This patch contains 2 parts.
The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.
The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).
To determine the API version of the server from a client use the ping
command.
ticket 584
Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.
ticket 752
The output problem was a missing label for failed managedby.
This also fixes a call to print_entry that was missing the flags argument.
Add a flag to specify whether a group can be a member of itself, defaulting
to False.
ticket 708
Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
Flag parameters are always autofill by definition, causing unexpected
search results. This patch retypes them to Bool for search commands,
so that users have to/can enter the desired value manually.
Ticket #689
Ticket #701
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.
This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.
ticket 687
It is possible to create an ACI with attributes and then try to set that
to None via a mod command later. We need to catch this and raise an exception.
If all attributes are set to None in an aci then the attr target is removed
from the ACI. This could result in an illegal ACI if there are no other
targets. Having no targets is a legal state, just not a legal final state.
ticket 647
The concept is now following:
topic: either a module or a group of modules containing registered
commands. All these commands will usually handle common entity
type (e.g. hbac rules)
subtopic: each topic can have a number of subtopics. In this case topic
is a group of modules and each module represents a subtopic.
grouping modules to topics is possible by assigning a 2-tuple to module
variable:
topic = ('topic-name','topic description')
The topic description has to be the same in all modules in the topic.
These are examples of commands now available in IPA help:
ipa help - display a list of all topics
ipa help hbac - display help for hbac topic
ipa help hbacrule - display help for a subtopic of hbac
ipa help hbacrule-add - display help for a particular command
https://fedorahosted.org/freeipa/ticket/410
The renaming follows previous discussion on mailing list and it leads to
name compatibility with other plugins (e.g. sudorule). It is also
necessary for following changes in ipa help.
Only a generic error message were displayed when a non-existing
host was passed to host-del or host-disable operations.
This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.
https://fedorahosted.org/freeipa/ticket/303
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.
After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.
You can do this for example:
# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins
# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global
# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
Print the attribute CLI name instead of its 'real' name.
The real name is usually the name of the corresponding LDAP
attribute, which is confusing to the user.
This way we get:
Invalid 'login': blablabla
instead of:
Invalid 'uid': blablabla
Another example:
Invalid 'hostname': blablabla
instead of:
Invalid 'fqdn': blablabla
Ticket #435
Implements the role, privilege, permission, delegation and selfservice entities ui.
Targetgroup has been added to the object types.
The groups lists need to be filter. The filter is currently hidden, with a
hyperlink that reads 'filter' to unhide it. Each keystroke in this filter
performs an AJAX request to the server.
There are bugs on the server side that block some of the functionality from
completing
Creating a Permission requires one of 4 target types. The add dialog in this
version assumes the user will want to create a filter type. They can change
this on the edit page.
Most search results come back with the values as arrays, but ACIs seem not to.
Search and details both required special code to handle non-arrays.
The unit tests now make use of the 'module' aspect of QUnit. This means that
future unit test will also need to specify the module. The advantage is that
multiple tests can share a common setup and teardown.
Bugs that need to be fixed before this works 100% are
https://fedorahosted.org/freeipa/ticket/634https://fedorahosted.org/freeipa/ticket/633
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.
Example:
ipa group-find --no-users=admin
Only direct members are taken into account.
Ticket #288
