Commit Graph

536 Commits

Author SHA1 Message Date
Simo Sorce
d5c269c8eb Merge upstream and fix bad suffix in default-aci 2007-11-18 14:27:25 -05:00
Simo Sorce
b51f4b28ec - Set correct values in ipa.conf during client install so that admin tools can
reach the xml-rpc server.
- Assume the kdc/ldap server == xml-rpc server for v1.


Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:18:36 -05:00
Simo Sorce
de5a54ef75 - Set correct values in ipa.conf during client install so that admin tools can
reach the xml-rpc server.
- Assume the kdc/ldap server == xml-rpc server for v1.


Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:18:36 -05:00
Simo Sorce
0a5a952c1b - Report correct information back to users when policies prevent a successful
password change.
- Fix some minor error

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:17:26 -05:00
Simo Sorce
598b05569b - Report correct information back to users when policies prevent a successful
password change.
- Fix some minor error

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:17:26 -05:00
Simo Sorce
ae97fcf94d - Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration

- Introduce 3 kind of password change: normal, admin, and ds manager
   - normal require adherence to policies
   - admin does not but password is immediately expired
   - ds manager can just change the password any way he likes.

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:16:11 -05:00
Karl MacMillan
a7d1987ec3 Added tag mileston_4_1 for changeset bda291e79a4f 0001-01-01 00:00:00 +00:00
Karl MacMillan
27b93a6944 Small fix from Rob to pwd-extop-plugin 0001-01-01 00:00:00 +00:00
Simo Sorce
f35ec78d56 - Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration

- Introduce 3 kind of password change: normal, admin, and ds manager
   - normal require adherence to policies
   - admin does not but password is immediately expired
   - ds manager can just change the password any way he likes.

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:16:11 -05:00
Rob Crittenden
1967aafa39 Implement the password policy UI and finish IPA policy UI
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
  dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
    ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
    ipaGroupSearchFields: cn,description
    ipaSearchTimeLimit: 2
    ipaSearchRecordsLimit: 0
    ipaCustomFields:
    ipaHomesRootDir: /home
    ipaDefaultLoginShell: /bin/sh
    ipaDefaultPrimaryGroup: ipausers
    ipaMaxUsernameLength: 8
    ipaPwdExpAdvNotify: 4
This could use some optimization.
2007-11-16 12:59:32 -05:00
Rob Crittenden
0a3ed69746 Completely remove attributes when delattr argument in ipa-groupmod 2007-11-15 14:44:09 -05:00
Rob Crittenden
b01c468e8c Completely remove attributes when delattr argument 2007-11-15 14:39:54 -05:00
Rob Crittenden
49aa82e932 Use same labels as UI for ipa-finduser and ipa-findgroup
Add -a option to ipa-findgroup to print all attributes
2007-11-15 14:20:50 -05:00
Rob Crittenden
3e24df161b Replace references to Person and People with User and Users 2007-11-15 13:13:35 -05:00
Karl MacMillan
816b3e2ea5 Add memberof-task.ldif. 0001-01-01 00:00:00 +00:00
Rob Crittenden
949b4a0bf7 Check for existance of of the target file in update_file. It used to silently
fail if the file it was to update didn't exist.
2007-11-15 11:09:17 -05:00
Rob Crittenden
6f268a185c Broke invididual Requires and BuildRequires onto separate lines and
reordered them
Added python-tgexpandingformwidget as a dependency
Require at least fedora-ds-base 1.1
2007-11-15 10:57:26 -05:00
Rob Crittenden
bfcc044db2 If unable to connect to the XML-RPC server print a more useful error msg. 2007-11-15 10:27:59 -05:00
Karl MacMillan
29c0668e98 Bump versions for release. 0001-01-01 00:00:00 +00:00
Simo Sorce
51a5130227 Properly increment kvno and keep recent key material around
This is necessary for services that need to be able to respond
to requests from client that acquired a service ticket just before
a password change.
2007-10-31 10:52:44 -04:00
Karl MacMillan
4d96b37de1 Initialize memberof patch from Pete Rowley. 0001-01-01 00:00:00 +00:00
Rob Crittenden
abdd344073 Remove reference to a bogus system and make the error message more generic 2007-11-14 14:11:29 -05:00
Rob Crittenden
02e5a6599b Forgot to include FQDN in the substitition list 2007-11-13 17:51:29 -05:00
Rob Crittenden
cb0476f223 Make the group cn an editable field though protected by default.
Fix some issues with the multi-value to single-value reversion.
2007-11-14 23:33:49 -05:00
Rob Crittenden
83dd42797e Include multi-value fields on the Add Person page
Remove multi-valued cn from groups
2007-11-14 17:50:46 -05:00
Rob Crittenden
3e715a04cf Add an editors group. This is used to generally grant access for users
to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
2007-11-14 10:49:03 -05:00
Simo Sorce
7502ebe479 Initial implementation of policies support.
This patch uses the kerberos schema policy, this is the same policy used by
kadmin.
While this patch allows for krbPwdPolicy objects anywhere the kldap module
will make the kdc fail to provide tickets if the "krbPwdPolicyReference"
points to any object that is not a child of cn=<REALM>,cn=kerberos,dc=....
To let us set policies anywhere in the tree I enabled the code to actually
look at parent entries and the user entry itself and specify policies directly
on these objects by adding the krbPwdPolicy objectclass to them (I know its
structural but DS seem to allow multiple Structural classes on the same
entry).
The only side effect is that kadmin will not understand this, but we don't
want to use kadmin anyway as it does not understand way too many things about the
directory.

I've tested a few scenarios and all seem working as expected, but further
testing is welcome of course.
2007-11-13 16:21:03 -05:00
Rob Crittenden
bd78fe0687 Add more fields to the IPA Policy form 2007-11-13 15:36:52 -05:00
Rob Crittenden
83dd26c6e3 Remove non-existent files from Makefile targets 2007-11-13 17:24:00 -05:00
Rob Crittenden
eecbaf91e2 Use the dna plugin to automatically assign uid
Set gid to the group "ipausers"
Add the user to this default group
2007-11-13 15:03:20 -05:00
Rob Crittenden
79544637d6 The e-mail field should not be required. 2007-11-13 15:49:06 -05:00
Rob Crittenden
5011f64243 Restrict access to some parts of the UI to those in the admins group 2007-11-13 11:15:07 -05:00
Rob Crittenden
cd489f0a73 Allow a user or group to change an attribute in its RDN
Add secretary to the list of indexes otherwise RDN changing could be slow
Port --addattr, --setattr and --delattr from usermod to groupmod
2007-11-12 23:11:55 -05:00
Rob Crittenden
99b84bfd01 Handle ldap.UNWILLING_TO_PERFORM more gracefully 2007-11-09 16:34:52 -05:00
Rob Crittenden
f7358533d0 Add the capability to completely delete a user from the database. The
default remains to inactivate them.
2007-11-09 15:45:11 -05:00
Rob Crittenden
d9194cdd09 Don't continue if a kerberos credentials cache is not available
forked-model detection was incorrect.
Both of these return an error instead of raising one
2007-11-09 14:55:41 -05:00
Rob Crittenden
b7506a5ea6 Fix editing groups when cn is a single-valued field
Fix some error messages that were printing the entire detail message
2007-11-09 14:01:28 -05:00
Rob Crittenden
705d68ddcb Require uniqueness in the name/comment field of delegations
Fix error reporting in the UI to include the detailed message
Sort delegations by name when displaying them
Update the name field from "Name" to "Delegation Name"
2007-11-09 13:58:36 -05:00
Rob Crittenden
6f03dde1ab Underline columns on sort results page so users will know it is a link
Restore the CSS to display the up/down arrow on sort columns
2007-11-12 15:14:35 -05:00
Rob Crittenden
547e6e920e Redirect to the FQDN otherwise kerberos auth may fail 2007-11-12 14:47:48 -05:00
Rob Crittenden
e1ca8c235c Initial support for policy editing
More work is needed as the values are currently hardcoded and not saved
2007-11-12 14:19:05 -05:00
Rob Crittenden
e9dfbfa773 Enable multi-value field support for some attributes on the edit pages
Better error reporting in the GUI
Include a document describing how multi-valued fields work
2007-11-08 22:12:42 -05:00
Karl MacMillan
45346ee3ab Remove multi-value set/add in ipa-usermod.
Calling --add multiple times will accomplish the same
thing without the need for handling splits on ",".
0001-01-01 00:00:00 +00:00
Karl MacMillan
39dcd194ca Allow setting of lib directory to correct non-rpm builds on x86_64.
With this patch you will need to run:
  make autogen LIBDIR=/usr/lib64
Also works for 'make all'.
0001-01-01 00:00:00 +00:00
Karl MacMillan
27f0aab667 Rename memberOf to group_members in xml-rpc interface. 0001-01-01 00:00:00 +00:00
Karl MacMillan
3b66d27383 Allow set/add/del to be called multiple times.
Allow the --set/add/del options to be called multiple
times during the same invocation. Also add more robust
checking of errors.
0001-01-01 00:00:00 +00:00
Rob Crittenden
303d5ebad9 Have the GUI use memberOf() instead of looping through the member DNs
Fix a bug in the local transport version of memberOf()
2007-10-31 10:08:16 -04:00
Rob Crittenden
1d6e88565c Add memberOf API call to the XML-RPC interface
Make find-groups use memberOf to have a prettier dispaly of members
2007-10-30 15:07:02 -04:00
Rob Crittenden
402274af4b Allow adding, setting, deleting arbitrary attributes 2007-10-31 09:32:25 -04:00
Pete Rowley
1871e8dbf6 Add user self service aci 2007-10-29 14:52:19 -07:00