Commit Graph

2893 Commits

Author SHA1 Message Date
Jan Zeleny
813b675268 Remove reference to ipa_webgui
Reference was removed from ipa-server-install(1) man page.
Ticket: #330
2010-11-03 10:25:07 -04:00
Jr Aquino
c99fda0d1e Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes. 2010-11-03 10:23:40 -04:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Adam Young
aff2816d20 group_remove_memeber.json
meta data for testing and developmemt
2010-10-29 23:55:45 -04:00
Jakub Hrozek
228b0ea656 Remove extra --prompt-all from ipa(1) man page
http://fedorahosted.org/freeipa/ticket/328
2010-10-29 14:45:50 -04:00
Rob Crittenden
03de1b89ca Implement nested netgroups and include summaries for the commands.
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.

ticket 209
2010-10-29 14:03:15 -04:00
Adam Young
6df16f3a10 delete associations
Uses code very similar to the search code for deleting associations
Had to modify how we were configuring for bulk so that the logic for delete matched the logic for enroll

Fixed unit test and removed the 'new' from the associator call
2010-10-29 17:12:55 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
c1dfb50ee9 Remove group nesting from the HBAC service groups
ticket 389
2010-10-28 17:34:34 -04:00
Simo Sorce
4f8e4482b3 pwd-plugin: Always use a special salt by default.
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
2010-10-28 17:18:03 -04:00
Simo Sorce
79c39339da pwd-plugin: fix slapi log target in logging functions 2010-10-28 17:17:59 -04:00
Rob Crittenden
33802ab712 Use context to decide which name to return on RequirementsErrors
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).

If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.

ticket 187
2010-10-28 16:06:06 -04:00
Rob Crittenden
ff636984ab Add option to generate random one-time password for hosts for bulk enrollment
ticket 228
2010-10-28 15:27:58 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
47629a604d Retrieve Get Effective Rights output with LDAPRetrieve
The output is a pure python dict so is really only useful when used with
--all so it is required.

Updated to return a string for rights as opposed to a list.  Terser, reducing the wire size by a factor of 3.5
2010-10-28 14:35:34 -04:00
Endi S. Dewata
de3cc334ed Dialog boxes for AJAX, HTTP, and IPA errors.
The ipa_cmd() has been modified to identity the type of the error
it has received and display the error using the right dialog box.
The dialog box can be customized further to display the appropriate
amount of information for each type of error.
2010-10-28 13:11:51 -04:00
Endi S. Dewata
528145d5df Framework for custom UI
This patch introduces a new framework for implementing custom UI.
It consists of the following classes:

Main:
 - IPA: global namespace and object repository
 - ipa_entity: base class for entities
 - ipa_facet: base class for facets

Add dialog:
 - ipa_add_dialog: default add dialog
 - ipa_add_field: the fields used in the dialog

Search facet:
 - ipa_search_facet: default search facet
 - ipa_search_column: the columns in the search result

Details facet:
 - ipa_details_facet: default details facet
 - ipa_details_section: the sections in the details facet
 - ipa_details_field: the fields in the details facet

Association facet:
 - ipa_association_facet: default association facet
 - ipa_association_config: the association configurations

To use this framework, create a class extending the ipa_entity (e.g.
ipa_hbac). Use the create_* methods to create add dialog, search facet,
details facet, and association facet. The fields/columns for the dialog
and facets can be specified using the init() function. Custom UI can be
defined by overwriting the base methods (e.g. setup, save, load).
The entity must be added into the repository using IPA.add_entity().

The original ipa_entity_setup() has been generalized by moving facet-
specific codes into the corresponding facet. Some facet names are still
hard-coded. This will be fixed in follow-up patches.

Some global variables have been removed because their function has been
replaced by the object repository:
 - ipa_entity_add_list
 - ipa_entity_search_list
 - ipa_entity_details_list
 - window_hash_cache

Some functions and variables have been moved into IPA namespace:
 - ipa_json_url -> IPA.json_url
 - ipa_use_static_files -> IPA.use_static_files
 - ipa_ajax_options -> IPA.ajax_options
 - ipa_objs -> IPA.metadata
 - ipa_messages -> IPA.messages
 - ipa_dialog -> IPA.error_dialog
 - ipa_init() -> IPA.init()

Initially the HBAC and Service entities have been rewritten to use the
new framework. The DNS is partially converted, the ipa_records_facet
is used to define custom records facet.

Other entities can still work using the old framework. The old framework
has been modified to be a wrapper for the new framework. Eventually all
entities will be converted to use the new framework.

Some unit tests have been modified to use the new framework.
2010-10-28 09:28:17 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Pavel Zuna
93290c8a72 Add LDAPObject setting to handle different attributes for RDN and PKEY. 2010-10-28 07:58:31 -04:00
Simo Sorce
c51ce61e4d UUIDs: remove uuid python plugin and let DS always autogenerate
merge in remove uuid
2010-10-28 07:58:31 -04:00
Simo Sorce
1bfd0f8791 ipa_uuid: prevent false positives on modifies
If a modify operation does not specify our attribute then we need to short
circuit the loop, otherwise on enforcing we will return an error by mistake if
we are not Directory Manager because generate is false if the attr is not
found.
2010-10-28 07:58:31 -04:00
Simo Sorce
99a7f83c3c ipa_uuid: Handle generation of the uuid when it is a RDN 2010-10-28 07:58:31 -04:00
Simo Sorce
2a141bf2c1 ipa-uuid: Add enforce mode
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
2010-10-28 07:58:31 -04:00
Simo Sorce
7fc6dfbcac ipa-uuid: Code cleanups
Remove one level of indentation from the main function by jumping
to the end immediately if the configuration list is empty.
Other minor style cleanups.
2010-10-28 07:58:31 -04:00
Simo Sorce
1233a7aff3 ipa-uuid: safer unlock handling
This allows the code in the for loop to error out without worrying of
forgetting to unlock the config entries.
2010-10-28 07:58:31 -04:00
Simo Sorce
2d63522d48 ipa-uuid: Reset generate flag at every cycle
Avoid false positives if more than one uuid attribute is generated
in the same entry.
2010-10-28 07:58:31 -04:00
Simo Sorce
56724fa024 ipa-uuid: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
3f1293582f ipa-modrdn: Remove unused functions 2010-10-28 07:58:31 -04:00
Simo Sorce
874dc15c5d ipa-modrdn: Enable plugin to handle krbPrincipalName on renames 2010-10-28 07:58:31 -04:00
Simo Sorce
984942ee49 Add new plugin used to modify related attributes after a modrdn operation. 2010-10-28 07:58:31 -04:00
Adam Young
97bcbdec2f Field Errors Uses the pattern field of the metat data to see if the input for a given field is valid. If not, displays a red box with the contents of pattern_msg
To test this, I artificially modified the meta data for the Group description field
2010-10-28 03:06:28 -04:00
Adam Young
43212caf5d association header
header was missing on the association pages.
2010-10-26 20:03:42 -04:00
Rob Crittenden
9afedcb683 Error out when configure finds missing dependencies
ticket 315
2010-10-26 15:39:43 -04:00
Rob Crittenden
6abc4186b4 Change SUDO command attr to be case sensitive
* Fixed comments
* Added attribute
* Fixed objectclass
2010-10-26 13:23:10 -04:00
Adam Young
038ae18a8a whoami goodbye
Removing the whoami plugin, as it has been wrapped up into the user plugin
2010-10-26 10:20:32 -04:00
Adam Young
d866399bee dns work
without the details change
including changes from Reviewboard https://fedorahosted.org/reviewboard/r/96/

Fixed pages that use unspecified (krb ticket policy, config)
Facet name comes out of the facet, not hard coded.
2010-10-25 15:55:40 -04:00
Adam Young
b4655f1119 find_entries param
Fixes a bug where find_entries was not passed a parameter for filter.
Instead of fixing the call point, this patch adds a defaulty value for the parameter,
so that they can all be passed by name.
2010-10-25 15:21:44 -04:00
Adam Young
88c88d9504 sample data for DNS 2010-10-25 11:47:19 -04:00
Adam Young
476d1947a9 remove rule for inc files. 2010-10-25 11:45:17 -04:00
Rob Crittenden
0e4e1f4bbd Fix two failing tests.
The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.
2010-10-22 21:45:37 -04:00
Rob Crittenden
b270542863 Grant /usr/sbin/ipa_kpasswd "name_bind" access.
Requires selinux-policy-3.6.32-123 on F12
Requires selinux-policy-3.7.19-40 on F13

ticket 73
2010-10-22 21:43:00 -04:00
Rob Crittenden
9726941e3d Disallow writes on serverHostName and memberOf
serverHostName because this is tied to the FQDN so should only be changed
on a host rename (which we don't do).

memberOf because the plugin should do this. Directly manging this attribute
would be pretty dangerous and confusing.

Also remove a redundant aci granting the admins group write access to
users and groups. They have it with through the "admins can modify any
entry" aci.

tickets 300, 304
2010-10-22 21:41:01 -04:00
Rob Crittenden
6220b53893 Set default encoding to utf-8, use unicode when printing output.
The Gettext() object only does the lookup when you print it as a unicode.

ticket 308
2010-10-22 21:39:53 -04:00
Rob Crittenden
0ef9d88104 Add default python encoding module to reset default from ascii to utf-8
Also clean up some duplicate files in the rpm for the UI.
2010-10-22 21:39:20 -04:00
Pavel Zuna
5dcf011363 Add fail-safe defaults to time and size limits in ldap2 searches. 2010-10-22 19:53:08 -04:00
Adam Young
ae76022df5 Multivalue fixes
Strikethrough is now a toggle
undo resets value to blank for new entries.
2010-10-22 19:51:54 -04:00
Simo Sorce
9018b601cd ipa-uuid: enable plugin in IPA 2010-10-22 17:22:46 -04:00
Simo Sorce
3a05149201 ipa-uuid: DNA-like plugin that generates uuids 2010-10-22 17:22:40 -04:00
Simo Sorce
f6a50c49ad Handle cases where ntpd options are scattered on multiple lines 2010-10-22 17:22:34 -04:00