Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On 28.4.2016 12:19, Tomas Babej wrote:
> On 04/19/2016 08:20 AM, Jan Cholasta wrote:
>> On 13.4.2016 14:13, Tomas Babej wrote:
>>> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>>>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this extends the user ID overrides with capability to store the user
>>>>>>> certificate.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>>>
>>>>>> The preferred way of managing certificates nowadays is using
>>>>>> $OBJ-add-cert and $OBJ-remove-cert commands, you should add them here
>>>>>> as well.
>>>>>>
>>>>>> I would even go as far as not allowing to modify certificates using
>>>>>> idoverrideuser-mod - in user-mod and host-mod, it's there just for
>>>>>> backward compatibility, which is not the case here. But I don't have a
>>>>>> strong opinion on that.
>>>>>>
>>>>>> For consistency with user-find and host-find, the full certificate blob
>>>>>> should not be shown in idoverrideuser-find. You can do that by setting
>>>>>> search_display_attributes attribute on the idoverrideuser class
>>>>>> appropriately.
>>>>>
>>>>> I tested the current patch with my related patches for SSSD and all is
>>>>> working as expected.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>> --
>>>>>> Jan Cholasta
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>
>>>> Thanks for the reviews,
>>>>
>>>> attaching an updated patch that addresses Honza's comments.
>>>>
>>>> Tomas
>>>
>>> Sending an improved version addressing a couple of additional issues.
>>
>> 1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
>> certificate will always be DER here already:
>>
>>     # Normalize the certificate to DER format
>>     certs = options.get('usercertificate', [])
>>     certs_der = [x509.normalize_certificate(c) for c in certs]
>>     entry_attrs['usercertificate'] = certs_der
>>
>> 2) You need to call convert_usercertificate_pre() in
>> idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
>> idoverrideuser_{mod,find,show}.post_callback() as well.
>>
>> Honza
>
> Updated patch attached, mentioned issues should be fixed, I also removed
> one redundant import which escaped my careful eye.

Thanks, ACK.

Added ticket URL and pushed to master: 6adf86378108cdf8b0825277431419a5e803aeb5

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On 04/19/2016 08:20 AM, Jan Cholasta wrote:
> On 13.4.2016 14:13, Tomas Babej wrote:
>> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this extends the user ID overrides with capability to store the user
>>>>>> certificate.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>>
>>>>> The preferred way of managing certificates nowadays is using
>>>>> $OBJ-add-cert
>>>>> and $OBJ-remove-cert commands, you should add them here as well.
>>>>>
>>>>> I would even go as far as not allowing to modify certificates using
>>>>> idoverrideuser-mod - in user-mod and host-mod, it's there just for
>>>>> backward
>>>>> compatibility, which is not the case here. But I don't have a
>>>>> strong opinion
>>>>> on that.
>>>>>
>>>>> For consistency with user-find and host-find, the full certificate
>>>>> blob
>>>>> should not be shown in idoverrideuser-find. You can do that by setting
>>>>> search_display_attributes attribute on the idoverrideuser class
>>>>> appropriately.
>>>>
>>>> I tested the current patch with my related patches for SSSD and all is
>>>> working as expected.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>>
>>>>> Honza
>>>>>
>>>>> --
>>>>> Jan Cholasta
>>>
>>> Thanks for the reviews,
>>>
>>> attaching an updated patch that addresses Honza's comments.
>>>
>>> Tomas
>>>
>>
>> Sending an improved version addressing a couple of additional issues.
>
> 1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
> certificate will always be DER here already:
>
>     # Normalize the certificate to DER format
>     certs = options.get('usercertificate', [])
>     certs_der = [x509.normalize_certificate(c) for c in certs]
>     entry_attrs['usercertificate'] = certs_der
>
>
> 2) You need to call convert_usercertificate_pre() in
> idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
> idoverrideuser_{mod,find,show}.post_callback() as well.
>
> Honza
>

Updated patch attached, mentioned issues should be fixed, I also removed
one redundant import which escaped my careful eye.

Tomas

From ecfb6dbfb39120fa1c2caf83fd0d6c22471c212d Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt                      |  2 +-
 API.txt                      | 30 +++--
 VERSION                      |  4 +--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py    | 79 ++--
 5 files changed, 109 insertions(+), 8 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) +aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 3598b08198cae536754259f7463669052efa3f86..b2aec7313b6b9496179beddb68e4a0f5a09608bf 100644 ---
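Review bot: The changed "System: Read User ID Overrides" line in the ACI.txt hunk adds usercertificate to a targetattr list that is granted compare, read and search to ldap:///all, so every authenticated user will be able to read the certificates stored on an override. The same list already carries ipasshpubkey on those terms, so this looks intended, but the commit message should say so explicitly; the group override ACI on the context line above is rightly left unchanged.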
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On 13.4.2016 14:13, Tomas Babej wrote:
> On 04/13/2016 09:55 AM, Tomas Babej wrote:
>> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> this extends the user ID overrides with capability to store the user
>>>>> certificate.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>>
>>>> The preferred way of managing certificates nowadays is using
>>>> $OBJ-add-cert and $OBJ-remove-cert commands, you should add them here
>>>> as well.
>>>>
>>>> I would even go as far as not allowing to modify certificates using
>>>> idoverrideuser-mod - in user-mod and host-mod, it's there just for
>>>> backward compatibility, which is not the case here. But I don't have a
>>>> strong opinion on that.
>>>>
>>>> For consistency with user-find and host-find, the full certificate blob
>>>> should not be shown in idoverrideuser-find. You can do that by setting
>>>> search_display_attributes attribute on the idoverrideuser class
>>>> appropriately.
>>>
>>> I tested the current patch with my related patches for SSSD and all is
>>> working as expected.
>>>
>>> bye,
>>> Sumit
>>>
>>>>
>>>> Honza
>>>>
>>>> --
>>>> Jan Cholasta
>>
>> Thanks for the reviews,
>>
>> attaching an updated patch that addresses Honza's comments.
>>
>> Tomas
>
> Sending an improved version addressing a couple of additional issues.

1) This bit in idoverrideuser_add.pre_callback() is redundant, as the
certificate will always be DER here already:

    # Normalize the certificate to DER format
    certs = options.get('usercertificate', [])
    certs_der = [x509.normalize_certificate(c) for c in certs]
    entry_attrs['usercertificate'] = certs_der

2) You need to call convert_usercertificate_pre() in
idoverrideuser_mod.pre_callback() and convert_usercertificate_post() in
idoverrideuser_{mod,find,show}.post_callback() as well.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On 04/13/2016 09:55 AM, Tomas Babej wrote:
> On 04/07/2016 01:53 PM, Sumit Bose wrote:
>> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 1.4.2016 16:53, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this extends the user ID overrides with capability to store the user
>>>> certificate.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4955
>>>
>>> The preferred way of managing certificates nowadays is using $OBJ-add-cert
>>> and $OBJ-remove-cert commands, you should add them here as well.
>>>
>>> I would even go as far as not allowing to modify certificates using
>>> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
>>> compatibility, which is not the case here. But I don't have a strong opinion
>>> on that.
>>>
>>> For consistency with user-find and host-find, the full certificate blob
>>> should not be shown in idoverrideuser-find. You can do that by setting
>>> search_display_attributes attribute on the idoverrideuser class
>>> appropriately.
>>
>> I tested the current patch with my related patches for SSSD and all is
>> working as expected.
>>
>> bye,
>> Sumit
>>
>>>
>>> Honza
>>>
>>> --
>>> Jan Cholasta
>>
>
> Thanks for the reviews,
>
> attaching an updated patch that addresses Honza's comments.
>
> Tomas
>

Sending an improved version addressing a couple of additional issues.

Tomas

From f56129024fecfe1522cd6bd85f7daddfd3bf5129 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt                      |  2 +-
 API.txt                      | 30 ++--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py    | 82 ++--
 4 files changed, 110 insertions(+), 6 deletions(-)
diff --git a/ACI.txt b/ACI.txt index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644 --- a/ACI.txt +++ b/ACI.txt @@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) +aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 5b75413f930d0e9caaffc68023bed8106d786653..76b260da72533ee88027f72d56a591c7566c72b7 100644 --- a/API.txt 
+++ b/API.txt @@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: idoverrideuser_add -args: 2,15,3 +args: 2,16,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2446,6 +2446,19 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1,
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On 04/07/2016 01:53 PM, Sumit Bose wrote:
> On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 1.4.2016 16:53, Tomas Babej wrote:
>>> Hi,
>>>
>>> this extends the user ID overrides with capability to store the user
>>> certificate.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4955
>>
>> The preferred way of managing certificates nowadays is using $OBJ-add-cert
>> and $OBJ-remove-cert commands, you should add them here as well.
>>
>> I would even go as far as not allowing to modify certificates using
>> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
>> compatibility, which is not the case here. But I don't have a strong opinion
>> on that.
>>
>> For consistency with user-find and host-find, the full certificate blob
>> should not be shown in idoverrideuser-find. You can do that by setting
>> search_display_attributes attribute on the idoverrideuser class
>> appropriately.
>
> I tested the current patch with my related patches for SSSD and all is
> working as expected.
>
> bye,
> Sumit
>
>>
>> Honza
>>
>> --
>> Jan Cholasta
>

Thanks for the reviews,

attaching an updated patch that addresses Honza's comments.

Tomas

From bc7a20b942931e43b4d7e4e79b88cae8a113385d Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt                      |  2 +-
 API.txt                      | 30 +++--
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py    | 80 ++--
 4 files changed, 108 insertions(+), 6 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) +aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 5b75413f930d0e9caaffc68023bed8106d786653..76b260da72533ee88027f72d56a591c7566c72b7 100644 --- a/API.txt +++ b/API.txt 
@@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: idoverrideuser_add -args: 2,15,3 +args: 2,16,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2446,6 +2446,19 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) +option: Str('version?', exclude='webui')
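Review bot: The API.txt hunks change the published API (idoverrideuser_add goes to "args: 2,16,3" and the "@@ -2446,6 +2446,19 @@" hunk adds 13 lines), but the diffstat for this revision lists only ACI.txt, API.txt, install/share/71idviews.ldif and ipalib/plugins/idviews.py. A change to API.txt needs the matching API version bump in VERSION, so please include that file in the patch.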
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
On Mon, Apr 04, 2016 at 04:27:02PM +0200, Jan Cholasta wrote:
> Hi,
>
> On 1.4.2016 16:53, Tomas Babej wrote:
> >Hi,
> >
> >this extends the user ID overrides with capability to store the user
> >certificate.
> >
> >https://fedorahosted.org/freeipa/ticket/4955
>
> The preferred way of managing certificates nowadays is using $OBJ-add-cert
> and $OBJ-remove-cert commands, you should add them here as well.
>
> I would even go as far as not allowing to modify certificates using
> idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
> compatibility, which is not the case here. But I don't have a strong opinion
> on that.
>
> For consistency with user-find and host-find, the full certificate blob
> should not be shown in idoverrideuser-find. You can do that by setting
> search_display_attributes attribute on the idoverrideuser class
> appropriately.

I tested the current patch with my related patches for SSSD and all is
working as expected.

bye,
Sumit

>
> Honza
>
> --
> Jan Cholasta
Re: [Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
Hi,

On 1.4.2016 16:53, Tomas Babej wrote:
> Hi,
>
> this extends the user ID overrides with capability to store the user
> certificate.
>
> https://fedorahosted.org/freeipa/ticket/4955

The preferred way of managing certificates nowadays is using $OBJ-add-cert
and $OBJ-remove-cert commands, you should add them here as well.

I would even go as far as not allowing to modify certificates using
idoverrideuser-mod - in user-mod and host-mod, it's there just for backward
compatibility, which is not the case here. But I don't have a strong opinion
on that.

For consistency with user-find and host-find, the full certificate blob
should not be shown in idoverrideuser-find. You can do that by setting
search_display_attributes attribute on the idoverrideuser class
appropriately.

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCH 0405] idviews: Add user certificate attribute to user ID overrides
Hi,

this extends the user ID overrides with capability to store the user
certificate.

https://fedorahosted.org/freeipa/ticket/4955

Tomas

From 4ab4ac5871f14d164544298fc5763321b8ef7558 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Mar 2016 15:14:10 +0100
Subject: [PATCH] idviews: Add user certificate attribute to user ID overrides

---
 ACI.txt                      |  2 +-
 API.txt                      |  6 --
 install/share/71idviews.ldif |  2 +-
 ipalib/plugins/idviews.py    | 34 +++---
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..ae00cf7a1b8e2ea0e33798993bb24dc5f06127e3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -149,7 +149,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S dn: cn=views,cn=accounts,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) +aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=ranges,cn=etc,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=views,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 5b75413f930d0e9caaffc68023bed8106d786653..34053640ccc0928ae76d9ae658a55e171478ceab 100644 --- a/API.txt +++ b/API.txt 
@@ -2429,7 +2429,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: idoverrideuser_add -args: 2,15,3 +args: 2,16,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') @@ -2446,6 +2446,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False) option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) @@ -2485,7 +2486,7 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: idoverrideuser_mod -args: 2,18,3 +args: 2,19,3 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True) arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') 
@@ -2505,6 +2506,7 @@ option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', required=False) option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False) +option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=True, required=False) option: Str('version?', exclude='webui') output: Entry('result', ,
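Review bot: In the idoverrideuser_mod hunks ("args: 2,18,3" to "2,19,3" and the added multivalue Bytes('usercertificate', ...) option), certificates on an existing override can only be changed through -mod, which sets the whole value list at once, so adding or dropping a single certificate means resending every other one. Dedicated add-cert and remove-cert commands for the override would avoid accidental removal of certificates that are still in use, and the option on -mod could then be dropped since there is no backward compatibility to keep for this new attribute.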