Commit Graph

3132 Commits

Author SHA1 Message Date
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
ffd467bd7e Translate the membergroup dn into a group name.
Drop filter from the output, it is superfluous.

ticket 634
2010-12-20 15:18:42 -05:00
Pavel Zuna
3a9210f06f Enable filtering search results by member attributes.
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
2010-12-20 12:28:45 -05:00
Jakub Hrozek
ffc6031ad7 Allow RDN changes from CLI
https://fedorahosted.org/freeipa/ticket/397
2010-12-20 11:27:46 -05:00
Jakub Hrozek
bf778a74a3 Clarify ipa-replica-install error message 2010-12-20 11:27:42 -05:00
Jakub Hrozek
1317cf4966 Check the number of fields when importing automount maps
https://fedorahosted.org/freeipa/ticket/359
2010-12-20 11:27:38 -05:00
Jakub Hrozek
ee4d2739f1 Make the IPA installer IPv6 friendly
Notable changes include:
 * parse AAAA records in dnsclient
 * also ask for AAAA records when verifying FQDN
 * do not use functions that are not IPv6 aware - notably socket.gethostbyname()
   The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
   section "Interface Checklist"
2010-12-20 11:27:34 -05:00
Gowrishankar Rajaiyan
b328d845de Correcting my name in Contributors file. 2010-12-20 10:56:35 -05:00
Gowrishankar Rajaiyan
018ca2ce3f Fixing typos in man page of ipa-getkeytab 2010-12-20 10:56:31 -05:00
Jakub Hrozek
d7d77a749c import NSPRError in host.py 2010-12-20 10:46:37 -05:00
Jan Zeleny
a1a8e7c138 Added option --no-reverse to add-host
When adding a host with specific IP address, the operation would fail in
case IPA doesn't own the reverse DNS. This new option overrides the
check for reverse DNS zone and falls back to different IP address
existence check.

https://fedorahosted.org/freeipa/ticket/417
2010-12-20 10:45:27 -05:00
Jakub Hrozek
409e4062f4 Allow renaming of object that have a parent
Allow renaming of object that have a parent
2010-12-20 10:44:10 -05:00
Jakub Hrozek
7aed107973 Make pkey always iterable when deleting 2010-12-20 10:42:33 -05:00
Jakub Hrozek
0e6962f710 Fix delegation.ldif typo 2010-12-20 10:41:25 -05:00
Rob Crittenden
34534a026f Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
2010-12-17 18:04:37 -05:00
Rob Crittenden
7035ffe49c Fix some doctests
A few had bad formatting causing the doctests to fail.
2010-12-17 18:04:37 -05:00
Rob Crittenden
eb9cb783ee Catch ACI errors better when adding a permission.
We create the aci with the --test flag to test its validity but it doesn't
do the same level of tests that actually adding an aci to LDAP does. Catch
any syntax errors that get thrown and clean up as best we can.

ticket 621
2010-12-17 18:04:37 -05:00
Rob Crittenden
1600146c94 Verify that the replication plugin exists before setting up replicas.
ticket 502
2010-12-17 17:31:19 -05:00
Rob Crittenden
358b28398c Move automount, default HBAC services, netgroup and hostgroup bootstrapping.
There is no need for these to be done as updates, just add these entries
to the bootstrapping.
2010-12-17 17:31:19 -05:00
Rob Crittenden
1207a7c83f Fix the change_password permissions and the DNS access controls.
The change_password permission was too broad, limit it to users.

The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.

ticket 628
2010-12-17 17:16:25 -05:00
Rob Crittenden
b66c680f86 Remove principal as an option when updating an existing user.
ticket 559
2010-12-17 17:08:12 -05:00
Rob Crittenden
ffc967b47a Fix a slew of tests.
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
2010-12-17 17:01:57 -05:00
Rob Crittenden
623abc6bdf Properly quote passwords sent to pkisilent so special characters work.
Also check for url-encoded passwords before logging them.

ticket 324
2010-12-17 16:50:14 -05:00
Adam Young
67d1c07112 kinit typo
Was origially KInit  but the command is kinit
2010-12-17 16:36:48 -05:00
Adam Young
00ebf8c4e3 error link
Change the link in the error message to the one that will actually fix the problem
2010-12-17 16:27:11 -05:00
Adam Young
22b2cbbe44 type prevented rendering on firefox4 2010-12-17 16:07:09 -05:00
Rob Crittenden
8f87aa1288 Add krb5-pkinit-openssl as a Requires on ipa-server package
ticket 599
2010-12-16 09:33:11 -05:00
Simo Sorce
fbe72a4521 Use nsContainer and not extensibleObject for masters entries 2010-12-15 10:58:03 -05:00
Endi S. Dewata
cec6703da3 Account activation adjustment
The user details facet has been modified such that when the account
is activated/deactivated the page will be reloaded.

Some methods in the framework have been changed:
 - The ipa_widget.clear() has been removed because it can be replaced
   by existing reset().
 - The ipa_widget.set_values() has been renamed into update().
2010-12-14 16:45:41 -05:00
Rob Crittenden
e0a39234f7 Add metadata for the selfservice and delegation plugins. 2010-12-14 11:06:51 -05:00
Rob Crittenden
cd7b64103b Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.

ticket 532
2010-12-13 20:15:46 -05:00
Rob Crittenden
8a534bf07b Give the memberof plugin time to work when adding/removing reverse members.
When we add/remove reverse members it looks like we're operating on group A
but we're really operating on group B. This adds/removes the member attribute
on group B and the memberof plugin adds the memberof attribute into group A.

We need to give the memberof plugin a chance to do its work so loop a few
times, reading the entry to see if the number of memberof is more or less
what we expect. Bail out if it is taking too long.

ticket 560
2010-12-13 17:58:43 -05:00
Jr Aquino
ced639eb99 tests for sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 2010-12-13 17:56:13 -05:00
Jr Aquino
b23b3911d2 sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 2010-12-13 17:56:13 -05:00
Jr Aquino
13139f2fd6 managed entry hostgroup netgroup support https://fedorahosted.org/freeipa/ticket/543 2010-12-13 17:56:12 -05:00
Adam Young
2884bce276 relabel role
no longer calling them role groups.
2010-12-13 15:10:20 -05:00
Rob Crittenden
5f8a9b9849 Add --out option to service, host and cert-show to save the cert to a file.
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.

ticket 473
2010-12-13 09:58:26 -05:00
Rob Crittenden
c9807f4b25 Better handle permission object updates versus aci object updates.
permissions are a real group pointed to by an aci, managed by the same
plugin. Any given update can update one or both or neither. Do a better
job at determining what it is that needs to be updated and handle the
case where only the ACI is updated so that EmptyModList is not thrown.

ticket 603
2010-12-13 09:55:28 -05:00
Rob Crittenden
ba8d21f5ae Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.

We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added

ticket 567
2010-12-13 09:53:29 -05:00
Rob Crittenden
e8157f2628 Fix typo in migration documentation 2010-12-13 09:48:16 -05:00
Rob Crittenden
be3c8e8c02 Don't import from ipaserver when not in a server context.
ticket 579
2010-12-11 12:50:17 -05:00
Rob Crittenden
33860ebb43 Pass the DM password when trying to delete a replica.
If the ticket is expired or otherwise unusable it should fall back to the DM
password. It was prompted for correctly but wasn't being passed on.

ticket 549
2010-12-11 10:42:09 -05:00
Rob Crittenden
490ae68e29 Save exception so it can be passed along. 2010-12-11 00:48:33 -05:00
Simo Sorce
918ceca087 Fixes for ipactl script
Fixes: https://fedorahosted.org/freeipa/ticket/613
2010-12-10 23:09:45 -05:00
Simo Sorce
95c4b894f9 Fix Install using dogtag.
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.

Fixes: https://fedorahosted.org/freeipa/ticket/612
2010-12-10 23:09:41 -05:00
Jan Zeleny
8fd288df08 Print expected error message in hbac-mod
This patch catches NotFound exception and calls handling function
which then sends exception with unified error message.

https://fedorahosted.org/freeipa/ticket/487
2010-12-10 13:52:14 -05:00
Rob Crittenden
e8e274c9e0 Properly handle multi-valued attributes when using setattr/addattr.
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.

I've added some simple tests for setattr and addattr.

ticket 565
2010-12-10 13:42:47 -05:00
Rob Crittenden
1a20d75421 Set labels on all attributes in the config object.
Make the cert subject base read-only. This is here only so replicated servers
know their base.

ticket 466
2010-12-10 13:41:35 -05:00
Simo Sorce
bfaea1dd78 Move Selfsigned CA creation out of dsinstance
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.

Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-10 12:28:38 -05:00
Simo Sorce
2efc08a6fc Introduce ipa control script that reads configuration off ldap
This replace the former ipactl script, as well as replace the current way ipa
components are started.

Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.

resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-10 12:28:38 -05:00