Commit Graph

1211 Commits

Author SHA1 Message Date
Martin Kosek
67d8b434c5 Add trusconfig-show and trustconfig-mod commands
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.

Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/3333
2013-02-11 15:38:22 +01:00
Rob Crittenden
08b84befbc Prevent a crash when no entries are successfully migrated.
It would fail in _update_default_group() because migrate_cnt wasn't
defined in context.

https://fedorahosted.org/freeipa/ticket/3386
2013-02-08 16:23:25 +01:00
Rob Crittenden
53c94361d6 Improve migration performance
Add new users to the default users group in batches of 100. The
biggest overhead of migration is in calculating the modlist when
managing the default user's group and applying the changes. A
significant amount of time can be saved by not doing this on every
add operation.

Some other minor improvements include:

Add a negative cache for groups not found in the remote LDAP server.
Replace call to user_mod with a direct LDAP update.
Catch some occurances of LimitError and handle more gracefully.

I also added some debug logging to report on migration status and
performance.

https://fedorahosted.org/freeipa/ticket/3386
2013-02-05 17:18:13 +01:00
Jan Cholasta
86dde3a38e Add support for RFC 6594 SSHFP DNS records.
https://fedorahosted.org/freeipa/ticket/2642
2013-02-01 09:16:09 -05:00
Martin Kosek
893064f613 Use fully qualified CCACHE names
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.

We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381
2013-02-01 08:13:50 +01:00
Martin Kosek
959b276e7d Fix migration for openldap DS
openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.

IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.

https://fedorahosted.org/freeipa/ticket/3372
2013-02-01 08:09:46 +01:00
Jan Cholasta
77bb4b5177 Pylint cleanup.
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.

https://fedorahosted.org/freeipa/ticket/3379
2013-01-29 15:39:49 +01:00
Ana Krivokapic
38dded7db6 Raise ValidationError for incorrect subtree option.
Ticket: https://fedorahosted.org/freeipa/ticket/3233
2013-01-14 14:09:54 +01:00
Martin Kosek
cb7e93bb91 permission-find no longer crashes with --targetgroup
Target Group parameter was not processed correctly which caused
permission-find to always crash when this search parameter was used.
Fix the crash and create a unit test case to avoid future regression.

https://fedorahosted.org/freeipa/ticket/3335
2013-01-11 10:51:31 +01:00
Rob Crittenden
746181a88d Convert uniqueMember members into DN objects.
We were asserting that they should be DN objects but weren't converting
them anywhere.

https://fedorahosted.org/freeipa/ticket/3339
2013-01-11 10:43:38 +01:00
Martin Kosek
86e56b9125 Fix delegation-find command --group handling
A wrong way of handling --group DN object caused Internal Error
for this command. Fix that and also provide unit tests to avoid
another regression.

https://fedorahosted.org/freeipa/ticket/3311
2012-12-19 16:32:15 +01:00
Tomas Babej
389854756b Forbid overlapping rid ranges for the same id range
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.

https://fedorahosted.org/freeipa/ticket/3171
2012-12-17 15:29:35 +01:00
Lynn Root
4d6de44d3d Raise ValidationError when CSR does not have a subject hostname
Raise ValidationError when CSR does not have a subject hostname.

Ticket: https://fedorahosted.org/freeipa/ticket/3123
2012-12-11 12:28:59 +01:00
Lynn Root
173ee4d141 Switch %r specifiers to '%s' in Public errors
This switch drops the preceding 'u' from strings within Public error messages.

This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function.

Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com.

Ticket: https://fedorahosted.org/freeipa/ticket/3121
Ticket: https://fedorahosted.org/freeipa/ticket/2588
2012-12-11 10:52:06 +01:00
Sumit Bose
a9bac3d600 Do not recommend how to configure DNS in error message
The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially
forwarders should not be recommended by only be option of last resort.

Fixes https://fedorahosted.org/freeipa/ticket/3261
2012-12-03 15:38:34 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Petr Vobornik
1bf537db9e Web UI: disable global forwarding per zone
Web UI part of 'disable global forwaring per zone' effort.

Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 17:46:04 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Alexander Bokovoy
53a9421110 Clarify trust-add help regarding multiple runs against the same domain
Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change would occur is update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
2012-11-02 16:38:22 +01:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Petr Vobornik
445744206b Fixed incorrect link to browser config after session expiration
Fixed typo in message placeholder.

https://fedorahosted.org/freeipa/ticket/3187
2012-10-24 09:17:26 +02:00
Rob Crittenden
4a97fd0601 Fix requesting certificates that contain subject altnames.
https://fedorahosted.org/freeipa/ticket/3184
2012-10-19 16:16:06 +02:00
Petr Vobornik
fed5bbd298 Simpler instructions to generate certificate
Instructions to generate certificate were simplified.

New instructions:

 1) Create a certificate database or use an existing one. To create a new database:
    # certutil -N -d <database path>
 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
    # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

https://fedorahosted.org/freeipa/ticket/3056
2012-10-19 14:30:06 +02:00
Alexander Bokovoy
21d893ddde Warn about DNA plugin configuration when working with local ID ranges
https://fedorahosted.org/freeipa/ticket/3116
2012-10-17 12:08:15 +02:00
Alexander Bokovoy
d05e297015 Use PublicError instructions support for trust-add case when domain is not found
https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:31:02 -04:00
Alexander Bokovoy
b3606e3d92 Fix wrong RID for Domain Admins in the examples of trust commands 2012-10-10 14:53:24 +02:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Alexander Bokovoy
e51b7ea2de Handle NotFound exception when establishing trust
Establishing trust implies discovery of the trusted domain's domain controller via DNS.
If DNS discovery is not possible, NotFound exception is raised.

Intercept the exception and process it to help diagnose and fix actual problem:
 - if IPA is managing DNS, suggest to make a forward for the domain's zone
 - otherwise suggest to setup DNS forwarder at upstream DNS server

https://fedorahosted.org/freeipa/ticket/3103
2012-10-09 10:19:33 +02:00
Sumit Bose
fdd3299fa8 ipa-adtrust-install: Add fallback group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:26 -04:00
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Martin Kosek
0c2d0bb2b0 Fill ipakrbprincipalalias on upgrades
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
2012-10-02 15:17:42 -04:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Tomas Babej
0edeb9b01d Improve user addition to default group in user-add
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
2012-10-03 09:39:15 +02:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Martin Kosek
256024db0a Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.

https://fedorahosted.org/freeipa/ticket/2993
2012-09-27 10:43:39 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Alexander Bokovoy
ba5248135c Make sure external group members are listed for the external group
https://fedorahosted.org/freeipa/ticket/2975
2012-09-25 08:21:22 +02:00
Petr Viktorin
0b254e8b1e Always handle NotFound error in dnsrecord-mod
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).

https://fedorahosted.org/freeipa/ticket/3055
2012-09-24 13:55:17 +02:00
Alexander Bokovoy
26baae1fe9 Document use of external group membership 2012-09-20 14:58:32 +02:00
Alexander Bokovoy
21ecf2f287 Add documentation for 'ipa trust' set of commands 2012-09-20 14:57:49 +02:00
Alexander Bokovoy
9d84a3cf49 Fix error messages and use proper ImportError for dcerpc import 2012-09-20 14:57:07 +02:00
Alexander Bokovoy
87a37c8e2f validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
2012-09-20 14:55:34 +02:00
Martin Kosek
459016d12b Fix idrange plugin help
range plugin was renamed to idrange. Update plugin help to reflect
this change.
2012-09-20 10:36:13 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Yuri Chornoivan
8bbb42b410 Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089
2012-09-18 08:45:28 +02:00
Martin Kosek
cd7a85c12c Fix addattr internal error
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.

Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.

https://fedorahosted.org/freeipa/ticket/2429
2012-09-16 17:52:56 -04:00
Rob Crittenden
79b90d1465 Set SELinux default context to unconfined_u:s0-s0:c0.c1023
Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.

https://fedorahosted.org/freeipa/ticket/3045
2012-09-13 12:35:43 +02:00
Tomas Babej
46f09fb8cc Make sure selinuxusemap behaves consistently to HBAC rule
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
2012-09-12 16:13:17 +02:00
Petr Vobornik
a4ab88445c Reflect API change of SSH store in Web UI
Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object.

Label was changed to reflect that the key don't have to be plain base64 encoded blob.

https://fedorahosted.org/freeipa/ticket/2989
2012-09-06 19:18:22 -04:00
Jan Cholasta
46ad724301 Use OpenSSH-style public keys as the preferred format of SSH public keys.
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

ticket 2932, 2935
2012-09-06 19:11:57 -04:00
Sumit Bose
f33adf22f8 Trust CLI: mark trust-mod for future use
Fixes: https://fedorahosted.org/freeipa/ticket/2968
2012-09-07 16:50:35 +02:00
Sumit Bose
d4ba746003 Trust CLI: return more details of added trust
Fixes: https://fedorahosted.org/freeipa/ticket/2971
2012-09-07 16:50:35 +02:00
Sumit Bose
94ce8ecb9c Trust CLI: Return more details when searching trusts
Fixes https://fedorahosted.org/freeipa/ticket/2970
2012-09-07 16:50:35 +02:00
Sumit Bose
e23acda5b8 Do not create trust if murmur hash is not available and base-id not given
Fixes https://fedorahosted.org/freeipa/ticket/3018
2012-09-07 16:50:35 +02:00
Sumit Bose
fe083fd5bf IDRange CLI: Add documentation
Fixes https://fedorahosted.org/freeipa/ticket/2969
2012-09-07 16:50:35 +02:00
Sumit Bose
67b47a65f2 IDRange CLI: allow to work without arguments
Fixes https://fedorahosted.org/freeipa/ticket/2999
2012-09-07 16:50:35 +02:00
Sumit Bose
377e1267b7 Rename range CLI to idrange 2012-09-07 16:50:35 +02:00
Martin Kosek
1915c2d4dd Cast DNS SOA serial maximum boundary to long
This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.
2012-09-07 15:40:00 +02:00
Rob Crittenden
e4e5bd0595 Set the e-mail attribute using the default domain name by default
https://fedorahosted.org/freeipa/ticket/2810
2012-09-07 13:36:37 +02:00
Martin Kosek
ac6cc479ed Add range safety check for range_mod and range_del
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.

Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.

https://fedorahosted.org/freeipa/ticket/2919
2012-09-06 20:32:07 +02:00
Petr Vobornik
835c7859c5 Update of confirmation of actions
This patch is changing confirmation of actions according to ticket #3035, see the ticket description.

It does following changes:
 * Confirmation of update action was removed.
 * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry.
 * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations.

 https://fedorahosted.org/freeipa/ticket/3035
2012-09-06 17:36:29 +02:00
Martin Kosek
6abe476459 Fix DNS SOA serial parameters boundaries
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).

https://fedorahosted.org/freeipa/ticket/2568
2012-09-06 14:57:48 +02:00
Martin Kosek
47ff46d042 Allow localhost in zone ACIs
Loopback address, "localhost" and "localnets" ACIs are no longer
an issue for bind-dyndb-ldap. Allow them in our validators.
2012-09-06 13:58:36 +02:00
Petr Vobornik
77ad84f47e Added decimal checks to metadata validator
Medatadata validator didn't have check for decimal values. It was added.

https://fedorahosted.org/freeipa/ticket/3052
2012-09-06 10:27:16 +02:00
Petr Vobornik
07cae43484 Fixed metadata serialization of Numbers and DNs
There were following problems:
1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string.
2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended.

https://fedorahosted.org/freeipa/ticket/3052
2012-09-06 10:27:10 +02:00
Petr Vobornik
6a8d6d3fde Notify success on add, delete and update
Notification of success was added to:
 * details facet: update
 * association facet and association widget: add, delete items
 * attribute facet: delete items (notification of add should be handled in entity adder dialog)
 * sudo rule: add, remove option
 * dnsrecord: add, update, delete

https://fedorahosted.org/freeipa/ticket/2977
2012-09-06 09:44:15 +02:00
Tomas Babej
208e6930de Sort policies numerically in pwpolicy-find
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.

https://fedorahosted.org/freeipa/ticket/3039
2012-09-03 21:47:21 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
4f03aed5e6 prevent last admin from being disabled
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

* Moved the code in del_user to the common subroutine
  check_protected_member() and call it from both user_del and
  user_disable. Note, unlike user_del user_disable does not have a
  'pre' callback therefore the check function is called in
  user_disable's execute routine.

* Make check_protected_member() aware of disabled members. It's not
  sufficient to check which members of the protected group are
  present, one must only consider those members which are enabled.

* Add tests to test_user_plugin.py.

  - verify you cannot delete nor disable the last member of the admin
    group

  - verify when the admin group contains disabled users in addition to
    enabled users only the enabled users are considered when
    determining if the last admin is about to be disabled or deleted.

* Replace duplicated hardcoded values in the tests with variables or
  subroutines, this makes the individual tests a bit more succinct and
  easier to copy/modify.

* Update error msg to reflect either deleting or disabling is an error.

https://fedorahosted.org/freeipa/ticket/2979
2012-09-03 18:11:49 +02:00
John Dennis
557b260550 ipa user-find --manager does not find matches
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.

The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).

It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.

Patch also introduces new unit test to verify.

https://fedorahosted.org/freeipa/ticket/2264
2012-09-03 18:10:17 +02:00
Tomas Babej
7e9eb9caad Fixes different behaviour of permission-mod and show.
Both commands now produce the same output regarding
the attributelevelrights.

https://fedorahosted.org/freeipa/ticket/2875
2012-08-29 16:02:43 -04:00
Petr Vobornik
81007ff385 Successful action notification
User was not notified about success of actions executed from action list, action panel or facet cotrol bar.

This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation).
This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked.

This call is used(directly or indirectly) in:
 * search facets: delete, disable, enable actions
 * details facets: delete action
 * user details facet: reset password action
 * host details facet: unprovision, set OTP actions
 * service details facet: unprovision action
 * host and service details facet: request, revoke, restore certificates actions
 * group details facet: change to POSIX/external actions
 * dns zone details facet: add/remove permission actions

 https://fedorahosted.org/freeipa/ticket/2977
2012-08-29 12:00:06 +02:00
Rob Crittenden
785e80c4fc Restrict the SELinux user map user MLS value to 0-1023
https://fedorahosted.org/freeipa/ticket/3001
2012-08-29 09:29:08 +02:00
Tomas Babej
cb961066aa Improves deletion of PTR records in ipa host-del
Command ipa host-del with --updatedns now can deal both with hosts
which zones are in FQDN form with or without a trailing dot.

https://fedorahosted.org/freeipa/ticket/2809
2012-08-28 16:38:03 +02:00
Martin Kosek
a5c8dcd996 Fix managedBy label for DNS zone
Even though managedBy output parameter was only used for failed host
managedBy memberships, it was defined in global baseldap.py
classes. Incorrect label was then being displayed also for DNS zone
per-zone permission attribute with the same name.

Move managedBy output parameter to host plugin. Define proper managedBy
output parameter in DNS plugin to improve clarity of this attribute.

https://fedorahosted.org/freeipa/ticket/2946
2012-08-26 23:10:25 -04:00
Petr Vobornik
2d63e28c78 Range Web UI
Range web UI was implemented.

It consist of:
 * new menu item - 'ranges' in 'IPA Server' tab
 * new search page
 * new details page

https://fedorahosted.org/freeipa/ticket/2894
2012-08-21 14:35:19 +02:00
Alexander Bokovoy
cea40170f5 Ignore lint errors if pysssd_murmur and samba4 support not installed when building client code.
Since ipalib.plugins.trust has both client-side and server-side code,
this is the only way to properly handle linting errors.
2012-08-15 23:41:19 -04:00
Sumit Bose
59df038f87 trust CLI: add ID range for new trusted domain 2012-08-15 23:41:17 -04:00
Rob Crittenden
b5d0a9fcb2 Validate default user in ordered list when using setattr, require MLS
The MLS was optional in the format, it should be required.

https://fedorahosted.org/freeipa/ticket/2984
2012-08-16 12:52:38 +02:00
Rob Crittenden
bb5788fc7e Raise proper exception when given a bad DN attribute. 2012-08-16 12:52:23 +02:00
Tomas Babej
da55aadf74 Corrects help description of selinuxusermap.
https://fedorahosted.org/freeipa/ticket/2959
2012-08-14 15:46:59 +02:00
Petr Vobornik
d536b3824e Make group posix
New option for creating plain user group posix group. External group can't be made posix.

https://fedorahosted.org/freeipa/ticket/2338
2012-08-14 08:09:35 +02:00
Petr Vobornik
271043ccf7 Make group external
New action for creating plain group external. Posix group can't be made external.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:31 +02:00
Petr Vobornik
44e86aa3bb Add external group
Group can be normal, posix and external. Posix checkbox was removed and was replaced by radio for selecting group type. This adds possibility of adding of external group.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:23 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Jan Cholasta
72cc54bc27 Make --{set,add,del}attr more robust.
This fixes --addattr on single value attributes in add commands and --delattr
on non-unicode attributes in mod commands.

ticket 2954
2012-08-03 14:17:42 +02:00
Jan Cholasta
9bfa905e72 Add --{set,add,del}attr options to commands which are missing them.
ticket 2963
2012-08-03 10:18:30 +02:00
Petr Vobornik
dc79b60ebb PAC Type options for services in Web UI
Following options were added to Web UI
    * PAC Type in service
    * PAC Type in configuration

Testing metadata for objects and commands were regenerated.

https://fedorahosted.org/freeipa/ticket/2958
2012-08-02 10:22:25 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Rob Crittenden
e345ad12eb Fix validator for SELinux user map settings in config plugin.
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).

One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.

https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
2012-07-26 23:57:25 -04:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Alexander Bokovoy
2d75d8cc05 ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason'
https://fedorahosted.org/freeipa/ticket/2865
2012-07-18 16:55:51 +03:00
Martin Kosek
854b763675 Enforce CNAME constrains for DNS commands
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.

Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.

https://fedorahosted.org/freeipa/ticket/2601
2012-07-12 17:44:13 -04:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Petr Vobornik
14ac2193fe Add and remove dns per-domain permission in Web UI
This patch adds support for new per-domain permissions to Web UI.

User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.

For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.

Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.

New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.

https://fedorahosted.org/freeipa/ticket/2851
2012-07-11 16:33:10 +02:00
Petr Viktorin
5f69a06d1a Fix batch command error reporting
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.

Fix these problems. Update tests.

https://fedorahosted.org/freeipa/ticket/2874
https://fedorahosted.org/freeipa/ticket/2901
2012-07-11 10:49:02 +02:00
Petr Vobornik
848bd0e9e7 Password policy measurement units.
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.

This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).

Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.

This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.

https://fedorahosted.org/freeipa/ticket/2437
2012-07-10 13:30:38 +02:00
Martin Kosek
5ba8eeb970 Do not change LDAPObject objectclass list
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.

Make sure that the LDAPObject object_class list is not modified during
the __json__ method.

https://fedorahosted.org/freeipa/ticket/2906
2012-07-09 14:53:11 +02:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Petr Vobornik
5b7084aeb5 Web UI password is going to expire in n days notification
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').

Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).

https://fedorahosted.org/freeipa/ticket/2625
2012-06-29 11:55:53 +02:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Ondrej Hamada
8ce7330c53 Change random passwords behaviour
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
2012-06-27 12:58:46 +02:00
Petr Vobornik
ae19cce7ad Trust Web UI
This patch adds Web UI for trusts.

Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.

Adder dialog supports two ways if adding a trust:
1)  adding with domain name, admin name and admin password.
2) adding with domain name, shared secret

Search page shows only list of realm names which are trusts' cns.

Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.

Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.

https://fedorahosted.org/freeipa/ticket/2829
2012-06-25 18:17:06 +02:00
Alexander Bokovoy
a5cb1961fe Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-25 18:16:15 +02:00
Alexander Bokovoy
c3a7894ab6 Use correct SID attribute for trusted domains
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
2012-06-25 18:15:35 +02:00
Petr Vobornik
37b7b28993 Added password reset capabilities to unauthorized dialog
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.

If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 13:23:44 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Petr Viktorin
9960149e3f Rework the CallbackInterface
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674
2012-06-14 11:09:43 +02:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
Petr Vobornik
88170087e1 Change json serialization to serialize useful data
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
 * mostly CLI specific option attribues are not send.
 * attributes evaluated to false or None are not send
 * options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.

In the end the raw amount of data send is aproximately the same.

This patch is needed for Web UI to determine which option it can use in which commands.

https://fedorahosted.org/freeipa/ticket/2760
2012-06-07 11:22:15 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Martin Kosek
52a9eb7a9c Fix dnszone-mod --forwader option help string
Help should not point to global forwarders but rather to per-zone
conditional forwarders.

https://fedorahosted.org/freeipa/ticket/2717
2012-06-05 10:46:42 +02:00
Martin Kosek
d31f0c2d33 Improve migration NotFound error
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.

User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.

https://fedorahosted.org/freeipa/ticket/2206
2012-06-05 08:51:30 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Petr Vobornik
496fbbd919 Added missing i18n in action list and action panel
This patch adds strings to internal.py which were not translated in action list/panel patches.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:08 +02:00
Petr Vobornik
ea5ae4b1cf User password widget modified.
Currently the user password is shown as follows in the details page:
    Password: Reset Password

This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.

Now password is shown as follows:
    Password: *******   (if set)
    Password:           (if not set)

Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:07 +02:00
Petr Viktorin
c799f6a0bf Add more automount tests
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.

The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.

The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.

Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
2012-05-31 20:16:29 -04:00
Martin Kosek
895203c477 Allow relative DNS name in NS validator
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.

Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.

https://fedorahosted.org/freeipa/ticket/2630
2012-06-01 12:26:57 +02:00
Martin Kosek
6ff5f28142 permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.

Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.

https://fedorahosted.org/freeipa/ticket/2658
2012-06-01 07:51:59 +02:00
Martin Kosek
5b465811ce Add rename option for DNS records
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.

https://fedorahosted.org/freeipa/ticket/2600
2012-05-31 12:45:47 +02:00
Rob Crittenden
8d00d7c130 Enforce sizelimit in permission-find, post_callback returns truncated
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.

We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.

The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.

https://fedorahosted.org/freeipa/ticket/2322
2012-05-30 08:46:21 +02:00
Petr Viktorin
51bd68eaf5 Provide a better error message when deleting nonexistent attributes
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".

https://fedorahosted.org/freeipa/ticket/2699
2012-05-29 00:38:40 -04:00
Petr Viktorin
1af36da933 Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580
2012-05-29 09:23:26 +02:00
Petr Viktorin
ae12575170 Fix the pwpolicy_find post_callback
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.

Use a key function for sorting; cmp is deprecated, slower and
more complicated.

Add a test

https://fedorahosted.org/freeipa/ticket/2726
2012-05-28 16:03:28 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Petr Vobornik
4640f957ad Instructions to generate cert use certutil instead of openssl
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.

https://fedorahosted.org/freeipa/ticket/2725
2012-05-15 10:36:53 +02:00
Petr Viktorin
ece68f381a Check for empty/single value parameters before calling callbacks
https://fedorahosted.org/freeipa/ticket/2701
2012-05-15 10:02:26 +02:00
Rob Crittenden
26ab9a504f Implement permission/aci find by subtree
https://fedorahosted.org/freeipa/ticket/2321
2012-05-15 08:54:22 +02:00
Petr Viktorin
c5689e7faf Do not use extra command options in ACI, permission, selfservice
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for ACI-related plugins.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-14 10:38:07 +02:00
Rob Crittenden
95bb8d0f45 Fix overlapping cn param/option issue, pass cn as aciname in find
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.

The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.

https://fedorahosted.org/freeipa/ticket/2320
2012-05-14 10:07:41 +02:00
Petr Vobornik
719b09fb4e General details facet actions
This patch adds common action button actions for enabling/disabling/deleting object.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Petr Vobornik
8c3eadf978 Action lists
This patch add support fo Action Lists.

Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.

Actions lists are defined on facet level. Facet header takes them from facet.

Action list options
  actions: list of actions
  state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.

State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
 evaluate(record): should return string array which represents the state
 get_description(): human readable representation of a state

Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.

action options:
  name: string, required, name of the option
  label: string, required, human readable name of the option
  enable_cond: string array, states which need to be present in order to run this action
  disable_cond: string array, states which must not be present in order to run this action
  handler: function, contains action's logic
  needs_confirm: boolean, default false, indicates if action needs user confirmation
  confirm_msg: string, default generic message, human readable confirmation message.

Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.

In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Viktorin
1565ce3a8c Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649
2012-05-11 08:14:20 +02:00
Petr Viktorin
c02fcf5d34 Don't fail when adding default objectclasses using config-mod
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.

Regression test included.

https://fedorahosted.org/freeipa/ticket/2706
2012-05-09 09:53:51 +02:00
Jan Cholasta
d9d1967989 Redo boolean value encoding.
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
2012-05-09 09:43:35 +02:00
Petr Viktorin
abef5e8c02 Do not crash on empty --setattr, --getattr, --addattr
Also the unused `append` argument from _convert_2_dict.

https://fedorahosted.org/freeipa/ticket/2680
2012-05-07 17:23:08 +02:00
Petr Viktorin
0206dbe795 Do not crash on empty reverse member options
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.

Use an empty list instead of None (or other false falues, of which we
only use the empty list).

https://fedorahosted.org/freeipa/ticket/2681
2012-05-07 17:21:58 +02:00
Petr Viktorin
c45174d680 Do not use extra command options in the automount plugin
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for the automount plugin and its tests.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-07 14:08:50 +02:00
Ondrej Hamada
343aba2486 Allow one letter net/hostgroups names
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
2012-05-07 08:35:11 +02:00
Rob Crittenden
1a26406db2 Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:55 -04:00
Martin Kosek
b137b71371 Sort password policies properly with --pkey-only
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.

This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.

Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:31:53 +02:00