Commit Graph

471 Commits

Author SHA1 Message Date
Jan Cholasta
bd440d515e Fix uses of O=REALM instead of the configured certificate subject base.
ticket 2521
2012-03-26 20:29:26 -04:00
Jan Cholasta
0024024897 Parse zone indices in IPv6 addresses in CheckedIPAddress.
If a zone index is present in an IPv6 address, it is ignored.

ticket 2138
2012-03-27 12:03:16 +02:00
Petr Viktorin
0b01751c1b Use valid argument names in tests
Some of our tests used unintended extra options, or options with
misspelled, wrongly copy-pasted or otherwise bad names. These are
ignored, so the intended argument was treated as missing. The test
itself can still pass but may be rendered ineffective or fragile.

This only fixes those of such errors that appear in the test suite.
Fixing code in the framework and actual rejecting of unknown
arguments is deferred for later (ticket #2509).
2012-03-25 18:05:33 -04:00
Rob Crittenden
a672483118 Fix unit tests to work with new comma-support, validation requirements
2012-03-26 09:29:27 +02:00
Martin Kosek
5b8e1e8c62 Harden raw record processing in DNS plugin
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype>-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.

This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.

All these use cases were also covered by new unit tests.

https://fedorahosted.org/freeipa/ticket/2551
2012-03-22 19:30:13 +01:00
Martin Kosek
19b2af8e52 Fix precallback validators in DNS plugin
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.

This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.

https://fedorahosted.org/freeipa/ticket/2550
2012-03-22 17:27:09 +01:00
Ondrej Hamada
a58cbb985e Search allowed attributes in superior objectclasses
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
2012-03-22 17:13:39 +01:00
Rob Crittenden
d14438405a Fix test failure testing rename with an invalid hostname.
Validation is going to catch the invalid hostname before the mod is tried.
2012-03-21 17:48:59 -04:00
Petr Viktorin
dddebe2350 Only split CSV in the client, quote instead of escaping
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')

That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.

Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.

Also, document Param's csv arguments, and update tests.

https://fedorahosted.org/freeipa/ticket/2417
https://fedorahosted.org/freeipa/ticket/2227
2012-03-20 20:03:54 -04:00
Martin Kosek
9b562f7377 Add missing global options in dnsconfig
Add a support for new global options in bind-dyndb-ldap, that is:
 * idnsforwardpolicy: Default policy for conditional forwarding
 * idnsallowsyncptr: Allow globally PTR synchronization for dynamic
   updates
 * idnszonerefresh: Default interval between regular polls of the
   name server for new DNS zones

https://fedorahosted.org/freeipa/ticket/2439
2012-03-20 15:40:08 +01:00
Petr Viktorin
c14a2d8245 Use nose tools to check for exceptions
Some of our tests checked for exceptions using an error-prone
try block: they allowed the expected exception to pass, but sometimes
forgot an else block, so the test passed when an exception wasn't
thrown.

This changes the tests to use the appropriate nose tools (raises,
assert_raises).
For consistency, tests that had a correct else block are also changed.

Also fix some test problems that were hidden by the above:
- in some sudorule and HBAC tests, change the *_add_user argument name
  from `users` to `user`
- don't remove HBAC testing data while it was still used
2012-03-19 16:33:35 +01:00
Rob Crittenden
35521ad6bb Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
2012-03-19 16:09:09 +01:00
Petr Viktorin
7a5ca16c74 Remove ipausers' gidnumber from tests
The ipausers group is no longer a POSIX group by default.
Reflect that in the tests.
2012-03-14 23:59:54 -04:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Petr Viktorin
e9d68a7b00 Don't crash when searching with empty relationship options
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.

These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).

https://fedorahosted.org/freeipa/ticket/2479
2012-03-13 23:28:53 -04:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Rob Crittenden
8fdb181c7a Make hostnames adhere to new standards in hbactest plugin tests
2012-03-01 21:53:29 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Rob Crittenden
6c3e908232 Make hostnames adhere to new standards in HBAC tests
2012-03-01 05:16:59 -05:00
Rob Crittenden
5e01ed1325 subclass HTTP_Status from plugable.Plugin, fix not_found tests
HTTP_Status needs to subclass from Plugin because it does its own logging.

Add tests for other methods of HTTP_Status
2012-02-29 21:04:10 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00
Ondrej Hamada
1356988b7a Validate attributes in permission-add
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
2012-02-28 18:22:24 -05:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilities to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilities for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the session_logout RPC command. It permits the UI to send
  a command that destroys the user's credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authentication off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more than one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existence of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authentication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Rob Crittenden
7d7322de2e Limit allowed characters in a netgroup name to alpha, digit, -, _ and .
Apply this to hostgroup names as well since they can be linked.

https://fedorahosted.org/freeipa/ticket/2221
2012-02-27 00:06:44 -05:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

A few modifications were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Rob Crittenden
d4a1dc5712 Don't allow IPA master hosts or important services be deleted.
Deleting these would cause the IPA master to blow up.

For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.

https://fedorahosted.org/freeipa/ticket/2425
2012-02-23 20:17:12 +01:00
Petr Viktorin
8125c11a8d Add extra checking function to XMLRPC test framework
This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add
ability in test framework to compare two values in result)
in a general way: adding an optional extra_check key to the test
dict, so a custom checking function with access to the whole result
can be called.

The particular test mentioned in that issue, checking that the
uidnumber and gidnumber for new users are the same, is added.

Also, this adds a docstring to the Declarative class.

And finally, the test dictionary is passed to check() via keyword
arguments, preventing spelling mistakes in keys from going unnoticed.
2012-02-19 20:10:46 -05:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionally, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Petr Viktorin
d706c411ef Honor default home directory and login shell in user_add
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.

https://fedorahosted.org/freeipa/ticket/2332

The login shell had the same problem. Again this patch removes the
client-side default and adds a test.

Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
2012-02-09 18:11:57 +01:00
Ondrej Hamada
616d543a54 Memberof attribute control and update
Checking of parameters used by _make_aci function was rewritten.
Additional attributes of ACI(type, attribute, memberof, targetgroup,
subtree, filter) could be unset.

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305
2012-02-08 10:43:25 +01:00
Rob Crittenden
304b70843a Consolidate external member code into two functions in baseldap.py
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.

https://fedorahosted.org/freeipa/ticket/1734
2012-02-08 09:12:53 +01:00
Martin Kosek
cf12f3106a Fix raw format for ACI commands
ACI plugins (permission, selfservice and delegation) were not
prepared to serve ACIs in a raw format, i.e. raw "aci" attribute
taken from LDAP. This patch fixes all these plugins and their
commands to provide this format. Few ACI raw format unit
tests were added for all these plugins.

https://fedorahosted.org/freeipa/ticket/2010
https://fedorahosted.org/freeipa/ticket/2223
https://fedorahosted.org/freeipa/ticket/2228
https://fedorahosted.org/freeipa/ticket/2232
2012-02-03 17:04:51 +01:00
Martin Kosek
e1fecfaf6a Add SRV record target validator
Add missing SRV record target validator to filter out possible
user errors.

https://fedorahosted.org/freeipa/ticket/2308
2012-02-03 16:25:53 +01:00
Martin Kosek
cb4b2e6fac Fix NSEC record conversion
NSEC record needs special treatment as it is not composed from
a fixed set of DNS parts divided by space, but it contains
a multivalued DNS part "types" containing a list of RR types
it covers.

There was already a special method for parsing raw NSEC record
to DNS parts, but the other direction was missing. This patch
adds special NSEC convertor to fix this issue.

https://fedorahosted.org/freeipa/ticket/2307
2012-02-03 16:25:26 +01:00
Martin Kosek
e41282fbc6 Fix TXT record parsing
TXT record validation fails to parse the record if it contains
spaces. Standard DNS part parser uses a space to divide record
parts. A special parser thus needs to be implemented for this RR
type.

https://fedorahosted.org/freeipa/ticket/2306
2012-02-03 16:24:54 +01:00
Martin Kosek
0b9279a30a Add missing managing hosts filtering options
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
  --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
  --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
    in HOSTS are returned

https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 10:17:39 -06:00
Rob Crittenden
52e3488b75 Add support for storing MAC address in host entries.
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>

I tested nslcd and it only returned one macaddress value.

https://fedorahosted.org/freeipa/ticket/1132
2012-01-26 14:11:33 +01:00
Rob Crittenden
dbd87af80b Fix deletion of HBAC Rules when there are SELinux user maps defined
When deleting an HBAC rule we need to ensure that an SELinux user
map isn't pointing at it. We need to take what is the cn of the HBAC
rule and see if that rule exists, then return the dn to that rule.

The search was not being done properly and wasn't enforcing uniqueness.
It could have returned partial matches as well (so tests for the
search test).

https://fedorahosted.org/freeipa/ticket/2269
2012-01-24 21:09:09 -05:00
Martin Kosek
ef68c02c6a Fix selfservice-find crashes
Ignore empty options when performing an ACI search so that the
find command does not crash. Update ipa(1) man page to mention
this common behavior of find commands.

https://fedorahosted.org/freeipa/ticket/2011
https://fedorahosted.org/freeipa/ticket/2012
2012-01-24 16:52:41 +01:00
Martin Kosek
092dd8db12 Replace float with Decimal
Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
helps overcome these issues.

This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.

In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.

https://fedorahosted.org/freeipa/ticket/2260
2012-01-20 08:13:44 +01:00
Rob Crittenden
2c1f21a14b In sudo when the category is all do not allow members, and vice versa.
This is what we already do in the HBAC plugin, this ports it to Sudo.

If a category (user, host, etc) is u'all' then we don't allow individual
members be added. Conversely if there are members we don't allow the
category be set to u'all'.

https://fedorahosted.org/freeipa/ticket/1440
2012-01-18 10:02:50 +01:00
Martin Kosek
7f6c9ac04c Add missing --pkey-only option for selfservice and delegation
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.

Delegation module was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."

https://fedorahosted.org/freeipa/ticket/2092
2012-01-16 20:08:13 +01:00
Martin Kosek
d50618f6bd Restore ACI when aci_mod fails
aci_mod command is composed of 2 ACI commands: aci_del which
deletes the old ACI and aci_add which adds the new modified ACI.
However, if aci_add command fails then both new and the old ACI
are lost. Old ACI must be restored in this case.

https://fedorahosted.org/freeipa/ticket/2013
https://fedorahosted.org/freeipa/ticket/2014
2012-01-13 21:55:07 +01:00
Martin Kosek
52ea3a6b29 Refactor dnsrecord processing
Current DNS record processing architecture has many flaws,
including custom execute() methods which do not take advantage
of base LDAP commands or nonstandard and confusing DNS record
option processing.

This patch refactors DNS record processing with the following
improvements:
 * Every DNS record has now own Parameter type. Each DNS record
   consists of one or more "parts" which are also Parameters.
   This architecture will enable much easier implementation of
   future per-DNS-type API.
 * Validation is now not written as a separate function for
   every parameter but is delegated to DNS record parts.
 * Normalization is also delegated to DNS record parts.
 * Since standard LDAP base commands execute method is now used,
   dnsrecord-add and dnsrecord-mod correctly supports --setattr
   and --addattr options.
 * In order to prevent confusion unsupported DNS record types
   are now hidden. They are still present in the plugin so that
   old clients receive proper validation error.

The patch also contains several fixes:
 * Fix domain-name validation and normalization- allow domain
   names that are not fully qualified. For example --cname-rec=bar
   is a valid domain-name for bind which will translate it then
   as bar.<owning-domain>. This change implies, that fully qualified
   domain names must end with '.'.
 * Do not let user accidentally remove entire zone with command
   "ipa dnsrecord-del @ --del-all".
 * Fix --ttl and --class option processing in dnsrecord-add and
   dnsrecord-mod.

All API changes are compatible with clients without this patch.

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 09:43:05 +01:00
Ondrej Hamada
0e037f24ce HBAC test optional sourcehost option
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' which turns sourcehost
value comparison off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
2012-01-09 08:49:10 +02:00