Commit Graph

1250 Commits

Author SHA1 Message Date
Tomas Babej
389854756b Forbid overlapping rid ranges for the same id range
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.

https://fedorahosted.org/freeipa/ticket/3171
2012-12-17 15:29:35 +01:00
Lynn Root
4d6de44d3d Raise ValidationError when CSR does not have a subject hostname
Raise ValidationError when CSR does not have a subject hostname.

Ticket: https://fedorahosted.org/freeipa/ticket/3123
2012-12-11 12:28:59 +01:00
Lynn Root
173ee4d141 Switch %r specifiers to '%s' in Public errors
This switch drops the preceding 'u' from strings within Public error messages.

This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function.

Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com.

Ticket: https://fedorahosted.org/freeipa/ticket/3121
Ticket: https://fedorahosted.org/freeipa/ticket/2588
2012-12-11 10:52:06 +01:00
Sumit Bose
a9bac3d600 Do not recommend how to configure DNS in error message
The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially
forwarders should not be recommended by only be option of last resort.

Fixes https://fedorahosted.org/freeipa/ticket/3261
2012-12-03 15:38:34 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Petr Vobornik
1bf537db9e Web UI: disable global forwarding per zone
Web UI part of 'disable global forwaring per zone' effort.

Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 17:46:04 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Alexander Bokovoy
53a9421110 Clarify trust-add help regarding multiple runs against the same domain
Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change would occur is update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
2012-11-02 16:38:22 +01:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Petr Vobornik
445744206b Fixed incorrect link to browser config after session expiration
Fixed typo in message placeholder.

https://fedorahosted.org/freeipa/ticket/3187
2012-10-24 09:17:26 +02:00
Rob Crittenden
4a97fd0601 Fix requesting certificates that contain subject altnames.
https://fedorahosted.org/freeipa/ticket/3184
2012-10-19 16:16:06 +02:00
Petr Vobornik
fed5bbd298 Simpler instructions to generate certificate
Instructions to generate certificate were simplified.

New instructions:

 1) Create a certificate database or use an existing one. To create a new database:
    # certutil -N -d <database path>
 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
    # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

https://fedorahosted.org/freeipa/ticket/3056
2012-10-19 14:30:06 +02:00
Alexander Bokovoy
21d893ddde Warn about DNA plugin configuration when working with local ID ranges
https://fedorahosted.org/freeipa/ticket/3116
2012-10-17 12:08:15 +02:00
Alexander Bokovoy
d05e297015 Use PublicError instructions support for trust-add case when domain is not found
https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:31:02 -04:00
Alexander Bokovoy
b3606e3d92 Fix wrong RID for Domain Admins in the examples of trust commands 2012-10-10 14:53:24 +02:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Alexander Bokovoy
e51b7ea2de Handle NotFound exception when establishing trust
Establishing trust implies discovery of the trusted domain's domain controller via DNS.
If DNS discovery is not possible, NotFound exception is raised.

Intercept the exception and process it to help diagnose and fix actual problem:
 - if IPA is managing DNS, suggest to make a forward for the domain's zone
 - otherwise suggest to setup DNS forwarder at upstream DNS server

https://fedorahosted.org/freeipa/ticket/3103
2012-10-09 10:19:33 +02:00
Sumit Bose
fdd3299fa8 ipa-adtrust-install: Add fallback group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:26 -04:00
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Martin Kosek
0c2d0bb2b0 Fill ipakrbprincipalalias on upgrades
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
2012-10-02 15:17:42 -04:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Tomas Babej
0edeb9b01d Improve user addition to default group in user-add
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
2012-10-03 09:39:15 +02:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Martin Kosek
256024db0a Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.

https://fedorahosted.org/freeipa/ticket/2993
2012-09-27 10:43:39 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Alexander Bokovoy
ba5248135c Make sure external group members are listed for the external group
https://fedorahosted.org/freeipa/ticket/2975
2012-09-25 08:21:22 +02:00
Petr Viktorin
0b254e8b1e Always handle NotFound error in dnsrecord-mod
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).

https://fedorahosted.org/freeipa/ticket/3055
2012-09-24 13:55:17 +02:00
Alexander Bokovoy
26baae1fe9 Document use of external group membership 2012-09-20 14:58:32 +02:00
Alexander Bokovoy
21ecf2f287 Add documentation for 'ipa trust' set of commands 2012-09-20 14:57:49 +02:00
Alexander Bokovoy
9d84a3cf49 Fix error messages and use proper ImportError for dcerpc import 2012-09-20 14:57:07 +02:00
Alexander Bokovoy
87a37c8e2f validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
2012-09-20 14:55:34 +02:00
Martin Kosek
459016d12b Fix idrange plugin help
range plugin was renamed to idrange. Update plugin help to reflect
this change.
2012-09-20 10:36:13 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Yuri Chornoivan
8bbb42b410 Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089
2012-09-18 08:45:28 +02:00
Martin Kosek
cd7a85c12c Fix addattr internal error
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.

Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.

https://fedorahosted.org/freeipa/ticket/2429
2012-09-16 17:52:56 -04:00
Rob Crittenden
79b90d1465 Set SELinux default context to unconfined_u:s0-s0:c0.c1023
Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.

https://fedorahosted.org/freeipa/ticket/3045
2012-09-13 12:35:43 +02:00
Tomas Babej
46f09fb8cc Make sure selinuxusemap behaves consistently to HBAC rule
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
2012-09-12 16:13:17 +02:00
Petr Vobornik
a4ab88445c Reflect API change of SSH store in Web UI
Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object.

Label was changed to reflect that the key don't have to be plain base64 encoded blob.

https://fedorahosted.org/freeipa/ticket/2989
2012-09-06 19:18:22 -04:00
Jan Cholasta
46ad724301 Use OpenSSH-style public keys as the preferred format of SSH public keys.
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

ticket 2932, 2935
2012-09-06 19:11:57 -04:00
Sumit Bose
f33adf22f8 Trust CLI: mark trust-mod for future use
Fixes: https://fedorahosted.org/freeipa/ticket/2968
2012-09-07 16:50:35 +02:00
Sumit Bose
d4ba746003 Trust CLI: return more details of added trust
Fixes: https://fedorahosted.org/freeipa/ticket/2971
2012-09-07 16:50:35 +02:00
Sumit Bose
94ce8ecb9c Trust CLI: Return more details when searching trusts
Fixes https://fedorahosted.org/freeipa/ticket/2970
2012-09-07 16:50:35 +02:00
Sumit Bose
e23acda5b8 Do not create trust if murmur hash is not available and base-id not given
Fixes https://fedorahosted.org/freeipa/ticket/3018
2012-09-07 16:50:35 +02:00
Sumit Bose
fe083fd5bf IDRange CLI: Add documentation
Fixes https://fedorahosted.org/freeipa/ticket/2969
2012-09-07 16:50:35 +02:00
Sumit Bose
67b47a65f2 IDRange CLI: allow to work without arguments
Fixes https://fedorahosted.org/freeipa/ticket/2999
2012-09-07 16:50:35 +02:00
Sumit Bose
377e1267b7 Rename range CLI to idrange 2012-09-07 16:50:35 +02:00
Martin Kosek
1915c2d4dd Cast DNS SOA serial maximum boundary to long
This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.
2012-09-07 15:40:00 +02:00
Rob Crittenden
e4e5bd0595 Set the e-mail attribute using the default domain name by default
https://fedorahosted.org/freeipa/ticket/2810
2012-09-07 13:36:37 +02:00
Martin Kosek
ac6cc479ed Add range safety check for range_mod and range_del
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.

Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.

https://fedorahosted.org/freeipa/ticket/2919
2012-09-06 20:32:07 +02:00
Petr Vobornik
835c7859c5 Update of confirmation of actions
This patch is changing confirmation of actions according to ticket #3035, see the ticket description.

It does following changes:
 * Confirmation of update action was removed.
 * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry.
 * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations.

 https://fedorahosted.org/freeipa/ticket/3035
2012-09-06 17:36:29 +02:00
Martin Kosek
6abe476459 Fix DNS SOA serial parameters boundaries
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).

https://fedorahosted.org/freeipa/ticket/2568
2012-09-06 14:57:48 +02:00
Martin Kosek
47ff46d042 Allow localhost in zone ACIs
Loopback address, "localhost" and "localnets" ACIs are no longer
an issue for bind-dyndb-ldap. Allow them in our validators.
2012-09-06 13:58:36 +02:00
Petr Vobornik
77ad84f47e Added decimal checks to metadata validator
Medatadata validator didn't have check for decimal values. It was added.

https://fedorahosted.org/freeipa/ticket/3052
2012-09-06 10:27:16 +02:00
Petr Vobornik
07cae43484 Fixed metadata serialization of Numbers and DNs
There were following problems:
1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string.
2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended.

https://fedorahosted.org/freeipa/ticket/3052
2012-09-06 10:27:10 +02:00
Petr Vobornik
6a8d6d3fde Notify success on add, delete and update
Notification of success was added to:
 * details facet: update
 * association facet and association widget: add, delete items
 * attribute facet: delete items (notification of add should be handled in entity adder dialog)
 * sudo rule: add, remove option
 * dnsrecord: add, update, delete

https://fedorahosted.org/freeipa/ticket/2977
2012-09-06 09:44:15 +02:00
Tomas Babej
208e6930de Sort policies numerically in pwpolicy-find
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.

https://fedorahosted.org/freeipa/ticket/3039
2012-09-03 21:47:21 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
4f03aed5e6 prevent last admin from being disabled
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

* Moved the code in del_user to the common subroutine
  check_protected_member() and call it from both user_del and
  user_disable. Note, unlike user_del user_disable does not have a
  'pre' callback therefore the check function is called in
  user_disable's execute routine.

* Make check_protected_member() aware of disabled members. It's not
  sufficient to check which members of the protected group are
  present, one must only consider those members which are enabled.

* Add tests to test_user_plugin.py.

  - verify you cannot delete nor disable the last member of the admin
    group

  - verify when the admin group contains disabled users in addition to
    enabled users only the enabled users are considered when
    determining if the last admin is about to be disabled or deleted.

* Replace duplicated hardcoded values in the tests with variables or
  subroutines, this makes the individual tests a bit more succinct and
  easier to copy/modify.

* Update error msg to reflect either deleting or disabling is an error.

https://fedorahosted.org/freeipa/ticket/2979
2012-09-03 18:11:49 +02:00
John Dennis
557b260550 ipa user-find --manager does not find matches
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.

The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).

It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.

Patch also introduces new unit test to verify.

https://fedorahosted.org/freeipa/ticket/2264
2012-09-03 18:10:17 +02:00
Tomas Babej
7e9eb9caad Fixes different behaviour of permission-mod and show.
Both commands now produce the same output regarding
the attributelevelrights.

https://fedorahosted.org/freeipa/ticket/2875
2012-08-29 16:02:43 -04:00
Petr Vobornik
81007ff385 Successful action notification
User was not notified about success of actions executed from action list, action panel or facet cotrol bar.

This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation).
This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked.

This call is used(directly or indirectly) in:
 * search facets: delete, disable, enable actions
 * details facets: delete action
 * user details facet: reset password action
 * host details facet: unprovision, set OTP actions
 * service details facet: unprovision action
 * host and service details facet: request, revoke, restore certificates actions
 * group details facet: change to POSIX/external actions
 * dns zone details facet: add/remove permission actions

 https://fedorahosted.org/freeipa/ticket/2977
2012-08-29 12:00:06 +02:00
Rob Crittenden
785e80c4fc Restrict the SELinux user map user MLS value to 0-1023
https://fedorahosted.org/freeipa/ticket/3001
2012-08-29 09:29:08 +02:00
Tomas Babej
cb961066aa Improves deletion of PTR records in ipa host-del
Command ipa host-del with --updatedns now can deal both with hosts
which zones are in FQDN form with or without a trailing dot.

https://fedorahosted.org/freeipa/ticket/2809
2012-08-28 16:38:03 +02:00
Martin Kosek
a5c8dcd996 Fix managedBy label for DNS zone
Even though managedBy output parameter was only used for failed host
managedBy memberships, it was defined in global baseldap.py
classes. Incorrect label was then being displayed also for DNS zone
per-zone permission attribute with the same name.

Move managedBy output parameter to host plugin. Define proper managedBy
output parameter in DNS plugin to improve clarity of this attribute.

https://fedorahosted.org/freeipa/ticket/2946
2012-08-26 23:10:25 -04:00
Petr Vobornik
2d63e28c78 Range Web UI
Range web UI was implemented.

It consist of:
 * new menu item - 'ranges' in 'IPA Server' tab
 * new search page
 * new details page

https://fedorahosted.org/freeipa/ticket/2894
2012-08-21 14:35:19 +02:00
Alexander Bokovoy
cea40170f5 Ignore lint errors if pysssd_murmur and samba4 support not installed when building client code.
Since ipalib.plugins.trust has both client-side and server-side code,
this is the only way to properly handle linting errors.
2012-08-15 23:41:19 -04:00
Sumit Bose
59df038f87 trust CLI: add ID range for new trusted domain 2012-08-15 23:41:17 -04:00
Rob Crittenden
b5d0a9fcb2 Validate default user in ordered list when using setattr, require MLS
The MLS was optional in the format, it should be required.

https://fedorahosted.org/freeipa/ticket/2984
2012-08-16 12:52:38 +02:00
Rob Crittenden
bb5788fc7e Raise proper exception when given a bad DN attribute. 2012-08-16 12:52:23 +02:00
Tomas Babej
da55aadf74 Corrects help description of selinuxusermap.
https://fedorahosted.org/freeipa/ticket/2959
2012-08-14 15:46:59 +02:00
Petr Vobornik
d536b3824e Make group posix
New option for creating plain user group posix group. External group can't be made posix.

https://fedorahosted.org/freeipa/ticket/2338
2012-08-14 08:09:35 +02:00
Petr Vobornik
271043ccf7 Make group external
New action for creating plain group external. Posix group can't be made external.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:31 +02:00
Petr Vobornik
44e86aa3bb Add external group
Group can be normal, posix and external. Posix checkbox was removed and was replaced by radio for selecting group type. This adds possibility of adding of external group.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:23 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Jan Cholasta
72cc54bc27 Make --{set,add,del}attr more robust.
This fixes --addattr on single value attributes in add commands and --delattr
on non-unicode attributes in mod commands.

ticket 2954
2012-08-03 14:17:42 +02:00
Jan Cholasta
9bfa905e72 Add --{set,add,del}attr options to commands which are missing them.
ticket 2963
2012-08-03 10:18:30 +02:00
Petr Vobornik
dc79b60ebb PAC Type options for services in Web UI
Following options were added to Web UI
    * PAC Type in service
    * PAC Type in configuration

Testing metadata for objects and commands were regenerated.

https://fedorahosted.org/freeipa/ticket/2958
2012-08-02 10:22:25 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Rob Crittenden
e345ad12eb Fix validator for SELinux user map settings in config plugin.
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).

One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.

https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
2012-07-26 23:57:25 -04:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Alexander Bokovoy
2d75d8cc05 ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason'
https://fedorahosted.org/freeipa/ticket/2865
2012-07-18 16:55:51 +03:00
Martin Kosek
854b763675 Enforce CNAME constrains for DNS commands
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.

Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.

https://fedorahosted.org/freeipa/ticket/2601
2012-07-12 17:44:13 -04:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Petr Vobornik
14ac2193fe Add and remove dns per-domain permission in Web UI
This patch adds support for new per-domain permissions to Web UI.

User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.

For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.

Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.

New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.

https://fedorahosted.org/freeipa/ticket/2851
2012-07-11 16:33:10 +02:00
Petr Viktorin
5f69a06d1a Fix batch command error reporting
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.

Fix these problems. Update tests.

https://fedorahosted.org/freeipa/ticket/2874
https://fedorahosted.org/freeipa/ticket/2901
2012-07-11 10:49:02 +02:00
Petr Vobornik
848bd0e9e7 Password policy measurement units.
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.

This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).

Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.

This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.

https://fedorahosted.org/freeipa/ticket/2437
2012-07-10 13:30:38 +02:00
Martin Kosek
5ba8eeb970 Do not change LDAPObject objectclass list
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.

Make sure that the LDAPObject object_class list is not modified during
the __json__ method.

https://fedorahosted.org/freeipa/ticket/2906
2012-07-09 14:53:11 +02:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Petr Vobornik
5b7084aeb5 Web UI password is going to expire in n days notification
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').

Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).

https://fedorahosted.org/freeipa/ticket/2625
2012-06-29 11:55:53 +02:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Ondrej Hamada
8ce7330c53 Change random passwords behaviour
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
2012-06-27 12:58:46 +02:00
Petr Vobornik
ae19cce7ad Trust Web UI
This patch adds Web UI for trusts.

Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.

Adder dialog supports two ways if adding a trust:
1)  adding with domain name, admin name and admin password.
2) adding with domain name, shared secret

Search page shows only list of realm names which are trusts' cns.

Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.

Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.

https://fedorahosted.org/freeipa/ticket/2829
2012-06-25 18:17:06 +02:00
Alexander Bokovoy
a5cb1961fe Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-25 18:16:15 +02:00
Alexander Bokovoy
c3a7894ab6 Use correct SID attribute for trusted domains
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
2012-06-25 18:15:35 +02:00
Petr Vobornik
37b7b28993 Added password reset capabilities to unauthorized dialog
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.

If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 13:23:44 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Petr Viktorin
9960149e3f Rework the CallbackInterface
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674
2012-06-14 11:09:43 +02:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
Petr Vobornik
88170087e1 Change json serialization to serialize useful data
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
 * mostly CLI specific option attribues are not send.
 * attributes evaluated to false or None are not send
 * options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.

In the end the raw amount of data send is aproximately the same.

This patch is needed for Web UI to determine which option it can use in which commands.

https://fedorahosted.org/freeipa/ticket/2760
2012-06-07 11:22:15 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Martin Kosek
52a9eb7a9c Fix dnszone-mod --forwader option help string
Help should not point to global forwarders but rather to per-zone
conditional forwarders.

https://fedorahosted.org/freeipa/ticket/2717
2012-06-05 10:46:42 +02:00
Martin Kosek
d31f0c2d33 Improve migration NotFound error
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.

User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.

https://fedorahosted.org/freeipa/ticket/2206
2012-06-05 08:51:30 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Petr Vobornik
496fbbd919 Added missing i18n in action list and action panel
This patch adds strings to internal.py which were not translated in action list/panel patches.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:08 +02:00
Petr Vobornik
ea5ae4b1cf User password widget modified.
Currently the user password is shown as follows in the details page:
    Password: Reset Password

This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.

Now password is shown as follows:
    Password: *******   (if set)
    Password:           (if not set)

Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:07 +02:00
Petr Viktorin
c799f6a0bf Add more automount tests
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.

The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.

The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.

Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
2012-05-31 20:16:29 -04:00
Martin Kosek
895203c477 Allow relative DNS name in NS validator
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.

Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.

https://fedorahosted.org/freeipa/ticket/2630
2012-06-01 12:26:57 +02:00
Martin Kosek
6ff5f28142 permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.

Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.

https://fedorahosted.org/freeipa/ticket/2658
2012-06-01 07:51:59 +02:00
Martin Kosek
5b465811ce Add rename option for DNS records
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.

https://fedorahosted.org/freeipa/ticket/2600
2012-05-31 12:45:47 +02:00
Rob Crittenden
8d00d7c130 Enforce sizelimit in permission-find, post_callback returns truncated
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.

We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.

The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.

https://fedorahosted.org/freeipa/ticket/2322
2012-05-30 08:46:21 +02:00
Petr Viktorin
51bd68eaf5 Provide a better error message when deleting nonexistent attributes
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".

https://fedorahosted.org/freeipa/ticket/2699
2012-05-29 00:38:40 -04:00
Petr Viktorin
1af36da933 Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580
2012-05-29 09:23:26 +02:00
Petr Viktorin
ae12575170 Fix the pwpolicy_find post_callback
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.

Use a key function for sorting; cmp is deprecated, slower and
more complicated.

Add a test

https://fedorahosted.org/freeipa/ticket/2726
2012-05-28 16:03:28 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Petr Vobornik
4640f957ad Instructions to generate cert use certutil instead of openssl
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.

https://fedorahosted.org/freeipa/ticket/2725
2012-05-15 10:36:53 +02:00
Petr Viktorin
ece68f381a Check for empty/single value parameters before calling callbacks
https://fedorahosted.org/freeipa/ticket/2701
2012-05-15 10:02:26 +02:00
Rob Crittenden
26ab9a504f Implement permission/aci find by subtree
https://fedorahosted.org/freeipa/ticket/2321
2012-05-15 08:54:22 +02:00
Petr Viktorin
c5689e7faf Do not use extra command options in ACI, permission, selfservice
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for ACI-related plugins.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-14 10:38:07 +02:00
Rob Crittenden
95bb8d0f45 Fix overlapping cn param/option issue, pass cn as aciname in find
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.

The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.

https://fedorahosted.org/freeipa/ticket/2320
2012-05-14 10:07:41 +02:00
Petr Vobornik
719b09fb4e General details facet actions
This patch adds common action button actions for enabling/disabling/deleting object.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Petr Vobornik
8c3eadf978 Action lists
This patch add support fo Action Lists.

Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.

Actions lists are defined on facet level. Facet header takes them from facet.

Action list options
  actions: list of actions
  state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.

State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
 evaluate(record): should return string array which represents the state
 get_description(): human readable representation of a state

Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.

action options:
  name: string, required, name of the option
  label: string, required, human readable name of the option
  enable_cond: string array, states which need to be present in order to run this action
  disable_cond: string array, states which must not be present in order to run this action
  handler: function, contains action's logic
  needs_confirm: boolean, default false, indicates if action needs user confirmation
  confirm_msg: string, default generic message, human readable confirmation message.

Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.

In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Viktorin
1565ce3a8c Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649
2012-05-11 08:14:20 +02:00
Petr Viktorin
c02fcf5d34 Don't fail when adding default objectclasses using config-mod
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.

Regression test included.

https://fedorahosted.org/freeipa/ticket/2706
2012-05-09 09:53:51 +02:00
Jan Cholasta
d9d1967989 Redo boolean value encoding.
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
2012-05-09 09:43:35 +02:00
Petr Viktorin
abef5e8c02 Do not crash on empty --setattr, --getattr, --addattr
Also the unused `append` argument from _convert_2_dict.

https://fedorahosted.org/freeipa/ticket/2680
2012-05-07 17:23:08 +02:00
Petr Viktorin
0206dbe795 Do not crash on empty reverse member options
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.

Use an empty list instead of None (or other false falues, of which we
only use the empty list).

https://fedorahosted.org/freeipa/ticket/2681
2012-05-07 17:21:58 +02:00
Petr Viktorin
c45174d680 Do not use extra command options in the automount plugin
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for the automount plugin and its tests.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-07 14:08:50 +02:00
Ondrej Hamada
343aba2486 Allow one letter net/hostgroups names
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
2012-05-07 08:35:11 +02:00
Rob Crittenden
1a26406db2 Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:55 -04:00
Martin Kosek
b137b71371 Sort password policies properly with --pkey-only
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.

This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.

Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:31:53 +02:00
Jan Cholasta
3ba9cc8eb4 Refactor exc_callback invocation.
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).

Add some extra checks to existing exception callbacks.
2012-04-26 09:00:30 +02:00
Rob Crittenden
d7f7bb11df Update docs for user-status, always show disabled, time for each server.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.

Always display the enabled/disabled status.

Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.

https://fedorahosted.org/freeipa/ticket/2162
2012-04-23 10:20:34 +02:00
John Dennis
885bb07bb1 Fix name error in hbactest
Ticket #2512

In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.

The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.

The fix is to use the correct variables.

At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
2012-04-19 15:22:49 +02:00
Jan Cholasta
c043a65728 Fix internal error when renaming user with an empty string.
ticket 2629
2012-04-18 09:03:53 +02:00
Martin Kosek
88927fb78b Do not fail migration because of duplicate groups
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.

https://fedorahosted.org/freeipa/ticket/2644
2012-04-17 00:20:31 -04:00
Martin Kosek
a663e83cb2 Raise proper exception when LDAP limits are exceeded
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
2012-04-16 23:23:57 -04:00
John Dennis
72efa64c81 don't append basedn to container if it is included
ticket #2566

When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.

This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.
2012-04-16 22:26:49 -04:00
Ondrej Hamada
6f7224f252 Fix empty external member processing
Validation of external member was failing for empty strings because of
wrong condition.

https://fedorahosted.org/freeipa/ticket/2447
2012-04-17 16:22:37 +02:00
Martin Kosek
568de5027b Fix dnsrecord_add interactive mode
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.

https://fedorahosted.org/freeipa/ticket/2641
2012-04-15 18:37:18 -04:00
Martin Kosek
0acdae0b4d Return correct record name in DNS plugin
When dnsrecord-add or dnsrecord-mod commands are used on a root
zone record (it has a special name "@"), a zone name is returned
instead of a special name "@". This confuses DNS part of Web UI
which is then not able to manipulate records in the root zone
when these commands are used.

This patch fixes these 2 commands to return correct value when
a root zone is modified.

https://fedorahosted.org/freeipa/ticket/2627
https://fedorahosted.org/freeipa/ticket/2628
2012-04-16 16:11:33 +02:00
John Dennis
d317c2a0d1 Validate DN & RDN parameters for migrate command
Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.
2012-04-16 08:35:03 +02:00
Ondrej Hamada
2584e9be67 Unable to rename permission object
The update was failing because of the case insensitivity of permission
object DN. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2571
2012-04-11 22:29:04 -04:00
Petr Viktorin
6d0e4e58fc Fix expected error messages in tests
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.

Minor changes:

Make netgroup-mod's NotFound message consistent with other objects
and methods.

In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.

https://fedorahosted.org/freeipa/ticket/2549
2012-04-10 21:05:45 -04:00
Petr Vobornik
e9b79cc1e1 Removal of memberofindirect_permissons from privileges
Problem:
In the Privilege page, can list Permissions. This "Shows Results" for "Direct
Membership". But there is an option to list this for "Indirect Membership"
also.
There isn't a way to nest permissions, so this option is not needed.

Solution:
This patch removes the memberofindirect_persmission definition from server plugin. It fixes the problem in Web UI.

https://fedorahosted.org/freeipa/ticket/2611
2012-04-09 22:12:39 -04:00
Petr Viktorin
1431c80b3c Convert --setattr values for attributes marked no_update
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.

Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.

https://fedorahosted.org/freeipa/ticket/2616
2012-04-09 21:54:07 -04:00
Petr Viktorin
6e5c8b25bf Limit permission and selfservice names to alphanumerics, -, _, space
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.

https://fedorahosted.org/freeipa/ticket/2585
2012-04-09 20:56:29 -04:00
Petr Vobornik
db24a831d4 DNS forward policy: checkboxes changed to radio buttons
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.

Checkboxes were changed to radios.

https://fedorahosted.org/freeipa/ticket/2599
2012-04-10 15:44:05 +02:00
Petr Vobornik
26abd05d5e Reworked netgroup Web UI to allow setting user/host category
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.

The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.

https://fedorahosted.org/freeipa/ticket/2578
2012-04-10 13:19:13 +02:00
Jan Cholasta
dcea80fc17 Check configured maximum user login length on user rename.
ticket 2587
2012-04-08 17:10:39 -04:00
Ondrej Hamada
d75bffccd6 Confusing default user groups
Added 'fallback' into the labels for default automember group and
hostgroup.

https://fedorahosted.org/freeipa/ticket/2354
2012-04-08 16:48:54 -04:00
Rob Crittenden
7e26517840 Add missing comma to list of services that cannot be disabled.
https://fedorahosted.org/freeipa/ticket/2487
2012-04-05 22:18:27 +02:00
Jan Cholasta
cdebb29fec Check whether the default user group is POSIX when adding new user with --noprivate.
ticket 2572
2012-04-05 15:04:45 +02:00
Rob Crittenden
51b34d5c42 Make revocation_reason required when revoking a certificate.
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.

https://fedorahosted.org/freeipa/ticket/2597
2012-04-05 08:51:30 +02:00
Petr Viktorin
8a7d7aaf81 Defer conversion and validation until after --{add,del,set}attr are handled
--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.

Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).

Tests included.

Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418

Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408
2012-04-03 17:43:27 -04:00
Petr Viktorin
2b077f7b0d Test the batch plugin
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).

The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
2012-04-03 16:19:59 -04:00
Rob Crittenden
b55c98f1c5 Don't create private groups for migrated users, check for valid gidnumber
Migrated users don't get a private group, there is no safe way to verify
that the namespace is correct without redoing the uidnumber as well.

Verify that the GID at least points to a valid group on the remote server
and warn if it doesn't (this doesn't guarantee that the group gets migrated
but at least we try).

If the remote entry has no gidNumber then don't migrate that user. We
don't know why that user is non-POSIX, it could be a special user used
for auth, for example.

Add a loginshell if the remote user doesn't have one.

https://fedorahosted.org/freeipa/ticket/2562
2012-04-03 09:04:10 +02:00
Martin Kosek
944aacc7d5 Improve automount indirect map error message
When user does not pass a name of parent map in
automountmap-add-indirect command, auto.master is used as
a default. However, when auto.master does not exist in a given
location, we raise NotFound error with a name of a location instead
of a name of the missing automount map.

https://fedorahosted.org/freeipa/ticket/2387
2012-03-28 22:44:02 -04:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Jan Cholasta
a2299070c8 Change parameters to use only default_from for dynamic default values.
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
2012-03-28 14:04:31 +02:00
Jan Cholasta
5a55e11a25 Fix the procedure for getting default values of command parameters.
The parameters used in default_from of other parameters are now
properly validated before the default_from is called.

ticket 1847
2012-03-28 14:03:27 +02:00
Martin Kosek
ef21a286f0 Fix dnsrecord-del interactive mode
User was not able to select multiple values in dnsrecord-del
interactive mode.

https://fedorahosted.org/freeipa/ticket/2581
2012-03-27 18:02:47 +02:00
Martin Kosek
52aa008b87 Improve user awareness about dnsconfig
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.

This patch adds more information about global DNS configuration
options in install scripts and DNS module help.

https://fedorahosted.org/freeipa/ticket/2525
2012-03-26 00:33:45 -04:00
Ondrej Hamada
cfafc415f3 Typos in FreeIPA messages
Rebased patch sent by Yuri Chornoivan (yurchor@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.

https://fedorahosted.org/freeipa/ticket/2526
2012-03-23 16:59:12 +01:00
Martin Kosek
9578f67572 Fix default SOA serial format
RFC 1912 recommends format YYYYMMDDnn, we used YYYYDDMMnn.

https://fedorahosted.org/freeipa/ticket/2567
2012-03-23 16:55:12 +01:00
Martin Kosek
11ef670835 Avoid deleting DNS zone when a context is reused
When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag to connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is
the case of "ipa-replica-manage del $MASTER" DNS cleanup), it
may reuse a positive flag from previous dnsrecord-del command
and delete the root DNS zone record and thus effectively delete
the zone.

This patch makes sure that this flag is always initialized to a
sane value in dnsrecord-del pre_callback to make sure that the DNS
zone is not deleted. It also fixes pre_callback function definition
to prevent adding attrs_list to "keys" parameter and thus confuse
developers.

https://fedorahosted.org/freeipa/ticket/2503
2012-03-23 16:08:17 +01:00
Rob Crittenden
98a99cbca8 Normalize the primary key value to lowercase during migration.
https://bugzilla.redhat.com/show_bug.cgi?id=804609
2012-03-22 21:47:01 +01:00
Rob Crittenden
b9c3eb79a9 Fix attributes that contain DNs when migrating.
Some attributes, like secretary and manager, may point to other LDAP
entries. We need to fix these during migration.

https://fedorahosted.org/freeipa/ticket/2562
2012-03-22 21:46:27 +01:00
Martin Kosek
5b8e1e8c62 Harden raw record processing in DNS plugin
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.

This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.

All these use cases were also covered by new unit tests.

https://fedorahosted.org/freeipa/ticket/2551
2012-03-22 19:30:13 +01:00
Martin Kosek
19b2af8e52 Fix precallback validators in DNS plugin
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.

This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.

https://fedorahosted.org/freeipa/ticket/2550
2012-03-22 17:27:09 +01:00
Petr Vobornik
661d82ad75 DNS forwarder validator
DNS forwarder's value can consist of IP address and a port.

The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.

https://fedorahosted.org/freeipa/ticket/2490
2012-03-20 17:32:18 +01:00
Martin Kosek
9b562f7377 Add missing global options in dnsconfig
Add a support for new global options in bind-dyndb-ldap, that is:
 * idnsforwardpolicy: Default policy for conditional forwarding
 * idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
   updates
 * idnszonerefresh: Default interval between regular polls of the
   name server for new DNS zones

https://fedorahosted.org/freeipa/ticket/2439
2012-03-20 15:40:08 +01:00
Martin Kosek
9d0ef96c67 Allow port numbers for idnsForwarders
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]

https://fedorahosted.org/freeipa/ticket/2462
2012-03-20 15:37:53 +01:00
Rob Crittenden
f18cfd7de8 Use a consistent parameter name in errors, defaulting to cli_name.
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.

https://fedorahosted.org/freeipa/ticket/1418
2012-03-20 09:06:52 +01:00
Petr Vobornik
646a4ccde3 Content is no more overwritten by error message
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.

This patch creates a containter for an error message. On error,  report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.

From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.

Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.

Reproduction:
 1) display any nested entity - ie DNS record
 2) delete its parent pkey from path - &dnszone-pkey=example.com
 3) reload the page with this path

https://fedorahosted.org/freeipa/ticket/2449
2012-03-19 18:37:19 +01:00
Rob Crittenden
35521ad6bb Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
2012-03-19 16:09:09 +01:00
Petr Vobornik
97e440bf4b Better hbactest validation message
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.

When a link is clicked user is redirected to value's facet.

https://fedorahosted.org/freeipa/ticket/2182
2012-03-15 16:08:16 +01:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Petr Viktorin
e9d68a7b00 Don't crash when searching with empty relationship options
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.

These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).

https://fedorahosted.org/freeipa/ticket/2479
2012-03-13 23:28:53 -04:00
Martin Kosek
0cb9882be9 Fix migration plugin compat check
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
   and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
   raises an error and thus breaks the migration
This patch fixes both issues.

https://fedorahosted.org/freeipa/ticket/2508
2012-03-11 23:50:06 -04:00
Petr Viktorin
79d4a34cc9 Mark most config options as required
IPA assumes most config options are present, but allowed the user
to delete them. This patch marks them as required.

https://fedorahosted.org/freeipa/ticket/2159
2012-03-12 17:16:57 +01:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Martin Kosek
1d09cdf634 Improve dnsrecord interactive help
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:

1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.

2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.

https://fedorahosted.org/freeipa/ticket/2386
2012-03-01 22:12:25 -05:00
Martin Kosek
640dee7caa Add help for new structured DNS framework
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.

https://fedorahosted.org/freeipa/ticket/2382
2012-03-01 21:58:51 -05:00
Martin Kosek
eeee8e1c6e Fix encoding for setattr/addattr/delattr
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.

https://fedorahosted.org/freeipa/ticket/2418
2012-03-01 21:50:52 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Rob Crittenden
d5c9f7bcaa Add status command to retrieve user lockout status
This information is not replicated so pull from all IPA masters
and display the status across all servers.

https://fedorahosted.org/freeipa/ticket/2162
2012-03-02 16:28:54 +01:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Ondrej Hamada
73249140fc Migration warning when compat enabled
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
2012-02-29 18:30:03 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
Martin Kosek
fab033b949 Improve FQDN handling in DNS and host plugins
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.

This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.

As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.

https://fedorahosted.org/freeipa/ticket/2420
2012-02-29 19:06:18 +01:00