Re: [Freeipa-devel] [PATCH 0069] Manage ipa-otpd.socket by IPA
On 06/06/2013 12:51 PM, Tomas Babej wrote: > Hi, > > Adds a new simple service called OtpdInstance, that manages > ipa-otpd.socket service. Added to server/replica installer > and ipa-upgradeconfig script. > > https://fedorahosted.org/freeipa/ticket/3680 > > Tomas > Tested with server/replica install and upgrades. Both worked fine. ACK. Pushed to master, ipa-3-2. Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 03:07 PM, Tomas Babej wrote: > On 06/03/2013 01:10 PM, Tomas Babej wrote: >> Hi, >> >> Default list of attributes that are checked with 7-bit plugin >> for being 7-bit clean includes userPassword. Consecutively, one >> is unable to set passwords that contain non-ascii characters. >> >> https://fedorahosted.org/freeipa/ticket/3640 >> >> Tomas > > Proper explanation and missing newline added. > > Updated patch attached. > > Tomas > Works for me. ACK, pushed to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0030] Require rid-base and secondary-rid-base options in idrange-add when trust exists
On 05/31/2013 07:35 PM, Ana Krivokapic wrote: On 05/28/2013 04:49 PM, Ana Krivokapic wrote: Hello, This patch addresseshttps://fedorahosted.org/freeipa/ticket/3634 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel This updated patch applies on top of tbabej's patches 0053-0055. As suggested by Tomás( (https://www.redhat.com/archives/freeipa-devel/2013-May/msg00352.html), I refactored support of "mock" LDAP objects to tests/util, and modified test_range_plugin and test_cli to use it. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I looked thoroughly at the issue here.. The ticket is a little bit confusing about that, but you need to require primary/secondary rid base for the range after ipa-adtrust-install has been run. Currently, the way your patch works, the bases are required only if at least one trust exists. [root@vm-002 labtool]# ipa-adtrust-install The log file for this installation can be found in /var/log/ipaserver-install.log [snip] Setup complete [snip] [root@vm-002 labtool]# ipa idrange-add local First Posix ID of the range: 10 Number of IDs in the range: 20 -- Added ID range "local" -- Range name: local First Posix ID of the range: 10 Number of IDs in the range: 20 Range type: local domain range After adding the trust, everything works ok: [root@vm-002 labtool]# ipa trust-find --- 1 trust matched --- Realm name: test Domain NetBIOS name: TEST Domain Security Identifier: S-1-5-21-259319770-2312917334-591429603 Trust type: Active Directory domain [root@vm-002 labtool]# ipa idrange-add local First Posix ID of the range: 10 Number of IDs in the range: 10 First RID of the corresponding RID range: 10 First RID of the secondary RID range: 20 -- Added ID range "local" -- Range name: local First Posix ID of the range: 10 Number of IDs in the range: 10 First RID of the corresponding RID range: 10 First RID of the secondary RID range: 20 Range type: local domain range We should require for primary/secondary rid base after ipa-adtrust-install has been run even if no trust is established. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install
On 06/06/2013 03:45 PM, Jan Pazdziora wrote: On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote: Hello, The attached patch should improve handling of client re-enrollment related options of ipa-client-install. https://fedorahosted.org/freeipa/ticket/3686 [...] +if options.keytab and options.principal: +root_logger.error("Options 'principal' and 'keytab' cannot be used " + "together.") +return CLIENT_INSTALL_ERROR + I know that this check only explains what happens later in the code but isn't using custom principal _plus_ a keytab for that principal a valid combination? Right now, it's either principal + password, or keytab and from that keytab a specific host/* principal. Can't it be ptincipal + keytab? Currently only the host keytab is supported. This is described in the man pages / or shows up with --help option, so there should be no confusion. See http://www.freeipa.org/page/V3/Forced_client_re-enrollment The use case was to have a way how to automatically re-enroll a host that would not need sticking admin's password in the script. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install
Jan Pazdziora wrote: On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote: Hello, The attached patch should improve handling of client re-enrollment related options of ipa-client-install. https://fedorahosted.org/freeipa/ticket/3686 [...] +if options.keytab and options.principal: +root_logger.error("Options 'principal' and 'keytab' cannot be used " + "together.") +return CLIENT_INSTALL_ERROR + I know that this check only explains what happens later in the code but isn't using custom principal _plus_ a keytab for that principal a valid combination? Right now, it's either principal + password, or keytab and from that keytab a specific host/* principal. Can't it be ptincipal + keytab? You do raise an interesting point. I think the assumption is that there is only one principal in the keytab. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install
On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote: > Hello, > > The attached patch should improve handling of client re-enrollment > related options of ipa-client-install. > > https://fedorahosted.org/freeipa/ticket/3686 [...] > > +if options.keytab and options.principal: > +root_logger.error("Options 'principal' and 'keytab' cannot be used " > + "together.") > +return CLIENT_INSTALL_ERROR > + I know that this check only explains what happens later in the code but isn't using custom principal _plus_ a keytab for that principal a valid combination? Right now, it's either principal + password, or keytab and from that keytab a specific host/* principal. Can't it be ptincipal + keytab? -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0035 Prevent error when running IPA commands with su/sudo
On 06/06/2013 12:58 PM, Ana Krivokapic wrote: Hello, This patch fixes https://fedorahosted.org/freeipa/ticket/3685. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0035 Prevent error when running IPA commands with su/sudo
Hello, This patch fixes https://fedorahosted.org/freeipa/ticket/3685. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From b4e5ba853ee3c4c1aa60024786b2f5bb5c828fa5 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Thu, 6 Jun 2013 12:52:08 +0200 Subject: [PATCH] Prevent error when running IPA commands with su/sudo https://fedorahosted.org/freeipa/ticket/3685 --- ipalib/plugable.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index fe09d3a6b489da1e8b3ce31a154c0aea239ddcda..aaa0dea480f092e32815c525751359f056936e3c 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -490,6 +490,11 @@ def bootstrap(self, parser=None, **overrides): stream=sys.stderr, level=level, format=LOGGING_FORMAT_STDERR)]) + +if not parser: +parser = self.build_global_parser() +object.__setattr__(self, 'parser', parser) + # Add file handler: if self.env.mode in ('dummy', 'unit_test'): return # But not if in unit-test mode @@ -503,7 +508,6 @@ def bootstrap(self, parser=None, **overrides): log.error('Could not create log_dir %r', log_dir) return - level = 'info' if self.env.debug: level = 'debug' @@ -516,10 +520,6 @@ def bootstrap(self, parser=None, **overrides): log.error('Cannot open log file %r: %s', self.env.log, e) return -if not parser: -parser = self.build_global_parser() -object.__setattr__(self, 'parser', parser) - def build_global_parser(self, parser=None, context=None): """ Add global options to an optparse.OptionParser instance. -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0069] Manage ipa-otpd.socket by IPA
Hi, Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680 Tomas From 75f60ae7dcba5af8e0b055c971a970662120cf3c Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 5 Jun 2013 15:48:35 +0200 Subject: [PATCH] Manage ipa-otpd.socket by IPA Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680 --- install/tools/ipa-replica-install | 6 ++ install/tools/ipa-server-install | 12 +--- install/tools/ipa-upgradeconfig| 29 ++--- ipapython/platform/fedora16/service.py | 1 + ipaserver/install/otpdinstance.py | 25 + ipaserver/install/service.py | 17 + 6 files changed, 68 insertions(+), 22 deletions(-) create mode 100644 ipaserver/install/otpdinstance.py diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 04cad42f6e4c16ee8e4b5076e96dc24bd887828f..209ca850f6c559c28ab8f3f6b4686234a04d0892 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -35,6 +35,7 @@ from ipapython import ipautil from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs from ipaserver.install import memcacheinstance +from ipaserver.install import otpdinstance from ipaserver.install.replication import replica_conn_check, ReplicationManager from ipaserver.install.installutils import (HostnameLocalhost, resolve_host, ReplicaConfig, expand_replica_info, read_replica_info ,get_host_name, @@ -667,6 +668,11 @@ def main(): krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) + +otpd = otpdinstance.OtpdInstance() +otpd.create_instance('OTPD', config.host_name, config.dirman_password, + ipautil.realm_to_suffix(config.realm_name)) + if CA: CA.configure_certmonger_renewal() CA.import_ra_cert(dir + "/ra.p12") diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 3e18c8e002275d984fbb81a0a46f81b38e49916e..b90613295a2e9744575e9313929816e50e298926 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -49,6 +49,7 @@ from ipaserver.install import ntpinstance from ipaserver.install import certs from ipaserver.install import cainstance from ipaserver.install import memcacheinstance +from ipaserver.install import otpdinstance from ipaserver.install import sysupgrade from ipaserver.install import service, installutils @@ -513,6 +514,7 @@ def uninstall(): krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() memcacheinstance.MemcacheInstance().uninstall() +otpdinstance.OtpdInstance().uninstall() ipaservices.restore_network_configuration(fstore, sstore) fstore.restore_all_files() try: @@ -1092,11 +1094,15 @@ def main(): # generated ds.add_cert_to_service() -# Create a HTTP instance - memcache = memcacheinstance.MemcacheInstance() -memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) +memcache.create_instance('MEMCACHE', host_name, dm_password, + ipautil.realm_to_suffix(realm_name)) +otpd = otpdinstance.OtpdInstance() +otpd.create_instance('OTPD', host_name, dm_password, + ipautil.realm_to_suffix(realm_name)) + +# Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_pkcs12: http.create_instance( diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 8e9357f20fe7c9a88908def6a2e3b2104f07d73a..4e9216964a045b5a87c22f6eb87bb1844f4adce9 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -48,6 +48,7 @@ from ipaserver.install import bindinstance from ipaserver.install import service from ipaserver.install import cainstance from ipaserver.install import certs +from ipaserver.install import otpdinstance from ipaserver.install import sysupgrade @@ -925,17 +926,23 @@ def main(): uninstall_selfsign(ds, http) -memcache = memcacheinstance.MemcacheInstance() -memcache.ldapi = True -memcache.realm = api.env.realm -try: -if not memcache.is_configured(): -# 389-ds needs to be running to create the memcache instance -# because we record the new service in cn=masters. -ds.start() -memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm)) -except ipalib.errors.DuplicateEn
Re: [Freeipa-devel] [PATCHES 0061-0063] Extend ID range types
On Thu, 06 Jun 2013, Tomas Babej wrote: From 0580d3c03319c72d731d0598b19e633fc536b866 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 30 May 2013 14:07:09 +0200 Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute Previously, we deduced the range type from the range objectclass and filled in virtual attribute in post_callback phase. Having a ipaRangeType attributeType in schema, we need to fill the attribute values to ranges created in previous IPA versions. The plugin follows the same approach, setting ipa-local or ipa-ad-trust value to the ipaRangeType attribute according to the objectclass of the range. Part of https://fedorahosted.org/freeipa/ticket/3647 You need also to fix bootstrap template as ipaRangeType now is mandatory attribute for the range class: - add objectClass: top ipaIDrange ipaDomainIDRange add cn: VDA.LI_id_range add ipaBaseID: 139340 add ipaIDRangeSize: 20 adding new entry "cn=VDA.LI_id_range,cn=ranges,cn=etc,dc=vda,dc=li" 2013-06-06T09:56:07Z DEBUG stderr=ldap_initialize( ldap://red.espoo.vda.li:389/??base ) ldap_add: Object class violation (65) additional info: missing attribute "ipaRangeType" required by object class "ipaIDrange" 2013-06-06T09:56:07Z CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpkOLzK2 -H ldap://red.espoo.vda.li:389 -x -D cn=Directory Manager -y /tmp/tmpHb7d4F' returned non-zero exit status 65 2013-06-06T09:56:07Z DEBUG duration: 3 seconds -- -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0034 Improve handling of options in ipa-client-install
On 06/05/2013 04:14 PM, Ana Krivokapic wrote: Hello, The attached patch should improve handling of client re-enrollment related options of ipa-client-install. https://fedorahosted.org/freeipa/ticket/3686 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type
Hi, Adds --use-posix option to ipa trust-add command. It takes two allowed values: 'yes' : the 'ipa-ad-trust-posix' range type is enforced 'no' : the 'ipa-ad-trust' range type is enforced When --use-posix option is not specified, the range type should be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650 Tomas From 58e1c5892125bcef70b204562fd0824c181809e1 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 5 Jun 2013 11:51:27 +0200 Subject: [PATCH] Add --use-posix option that forces trusted range type Adds --use-posix option to ipa trust-add command. It takes two allowed values: 'yes' : the 'ipa-ad-trust-posix' range type is enforced 'no' : the 'ipa-ad-trust' range type is enforced When --use-posix option is not specified, the range type shold be determined by ID range discovery. https://fedorahosted.org/freeipa/ticket/3650 --- API.txt | 3 ++- ipalib/plugins/trust.py | 42 +- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/API.txt b/API.txt index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..9dff02906fddd9078519b11610c8930bdfe32070 100644 --- a/API.txt +++ b/API.txt @@ -3340,7 +3340,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: Output('value', , None) command: trust_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -3353,6 +3353,7 @@ option: Str('realm_server?', cli_name='server') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Password('trust_secret?', cli_name='trust_secret', confirm=False) option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=(u'ad',)) +option: StrEnum('use_posix?', cli_name='use_posix', values=(u'yes', u'no')) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..db72f005595f4e1e992be588725cff72669403fa 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -290,6 +290,12 @@ sides. default=20, autofill=True ), +StrEnum('use_posix?', +cli_name='use_posix', +label=_('Use POSIX attributes in ID range for the ' +'trusted domain'), +values=(u'yes', u'no'), +), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -330,23 +336,40 @@ sides. dom_sid = new_obj['result']['ipanttrusteddomainsid'][0]; range_name = keys[-1].upper()+'_id_range' +range_type = None + +# Force the given range type if --use-posix option was used +if 'use_posix' in options: +if options['use_posix'] == 'yes': +range_type = u'ipa-ad-trust-posix' +elif options['use_posix'] == 'no': +range_type = u'ipa-ad-trust' try: -old_range = api.Command['idrange_show'](range_name) +old_range = api.Command['idrange_show'](range_name, raw=True) except errors.NotFound, e: old_range = None if old_range: -old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]; +old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0] +old_range_type = old_range['result']['iparangetype'][0] -if old_dom_sid == dom_sid: -return - -raise errors.ValidationError(name=_('range exists'), -error=_('ID range with the same name but different ' \ -'domain SID already exists. The ID range for ' \ +if old_dom_sid != dom_sid: +raise errors.ValidationError(name=_('range exists'), +error=_('ID range with the same name but different ' +'domain SID already exists. The ID range for ' 'the new trusted domain must be created manually.')) +if range_type is not None: +if range_type != old_range_type: +raise errors.ValidationError(name=_('range type change'), +error=_('ID range for the trusted domain already exists, ' +'but it has a different type. Please remove the ' +'old range manually, or do not enforce type ' +'via --use-posix option.')) + +return + if 'base_id' in options: base_id = options[
Re: [Freeipa-devel] [PATCHES 0061-0063] Extend ID range types
On 06/05/2013 02:53 PM, Tomas Babej wrote: On 06/03/2013 05:00 PM, Tomas Babej wrote: Hi, Sending rebased versions on top of current master. Tomas Hi, A rebase was needed again. I also fixed a bug in the update plugin, since it used case-sensitive comparison of objectclasses. Updated patcheset attached. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Patcheset updated with the changes required for the patch 67. Tomas From de961306fc4582c0e63d28f42ad60df6e956443b Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Thu, 30 May 2013 14:12:52 +0200 Subject: [PATCH] Extend idrange commands to support new range origin types Following values of ipaRangeType attribute are supported and translated accordingly in the idrange commands: 'ipa-local': 'local domain range' 'ipa-ad-winsync': 'Active Directory winsync range' 'ipa-ad-trust': 'Active Directory domain range' 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes' 'ipa-ipa-trust': 'IPA trust range' Part of https://fedorahosted.org/freeipa/ticket/3647 --- API.txt | 7 ++--- ipalib/plugins/idrange.py | 74 ++- 2 files changed, 63 insertions(+), 18 deletions(-) diff --git a/API.txt b/API.txt index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..1313460de66d8e12fc7a068cda0cf30658bcdd1b 100644 --- a/API.txt +++ b/API.txt @@ -1969,7 +1969,7 @@ option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False, option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True) option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False) option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False) -option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False) +option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust')) option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('setattr*', cli_name='setattr', exclude='webui') @@ -1994,7 +1994,7 @@ option: Int('ipabaseid', attribute=True, autofill=False, cli_name='base_id', mul option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False) option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False) option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False) -option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, query=True, required=False) +option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust')) option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -2006,7 +2006,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: idrange_mod -args: 1,14,3 +args: 1,13,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -2016,7 +2016,6 @@ option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', m option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False) option: DeprecatedParam('ipanttrusteddomainname?') option: DeprecatedParam('ipanttrusteddomainsid?') -option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, required=False) option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 73628795aaa069b436371be3d9c989e97916f1f6..ad15ec73872ef2894b48d7f618c4ef7f3d5a840a 100644 ---