Re: [Freeipa-devel] [PATCH 0069] Manage ipa-otpd.socket by IPA

2013-06-06 Thread Martin Kosek
On 06/06/2013 12:51 PM, Tomas Babej wrote:
> Hi,
> 
> Adds a new simple service called OtpdInstance, that manages
> ipa-otpd.socket service. Added to server/replica installer
> and ipa-upgradeconfig script.
> 
> https://fedorahosted.org/freeipa/ticket/3680
> 
> Tomas
> 

Tested with server/replica install and upgrades. Both worked fine.

ACK. Pushed to master, ipa-3-2.

Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin

2013-06-06 Thread Martin Kosek
On 06/03/2013 03:07 PM, Tomas Babej wrote:
> On 06/03/2013 01:10 PM, Tomas Babej wrote:
>> Hi,
>>
>> The default list of attributes that are checked by the 7-bit plugin
>> for being 7-bit clean includes userPassword. Consequently, one
>> is unable to set passwords that contain non-ASCII characters.
>>
>> https://fedorahosted.org/freeipa/ticket/3640
>>
>> Tomas
> 
> Proper explanation and missing newline added.
> 
> Updated patch attached.
> 
> Tomas
> 

Works for me. ACK, pushed to master, ipa-3-2.

Martin



Re: [Freeipa-devel] [PATCH 0030] Require rid-base and secondary-rid-base options in idrange-add when trust exists

2013-06-06 Thread Tomas Babej

On 05/31/2013 07:35 PM, Ana Krivokapic wrote:

On 05/28/2013 04:49 PM, Ana Krivokapic wrote:

Hello,

This patch addresses https://fedorahosted.org/freeipa/ticket/3634





This updated patch applies on top of tbabej's patches 0053-0055.

As suggested by Tomás 
(https://www.redhat.com/archives/freeipa-devel/2013-May/msg00352.html), I 
refactored support for "mock" LDAP objects into tests/util, and modified 
test_range_plugin and test_cli to use it.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.



I looked thoroughly at the issue here.

The ticket is a little bit confusing about that, but you need to require 
primary/secondary rid base for the range after ipa-adtrust-install has 
been run.


Currently, the way your patch works, the bases are required only if at 
least one trust exists.


[root@vm-002 labtool]# ipa-adtrust-install

The log file for this installation can be found in 
/var/log/ipaserver-install.log

[snip]
Setup complete
[snip]

[root@vm-002 labtool]# ipa idrange-add local
First Posix ID of the range: 10
Number of IDs in the range: 20
--
Added ID range "local"
--
  Range name: local
  First Posix ID of the range: 10
  Number of IDs in the range: 20
  Range type: local domain range

After adding the trust, everything works ok:

[root@vm-002 labtool]# ipa trust-find
---
1 trust matched
---
  Realm name: test
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-259319770-2312917334-591429603
  Trust type: Active Directory domain

[root@vm-002 labtool]# ipa idrange-add local
First Posix ID of the range: 10
Number of IDs in the range: 10
First RID of the corresponding RID range: 10
First RID of the secondary RID range: 20
--
Added ID range "local"
--
  Range name: local
  First Posix ID of the range: 10
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 10
  First RID of the secondary RID range: 20
  Range type: local domain range

We should require the primary/secondary rid base after 
ipa-adtrust-install has been run, even if no trust is established.


Tomas
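As an added illustration (not FreeIPA code, and not taken from Ana's patch), the rule Tomas asks for above, "require rid-base and secondary-rid-base once ipa-adtrust-install has run, even with no trust established", next to the weaker rule he says the patch currently implements, "require them only when at least one trust exists". `ServerState`, `validate_idrange_add`, `check` and the two policy functions are hypothetical names; the overlap check between the primary and secondary RID ranges is an extra assumption not discussed in the thread.

```python
# Added illustration, not FreeIPA code: the validation rule from the review
# ("require rid-base and secondary-rid-base once ipa-adtrust-install has run,
# even with no trust established") beside the weaker rule the patch currently
# implements ("require them only when a trust exists").
# ServerState, validate_idrange_add, check and the policy functions are
# hypothetical names, not the idrange plugin's own.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ServerState:
    adtrust_installed: bool   # has ipa-adtrust-install completed on this server?
    trust_count: int          # number of established AD trusts


class ValidationError(Exception):
    """Plays the role of errors.ValidationError in the idrange plugin."""


def rid_bases_required_weak(state: ServerState) -> bool:
    # What the reviewed patch does: bases are required only once a trust exists.
    return state.trust_count > 0


def rid_bases_required(state: ServerState) -> bool:
    # What the review asks for: bases are required as soon as adtrust is installed.
    return state.adtrust_installed


def validate_idrange_add(
    state: ServerState,
    base_id: int,
    range_size: int,
    rid_base: Optional[int] = None,
    secondary_rid_base: Optional[int] = None,
    policy: Callable[[ServerState], bool] = rid_bases_required,
) -> dict:
    """Return the attributes a local range would be stored with, or raise."""
    if range_size <= 0:
        raise ValidationError("range_size must be positive")
    if base_id < 0:
        raise ValidationError("base_id must not be negative")

    if policy(state):
        missing = [name for name, value in (("rid_base", rid_base),
                                            ("secondary_rid_base", secondary_rid_base))
                   if value is None]
        if missing:
            raise ValidationError(
                "%s required when ipa-adtrust-install has been run"
                % " and ".join(missing))

    # Assumption, not from the thread: the primary and secondary RID ranges
    # each span range_size RIDs, so their bases must be at least that far apart.
    if rid_base is not None and secondary_rid_base is not None:
        if abs(rid_base - secondary_rid_base) < range_size:
            raise ValidationError("primary and secondary RID ranges overlap")

    entry = {"ipabaseid": base_id, "ipaidrangesize": range_size,
             "iparangetype": "ipa-local"}
    if rid_base is not None:
        entry["ipabaserid"] = rid_base
    if secondary_rid_base is not None:
        entry["ipasecondarybaserid"] = secondary_rid_base
    return entry


def check(state: ServerState, policy: Callable[[ServerState], bool], **kwargs) -> str:
    """Run the validation and report the outcome as a short string."""
    try:
        validate_idrange_add(state, policy=policy, **kwargs)
        return "accepted"
    except ValidationError as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    # The situation in the transcript: adtrust installed, no trust yet,
    # "ipa idrange-add local" given only a base ID and a size.
    after_adtrust = ServerState(adtrust_installed=True, trust_count=0)
    print("weak  :", check(after_adtrust, rid_bases_required_weak, base_id=10, range_size=20))
    print("strict:", check(after_adtrust, rid_bases_required, base_id=10, range_size=20))
```

The `policy` argument exists only so the two rules can be compared side by side; a real implementation would hard-wire the stricter one, since the point of the review is that the presence of a trust is the wrong signal.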

Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install

2013-06-06 Thread Tomas Babej

On 06/06/2013 03:45 PM, Jan Pazdziora wrote:

On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote:

Hello,

The attached patch should improve handling of client re-enrollment
related options of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3686

[...]

  
+if options.keytab and options.principal:

+root_logger.error("Options 'principal' and 'keytab' cannot be used "
+  "together.")
+return CLIENT_INSTALL_ERROR
+

I know that this check only explains what happens later in the code
but isn't using custom principal _plus_ a keytab for that principal
a valid combination? Right now, it's either principal + password, or
keytab and from that keytab a specific host/* principal. Can't it be
principal + keytab?


Currently only the host keytab is supported. This is described
in the man pages, and shows up with the --help option, so there should
be no confusion.

See http://www.freeipa.org/page/V3/Forced_client_re-enrollment

The use case was to have a way to automatically re-enroll
a host without sticking the admin's password in the script.

Tomas



Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install

2013-06-06 Thread Rob Crittenden

Jan Pazdziora wrote:

On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote:

Hello,

The attached patch should improve handling of client re-enrollment
related options of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3686


[...]



+if options.keytab and options.principal:
+root_logger.error("Options 'principal' and 'keytab' cannot be used "
+  "together.")
+return CLIENT_INSTALL_ERROR
+


I know that this check only explains what happens later in the code
but isn't using custom principal _plus_ a keytab for that principal
a valid combination? Right now, it's either principal + password, or
keytab and from that keytab a specific host/* principal. Can't it be
principal + keytab?



You do raise an interesting point. I think the assumption is that there 
is only one principal in the keytab.


rob



Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install

2013-06-06 Thread Jan Pazdziora
On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote:
> Hello,
> 
> The attached patch should improve handling of client re-enrollment
> related options of ipa-client-install.
> 
> https://fedorahosted.org/freeipa/ticket/3686

[...]

>  
> +if options.keytab and options.principal:
> +root_logger.error("Options 'principal' and 'keytab' cannot be used "
> +  "together.")
> +return CLIENT_INSTALL_ERROR
> +

I know that this check only explains what happens later in the code
but isn't using custom principal _plus_ a keytab for that principal
a valid combination? Right now, it's either principal + password, or
keytab and from that keytab a specific host/* principal. Can't it be
principal + keytab?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 0035 Prevent error when running IPA commands with su/sudo

2013-06-06 Thread Tomas Babej

On 06/06/2013 12:58 PM, Ana Krivokapic wrote:

Hello,

This patch fixes https://fedorahosted.org/freeipa/ticket/3685.





ACK

Tomas

[Freeipa-devel] [PATCH] 0035 Prevent error when running IPA commands with su/sudo

2013-06-06 Thread Ana Krivokapic
Hello,

This patch fixes https://fedorahosted.org/freeipa/ticket/3685.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From b4e5ba853ee3c4c1aa60024786b2f5bb5c828fa5 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic 
Date: Thu, 6 Jun 2013 12:52:08 +0200
Subject: [PATCH] Prevent error when running IPA commands with su/sudo

https://fedorahosted.org/freeipa/ticket/3685
---
 ipalib/plugable.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index fe09d3a6b489da1e8b3ce31a154c0aea239ddcda..aaa0dea480f092e32815c525751359f056936e3c 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -490,6 +490,11 @@ def bootstrap(self, parser=None, **overrides):
   stream=sys.stderr,
   level=level,
   format=LOGGING_FORMAT_STDERR)])
+
+if not parser:
+parser = self.build_global_parser()
+object.__setattr__(self, 'parser', parser)
+
 # Add file handler:
 if self.env.mode in ('dummy', 'unit_test'):
 return  # But not if in unit-test mode
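Review bot: the moved block now runs before the early `return` for `dummy`/`unit_test` mode and before the two error returns later in `bootstrap()` (`Could not create log_dir`, `Cannot open log file`), so `self.parser` is assigned on every path through the function; add a one-line comment above `if not parser:` saying it must stay ahead of those returns, because the old placement after them is exactly what produced the su/sudo error in the subject, and a later tidy-up could move it back without noticing.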
@@ -503,7 +508,6 @@ def bootstrap(self, parser=None, **overrides):
 log.error('Could not create log_dir %r', log_dir)
 return
 
-
 level = 'info'
 if self.env.debug:
 level = 'debug'
@@ -516,10 +520,6 @@ def bootstrap(self, parser=None, **overrides):
 log.error('Cannot open log file %r: %s', self.env.log, e)
 return
 
-if not parser:
-parser = self.build_global_parser()
-object.__setattr__(self, 'parser', parser)
-
 def build_global_parser(self, parser=None, context=None):
 """
 Add global options to an optparse.OptionParser instance.
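Review bot: the removed assignment sat after two `return` statements in this function (`Could not create log_dir` and `Cannot open log file`), so on those error paths `self.parser` was never set; together with the earlier hunk this closes that gap. One thing to double-check: `build_global_parser(self, parser=None, context=None)` is now called before the file handler is attached, so anything it logs goes to stderr only, which is a small behaviour change worth a sentence in the commit message.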
-- 
1.8.1.4


[Freeipa-devel] [PATCH 0069] Manage ipa-otpd.socket by IPA

2013-06-06 Thread Tomas Babej

Hi,

Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.

https://fedorahosted.org/freeipa/ticket/3680

Tomas
From 75f60ae7dcba5af8e0b055c971a970662120cf3c Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 5 Jun 2013 15:48:35 +0200
Subject: [PATCH] Manage ipa-otpd.socket by IPA

Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.

https://fedorahosted.org/freeipa/ticket/3680
---
 install/tools/ipa-replica-install  |  6 ++
 install/tools/ipa-server-install   | 12 +---
 install/tools/ipa-upgradeconfig| 29 ++---
 ipapython/platform/fedora16/service.py |  1 +
 ipaserver/install/otpdinstance.py  | 25 +
 ipaserver/install/service.py   | 17 +
 6 files changed, 68 insertions(+), 22 deletions(-)
 create mode 100644 ipaserver/install/otpdinstance.py

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 04cad42f6e4c16ee8e4b5076e96dc24bd887828f..209ca850f6c559c28ab8f3f6b4686234a04d0892 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -35,6 +35,7 @@ from ipapython import ipautil
 from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver.install import memcacheinstance
+from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (HostnameLocalhost, resolve_host,
 ReplicaConfig, expand_replica_info, read_replica_info ,get_host_name,
@@ -667,6 +668,11 @@ def main():
 
 krb = install_krb(config, setup_pkinit=options.setup_pkinit)
 http = install_http(config, auto_redirect=options.ui_redirect)
+
+otpd = otpdinstance.OtpdInstance()
+otpd.create_instance('OTPD', config.host_name, config.dirman_password,
+ ipautil.realm_to_suffix(config.realm_name))
+
 if CA:
 CA.configure_certmonger_renewal()
 CA.import_ra_cert(dir + "/ra.p12")
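Review bot: `otpd.create_instance(...)` is called unconditionally here with `config.dirman_password`, but while the server installer hunk in this same patch adds `otpdinstance.OtpdInstance().uninstall()`, the replica installer shows no matching removal; confirm that replica uninstall reaches the server uninstall path, otherwise the new ipa-otpd.socket service entry is left behind after the replica is removed.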
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3e18c8e002275d984fbb81a0a46f81b38e49916e..b90613295a2e9744575e9313929816e50e298926 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -49,6 +49,7 @@ from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
 from ipaserver.install import memcacheinstance
+from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
 
 from ipaserver.install import service, installutils
@@ -513,6 +514,7 @@ def uninstall():
 krbinstance.KrbInstance(fstore).uninstall()
 dsinstance.DsInstance(fstore=fstore).uninstall()
 memcacheinstance.MemcacheInstance().uninstall()
+otpdinstance.OtpdInstance().uninstall()
 ipaservices.restore_network_configuration(fstore, sstore)
 fstore.restore_all_files()
 try:
@@ -1092,11 +1094,15 @@ def main():
 # generated
 ds.add_cert_to_service()
 
-# Create a HTTP instance
-
 memcache = memcacheinstance.MemcacheInstance()
-memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name))
+memcache.create_instance('MEMCACHE', host_name, dm_password,
+ ipautil.realm_to_suffix(realm_name))
 
+otpd = otpdinstance.OtpdInstance()
+otpd.create_instance('OTPD', host_name, dm_password,
+ ipautil.realm_to_suffix(realm_name))
+
+# Create a HTTP instance
 http = httpinstance.HTTPInstance(fstore)
 if options.http_pkcs12:
 http.create_instance(
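Review bot: the re-wrap of the `memcache.create_instance(...)` call is a cosmetic change bundled into a functional hunk; harmless, but keeping such reflows separate makes the diff read as "add OTPD instance" only. Moving `# Create a HTTP instance` down to sit directly above `http = httpinstance.HTTPInstance(fstore)` is correct, since before this change the comment was stranded above the memcache block.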
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8e9357f20fe7c9a88908def6a2e3b2104f07d73a..4e9216964a045b5a87c22f6eb87bb1844f4adce9 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -48,6 +48,7 @@ from ipaserver.install import bindinstance
 from ipaserver.install import service
 from ipaserver.install import cainstance
 from ipaserver.install import certs
+from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
 
 
@@ -925,17 +926,23 @@ def main():
 
 uninstall_selfsign(ds, http)
 
-memcache = memcacheinstance.MemcacheInstance()
-memcache.ldapi = True
-memcache.realm = api.env.realm
-try:
-if not memcache.is_configured():
-# 389-ds needs to be running to create the memcache instance
-# because we record the new service in cn=masters.
-ds.start()
-memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
-except ipalib.errors.DuplicateEn
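Review bot: the removed block's comment records why `ds.start()` must precede `create_instance` (the new service is written to cn=masters), and the `is_configured()` guard is what stops a repeated upgrade run from re-creating the entry; the replacement that presumably generalises this for the OTPD instance is cut off in the archive, so verify it keeps that ordering, the guard, and the `DuplicateEntry` handling for each instance it sets up, and that `create_instance` is still passed `None` for the password on the upgrade path as the memcache code did.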

Re: [Freeipa-devel] [PATCHES 0061-0063] Extend ID range types

2013-06-06 Thread Alexander Bokovoy

On Thu, 06 Jun 2013, Tomas Babej wrote:

From 0580d3c03319c72d731d0598b19e633fc536b866 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 30 May 2013 14:07:09 +0200
Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute

Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.

Having an ipaRangeType attributeType in the schema, we need to fill
in the attribute values for ranges created in previous IPA versions.

The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.

Part of https://fedorahosted.org/freeipa/ticket/3647

You also need to fix the bootstrap template, as ipaRangeType is now a mandatory
attribute for the range class:
-
add objectClass:
top
ipaIDrange
ipaDomainIDRange
add cn:
VDA.LI_id_range
add ipaBaseID:
139340
add ipaIDRangeSize:
20
adding new entry "cn=VDA.LI_id_range,cn=ranges,cn=etc,dc=vda,dc=li"


2013-06-06T09:56:07Z DEBUG stderr=ldap_initialize(
ldap://red.espoo.vda.li:389/??base )
ldap_add: Object class violation (65)
additional info: missing attribute "ipaRangeType" required by
object class "ipaIDrange"


2013-06-06T09:56:07Z CRITICAL Failed to load bootstrap-template.ldif:
Command '/usr/bin/ldapmodify -v -f /tmp/tmpkOLzK2 -H
ldap://red.espoo.vda.li:389 -x -D cn=Directory Manager -y
/tmp/tmpHb7d4F' returned non-zero exit status 65
2013-06-06T09:56:07Z DEBUG   duration: 3 seconds
--

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install

2013-06-06 Thread Tomas Babej

On 06/05/2013 04:14 PM, Ana Krivokapic wrote:

Hello,

The attached patch should improve handling of client re-enrollment
related options of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3686





ACK

Tomas

[Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type

2013-06-06 Thread Tomas Babej

Hi,

Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
'yes' : the 'ipa-ad-trust-posix' range type is enforced
'no' : the 'ipa-ad-trust' range type is enforced

When --use-posix option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650

Tomas
From 58e1c5892125bcef70b204562fd0824c181809e1 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 5 Jun 2013 11:51:27 +0200
Subject: [PATCH] Add --use-posix option that forces trusted range type

Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
  'yes' : the 'ipa-ad-trust-posix' range type is enforced
  'no'  : the 'ipa-ad-trust' range type is enforced

When --use-posix option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
---
 API.txt |  3 ++-
 ipalib/plugins/trust.py | 42 +-
 2 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..9dff02906fddd9078519b11610c8930bdfe32070 100644
--- a/API.txt
+++ b/API.txt
@@ -3340,7 +3340,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: trust_add
-args: 1,12,3
+args: 1,13,3
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3353,6 +3353,7 @@ option: Str('realm_server?', cli_name='server')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Password('trust_secret?', cli_name='trust_secret', confirm=False)
 option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=(u'ad',))
+option: StrEnum('use_posix?', cli_name='use_posix', values=(u'yes', u'no'))
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..db72f005595f4e1e992be588725cff72669403fa 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -290,6 +290,12 @@ sides.
 default=20,
 autofill=True
 ),
+StrEnum('use_posix?',
+cli_name='use_posix',
+label=_('Use POSIX attributes in ID range for the '
+'trusted domain'),
+values=(u'yes', u'no'),
+),
 )
 
 msg_summary = _('Added Active Directory trust for realm "%(value)s"')
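Review bot: the option is deliberately three-state (yes, no, or omitted, in which case the cover letter says the type comes from ID range discovery), which is why a `StrEnum` with 'yes'/'no' is used instead of a `Flag`; that third state is documented only in the cover letter, so consider adding a `doc=` string to the parameter so `ipa trust-add --help` tells the user what happens when `--use-posix` is omitted.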
@@ -330,23 +336,40 @@ sides.
 dom_sid = new_obj['result']['ipanttrusteddomainsid'][0];
 
 range_name = keys[-1].upper()+'_id_range'
+range_type = None
+
+# Force the given range type if --use-posix option was used
+if 'use_posix' in options:
+if options['use_posix'] == 'yes':
+range_type = u'ipa-ad-trust-posix'
+elif options['use_posix'] == 'no':
+range_type = u'ipa-ad-trust'
 
 try:
-old_range = api.Command['idrange_show'](range_name)
+old_range = api.Command['idrange_show'](range_name, raw=True)
 except errors.NotFound, e:
 old_range = None
 
 if old_range:
-old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0];
+old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
+old_range_type = old_range['result']['iparangetype'][0]
 
-if old_dom_sid == dom_sid:
-return
-
-raise errors.ValidationError(name=_('range exists'),
-error=_('ID range with the same name but different ' \
-'domain SID already exists. The ID range for ' \
+if old_dom_sid != dom_sid:
+raise errors.ValidationError(name=_('range exists'),
+error=_('ID range with the same name but different '
+'domain SID already exists. The ID range for '
 'the new trusted domain must be created manually.'))
 
+if range_type is not None:
+if range_type != old_range_type:
+raise errors.ValidationError(name=_('range type change'),
+error=_('ID range for the trusted domain already exists, '
+'but it has a different type. Please remove the '
+'old range manually, or do not enforce type '
+'via --use-posix option.'))
+
+return
+
 if 'base_id' in options:
 base_id = options[
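Review bot: `old_range['result']['iparangetype'][0]` is read unconditionally as soon as a range with that name exists; a range created by an earlier IPA version only gets `ipaRangeType` after the update plugin from PATCHES 0061-0063 has run (Alexander's report elsewhere in this thread shows the attribute is now mandatory), so on a server where that update has not yet run this is a `KeyError` rather than a clean `ValidationError`. Reading it as `old_range['result'].get('iparangetype', [None])[0]` and treating a missing value as a type mismatch would fail closed with a usable message. The switch to `raw=True` on `idrange_show` is needed here so the comparison sees the stored `ipa-ad-trust`/`ipa-ad-trust-posix` value rather than the translated label the idrange commands otherwise return.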

Re: [Freeipa-devel] [PATCHES 0061-0063] Extend ID range types

2013-06-06 Thread Tomas Babej

On 06/05/2013 02:53 PM, Tomas Babej wrote:

On 06/03/2013 05:00 PM, Tomas Babej wrote:

Hi,

Sending rebased versions on top of current master.

Tomas

Hi,

A rebase was needed again.

I also fixed a bug in the update plugin, since it used case-sensitive 
comparison of objectclasses.


Updated patchset attached.

Tomas




Patchset updated with the changes required for patch 67.

Tomas
From de961306fc4582c0e63d28f42ad60df6e956443b Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 30 May 2013 14:12:52 +0200
Subject: [PATCH] Extend idrange commands to support new range origin types

Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:

 'ipa-local': 'local domain range'
 'ipa-ad-winsync': 'Active Directory winsync range'
 'ipa-ad-trust': 'Active Directory domain range'
 'ipa-ad-trust-posix': 'Active Directory trust range with
POSIX attributes'
 'ipa-ipa-trust': 'IPA trust range'

Part of https://fedorahosted.org/freeipa/ticket/3647
---
 API.txt   |  7 ++---
 ipalib/plugins/idrange.py | 74 ++-
 2 files changed, 63 insertions(+), 18 deletions(-)

diff --git a/API.txt b/API.txt
index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..1313460de66d8e12fc7a068cda0cf30658bcdd1b 100644
--- a/API.txt
+++ b/API.txt
@@ -1969,7 +1969,7 @@ option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False,
 option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True)
 option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False)
 option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False)
-option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False)
+option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
 option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
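Review bot: besides tightening `Str` to a `StrEnum` with the five allowed values, this hunk renames the CLI flag from `--iparangetype` to `--type`; that is a backwards-incompatible change for any script calling `ipa idrange-add`, so it deserves a line in the commit message, which currently only lists the new values.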
@@ -1994,7 +1994,7 @@ option: Int('ipabaseid', attribute=True, autofill=False, cli_name='base_id', mul
 option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False)
 option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False)
 option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False)
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, query=True, required=False)
+option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
 option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2006,7 +2006,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: idrange_mod
-args: 1,14,3
+args: 1,13,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -2016,7 +2016,6 @@ option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', m
 option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False)
 option: DeprecatedParam('ipanttrusteddomainname?')
 option: DeprecatedParam('ipanttrusteddomainsid?')
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, required=False)
 option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
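Review bot: dropping `iparangetype` from `idrange_mod` makes the range type immutable after creation, which matches the guidance in PATCH 0067's error text ("remove the old range manually"); since this is an API removal rather than just the rename done for `idrange_add`/`idrange_find`, state that intent explicitly in the commit message.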
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 73628795aaa069b436371be3d9c989e97916f1f6..ad15ec73872ef2894b48d7f618c4ef7f3d5a840a 100644
---