does not have a 'w' for writable in its rights, disable it.
Merged with the HBAC/Widget changes
add and remove links are managed via permissions now
2010-11-05 16:41:07 -04:00
Rob Crittenden
655aa0fcdf Add the --rights option to the LDAPUpdate base class.
ticket 437
2010-11-05 16:30:19 -04:00
Rob Crittenden
9c50371652 Fix typo in exception sample causing a doctest to fail 2010-11-05 12:17:09 -04:00
Adam Young
2c7f2e8fea batch
Allows the user to send multiple commands bundled together
2010-11-05 11:21:42 -04:00
Rob Crittenden
db758c92cd Merge branch 'master' of ssh://rcritten@git.fedorahosted.org/git/freeipa 2010-11-04 15:13:08 -04:00
Nalin Dahyabhai
7b296f2623 add support for hostCategory and userCategory 2010-11-04 14:43:03 -04:00
Endi S. Dewata
d99ebc0f37 HBAC Details Page
The UI framework has been extended to include a collection of widgets:
 - ipa_widget: base class
 - ipa_text_widget: text field
 - ipa_radio_widget: radio button
 - ipa_textarea_widget: textarea
 - ipa_button_widget: button
 - ipa_column_widget: column for table
 - ipa_table_widget: table

These widgets can be used to create input controls. They can also be
extended to create custom controls.

The framework has also been enhanced to support custom layouts. This
can be used to change the look of the application without changing
the code. Initially this is only available in details section.

Layout consists of a collection of HTML templates. Each template is a
complete and valid HTML file representing a portion of a page. The
template will be loaded and initialized by the code, then filled with
the data from the server. The layouts are located in
install/static/layouts/<name> folder.

By default, if no templates are used, the fields in the details page
are rendered vertically using dd/dt/dd tags. For pages that require
different layout, a custom UI needs to be developed. There are two ways
to do that:
 - write a custom widget to generate the UI dynamically
 - create an HTML template and write the initialization code

For components that are quite complex or used frequently, it's might
be better to use the first method. For simple pages that are used only
in one location or need to support customization, the second method
might be preferable. Other benefits of templates:
 - cleaner code and UI separation
 - more flexibility in customization
 - new pages can be developed quickly and require less coding
 - multiple templates can be used with the same initialization code
 - easier to maintain

The HBAC details page has been implemented using both methods. By
default it will use custom widgets to generate the page. To use a
custom layout, add the following parameter to the URL, then reload
the page:

  &layout=<name>

Currently the only available layout is 'default' which produces the
same look as the custom widgets.

The HBAC details page is usable, but it still needs additional work.
The access time is not working yet. There is no undo button, hint,
or validation yet.

The table in the association facet has also been changed to use
ipa_association_widget which is derived from ipa_table_widget.

The Makefile has been updated to include the layouts. The unit tests
have been updated as well.
2010-11-04 14:22:32 -04:00
Rob Crittenden
05a16f50d7 Remove hardcoded domain value and replace with $SUFFIX 2010-11-04 13:55:46 -04:00
Rob Crittenden
6f5cd3232a user-enable/disable improvements
Always display the account enable/disable status.

Don't ignore the exceptions when a user is already enabled or disabled.

Fix the exception error messages to use the right terminology.

In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.

ticket 392
2010-11-04 12:49:33 -04:00
Rob Crittenden
72cf73b6b6 Output ACI's broken out into attributes rather than a single text field
Also add validation to the List parameter type.

ticket 357
2010-11-04 12:48:45 -04:00
Rob Crittenden
65bf1c82a0 Use correct attribute name, nshostlocation, not location. 2010-11-03 17:37:35 -04:00
Rob Crittenden
656166dc46 Merge branch 'master' of ssh://rcritten@git.fedorahosted.org/git/freeipa 2010-11-03 17:37:07 -04:00
Adam Young
681ce7e534 jslint cleanup 2010-11-03 15:50:29 -04:00
Endi S. Dewata
f7a4c53e60 HBAC test data 2010-11-03 10:26:25 -04:00
Jan Zeleny
3d979dab98 Add SEE ALSO section to ipa man page
All ipa-* commands except for ipa-fix-CVE-2008-3274 were added to SEE
also section of ipa(1).
Ticket: #329
2010-11-03 10:26:02 -04:00
Jan Zeleny
813b675268 Remove reference to ipa_webgui
Reference was removed from ipa-server-install(1) man page.
Ticket: #330
2010-11-03 10:25:07 -04:00
Jr Aquino
c99fda0d1e Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes. 2010-11-03 10:23:40 -04:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Adam Young
aff2816d20 group_remove_memeber.json
meta data for testing and developmemt
2010-10-29 23:55:45 -04:00
Jakub Hrozek
228b0ea656 Remove extra --prompt-all from ipa(1) man page
http://fedorahosted.org/freeipa/ticket/328
2010-10-29 14:45:50 -04:00
Rob Crittenden
03de1b89ca Implement nested netgroups and include summaries for the commands.
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.

ticket 209
2010-10-29 14:03:15 -04:00
Adam Young
6df16f3a10 delete associations
Uses code very similar to the search code for deleting associations
Had to modify how we were configuring for bulk so that the logic for delete matched the logic for enroll

Fixed unit test and removed the 'new' from the associator call
2010-10-29 17:12:55 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
c1dfb50ee9 Remove group nesting from the HBAC service groups
ticket 389
2010-10-28 17:34:34 -04:00
Simo Sorce
4f8e4482b3 pwd-plugin: Always use a special salt by default.
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
2010-10-28 17:18:03 -04:00
Simo Sorce
79c39339da pwd-plugin: fix slapi log target in logging functions 2010-10-28 17:17:59 -04:00
Rob Crittenden
33802ab712 Use context to decide which name to return on RequirementsErrors
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).

If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.

ticket 187
2010-10-28 16:06:06 -04:00
Rob Crittenden
ff636984ab Add option to generate random one-time password for hosts for bulk enrollment
ticket 228
2010-10-28 15:27:58 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
47629a604d Retrieve Get Effective Rights output with LDAPRetrieve
The output is a pure python dict so is really only useful when used with
--all so it is required.

Updated to return a string for rights as opposed to a list.  Terser, reducing the wire size by a factor of 3.5
2010-10-28 14:35:34 -04:00
Endi S. Dewata
de3cc334ed Dialog boxes for AJAX, HTTP, and IPA errors.
The ipa_cmd() has been modified to identity the type of the error
it has received and display the error using the right dialog box.
The dialog box can be customized further to display the appropriate
amount of information for each type of error.
2010-10-28 13:11:51 -04:00
Endi S. Dewata
528145d5df Framework for custom UI
This patch introduces a new framework for implementing custom UI.
It consists of the following classes:

Main:
 - IPA: global namespace and object repository
 - ipa_entity: base class for entities
 - ipa_facet: base class for facets

Add dialog:
 - ipa_add_dialog: default add dialog
 - ipa_add_field: the fields used in the dialog

Search facet:
 - ipa_search_facet: default search facet
 - ipa_search_column: the columns in the search result

Details facet:
 - ipa_details_facet: default details facet
 - ipa_details_section: the sections in the details facet
 - ipa_details_field: the fields in the details facet

Association facet:
 - ipa_association_facet: default association facet
 - ipa_association_config: the association configurations

To use this framework, create a class extending the ipa_entity (e.g.
ipa_hbac). Use the create_* methods to create add dialog, search facet,
details facet, and association facet. The fields/columns for the dialog
and facets can be specified using the init() function. Custom UI can be
defined by overwriting the base methods (e.g. setup, save, load).
The entity must be added into the repository using IPA.add_entity().

The original ipa_entity_setup() has been generalized by moving facet-
specific codes into the corresponding facet. Some facet names are still
hard-coded. This will be fixed in follow-up patches.

Some global variables have been removed because their function has been
replaced by the object repository:
 - ipa_entity_add_list
 - ipa_entity_search_list
 - ipa_entity_details_list
 - window_hash_cache

Some functions and variables have been moved into IPA namespace:
 - ipa_json_url -> IPA.json_url
 - ipa_use_static_files -> IPA.use_static_files
 - ipa_ajax_options -> IPA.ajax_options
 - ipa_objs -> IPA.metadata
 - ipa_messages -> IPA.messages
 - ipa_dialog -> IPA.error_dialog
 - ipa_init() -> IPA.init()

Initially the HBAC and Service entities have been rewritten to use the
new framework. The DNS is partially converted, the ipa_records_facet
is used to define custom records facet.

Other entities can still work using the old framework. The old framework
has been modified to be a wrapper for the new framework. Eventually all
entities will be converted to use the new framework.

Some unit tests have been modified to use the new framework.
2010-10-28 09:28:17 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Pavel Zuna
93290c8a72 Add LDAPObject setting to handle different attributes for RDN and PKEY. 2010-10-28 07:58:31 -04:00
Simo Sorce
c51ce61e4d UUIDs: remove uuid python plugin and let DS always autogenerate
merge in remove uuid
2010-10-28 07:58:31 -04:00
Simo Sorce
1bfd0f8791 ipa_uuid: prevent false positives on modifies
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
2010-10-28 07:58:31 -04:00
Simo Sorce
99a7f83c3c ipa_uuid: Handle generation of the uuid when it is a RDN 2010-10-28 07:58:31 -04:00
Simo Sorce
2a141bf2c1 ipa-uuid: Add enforce mode
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
2010-10-28 07:58:31 -04:00
Simo Sorce
7fc6dfbcac ipa-uuid: Code cleanups
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
2010-10-28 07:58:31 -04:00
Simo Sorce
1233a7aff3 ipa-uuid: safer unlock handling
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
2010-10-28 07:58:31 -04:00
Simo Sorce
2d63522d48 ipa-uuid: Reset generate flag at every cycle
Avoid false positives if more than one uuid attribute is generated
in the same entry.
2010-10-28 07:58:31 -04:00
Simo Sorce
56724fa024 ipa-uuid: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
3f1293582f ipa-modrdn: Remove unused functions 2010-10-28 07:58:31 -04:00