IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
456 Commits 11 Branches 60 Tags
6ea3d9610e62322b843b22b6acf531dce384305c
Commit Graph

87 Commits

Author SHA1 Message Date
Rob Crittenden
6ea3d9610e Utilize user and group objectclass lists in cn=ipaconfig 
Change the syntax on user and group objectclasses in cn=ipaconfig
 2007-12-06 00:30:26 -05:00
Rob Crittenden
eb141b02ff Move dn removal to the XML-RPC side and remove empty attributes 2007-12-05 17:26:39 -05:00
Rob Crittenden
15b7dc6ff9 Add UI for service principal creation and keytab retrieval 2007-12-05 15:17:11 -05:00
Rob Crittenden
2fbe5cbf49 Phase 1 of allowing admins to set the default object classes for users & groups 
This adds the UI and does error checking of the selected object classes but
it doesn't actually use the values yet.

It also generalizes some functions for doing multi-valued fields.
 2007-12-04 13:18:37 -05:00
Rob Crittenden
299e457698 Convert krbmaxpwdlife and krbminpwdlife from seconds into days and hours 2007-12-03 18:07:47 -05:00
rcritten@redhat.com
c32a960cae Compatibility changes to work on RHEL 5 with python 2.4 2007-11-30 15:53:02 -05:00
Karl MacMillan
002312c050 Revert logging setup change because it has unintended 
consequences during ipa-server-install.
 -
Rob Crittenden
8ff9f63d80 Require that the default users group exists 
Fix some copy-paste errors from the password policy update
 2007-11-30 13:27:33 -05:00
Rob Crittenden
bac556557d Don't allow the admins or editors groups to be removed. 
Don't allow the default group for users to be removed.
 2007-11-30 12:49:08 -05:00
Rob Crittenden
5025e990e9 Remove optional arguments from the XML-RPC interface 2007-11-29 16:48:32 -05:00
Karl MacMillan
edc7af1446 Add xml-rpc interface for getting keytabs. 
Warning: this lacks any sort of authorization.
 -
Karl MacMillan
67cddce4d4 Generate master password from Simo. -
Simo Sorce
3580d0affb Use groupOfNames and member, not groupOfUniqueNames and uniqueMember 2007-11-20 10:22:43 -05:00
Rob Crittenden
f42f1f44c8 Enable group inactivation by using the Class of Service plugin. 
This adds 2 new groups: activated and inactivated.

If you, or a group you are a member of, is in inactivated then you are too.

If you, or a group you are a member of, is in the activated group, then you
are too.

In a fight between activated and inactivated, activated wins.

The DNs for doing this matching is case and white space sensitive.

The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.

We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
 2007-11-20 22:45:29 -05:00
Rob Crittenden
1967aafa39 Implement the password policy UI and finish IPA policy UI 
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
  dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
    ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
    ipaGroupSearchFields: cn,description
    ipaSearchTimeLimit: 2
    ipaSearchRecordsLimit: 0
    ipaCustomFields:
    ipaHomesRootDir: /home
    ipaDefaultLoginShell: /bin/sh
    ipaDefaultPrimaryGroup: ipausers
    ipaMaxUsernameLength: 8
    ipaPwdExpAdvNotify: 4
This could use some optimization.
 2007-11-16 12:59:32 -05:00
Rob Crittenden
eecbaf91e2 Use the dna plugin to automatically assign uid 
Set gid to the group "ipausers"
Add the user to this default group
 2007-11-13 15:03:20 -05:00
Rob Crittenden
cd489f0a73 Allow a user or group to change an attribute in its RDN 
Add secretary to the list of indexes otherwise RDN changing could be slow
Port --addattr, --setattr and --delattr from usermod to groupmod
 2007-11-12 23:11:55 -05:00
Rob Crittenden
99b84bfd01 Handle ldap.UNWILLING_TO_PERFORM more gracefully 2007-11-09 16:34:52 -05:00
John Dennis
22493d9b9f remove offensive use of rpm 
add the radiusprofile to the list of objectclasses used when creating a user
 2007-11-06 16:26:10 -05:00
Karl MacMillan
27f0aab667 Rename memberOf to group_members in xml-rpc interface. -
Rob Crittenden
1d6e88565c Add memberOf API call to the XML-RPC interface 
Make find-groups use memberOf to have a prettier dispaly of members
 2007-10-30 15:07:02 -04:00
Kevin McCarthy
859291a706 Add delete user and group to webgui. 
NOTE: this doesn't handle referential integrity.
 2007-10-23 16:46:50 -07:00
Rob Crittenden
04636b8ae7 Add an LDAP attribute -> label mapping function to XML-RPC layer 
Move some ACI functions around in preparation for cli delegation
 2007-10-22 17:06:52 -04:00
Rob Crittenden
a47f893957 update_user and update_group need to be defined differently in order 
to be available to the XML-RPC interface
 2007-10-22 10:09:39 -04:00
Kevin McCarthy
5e651a6496 Finish the email autosuggest. 
For now I've added a new API call.  The field-specific searching is
a ways off.
 2007-10-18 14:33:55 -07:00
Kevin McCarthy
fbbdd27b53 Creates an update_entry api call, aliases update_user and update_group to it. 2007-10-15 09:04:13 -07:00
Kevin McCarthy
63f7cdf7f7 Adds delegation listing and creation to the GUI. 2007-10-12 15:11:55 -07:00
Rob Crittenden
95f0c52013 Remove buggy connection caching. Create a new connection for each LDAP 
request.
 2007-10-12 10:37:36 -04:00
Kevin McCarthy
06b107ed5f Add inetUser objectclass. Remove test-users ldif. 2007-10-11 12:19:42 -07:00
Kevin McCarthy
4c2a33d0e8 Refactor the __get_entry into __get_base_entry and __get_sub_entry(). 
The API needs to be thought about, but this is a quick fix w/minimal impact
to allow get_entry_by_dn do work on non-leaf entries.
 2007-10-11 10:10:03 -07:00
Kevin McCarthy
2b38769b50 Combine get_user/group by dn/cn into get_entry_by_cn/dn. 
Also a couple double-escaping fixes I missed in the last patch.
 2007-10-09 09:26:16 -07:00
Kevin McCarthy
b73f825657 Several escaping fixes: 
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
 2007-10-05 15:25:58 -07:00
Rob Crittenden
eddc5d4e42 New LDAP connection pool that does locking 2007-10-08 16:18:38 -04:00
rcritten@redhat.com
53e872fb72 Try to catch more error conditions during installation 
Modify the way we detect SELinux to use selinuxenabled instead of using
  a try/except.
Handle SASL/GSSAPI authentication failures when getting a connection
 2007-10-03 17:37:13 -04:00
Kevin McCarthy
1cef67e2e1 Add the rest of the user fields to the user pages. 2007-10-03 13:53:14 -07:00
rcritten@redhat.com
e0b225b1b6 I broke add_groups_to_user and remove_groups_from_user with my 
"use group DN" patch. This fixes it.
 2007-10-02 17:26:09 -04:00
rcritten@redhat.com
6aa72b44e4 Do group operations based on the group DN, not the CN 
Add new class of errors for connections
Raise an exception if a connection cannot be made due to missing ccache
 2007-10-02 16:56:51 -04:00
Simo Sorce
cfac4acf9f Rely more on kerberos. 
Don't read ipa.conf to get the realm, the kerberos libs do that for you.
Use the krbPrincipalName to change passwords
Make it possible to specify the principal at user creation.
Mail is not a required attribute so far, don't require it.
 2007-10-01 17:33:16 -04:00
Kevin McCarthy
dbf8c1aeb9 Add group management to the user edit page. 
Added a couple more API calls to make the inverse operations easier.
 2007-09-28 16:01:42 -07:00
Kevin McCarthy
0431a536e5 patch queue: add_filters.patch 2007-09-27 16:07:05 -07:00
Kevin McCarthy
572b3e9fdd Make timelimit a parameter to the find methods. 2007-09-27 15:51:26 -07:00
Kevin McCarthy
24c22a2ebc Misc small fixes: 
- Members of groups are clickable
- Combine name and uid into a single column in find users
- Remove license plate from searching
- Mailto links on user emails
- Add timelimit to finds.  This is experimental...
- Fix usersearch to only search on objectClass=Person
- Change search to use get parameter
 2007-09-25 11:25:48 -07:00
Kevin McCarthy
1725397a53 Adds methods to manipulate groups by dns. 
Renamed some of the user_group parameters to be self-evident.
Binary wrapping isn't necessary on strings, so removed from xmlrpc calls.
 2007-09-26 15:47:34 -07:00
Kevin McCarthy
fa7759684f Adds manager and direct reports to usershow page. 
Fixes a bug with the group by member where is wasn't trapping not found errors.
 2007-09-25 15:44:49 -07:00
Kevin McCarthy
765279d82b Show the list of groups a user belongs to. 2007-09-25 13:35:43 -07:00
rcritten@redhat.com
fddae7a8a2 Fix error when using with TurboGears 2007-09-25 08:36:23 -04:00
rcritten@redhat.com
2fec56d679 Enable LDAP debugging using the mod_python Apache configuration directive 
PythonOption IPADebug On/Off
 2007-09-21 14:39:52 -04:00
rcritten@redhat.com
e41bb1d6fe Don't fall back on proxy authentication. We don't generate the certificates 
anymore and that failure just causes more confusion.
 2007-09-24 15:23:50 -04:00
Simo Sorce
fbfefe6b0e Merge conflicts between rob and kevin patches 2007-09-20 16:58:54 -04:00
Kevin McCarthy
036cf58042 Handle add/remove failures a little bit better. 
Still some refinements that can be done, but at least it shows the failures
now.
 2007-09-19 13:43:52 -07:00