For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- userclass
added to existing Modify hosts permission
- usercertificate, userpassword
added to a new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The recent conversions to managed permissions left behind a few
failing tests. Fix them.
Also fix a now incorrect docstring in ipalib.config.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.
Fix the behaviour and cover it in the test suite.
https://fedorahosted.org/freeipa/ticket/4360
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When api.env is loaded, strings that "look like" floats got
auto-converted to floats.
This is wrong, as the conversion to float can lose precision.
Case in point: the api_version (e.g. '2.88') should never be
interpreted as float.
Do not automatically convert to float.
We have two numeric options: startup_timeout and wait_for_dns.
wait_for_dns is already converted to int when used in the code.
Convert startup_timeout to float explicitly when used, so
configuration that specified it with a decimal point continues
to work.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The current code would convert values to DN if the key was
a substring of 'basedn', e.g. 'base' or 'sed'.
Only convert if we're actually dealing with 'basedn'.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This results in the proper message being shown if the client sends
an option the server doesn't have yet.
It also adds the check to commands that override run() but not __call__,
such as `ipa ping`, and to commands run on the server. Adjust tests
for these changes.
https://fedorahosted.org/freeipa/ticket/3963
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users
https://fedorahosted.org/freeipa/ticket/3697
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When the strings are changed again, translators will only need to
re-translate the modified parts.
See: https://fedorahosted.org/freeipa/ticket/3587
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Add API version to constants.py
- Add version option to plugable.py
- Add version to ipa manpage and fix a couple of typos
https://fedorahosted.org/freeipa/ticket/4316
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
- regression in be6edef6e4:
The __ne__ special method was named incorrectly
- regression in 1ea6def129:
The targetattr operator was never compared
Include some new comparison tests.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Validator is no more used in dns plugin
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
