Do not call status after pkisilent, it will return non-zero.
Instead restart server after pkisilent so configuration
changes take effect, the check the status.
The SUDO details page has been modified to support external users
and hosts. In the backend, the internal and external users are kept
in separate attributes, but in the UI they will be displayed as a
single list. The same thing is done for hosts.
The ipa_sudorule_association_adder_dialog() has been modified such
that it only displays the external field if there is an external
attribute for that field.
TAKE 1
- Enrollement links in the action panel are now sorted by relationships.
- You can only enroll members.
(The webUI made the impression you can enroll parents as well, but it was
broken.)
- When enrolling new members, you can choose not to display already enrolled
ones. (On by default.)
- Couple cosmetic changes.
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
Currently the code depends on using a password to create replication
agreements. so this patch forces the request of the dirmgr password until we
can fix the internal issues that prevent using the amdin user with SASL/GSSAPI
to create replication agreements.
The previous code was removing only one agreement, leaving all other in place.
This would leave dangling replication agreements once the replica is
uninstalled.
Fixes: https://fedorahosted.org/freeipa/ticket/624
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630
if ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements
Fixes: https://fedorahosted.org/freeipa/ticket/625
Can remove replication agreements between 2 replicas as long as it is
not the last agreement (except for Ad replication agreements, which can
always be removed).
Fixes: https://fedorahosted.org/freeipa/ticket/551
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.
This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla
Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla
Ticket #435
