Commit Graph

396 Commits

Author SHA1 Message Date
Endi S. Dewata
fa75959486 Fixed parameter for user city.
Previously the user's city parameter is defined to use the 'locality'
attribute. This was a problem because the attribute would be returned
as 'l' by the directory server causing a mismatch. Now the parameter
has been changed to use the 'l' attribute.
2011-02-18 10:10:35 -05:00
Martin Kosek
e5d57d237b HBAC plugin inconsistent output
This patch adds a proper summary text to HBAC command which is
then printed out in CLI. Now, HBAC plugin output is consistent
with other plugins.

https://fedorahosted.org/freeipa/ticket/596
2011-02-16 10:39:16 -05:00
Rob Crittenden
81020a2ffa A mod command should not be able to remove a required attribute.
Some attribute enforcement is done by schema, others should be done
by the required option in a Parameter. description, for example, is
required by many plugins but not the schema. We need to enforce in the
framework that required options are provided.

After all the setattr/addattr work is done run through the modifications
and ensure that no required values will be removed.

ticket 852
2011-02-14 14:46:29 -05:00
Rob Crittenden
cb48ec3508 Ignore case when removing group members.
ticket 944
2011-02-14 10:22:28 -05:00
Rob Crittenden
3ac3130fc9 Convert json strings to unicode when they are unmarshalled.
This patch removes some individual work-arounds of converting strings
to unicode, they only masked the problem. String values are not
passed to the validator or normalizers so things like adding the
realm automatically to services weren't happening.

ticket 941
2011-02-11 13:36:15 -05:00
Rob Crittenden
c187b276ad Fix test failures caused by the performance patch.
It isn't safe to assume there is an environment or mode in any given
object. Only skip the extra work if the object explicitly has production
in it.
2011-02-10 13:52:29 -05:00
Rob Crittenden
0188158a76 Use correct LDAP attributes for city and state.
Also add a unit test for address.

Ticket 889
2011-02-02 16:53:32 -05:00
Rob Crittenden
c6ef39b2c0 Add new schema to store information about permissions.
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.

ticket 853
2011-02-01 16:00:41 -05:00
Martin Kosek
685c516e88 Permission rename test failing
This patch fixes test for Permission plugin - mainly permission-mod
part. Description field that the tests expected and which was
removed in ticket 792 was removed from the tests.

https://fedorahosted.org/freeipa/ticket/892
2011-02-01 15:43:12 -05:00
Rob Crittenden
4b7e5721d4 Fix changing membergroup in a delegation.
This is mostly due to inconsistent option name usage but also due
to the aci plugin not always treating memberof as a special kind
of filter.

ticket 869
2011-02-01 11:59:24 -05:00
Rob Crittenden
bf4f77d985 Rename permissions and privileges to be more readable.
This also drops description from permissions since it seems redundant and
fixes up the help text a little.

ticket 792
2011-01-31 13:17:38 -05:00
Martin Kosek
f72d8e506a ipa permission-mod --rename does not work
This patch fixes nonfunctional rename operation in permission
plugin. Also makes sure, that no change is made to the underlying
ACI in pre_callback() when the target permission already exists.

Several tests for the rename operation have been created to ensure
that the it won't break again unnoticed.

https://fedorahosted.org/freeipa/ticket/814
2011-01-28 23:51:09 -05:00
Jakub Hrozek
0a6b1c4bce Enforce that all NS records are resolvable
Bind cannot load a zone if any of its name server records is not
resolvable.

https://fedorahosted.org/freeipa/ticket/838
2011-01-28 11:44:38 -05:00
Jakub Hrozek
a641f1f23d Delete the whole DNS record with no parameters
Error out when deleting a nonexistent DNS record

Also fixes the DNS unit tests.

https://fedorahosted.org/freeipa/ticket/816
https://fedorahosted.org/freeipa/ticket/829
2011-01-28 11:44:38 -05:00
Jakub Hrozek
70a9e04f04 Enforce uniqueness on (key,info) pairs in automount keys
https://fedorahosted.org/freeipa/ticket/293
2011-01-25 11:13:10 -05:00
Rob Crittenden
96469fbc88 Fix failed tests. API for utcoffset changed and strings are more robust.
In Python 2.7 the API for time.utcoffset() changed.

We do more automatic conversions of strings so need to loosen the tests
a bit.
2011-01-24 14:34:38 -05:00
Jan Zeleny
01f907c01b Move HBAC services and service groups to cn=hbac
https://fedorahosted.org/freeipa/ticket/762
2011-01-18 11:48:57 -05:00
Simo Sorce
25cfddcbe1 Move sudo related data all under cn=sudo
Fixes: https://fedorahosted.org/freeipa/ticket/773
2011-01-17 11:46:45 -05:00
Rob Crittenden
c69d8084c1 Add API version and have server reject incompatible clients.
This patch contains 2 parts.

The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.

The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).

To determine the API version of the server from a client use the ping
command.

ticket 584
2011-01-14 14:26:22 -05:00
Jr Aquino
1ea31a0cff fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 2011-01-12 11:40:47 -05:00
Rob Crittenden
6f58f38748 Display the entries that failed when deleting with --continue.
We collected the failures but didn't report it back. This changes the
API of most delete commands so rather than returning a boolean it returns
a dict with the only current key as failed.

This also adds a new parameter flag, suppress_empty. This will try to
not print values that are empty if included. This makes the output of
the delete commands a bit prettier.

ticket 687
2011-01-10 10:32:10 -05:00
Jan Zeleny
bfc338d81c Rename hbac module to hbacrule
The renaming follows previous discussion on mailing list and it leads to
name compatibility with other plugins (e.g. sudorule). It is also
necessary for following changes in ipa help.
2011-01-07 09:42:34 -05:00
Jr Aquino
fc8f7f9da8 SUDO plugin support for external hosts and users https://fedorahosted.org/freeipa/ticket/570 2010-12-21 12:29:46 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
ffd467bd7e Translate the membergroup dn into a group name.
Drop filter from the output, it is superfluous.

ticket 634
2010-12-20 15:18:42 -05:00
Jakub Hrozek
ffc6031ad7 Allow RDN changes from CLI
https://fedorahosted.org/freeipa/ticket/397
2010-12-20 11:27:46 -05:00
Rob Crittenden
34534a026f Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
2010-12-17 18:04:37 -05:00
Rob Crittenden
ffc967b47a Fix a slew of tests.
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
2010-12-17 17:01:57 -05:00
Rob Crittenden
cd7b64103b Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.

ticket 532
2010-12-13 20:15:46 -05:00
Jr Aquino
ced639eb99 tests for sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 2010-12-13 17:56:13 -05:00
Rob Crittenden
ba8d21f5ae Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.

We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added

ticket 567
2010-12-13 09:53:29 -05:00
Rob Crittenden
e8e274c9e0 Properly handle multi-valued attributes when using setattr/addattr.
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.

I've added some simple tests for setattr and addattr.

ticket 565
2010-12-10 13:42:47 -05:00
Rob Crittenden
5330280f08 Fix automount tests 2010-12-08 17:28:35 -05:00
Rob Crittenden
4c09809ea8 Add plugin for manage self-service ACIs
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.

Right now only ACIs in the basedn can be managed with this plugin.

ticket 531
2010-12-08 13:51:10 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Rob Crittenden
bfb3e46996 Remove accessTime from HBAC.
ticket 545
2010-12-06 11:42:13 -05:00
Pavel Zuna
5db7c4ec34 Add new version of DNS plugin: complete rework with baseldap + unit tests.
Ticket #36
Ticket #450
2010-12-01 21:32:09 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Rob Crittenden
d4f25453e1 Add managedby to Host entries
This will allow others to provision on behalf of the host.

ticket 280
2010-11-19 10:31:42 -05:00
Rob Crittenden
2046eddb7a Revoke a host's certificate (if any) when it is deleted or disabled.
Disable any services when its host is disabled.

This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.

ticket 297
2010-11-19 10:31:42 -05:00
Simo Sorce
629e9520e0 Revert tests code to use the old uuid format. 2010-11-15 11:47:27 -05:00
Rob Crittenden
6f5cd3232a user-enable/disable improvements
Always display the account enable/disable status.

Don't ignore the exceptions when a user is already enabled or disabled.

Fix the exception error messages to use the right terminology.

In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.

ticket 392
2010-11-04 12:49:33 -04:00
Rob Crittenden
72cf73b6b6 Output ACI's broken out into attributes rather than a single text field
Also add validation to the List parameter type.

ticket 357
2010-11-04 12:48:45 -04:00
Jr Aquino
c99fda0d1e Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes. 2010-11-03 10:23:40 -04:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Rob Crittenden
03de1b89ca Implement nested netgroups and include summaries for the commands.
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.

ticket 209
2010-10-29 14:03:15 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
c1dfb50ee9 Remove group nesting from the HBAC service groups
ticket 389
2010-10-28 17:34:34 -04:00
Rob Crittenden
33802ab712 Use context to decide which name to return on RequirementsErrors
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).

If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.

ticket 187
2010-10-28 16:06:06 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Simo Sorce
c51ce61e4d UUIDs: remove uuid python plugin and let DS always autogenerate
merge in remove uuid
2010-10-28 07:58:31 -04:00
Rob Crittenden
0e4e1f4bbd Fix two failing tests.
The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.
2010-10-22 21:45:37 -04:00
Pavel Zuna
42c78a383d Add flag to group-find to only search on private groups.
ticket #251
2010-10-20 17:38:03 -04:00
Rob Crittenden
391d66e4af Fix _merge_from_file test 2010-10-18 15:52:20 -04:00
Rob Crittenden
d2a9ccf407 Accept an incoming certificate as either DER or base64 in the service plugin.
The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the format
it came in as.

ticket 348
2010-10-08 13:15:03 -04:00
Rob Crittenden
bed6e81935 If an HBAC category is 'all' don't allow individual objects to be added.
Basically, make 'all' mutually exclusive. This makes debugging lots easier.
If say usercat='all' there is no point adding specific users to the rule
because it will always apply to everyone.

ticket 164
2010-10-08 10:11:41 -04:00
Pavel Zuna
6606b2a9c5 Rename user-lock and user-unlock to user-enable user-disable.
Ticket #165
2010-10-06 09:20:44 -04:00
Jr Aquino
bfd2e383dc Added modifications to the sudorule plugin to reflect the schema update. 2010-10-05 21:37:59 -04:00
Rob Crittenden
f94a3d1751 Fix a couple of test cases broken by the POSIX group change.
They were made as non-POSIX originally, keep them that way.
2010-10-04 09:53:42 -04:00
Rob Crittenden
f906aaf376 Groups are now created as POSIX by default.
ticket 241
2010-10-01 14:16:36 -04:00
Rob Crittenden
88bd2a0a45 Fix LDAP client backend failing test case 2010-10-01 13:42:32 -04:00
Jr Aquino
af48654cbc Add plugins for Sudo Commands, Command Groups and Rules 2010-09-27 22:38:06 -04:00
Rob Crittenden
5b3d0f568a Add some tests for using the ldap2 Backend.
Fix a logic problem in ldap2:get_schema() for determining if it
can fetch the schema or not. Normally we only want to do this for servers
but if you pass in your own connection it will use that.
2010-09-24 15:40:56 -04:00
Rob Crittenden
86c4970d11 Fix the ipa-ldap-updater tests.
We dropped the schema for ipaContainer so use nsContainer instead.

ticket 121
2010-09-10 16:52:31 -04:00
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
e225ad4341 Add support for ldap:///self bind rules
This is added mainly so the self service rules can be updated without
resorting to ldapmodify.

ticket 80
2010-08-19 10:49:42 -04:00
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
719592a209 Fix user tests to handle managed entries
We now enable managed entries by default and need to account for it
in the expected output.
2010-08-10 16:41:28 -04:00
Rob Crittenden
768cb29afe Check to see if the command is available before running command tests. 2010-08-06 15:33:32 -04:00
Rob Crittenden
35cbbde5bf Fix RPC tests. The method comes back as a unicode from xmlrpclib. 2010-08-06 15:32:53 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
252b73fb3e Skip the i18n test if the test language has not been built 2010-08-06 15:32:00 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Rob Crittenden
4ea34d5910 Add framework for other command-line tests, starting with ipa-getkeytab. 2010-08-06 13:12:02 -04:00
Rob Crittenden
e874b41c5b Fix this test to work from source tree root
It would work if you ran the test from its location in tests/test_ipalib
but this isn't the most common method. If you want to run it individually
you can do:

$  ./make-test tests/test_ipalib/test_text.py
2010-08-06 13:11:05 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
563c7cde40 Add some basic tests for ipalib/x509 2010-07-29 10:45:11 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
c9e0b43d53 Add test to ensure that a certificate we issue is actually stored properly. 2010-07-13 09:28:03 -04:00
Rob Crittenden
7f9485f5bf Change expected aci summary from Updated to Modify in test cases 2010-07-06 15:39:44 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
1dad0758ce Use new service schema for HBAC tests 2010-05-17 13:48:44 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
John Dennis
5b9d1ee180 Add gettext translation test using test language. 2010-04-16 10:56:48 -04:00
Jason Gerard DeRose
918721c1d0 XML-RPC signature change 2010-03-30 15:10:58 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Rob Crittenden
d13fcb6a0c Ensure that the group policy priority is unique.
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
2010-03-19 07:13:33 -06:00
Jason Gerard DeRose
c350f84134 Finish deferred translation mechanism 2010-03-16 11:41:22 -06:00