Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.
The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.
https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA. Raise NotFound if the cert with the given
serial was not issued by the nominated CA.
Also default the --ca option of cert-show to the IPA CA.
Add commentary to cert-status to explain why it does not use the
--ca option.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change user_status from a method of user to a method of a new userstatus
class, which defines the extra attributes returned by user_status.
This fixes user_status CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Allow multiple incompatible versions of a plugin using the same name. The
current plugins are assumed to be version '1'.
The unique identifier of plugins was changed from plugin name to plugin
name and version. By default, the highest version available at build time
is used. If the plugin is an unknown remote plugin, version of '1' is used
by default.
https://fedorahosted.org/freeipa/ticket/4427
Reviewed-By: David Kupka <dkupka@redhat.com>
Properly mark `cn` as primary key of `automember` object.
This fixes automember crashing on output validation expecting primary key
value of None.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When client requests schema it can list fingerprints of cached schemas
and server responds with SchemaUpToDate exception specifying fingeprint
of schema to use.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow search by certificate data or file in cert-find.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Get owner information from LDAP in cert-show and cert-find. Allow search by
owner in cert-find.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Implement cert as an object with methods rather than a bunch of loosely
related commands.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Support object classes defined by object plugins in API schema.
Added new commands `class-show` and `class-find` to retrieve information
about object classes. `param-show` and `param-find` now support both
commands and classes.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Capture the server API rather than client API in API.txt. Client API may be
affected by client-side plugins and thus may not correspond to what is
transmitted over the wire.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.
`server-del` nows performs these actions:
* check topology connectivity
* check that at least one CA/DNS server and DNSSec masters are left
after removal
* cleanup all LDAP entries/attributes exposing information about the master
* cleanup master DNS records
* remove master and service principals
* remove master entry from LDAP
* check that all segments pointing to the master were removed
`server-del` now accepts the following options:
* `--force`: force master removal even if it doesn't exist
* `--ignore-topology-disconnect`: ignore errors arising from disconnected
topology before and after master removal
* `--ignore-last-of-role`: remove master even if it is last DNS server,
and DNSSec key master. The last CA will *not* be removed regardless of
this option.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.
https://fedorahosted.org/freeipa/ticket/5689http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).
server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.
http://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This patch implements the `serverroles` API plugin which introduces the
following commands:
* server-role-show SERVER ROLE: show status of a single role on a server
* server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
find role(s) SERVROLE and return their status on IPA
masters. If --server option is given, the query is limited to this
server. --status options filters the output by status [enabled vs.
configurer vs. absent]
https://fedorahosted.org/freeipa/ticket/5181http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Part of https://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.
The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.
Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
location-show returns list of servers curently assigned to the location
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Server find, server show, server mod should work with IPA locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add a set of plugins for API schema introspection. This includes:
* a set of commands for command introspection
(`command_find`, `command_show`, `command_defaults`),
* a set of commands for command param introspection
(`param_find`, `param_show`),
* a set of commands for command output introspection
(`output_find`, `output_show`),
* a set of commands for help topic introspection
(`topic_find`, `topic_show`),
* a command to get the full API schema in one call (`schema`).
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Introduce new `deprecated` Param keywork argument. Setting it to True on a
param has the same effect as using DeprecatedParam. This allows deprecating
params while retaining their type information.
Revert all DeprecatedParam params back to their original definition and set
`deprecated` to True.
Remove the now unused DeprecatedParam class.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.
To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.
For other commands processing of members stays unchanged. WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Copy arguments of vault_{add,mod,archive,retrieve} from
vault_{add,mod,archive,retrieve}_internal.
Also add missing LDAPCreate arguments to vault_add_internal.
This will make it possible to move the commands to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace code which references the DNSRecord and dnsrecord classes with
equivalent code which uses only generic data structures.
This will make it possible to move client code to ipaclient without
dnsrecord bits, DNSRecord and all its subclasses.
The conversion from record value to structured record can't be done on the
client without DNSRecord and subclasses. Introduce a new internal command
dnsrecord_split_parts to do the job on the server when necessary.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Change Param formatting to:
* always use quantified names rather than the `required` and `multivalue`
kwargs,
* ignore kwargs with default value,
* ignore kwargs related to validation, as validation is now strictly
server-side,
* ignore the `attribute` and `primary_key` kwargs, as they are relevant
only on object params,
* ignore the `include` and `exclude` kwargs, as makeapi takes into account
only params available in the 'cli' context,
* ignore the unused `csv` kwarg.
Format optional Output arguments as kwargs.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Check if the zone user wants to add is already resolvable and refuse to
create it if yes. --skip-overlap-check and --force options suppress this check.
https://fedorahosted.org/freeipa/ticket/5087
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Added commands:
* user-add-manager
* user-remove-manager
* stageuser-add-manager
* stageuser-remove-manager
Commit contains override of convert_attribute_members method in baseuser
class that ensures the managers will be returned in 'manager' attribute
due to backward compatibility instead of 'manager_user' as would be
expected.
https://fedorahosted.org/freeipa/ticket/5344
This patch also fixes: https://fedorahosted.org/freeipa/ticket/5387
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The initial fix of ticket 5247 rejected renames, but left the option
behind for API compatibility. Remove the option now, according to
the consensus that because it never worked, it is fine to remove it.
Fixes: https://fedorahosted.org/freeipa/ticket/5247
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch replaces 'stageuser-add --from-delete' with new command
user-stage.
Original way always required to specify first and last name, and
overall combination of options was hard to manage. The new command
requires only login of deleted user (user-del --preserve).
https://fedorahosted.org/freeipa/ticket/5041
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault-find plugin has two additional arguments to list all
service vaults or user vaults. Since the name of a vault is only unique
for a particular user or service, the commands also print the vault user
or vault service. The virtual attributes were added in rev
01dd951ddc.
Example:
$ ipa vault-find --users
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault user: admin
Vault name: UserVault
Type: standard
Vault user: admin
----------------------------
Number of entries returned 2
----------------------------
$ ipa vault-find --services
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL
Vault name: myvault
Type: standard
Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
----------------------------
Number of entries returned 2
----------------------------
https://fedorahosted.org/freeipa/ticket/5150
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.
https://fedorahosted.org/freeipa/ticket/5171
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they dont have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
API refactoring caused that session_logout command was not registered.
Commands in ipalib/plugins directory are automatically registered.
Reviewed-By: Martin Basti <mbasti@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.
Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--out=FILENAME' option to `certprofile-show'. When given,
it exports the profile configuration from Dogtag and writes it to
the named file.
Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A new group of commands is introduced that simplifies adding and removing
binary certificates to entries. A general form of the command is
ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB]
Part of http://www.freeipa.org/page/V4/User_Certificates and
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Checks done:
1. check if the topology is not disconnected. In other words if
there are replication paths between all servers.
2. check if servers don't have more than a recommended number of
replication agreements(4)
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
direction
- downgrade of direction
These situations are now forbidden in API.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Mod of segment end will be disallowed in topology plugin.
Reasoning (by Ludwig): if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
New commands have been added to archive and retrieve
data into and from a vault, also to retrieve the
transport certificate.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree]
which allows the user to specify LDAP search depth for users and groups.
'onelevel' was the hard-coded level before this patch and is still
default. Specify 'subtree' to search nested OUs for users and groups.
https://fedorahosted.org/freeipa/ticket/2547
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Service Constraints are the delegation model used by
ipa-kdb to grant service A to obtain a TGT for a user
against service B.
https://fedorahosted.org/freeipa/ticket/3644
Reviewed-By: Martin Basti <mbasti@redhat.com>
Update the framework to support multiple host and service
certificates.
host-mod and service-mod revoke existing certificates that are not
included in the modified entry. Using addattr=certificate=... will
result in no certificates being revoked.
The existing behaviour of host-disable, host-del, service-disable
and service-del (revoke existing certificate) is preserved but now
applies to all certificates in the host or service entry.
Also update host-show and service-show to write all the principal's
certificates to the file given by the ``--out=FILE`` option.
Part of: http://www.freeipa.org/page/V4/User_Certificateshttps://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa server-find
ipa server-show FQDN
These commands display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
add user plugin commands : user-undel
user-undel: moves a user from delete container to the active container
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
change user plugin commands : user-find
user-find support of --preserved option to show preserved (aka deleted) users
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
