Nathaniel McCallum
b3a6701e73
Catch USBError during YubiKey location
...
https://fedorahosted.org/freeipa/ticket/4693
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-25 16:44:00 +01:00
David Kupka
56ca47d535
Fix error message for nonexistent members and add tests.
...
https://fedorahosted.org/freeipa/ticket/4643
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-24 16:04:57 +01:00
Rob Crittenden
5c0ad221e8
Use NSS protocol range API to set available TLS protocols
...
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-24 13:09:44 +00:00
David Kupka
35dad9684b
Fix --{user,group}-ignore-attribute in migration plugin.
...
Ignore case in attribute names.
https://fedorahosted.org/freeipa/ticket/4620
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-20 16:49:13 +01:00
Martin Basti
310e46452c
Fix warning message should not contain CLI commands
...
Message is now universal for both CLI and WebUI
Ticket: https://fedorahosted.org/freeipa/ticket/4647
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 15:20:55 +01:00
Nathaniel McCallum
3c900ba7a8
Enable QR code display by default in otptoken-add
...
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 14:26:00 +01:00
Nathaniel McCallum
c38e2d7394
Ensure users exist when assigning tokens to them
...
https://fedorahosted.org/freeipa/ticket/4642
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 16:18:41 +01:00
Nathaniel McCallum
93ff9ec087
Improve otptoken help messages
...
https://fedorahosted.org/freeipa/ticket/4689
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-13 15:32:52 +01:00
David Kupka
b032debd23
Produce better error in group-add command.
...
https://fedorahosted.org/freeipa/ticket/4611
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 13:07:22 +00:00
Petr Vobornik
3d11de4849
idrange: include raw range type in output
...
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers
Solved by new iparangetyperaw output attribute which contains iparangetype's raw value
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Petr Vobornik
95a492caec
ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
...
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Endi S. Dewata
80a8df3f19
Modified NSSConnection not to shut down existing database.
...
The NSSConnection class has been modified not to shut down the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.
https://fedorahosted.org/freeipa/ticket/4638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:09:19 +01:00
Martin Basti
e971fad5c1
Fix dns zonemgr validation regression
...
https://fedorahosted.org/freeipa/ticket/4663
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-27 15:55:34 +01:00
Alexander Bokovoy
d6b28f29ec
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
...
https://fedorahosted.org/freeipa/ticket/4664
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Martin Basti
5e1172f560
fix forwarder validation errors
...
Fix tests, validation in dnsconfig mod, wuser warning
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Jan Cholasta
2a4ba3d3cc
DNSSEC: remove container_dnssec_keys
...
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-21 12:23:39 +02:00
Martin Basti
10725033c6
DNSSEC: change link to ipa page
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
5556b7f50e
DNSSEC: ACI
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f
DNSSEC: validate forwarders
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
30bc3a55cf
DNSSEC: platform paths and services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
...
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
df1ed11b48
webui: do not offer ipa users to Default Trust View
...
https://fedorahosted.org/freeipa/ticket/4616
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:29:10 +02:00
Petr Vobornik
741c31c2b4
webui: allow --force in dnszone-mod and dnsrecord-add
...
Allow to use --force when changing authoritative nameserver address in DNS zone.
Same for dnsrecord-add for NS record.
https://fedorahosted.org/freeipa/ticket/4573
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:06:02 +02:00
Petr Vobornik
d8f05d8841
webui: management of keytab permissions
...
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 10:13:47 +02:00
Nathaniel McCallum
560606a991
Display token type when viewing token
...
When viewing a token from the CLI or UI, the type of the token
should be displayed.
https://fedorahosted.org/freeipa/ticket/4563
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 09:59:19 +02:00
Petr Vobornik
43d3593873
webui: add link to OTP token app
...
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed
https://fedorahosted.org/freeipa/ticket/4469
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-17 15:53:34 +02:00
Petr Vobornik
49fde3b047
idviews: error out if applying Default Trust View on hosts
...
https://fedorahosted.org/freeipa/ticket/4615
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:28:13 +02:00
Petr Vobornik
59ee6314af
keytab manipulation permission management
...
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will be also used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
...
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Nathaniel McCallum
284792e7d8
Remove token vendor, model and serial defaults
...
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:55:39 +02:00
Martin Kosek
061f7ff331
Raise better error message for permission added to generated tree
...
https://fedorahosted.org/freeipa/ticket/4523
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-10-16 16:00:18 +02:00
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
b50524b10c
Allow user overrides to specify GID of the user
...
Resolves https://fedorahosted.org/freeipa/ticket/4617
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
ca42d3469a
Allow user overrides to specify SSH public keys
...
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.
SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454
Resolves https://fedorahosted.org/freeipa/ticket/4509
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overriding user shell in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Jan Cholasta
8e602eaf46
Remove misleading authorization error message in cert-request with --add
...
https://fedorahosted.org/freeipa/ticket/4540
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-08 09:21:37 +02:00
Martin Kosek
3b8a7883de
Sudorule RunAsUser should work with external groups
...
https://fedorahosted.org/freeipa/ticket/4600
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-02 11:06:47 +02:00
Petr Vobornik
00d598bab0
webui: add link from host to idview
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
2cc78acf9b
webui: facet group labels for idview's facets
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
ae5a34cbbc
webui: new ID views section
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Tomas Babej
51816930a6
idviews: Make sure only regular IPA objects are allowed to be overridden
...
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
902655da59
idviews: Display the list of hosts when using --all
...
Enumerating hosts is a potentially expensive operation (uses paged
search to list all the hosts the ID view applies to). Show the list
of the hosts only if explicitly asked for (or asked for --all).
Do not display with --raw, since this attribute does not exist in
LDAP.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
47268575c9
idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor
...
When resolving non-existent objects, domain validator will raise ValidationError. We need
to anticipate and properly handle this case.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
dbf8d97ecf
idviews: Make sure the dict.get method is not abused for MUST attributes
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
13089eae52
idviews: Handle Default Trust View properly in the framework
...
Make sure that:
1.) IPA users cannot be added to the Default Trust View
2.) Default Trust View cannot be deleted or renamed
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
2131187ea9
idviews: Make description optional for the ID View object
...
Description of any object should not be required.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
1d6f591cc5
idviews: Fix casing of ID Views to be consistent
...
Replace all occurrences of "ID view(s)" with "ID View(s)".
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
277b762d36
idviews: Add ipaOriginalUid
...
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
3ff410d3a7
idviews: Resolve anchors to object names in idview-show
...
When running idview-show, users will expect a proper object name instead of an object anchor.
Make sure the anchors are resolved to the object names unless --raw option was passed.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
c1f51cff02
idviews: Raise NotFound errors if object to override could not be found
...
If the object user wishes to override cannot be found, we should properly raise a
NotFound error.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00