Pavel Zuna
a6eb928f98
Add HBAC plugin and introduce GeneralizedTime parameter type.
2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a
Add support for per-group kerberos password policy.
...
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.
The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
97dfa586de
Make primary_key optional.
...
The pwpolicy plugin doesn't have a primary key but can still take advantage
of other parts of the framework.
2009-10-05 13:28:24 -06:00
Rob Crittenden
0d70c68395
Fix aci plugin, enhance aci parsing capabilities, add user group support
...
- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
in the regex altogether. This now lets us handle all current ACIs in IPA
(some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
can write attributes x,y,z in group B). It is actually quite a lot more
flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin
2009-09-28 22:27:42 -06:00
Rob Crittenden
30f9f77727
Fix Python 2.6 deprecation warning with the md5 import. Use hashlib instead.
2009-09-28 15:30:22 -06:00
Pavel Zuna
944371a38c
Make the host plugin use baseldap classes.
2009-09-28 15:00:27 -06:00
Rob Crittenden
d0587cbdd5
Enrollment for a host in an IPA domain
...
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
49b36583a5
Add external CA signing and abstract out the RA backend
...
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.
A run would look like:
# ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
# ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com
This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.
To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.
One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.
Lots of general fixes were also made in ipaserver.install.certs including:
- better handling when multiple CA certificates are in a single file
- A temporary directory for request certs is not always created when the
class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Rob Crittenden
bb09db2228
Explicitly set verbosity off in the XML-RPC client
...
This is so I don't have to hunt for where to set this to True when doing
low-level client debugging.
2009-09-14 09:46:42 -04:00
Rob Crittenden
eca7cdc94a
Raise more specific error when an Objectclass Violation occurs. Fix the virtual plugin to work with the new backend.
2009-09-14 09:46:39 -04:00
Pavel Zuna
d0b3ba4523
Fix typos and minor bugs in baseldap. Add --all to LDAPUpdate.
...
Also, member attributes are now mapped to 'member user', 'member group',
etc. instead of 'member users', 'member groups'. In other words,
the second word is now taken from LDAPObject.object_name instead of
LDAPObject.object_name_plural.
2009-09-11 09:21:51 -04:00
Rob Crittenden
df17e42216
Many SELinux fixes: ldapi, ctypes and dogtag
...
ldapi: grants httpd and krb5kdc to access the DS ldapi socket
ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.
dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future we will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.
2009-09-10 11:40:59 -04:00
Pavel Zuna
b80e773c1d
Automatically generate an auto.master map for new automount location.
...
Also, add the automountlocation-show command for completeness' sake.
2009-09-10 10:06:27 -04:00
Pavel Zuna
fa140e7f2a
Remove parent_key parameter kwarg.
...
Also replace a TYPE_ERROR with ValidationError.
2009-09-10 10:01:05 -04:00
Pavel Zuna
9fcd431477
Add support for different automount maps per location.
2009-09-10 10:00:50 -04:00
Pavel Zuna
e0f3e765db
Fix: Object.params_minus_pk was invalid when there was no primary_key.
2009-09-09 09:56:34 -04:00
Pavel Zuna
2147a845cf
Improve ipalib.plugins.baseldap classes.
...
- remove obsolete code related to PluginProxy
- remove parent_key attribute, for the purpose of nested objects
the parent's primary key is retrieved automatically
- added support for auto-generating of UUIDs
- make use of the improved attribute printing in CLI
- make LDAPDelete delete all sub-entries, not just one-level
- minor bug fixes
2009-09-09 09:55:35 -04:00
Pavel Zuna
6f37d139cb
Remove obsolete CRUD base classes as they aren't used anymore.
2009-09-08 13:43:33 -04:00
Pavel Zuna
34970fef5e
Improve attribute printing in the CLI.
...
- allow choice between single/multiple value per line
- word wrapping
2009-09-08 13:41:54 -04:00
Pavel Zuna
f294bee09d
Fix bug in dns_find - execute() returned different value than expected.
2009-09-08 13:39:06 -04:00
Jason Gerard DeRose
5e871a0abb
Fleshed out krb plugin and added example of scripting against Python API
2009-08-31 15:47:14 -06:00
Rob Crittenden
cab5525076
Enable ldapi connections in the management framework.
...
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
7a7041045e
Fix service_mod and add a test case
2009-08-26 09:51:15 -04:00
Rob Crittenden
dacfddfdc8
Remove Python 2.6 BaseException.message deprecation warning
2009-08-20 15:16:52 -06:00
Rob Crittenden
d9c54cd83e
Clean up additional issues discovered with pylint and pychecker
2009-08-20 09:20:56 -04:00
Rob Crittenden
8780751330
Clean up some problems discovered with pylint and pychecker
...
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
Rob Crittenden
c781e8a57d
Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
...
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included and a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.
This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Jason Gerard DeRose
c0f558d98b
Removed PluginProxy and all its uses
2009-08-05 12:18:51 -04:00
Pavel Zuna
b7b9f9b6a6
Add options in baseldap classes to display unaltered LDAP entries.
...
The option in question is '--raw'.
2009-08-05 09:20:49 -04:00
Jason Gerard DeRose
22493eef21
Fix three broken unit tests
2009-08-04 00:21:26 -06:00
Pavel Zuna
322d8238a0
All-around improvements to baseldap.py classes.
...
- attribute re-mapping, ordering and hiding
(Enables plugins to completely hide LDAP internals from users
and full localisation of command output.)
- translation of member DNs into object names
(No more DNs when listing group members etc.)
- support for "singleton" LDAP objects
(Objects like "pwpolicy"; not accessed by primary key.)
- new base classes for commands: LDAPModMember, LDAPAddMember
and LDAPRemoveMember
(Providing support for objects with 'member'-like attributes.)
- LDAPSearch implicit exit code changed to 1 when nothing is found
2009-08-03 23:08:21 -06:00
Pavel Zuna
b20c69dec7
Prevent double encoding/decoding when processing compound types.
2009-08-03 23:00:17 -06:00
Pavel Zuna
104d02e167
Enable attribute re-mapping and ordering when printing entries.
...
Also print multiple values on one line separated by commas.
2009-08-03 22:56:06 -06:00
Rob Crittenden
8d164569d0
Allow replicas of an IPA server using an internal dogtag server as the CA
...
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.
Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Rob Crittenden
904e555404
Catch and handle HTTP exceptions (like 401, 404, etc)
2009-07-15 08:59:58 -04:00
Rob Crittenden
c0b6a78040
Require a password only once when it is passed in via a pipe
2009-07-10 16:47:35 -04:00
Rob Crittenden
d6e1e15fcd
Add a one-character option for parameters
2009-07-10 16:46:34 -04:00
Rob Crittenden
fe84ffd0f1
Add a return value to exceptions.
...
Returning the exception value doesn't work because a shell return value
is in the range of 0-255.
The default return value is 1 which means "something went wrong." The only
specific return value implemented so far is 2 which is "not found".
2009-07-10 16:44:54 -04:00
Rob Crittenden
0e29dd7226
Add textui function to display and prompt user for selection for *-find.
...
Since we may end up executing a *-show when an entry is selected we need
to defer destroying the connection context.
2009-07-10 16:44:22 -04:00
Rob Crittenden
e31d5fb1cf
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
...
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.
This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
Pavel Zuna
551648b8a9
Change command names from *group-del-member to *group-remove-member.
...
Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-09 13:25:19 -06:00
Pavel Zuna
34b5b0d563
Fix bug: number of found entries was reported incorrectly in some plugins.
2009-07-02 13:33:05 -04:00
Pavel Zuna
537ba4034d
Make basegroup-{add, del}-member print failed members with error descriptions.
2009-07-02 13:33:05 -04:00
Pavel Zuna
5e4c0014df
Fix bug: when deleting hosts, their services were deleted incorrectly
2009-07-02 13:33:04 -04:00
Pavel Zuna
3c5988d078
Remove outstanding 2's from plugins.
2009-07-02 13:33:04 -04:00
Pavel Zuna
da461998c1
Add automount plugin.
2009-07-02 13:33:03 -04:00
Pavel Zuna
57123f2a99
Fix minor bugs, typos, etc. discovered by unit tests in plugins.
2009-07-02 13:33:03 -04:00
Pavel Zuna
341a47f5a3
Fix bug in basegroup and passwd plugins (incorrect use of find_entry_by_attr).
2009-07-02 13:33:02 -04:00
Pavel Zuna
4b6a6c405c
Rename *-create/*-delete commands to *-add/*-del respectively.
2009-07-02 13:33:02 -04:00
Pavel Zuna
c2d2344268
Replace references to basegroup2 in taskgroup plugin.
2009-07-02 13:33:02 -04:00
Pavel Zuna
b6cfae46e4
Rename plugins2 to plugins.
2009-07-02 13:33:02 -04:00
Pavel Zuna
e1e1db9c9f
Rename plugins2 files (remove '2' suffix).
2009-07-02 13:33:01 -04:00
Pavel Zuna
8c7883364c
Remove use_ldap2 constant.
2009-07-02 13:33:01 -04:00
Pavel Zuna
ebdebe802d
Remove all references to use_ldap2.
2009-07-02 13:33:01 -04:00
Pavel Zuna
3ce00484f4
Always use new LDAP backend when creating context.
2009-07-02 13:33:00 -04:00
Pavel Zuna
4b993782e6
Delete plugins using old LDAP backend.
2009-07-02 13:33:00 -04:00
rcrit
9352d2fc10
Add a local implementation of httplib.SSLFile and httplib.FakeSocket
...
Python 2.6 changed its internal implementation which makes it difficult
to override in a way that is backwards compatible.
508953
2009-07-01 08:51:23 -04:00
Rob Crittenden
e46fd3401e
Two new arguments for the help built-in command: topics and commands
...
ipa help topics will show all topics (equivalent to ipa help)
ipa help commands will show list of all available commands
2009-06-15 14:03:12 -04:00
Rob Crittenden
b83badd73b
Fix typo in variable name, object_classs->object_class
2009-06-15 13:55:58 -04:00
Pavel Zuna
2ff4b3906f
Change plugins2 using find_entries to support incomplete (truncated) search results.
2009-06-15 11:19:04 -04:00
Pavel Zuna
48e1f47ed1
Add new set of base classes for plugins using LDAP.
2009-06-15 11:18:59 -04:00
Pavel Zuna
ad54fc3399
Add support for incomplete (truncated) search results.
...
ldap2.find_entries now returns a tuple containing 2 values. First,
a list of entries (dn, entry_attrs), Second, the truncated flag. If
the truncated flag is True, search results hit a server limitation
and are incomplete.
This patch also removes decoding of non-string scalar python types into
unicode (they are left unchanged).
2009-06-15 11:18:55 -04:00
Pavel Zuna
473e03d2f7
Add host plugin port to new LDAP backend.
2009-06-12 15:53:25 -04:00
Pavel Zuna
b8fdcb3a0b
Add passwd plugin port to new LDAP backend.
2009-06-10 11:55:09 -04:00
Pavel Zuna
a5292b2280
Add ACI plugin port to new LDAP backend.
2009-06-10 11:55:03 -04:00
Pavel Zuna
8edaff5266
Generate crud.Search arguments with get_args.
2009-06-10 11:53:20 -04:00
Pavel Zuna
dc23be6878
Make get_dn parameter list more generic. Fix Attribute name regex.
...
The old name regex made it impossible to have Attribute instances with
names composed of more than two words separated by underscores.
2009-06-10 11:53:14 -04:00
Pavel Zuna
4b08770b78
Add 'parent_key' kwarg in Param class.
2009-06-10 11:53:10 -04:00
Pavel Zuna
c47d716e95
Modify PluginProxy to use __public__ defined in derived classes instead of base classes.
2009-06-10 11:53:07 -04:00
Pavel Zuna
789fec4381
Add service plugin port to new LDAP backend.
2009-06-10 11:51:49 -04:00
Pavel Zuna
cda0f85ce5
Fix bug in Encoder where tuples were encoded into lists. Fix Encoder and Command.args_options_2_entry unit tests.
2009-06-10 11:51:10 -04:00
Rob Crittenden
16f19990ae
Fix plugin API errors
2009-06-03 09:49:14 -04:00
Rob Crittenden
3e8aac875f
Fix the help text
2009-06-03 09:46:42 -04:00
Pavel Zuna
83f45cc541
Fix DS ACI parsing.
2009-06-02 16:20:48 -04:00
Pavel Zuna
90cc00feab
Make delegation plugin consistent with plugins2 and use new Crud methods.
2009-06-02 16:20:44 -04:00
Pavel Zuna
66d291001a
Remove unused reference to old LDAP backend in join plugin.
2009-06-02 16:20:41 -04:00
Pavel Zuna
a1548bc670
Fix bug where List parameters were always cloned with keywords parsed from name.
2009-06-02 16:20:35 -04:00
Pavel Zuna
b29006dd0a
Add pwpolicy plugin port to new LDAP backend.
2009-05-27 10:02:50 -04:00
Pavel Zuna
924010cfc9
Add defaultoptions plugin port to new LDAP backend.
2009-05-26 14:50:31 -04:00
Pavel Zuna
13b55b5a52
Add taskgroup plugin port to new LDAP backend.
2009-05-26 14:50:28 -04:00
Pavel Zuna
5a8573129c
Add rolegroup plugin port to new LDAP backend.
2009-05-26 14:50:26 -04:00
Pavel Zuna
56e001fd88
Add new env variables: container_taskgroup, container_rolegroup and container_netgroup.
2009-05-26 14:50:24 -04:00
Rob Crittenden
0353be6810
Dogtag keeps telling me to use port 9444 and not 9443, use it.
2009-05-26 14:25:52 -04:00
Pavel Zuna
a92e440218
Clone options of crud.Update and crud.Search with autofill=False.
2009-05-26 13:36:58 -04:00
Pavel Zuna
37a391cd78
Make plugins2 use lowercase when referring to LDAP attributes.
2009-05-22 15:58:09 -06:00
Pavel Zuna
9468c9fca8
Fix bug where finalized IPA objects were trying to modify their member variables in Encoder methods.
2009-05-22 15:57:27 -06:00
Rob Crittenden
cac8ebb866
Fix typo, occured -> occurred
2009-05-21 22:43:07 -04:00
Rob Crittenden
067b5c122c
Add a format to the generic KerberosError class
2009-05-21 15:37:12 -06:00
Rob Crittenden
13696ae18b
Raise an exception if the certificate chain is not returned from the CA
2009-05-21 17:34:00 -04:00
Pavel Zuna
eec367b0c8
Fix bug in group2-mod command.
...
posixGroup object class was added to the group entry incorrectly when modifying gid number.
2009-05-21 15:22:58 -06:00
Rob Crittenden
fe012f4ff2
Fix a few issues introduced by the new Param.use_in_context() patch
2009-05-21 14:33:23 -04:00
Jason Gerard DeRose
7e58b29a92
Completed Param.use_in_context() functionality, which is now used by Command and Object
2009-05-21 14:32:45 -04:00
Pavel Zuna
7b93f7bbd7
Add netgroup plugin port to new LDAP backend.
2009-05-20 16:46:56 -06:00
Pavel Zuna
75a70af943
Add hostgroup plugin port to new LDAP backend.
2009-05-20 16:46:48 -06:00
Pavel Zuna
1e55b0a1ab
Fix counting of successfully added members. Add checks for use_ldap2 in group2. Some cosmetic changes.
2009-05-20 16:46:39 -06:00
Pavel Zuna
a3ae5047f3
Add group plugin port to new LDAP backend.
2009-05-20 16:46:28 -06:00
Jason Gerard DeRose
3a4828b372
Fixed doctest for errors.NotFound
2009-05-19 13:53:45 -06:00
Jason Gerard DeRose
4f9224774f
Added Param 'include' and 'exclude' kwargs; added frontend.UsesParams base class with methods implementing the filtering to restrict params to only certain contexts
2009-05-19 13:49:15 -06:00
Pavel Zuna
9437fc669e
Add Encoder base class and method decorators to encode arguments/decode return values. Also - unit tests.
2009-05-19 09:56:39 -04:00
Rob Crittenden
e5bec4ae39
Schema change so the nisnetgroup triples work properly.
...
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
2009-05-19 09:54:17 -04:00
Jason Gerard DeRose
87480b7bde
Re-enable doctest, fix broken docstrings
2009-05-13 14:22:09 -04:00
Rob Crittenden
5e3cdb9643
Remove all services when a host is removed. Revoke certificate (if any) when a service is removed.
2009-05-13 14:17:21 -04:00
Rob Crittenden
014f3ff1c6
Improve revocation_reason argument
2009-05-13 14:17:03 -04:00
Rob Crittenden
1c31b5bc08
Add a reason to the NotFound exception so we can provide more robust errors
2009-05-13 14:16:44 -04:00
Jason Gerard DeRose
ae38a2461f
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 16:17:08 -04:00
Rob Crittenden
0d6aaef2e1
We decided not to issue a certificate on join
2009-05-07 10:54:21 -04:00
Rob Crittenden
8f1df0fe8a
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-07 10:54:14 -04:00
Rob Crittenden
0d538b20f2
Make MalformedServicePrincipal take a reason arg and add Base64DecodeError
2009-05-06 11:29:11 -04:00
Rob Crittenden
5405c01025
Add validator and normalizer for service principals. Add --certificate argument. Update default objectclasses. Use the crud.Search method for service-find.
2009-05-06 11:28:49 -04:00
Rob Crittenden
c0020955a5
Some minor cosmetic changes
2009-05-04 18:01:06 -04:00
Rob Crittenden
a7a16272b1
When reading a password, if there is no tty, read from stdin instead.
...
This will allow one to pipe a password in:
echo -e "secret123\nsecret123\n" | ipa password someuser
2009-05-04 17:43:14 -04:00
Rob Crittenden
d4076915cd
Add posixGroup to the objectclass list if gidnumber is set
...
498335
2009-05-04 17:43:00 -04:00
Rob Crittenden
c8ee910ff6
Issue an SSL server cert when joining the IPA domain
2009-05-04 17:41:06 -04:00
Rob Crittenden
8424ea8c03
A class for dealing with a temporary NSS certificate database
2009-05-04 16:56:12 -04:00
Pavel Zuna
36c239cda4
Add DNS management plugin port to the new ldap backend.
2009-04-30 16:17:49 -04:00
Pavel Zuna
9992b23a08
Change help interface to display builtin commands and a list of topics based on plugin modules.
2009-04-30 15:55:16 -04:00
Pavel Zuna
75b551fd5e
Use right attribute name for e-mail in user2 plugin.
2009-04-30 13:50:05 -04:00
Rob Crittenden
21ccdec860
Add missing required attribute, nisdomainname
2009-04-30 13:26:27 -04:00
Rob Crittenden
536b215078
Use correct attribute for e-mail address
...
Resolves 498269
2009-04-29 13:51:47 -04:00
Jason Gerard DeRose
3f4a0a2d77
Fixed cli.run() catching SystemExit exception under Python2.4
...
Resolves BZ #498088
2009-04-28 22:29:10 -04:00
David O'Brien
763c7ef914
trivial update to standardize terms in docstring
2009-04-28 13:32:01 -04:00
Rob Crittenden
298d5fbce4
Import the RequiresRoot error and make note to replace this at some point
2009-04-24 16:22:22 -04:00
Pavel Zuna
7d0bd4b895
Rename errors2.py to errors.py. Modify all affected files.
2009-04-23 10:29:14 -04:00
Pavel Zuna
596d410471
Make LDAP entry output slightly nicer, don't print u's in front of unicode strings etc.
2009-04-23 10:25:51 -04:00
Pavel Zuna
4e48e1fbf7
Introduce AlreadyGroupMember exception, raised when a member is attempted to be re-added to a group.
2009-04-22 15:18:47 -04:00
Pavel Zuna
af82879009
Add user plugin port with some bugs fixed to the new LDAP backend.
2009-04-22 15:16:51 -04:00
Pavel Zuna
9ecbd845d4
Add conditional (env.use_ldap2 is True) modifications required by new LDAP backend.
2009-04-22 15:14:24 -04:00
Pavel Zuna
ff0819b189
Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging.
2009-04-22 15:12:39 -04:00
Rob Crittenden
64fa3dd4c3
Finish work replacing the errors module with errors2
...
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combining this into one commit would be more difficult to
review.
2009-04-20 13:58:26 -04:00
Rob Crittenden
a9387b48e6
Handle GSSAPI exceptions more gracefully
2009-04-20 13:44:08 -04:00
Rob Crittenden
e6171404bf
Make parentmap an autofill variable and add tests when parentmap is not passed
2009-04-13 15:22:49 -04:00
Rob Crittenden
8821d8cac3
Fill in default values for os and platform
2009-04-13 14:54:16 -04:00
root
6ca80e312a
Add 'container_hbac' env variable.
2009-04-03 14:07:30 -04:00
Rob Crittenden
484eff1016
Implement an installer for the Dogtag certificate system.
...
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.
What works:
- installation
- uninstallation
- cert/ra plugins can issue and retrieve server certs
What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
2009-04-03 14:06:09 -04:00
Jason Gerard DeRose
a6294ba041
Renamed remaining plugins still using f_* b_* convention
2009-04-01 10:34:57 -04:00
Rob Crittenden
d6814f3aae
Implement a few new targets for ACIs
...
Also switch to the StrEnum parameter type for some options so we let the
framework do the enforcement
2009-03-25 11:03:03 -04:00
Rob Crittenden
1b1f9af01c
Add a 'showall' command so one can pick from a list of tasks to add to a role
2009-03-25 11:02:49 -04:00
Rob Crittenden
5aed824a6c
Use tuples instead of lists for class variables
2009-03-25 11:02:47 -04:00
Rob Crittenden
233a4cb5fd
Raise a more specific error when a user lacks the proper permissions.
...
The info part of the message will contain details on what permission
failed on what attribute.
2009-03-25 11:02:44 -04:00
Rob Crittenden
65e6259075
Always print the dn first when printing an entry
2009-03-25 11:02:42 -04:00
Rob Crittenden
a8a2664190
Add new type List that converts delimited values into a tuple
2009-03-20 09:29:44 -04:00
Rob Crittenden
c39a29e0cf
Converted to use new baseclass, remove the one with the f_ prefix
2009-03-20 09:28:26 -04:00
Rob Crittenden
b627f50121
Convert to use the new basegroup framework
2009-03-20 09:28:18 -04:00
Rob Crittenden
9bc1419ac0
Convert to use the new basegroup framework
2009-03-20 09:28:16 -04:00
Rob Crittenden
33df0a3915
Convert to use the new basegroup framework
2009-03-20 09:28:14 -04:00
Rob Crittenden
1445a36026
Modify the taskgroup plugin to use the new group baseclass and add tests
2009-03-20 09:28:12 -04:00
Rob Crittenden
a55c5d6bcd
New plugin to handle role groups
...
Role groups will be part of the ACI system. It will let one create broad
categories of permissions. Things like: helpdesk, user admin, group admin,
whatever.
2009-03-20 09:28:09 -04:00
Rob Crittenden
5e2e3fd17d
Add generic base class that will do most of the heavy lifting for groups
2009-03-20 09:28:06 -04:00
Rob Crittenden
8d796eedee
kw is supposed to contain just lower-case values
2009-03-19 16:02:12 -04:00
Rob Crittenden
51193923f1
kw is supposed to contain just lower-case values
2009-03-19 16:02:09 -04:00
Rob Crittenden
bc056cda2d
Update the ACI class to be more robust and the beginnings of an ACI plugin
...
The ACI plugin is really meant for developers to help manage the ACIs.
It may or may not be shipped. If it is it will be disabled by default.
It is very much a shoot-in-foot problem waiting to happen.
2009-03-18 15:47:06 -04:00
Rob Crittenden
4c5806b4b4
Fix some minor issues in group and service plugins
2009-03-17 14:52:38 -04:00
Rob Crittenden
6fa330662a
Add taskgroups plugin
...
Taskgroups are what we grant permission to with the new ACI system.
2009-03-17 14:52:17 -04:00
Jason Gerard DeRose
13ff27e9ec
Fixed Executioner.execute() so that its 'name' argument doesn't conflict with a param called 'name' (which is a valid param name)
2009-03-13 10:31:00 -04:00
Rob Crittenden
eb0601a19c
Plugin to handle IPA configuration
2009-03-04 09:56:16 -05:00
Rob Crittenden
7933a196a1
Set a minimum value for password policy integers
2009-03-04 09:56:13 -05:00
Rob Crittenden
dbbae00b17
Add maxvalue and minvalue kwargs and rules to Int and Float
2009-03-03 17:49:15 -05:00
Rob Crittenden
bd9f7cd720
Fix some netgroup issues related to not all groups being posixGroups
2009-02-27 23:18:35 -05:00
Rob Crittenden
be0cac932a
Update objectclasses for groups, by default not posix groups.
...
This change depends on DS bugs 487574 and 487725. Groups cannot be
promoted properly without these fixed. It will fail with an
Object Class violation because gidNumber isn't set.
2009-02-27 23:18:19 -05:00
Jason Gerard DeRose
1359618e7e
Fixed broken autofill logic in cli.prompt_interactively()
2009-02-27 12:58:32 -05:00
Rob Crittenden
3fdf9abfce
Enforce netgroup uniqueness, allow netgroups to be members of netgroups
...
When adding an entry, convert a constraint violation of "already exists"
into a DuplicateEntry exception so the user gets a useful response
2009-02-27 12:57:21 -05:00
Rob Crittenden
af0c0c309d
Added tofiles command and some documentation to the automount plugin
2009-02-24 16:54:28 -05:00
Pavel Zuna
e913d7483b
Fix multivalue params requiring default to be of type self.type instead of tuple.
2009-02-23 13:49:26 -05:00
Pavel Zuna
016b82250e
Add ipalib.frontend.Command method to build an entry from params with attribute=True.
...
Often plugins need to build LDAP entries from params. This should make things a bit easier.
Crud methods (Create, Retrieve, Update, Delete, Search) have attribute=True by default.
And it also works for multivalue params.
2009-02-23 13:49:21 -05:00
Rob Crittenden
f2abe05398
Use OpenSSL for SSL instead of the built-in python version.
2009-02-20 10:40:54 -05:00
Rob Crittenden
b53edad254
raise exceptions in the proper form
2009-02-20 10:40:50 -05:00
Rob Crittenden
1a8ec58602
Utility function to get the local hostname
2009-02-19 10:09:24 -05:00
Rob Crittenden
83d5987db9
A new exception for requiring root, RootRequired
2009-02-19 10:09:21 -05:00
Rob Crittenden
4476f6b939
The start of machine join
2009-02-19 10:09:07 -05:00
Rob Crittenden
5a6d2dd0d9
Print out multi-valued values one per-line instead of comma-delimited
2009-02-19 10:08:52 -05:00
Rob Crittenden
ccf703a2b6
Add new users as a member of the default group
2009-02-19 10:08:11 -05:00
Rob Crittenden
fb3f86f703
Add --all option to show/find, add default attrs to show, cleanup output
2009-02-19 10:07:39 -05:00
Jason Gerard DeRose
7e23ee7cc6
Removed 'Assert False' that was mistakenly left in cert.py; small cleanup in cert.py and ra.py imports
2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
4ab133c3cb
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
e0fe732318
Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally
2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
97c04c491b
Continued cleanup cert/ra plugins
2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
b5b2e55be5
Add pattern matching to Str and Bytes
2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
18cecdc515
Removed deprecated xmlrpc_marshal() and xmlrpc_unmarshal() functions
2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
336c4c2caf
Removed deprecated ipalib/plugins/b_xmlrpc.py module
2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
a8c3f054d4
Started cleanup work on ra plugin; fixed problem in api.bootstrap() when process does not have permission to open log file
2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
d9d5e8b2d5
Some cleanup in cert plugins module, changed to shorter command names all starting with cert_*
2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
eb73a4fef5
Renamed f_ra.py plugin to cert.py
2009-02-17 16:03:07 -05:00
Jakub Hrozek
079f89d461
Add application frontend plugin
2009-02-10 14:10:54 -05:00
Jakub Hrozek
328f8d0bf8
Add policy-related container constants
2009-02-10 14:10:45 -05:00
Rob Crittenden
6b34f07720
Remove some duplicated code that was moved to ipaserver and use it. Remove some unused files.
2009-02-06 15:04:42 -05:00
Rob Crittenden
2d7e0de5ea
Get merged tree into an installable state.
...
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.
The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.
2009-02-03 15:29:20 -05:00
Jason Gerard DeRose
3274577cd6
Finished small tweaks to get new ipaserver.xmlrpc() mod_python handler working
2009-02-03 15:29:05 -05:00
Jason Gerard DeRose
c2b0c80140
Started work on a much simplified mod_python server
2009-02-03 15:29:05 -05:00
Jason Gerard DeRose
91ca06f079
Added doodle for version vars in ipalib.__init__
2009-02-03 15:29:05 -05:00
Jason Gerard DeRose
92a150b4f1
Some tweaks in user plugins, ported to new crud base classes
2009-02-03 15:29:05 -05:00
Jason Gerard DeRose
0211c76cd0
Fixed some of the test_xmlrpc unit tests
2009-02-03 15:29:05 -05:00
Rob Crittenden
5717c9d668
Applied Rob's errors patch
2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
48a278047d
Mostly got the test_xmlrpc/ tests working again
2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
77e782e2cb
Fixed bug I introduced in KerbTransport; started work on lite-xmlrpc.py to add client address to context
2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
a0aebd46a1
Got new ldap connection working using Connectible.connect()
2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
231f0bd65a
Finished reworking cli.CLI class into cli.cli plugin
2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
db0168f7af
Started reworking CLI class into cli plugin
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
9efda29d60
Added docstring to Connectible class
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
66b6029e40
Ported xmlclient to subclass from Connectible
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
0a3ae60038
Ported xmlserver to subclass from Executioner
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
0cfb0e191a
Removed the deprecated Context and LazyContext classes
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
f7375bb609
Added stuff for managing connections and new Executioner backend base class
2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
e0b00d5981
Removed deprecated import of errors in frontend.py
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
0313f03277
Added ServiceError (KerberosError) and make rpc.KerbTransport raise it if appropriate
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
114b6b8577
Added some missing parameter unit tests; added docstring about Command._repr_iter() and Param.safe_value()
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
7a0f969a47
CLI now logs trace if it catches a non-public error and then exits with an InternalError; other CLI cleanup
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
c0bc2451dd
Fixed another small CLI decoding problem (multivalue args in a tuple now work)
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
e537dc89cb
Fixed a few problems in the CLI interactive prompting (won't prompt for Flag now)
2009-02-03 15:29:02 -05:00
Jason Gerard DeRose
244346dbcb
More work on xmlrpc stuff, started migrating more code to use errors2 instead of errors
2009-02-03 15:29:01 -05:00
Jason Gerard DeRose
833088955c
More xmlrpc tweaks: xmlserver.execute() now logs non-public exceptions; xmlclient.forward() now handles socket error; fixed some Python 2.4 problems in lite-xmlrpc2.py
2009-02-03 15:29:01 -05:00
Jason Gerard DeRose
24b6cb89d4
Further migration toward new xmlrpc code; fixed problem with unicode Fault.faultString; fixed problem where ServerProxy method was not called correctly
2009-02-03 15:29:01 -05:00
Jason Gerard DeRose
9f48612a56
Sundry work getting ready to switch to new XML-RPC client/server code
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
46c10d4608
Removed bogus CLI.set_defaults() method that was causing non-required values to get filled in
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
12c4879613
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
6aadeb9aea
Added Object.params_minus() method; various small tweaks
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
529819b02b
Renamed f_misc.py plugin module to misc.py
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
f3a84683d2
Removed deprecated Command.args_to_kw() method; updated CLI to use Command.args_options_2_params() instead
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
ae39dece13
Added Command.args_options_2_params() method and its unit tests
2009-02-03 15:29:00 -05:00
Jason Gerard DeRose
4febb4dd14
Started roughing out new crud base classes
2009-02-03 15:28:59 -05:00
Jason Gerard DeRose
6e53d03c69
Command.takes_options and Command.takes_args class attributes can now also be a callable
2009-02-03 15:28:59 -05:00
Jason Gerard DeRose
5d82e3b35a
Changed ipauuid.py docstring slightly so epydoc formats it correctly
2009-01-21 13:36:53 -07:00
Jason Gerard DeRose
0c95e86cf3
Removed doctest +ELLIPSIS directive from some examples in ipauuid.py that didn't need it
2009-01-21 13:22:22 -07:00
Jason Gerard DeRose
c4702f3a1e
Fixed some Python2.4 issues in ipauuid.py doctests
2009-01-21 13:08:30 -07:00
Jason Gerard DeRose
5616af19b1
Merge branch 'master' of git://git.engineering.redhat.com/users/rcritten/freeipa2
2009-01-21 12:42:40 -07:00
Jason Gerard DeRose
f22f3eabb2
Fixed Param.validate() so that self.query is checked after self.required
2009-01-20 09:38:39 -07:00
Jason Gerard DeRose
55fba5420d
Added rpc.xmlclient backend plugin for forwarding; added corresponding unit tests
2009-01-19 21:10:42 -07:00
Rob Crittenden
aba16941ee
Skip doc testing of the uuid module since by nature it changes every time
2009-01-19 10:40:12 -05:00
Rob Crittenden
98ab09fafc
Initial implementation of netgroups
2009-01-19 10:40:12 -05:00
Rob Crittenden
8154131ce1
Use correct function for outputting a string
2009-01-19 10:40:11 -05:00
Rob Crittenden
bc40686b7f
Fix rule definition to match new API
2009-01-19 10:40:11 -05:00
Rob Crittenden
e708765d61
Include local copy of UUID generator for Python 2.4.
...
Python 2.5+ has a built-in RFC 4122-compliant UUID generator. Include a
copy of this file in our library and import it in a way that it will
work with Python 2.4.
2009-01-19 10:40:11 -05:00
Jason Gerard DeRose
bae9dd7c07
Added example to StrEnum docstring
2009-01-18 16:03:02 -07:00
Jason Gerard DeRose
364e05def1
Added missing enumerable parameters
2009-01-18 15:55:56 -07:00
Jason Gerard DeRose
7514f96173
New Param: fixed metavar bug in cli.py
2009-01-16 11:07:21 -07:00
Jason Gerard DeRose
462bac3c13
Added docstring cross-references between rpc and rpcserver modules
2009-01-16 01:56:39 -07:00
Jason Gerard DeRose
0227a12949
Added docstrings to the new rpc.xml_dumps() and rpc.xml_loads() functions
2009-01-16 01:23:55 -07:00
Jason Gerard DeRose
6be5e4a0a5
ipalib.rpc: now using allow_none=True after conversation with Rob; added xml_dumps() and xml_loads() functions; some name cleanup
2009-01-15 23:52:50 -07:00
Jason Gerard DeRose
4d4fa694ee
Small change in ipalib.cli to check if param is a Password instance instead of calling deprecated ispasswd() method
2009-01-14 23:15:46 -07:00
Jason Gerard DeRose
fdda31c50b
Fixed a problem in the host plugin module; added note in TODO about using Param.query
2009-01-14 22:59:44 -07:00
Jason Gerard DeRose
a10144be24
Updated service plugins module to where it can at least be imported
2009-01-14 22:35:13 -07:00
Jason Gerard DeRose
86b7ebf717
Updated ra plugins module to where it can at least be imported
2009-01-14 22:29:59 -07:00
Jason Gerard DeRose
a41a7f406f
Updated pwpolicy plugins module to where it can at least be imported
2009-01-14 22:25:45 -07:00
Jason Gerard DeRose
ec86208a90
Updated passwd plugins module to where it can at least be imported
2009-01-14 22:19:31 -07:00
Jason Gerard DeRose
64c072b7b3
Updated hostgroup plugins module to where it can at least be imported
2009-01-14 22:10:09 -07:00
Jason Gerard DeRose
ec14fbfbc5
Updated host plugins module to where it can at least be imported
2009-01-14 21:55:04 -07:00
Jason Gerard DeRose
29e5a58795
Updated group plugins module to where it can at least be imported
2009-01-14 21:23:20 -07:00
Jason Gerard DeRose
39068ab7ca
Fixed automount plugins module to where it can at least be imported
2009-01-14 21:11:14 -07:00
Jason Gerard DeRose
0327b83899
New Param: all docstring examples now pass under doctests
2009-01-14 20:36:17 -07:00
Jason Gerard DeRose
cd3508bace
New Param: added Param.query kwarg for crud operations like Retrieve and Search where criteria should not be validated
2009-01-14 14:04:05 -07:00
Jason Gerard DeRose
79422d0489
All unit tests now working (except for doctests and Rob's xmlrpc tests)
2009-01-14 13:51:37 -07:00