Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To be able to better deal with the conflicting user / group names, we split the
idoverride objects in the two types. This simplifies the implementation greatly,
as we no longer need to set proper objectclasses on each idoverride-mod operation.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Improve usability of the ID overrides by allowing user to specify the common name of
the object he wishes to override. This is subsequently converted to the ipaOverrideAnchor,
which serves as a stable reference for the object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also fixes incorrect error catching for UnicodeDecodeError.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When renaming a object to the same name, errors.EmptyModList is raised.
This is not properly handled, and can cause other modifications in the
LDAPUpdate command to be ignored.
https://fedorahosted.org/freeipa/ticket/4548
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.
https://fedorahosted.org/freeipa/ticket/4387
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Admins email (SOA RNAME) is autofilled with value 'hostmaster'. Bind
will automaticaly append zone part.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Option --name-server is changing only SOA MNAME, this option has no more
effect to NS records
Option --ip-addres is just ignored
A warning message is sent after use these options
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This option haven't been working, it is time to remove it.
Ticket: https://fedorahosted.org/freeipa/ticket/3414
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
dnszone-remove-permission should raise NotFound error if permission was
not found (regression of 21c829ff).
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The host-del command did not accept --continue option, since the
takes_options was overriden and did not take the options from LDAPDelete.
Fix the behaviour.
https://fedorahosted.org/freeipa/ticket/4473
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add 'Add OTP Token' action to user action menu.
This option is disabled in self-service when viewing other users.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This substantially reduces the FreeIPA dependencies and allows
QR codes to fit in a standard terminal.
https://fedorahosted.org/freeipa/ticket/4430
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Make validation more strict
* DS, NS, DNAME owners should not be a wildcard domanin name
* zone name should not be a wildcard domain name
Ticket: https://fedorahosted.org/freeipa/ticket/4488
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Also, remove the attempt to load the objectClasses when absent. This
never makes sense during an add operation.
https://fedorahosted.org/freeipa/ticket/4455
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Make error message more meaningful when a password policy is added for a non
existing group.
https://fedorahosted.org/freeipa/ticket/4334
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Make ipa trust-add command interactive for realm_admin and realm_passwd
- Fix 'Active directory' typo to 'Active Directory'
https://fedorahosted.org/freeipa/ticket/3034
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Tooltips were added to "User authentication types" and "Default user
authentication types" to describe their relationship and a meaning of
not-setting a value.
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- add info icons to distinguish and classify the messages.
- add info text for OTP fields
- fix login instruction inaccuracy related to position of login button
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
When creating or modifying otptoken check that token validity start is not after
validity end.
https://fedorahosted.org/freeipa/ticket/4244
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to
pass the validation tests, however, they are not implemented nor
checked by the 389 server plugin.
https://fedorahosted.org/freeipa/ticket/4323
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Returning non-unicode causes serialization into base64 which causes havoc
in Web UI.
https://fedorahosted.org/freeipa/ticket/4454
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Web UI doesn't always know what are the possible attributes
for target object. This will allow to add custom attributes
if necessary.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Adds filter field to attribute box in permissions for better user
experience. User can then quickly find the desired attribute.
Initial version of the patch authored by: Adam Misnyovszki
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
DS returns the string "none" when no rights were found. All clients
would need to special-case this value when checking the rights.
Return empty string instead.
https://fedorahosted.org/freeipa/ticket/4359
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The permission is required for DNS Administrators as realm domains
object is updated when a master zone is added.
https://fedorahosted.org/freeipa/ticket/4423
Reviewed-By: Petr Spacek <pspacek@redhat.com>
For ipatokennotbefore and ipatokennotafter attributes use DateTime
parameter class instead of Str, since these are represented as
LDAP Generalized Time in LDAP.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.
Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.
Workaround for: https://fedorahosted.org/freeipa/ticket/4376
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.
https://fedorahosted.org/freeipa/ticket/4284
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Call user-unlock command from Web UI.
It will unlock displayed user on current master.
https://fedorahosted.org/freeipa/ticket/4407
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.
https://fedorahosted.org/freeipa/ticket/4260
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The following attributes were missing from the list of default attributes:
* externalhost
* ipasudorunasextuser
* ipasudorunasextgroup
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
dns(forward)zone-add/remove-permission can work with permissions with
relative zone name
Ticket:https://fedorahosted.org/freeipa/ticket/4383
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Add missing Add, Modify, Removedefault permissions to:
- automountlocation (Add/Remove only; locations have
no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)
Related to: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- userclass
added to existing Modify hosts permission
- usercertificate, userpassword
added to a new permissions
https://fedorahosted.org/freeipa/ticket/4252
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.
Fix the behaviour and cover it in the test suite.
https://fedorahosted.org/freeipa/ticket/4360
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users
https://fedorahosted.org/freeipa/ticket/3697
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When the strings are changed again, translators will only need to
re-translate the modified parts.
See: https://fedorahosted.org/freeipa/ticket/3587
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Validator is no more used in dns plugin
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Validator is no more used in dns plugin
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Records data are always returned as string
* Attributes idnsname, idnssoamname, idnssoarname are returned as
* DNSName, with
option --raw as string
* option --raw returns all IDN domains punycoded
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Zone is stored as an absolute name (ipa never support relative
* zonenames)
* compatible with relative zone names as was before
* PTR target can be relative domain name
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modified functions to use DNSName type
* Removed unused functions
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix: classes didnt inherite params from parent correctly
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
An ACIError is now raised if:
- the user doesn't have permission to read any one of the ticket policy
attributes on the requested entry
(checked using attribute-level rights)
- any ticket policy attribute from the default policy is not available
(either not readable, or not there at all)
(only checked if these are accessed, i.e. when the user entry doesn't
override all of the defaults, or when requesting the global policy)
https://fedorahosted.org/freeipa/ticket/4354
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since user_add checks the UPG definition to see if UPG is enabled,
user admins need read access to add users correctly.
All attributes are allowed since UPG Definition is an extensibleObject;
the needed attributes are not in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.
Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.
This assumes that the anonymous read ACI will be removed in a "new" IPA.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Creating tokens for yourself is the most common operation. Making this the
default optimizes for the common case.
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Specifying the default in the LDAP Object causes the parameter to be specified
for non-add operations. This is especially problematic when performing the
modify operation as it causes the primary key to change for every
modification.
https://fedorahosted.org/freeipa/ticket/4227
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.
Part of: https://fedorahosted.org/freeipa/ticket/3306
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With global read ACI removed, some of the trust and trustdomain
attributes are not available. Make trust plugin resilient to these
missing attributes and let it return the available information.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A single permission is added to cover trust, trustconfig, and trustdomain.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes contain secrets for the trusts and should not be returned
by default.
Also, search_display_attributes is modified to better match default_attributes
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For backward compatibility, the values are converted to unicode, unless the
attribute is binary or the conversion fails.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.
This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A single permission is added to cover automountlocation,
automountmap, and automountkey.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.
https://fedorahosted.org/freeipa/ticket/4239
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.
It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is a Web UI wide change. Fields and Widgets binding was refactored
to enable proper two-way binding between them. This should allow to have
one source of truth (field) for multiple consumers - widgets or something
else. One of the goal is to have fields and widget implementations
independent on each other. So that one could use a widget without field
or use one field for multiple widgets, etc..
Basically a fields logic was split into separate components:
- adapters
- parsers & formatters
- binder
Adapters
- extract data from data source (FreeIPA RPC command result)
- prepares them for commands.
Parsers
- parse extracted data to format expected by field
- parse widget value to format expected by field
Formatters
- format field value to format suitable for widgets
- format field value to format suitable for adapter
Binder
- is a communication bridge between field and widget
- listens to field's and widget's events and call appropriate methods
Some side benefits:
- better validation reporting in multivalued widget
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
The 'top' objectclass is added by DS if not present. On every
update the managed permission updater compared the object_class
list with the state from LDAP, saw that there's an extra 'top'
value, and tried deleting it.
Add 'top' to the list to match the entry in LDAP.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Previously the search term was only applied to the name.
Fix it so that it filters results based on any attribute.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --memberof logic tried to convert the value of a (memberof=...)
filter to a DN, which failed with filters like (memberof=*).
Do not try to set memberof if the value is not a DN.
A test will be added in a subsequent patch.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The extratargetfilter behaves exactly like targetfilter, so that e.g.
ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.
Part of the work for https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Extend the permission-add and permission-mod commands to process
extratargetfilter.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it
Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.
Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.
Write support will be added in a subsequent patch.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.
https://fedorahosted.org/freeipa/ticket/4247
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
this patch implements:
- output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion.
- datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date.
- utc formatter replaced with new datetime formatter
- datetime_validator introduced
- new datetime field, extension of text field, which by default uses datetime formatter and validator
Dojo was regenerated to include dojo/string module
https://fedorahosted.org/freeipa/ticket/4194
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not suport verifying
trust against the other party (returns WERR_NOT_SUPPORTED).
This needs to be added to the documentation:
When using 'ipa trust-add ad.domain --trust-secret', one has to manually
validate incoming trust using forest trust properties in AD Domains and
Trusts tool.
Once incoming trust is validated at AD side, use IPA command
'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
From this point on the trust should be usable.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This makes searching faster if there are many legacy permissions present.
The root entry (which contains all legacy permission ACIs) is only
looked up once.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.
https://fedorahosted.org/freeipa/ticket/4212
Reviewed-By: Martin Kosek <mkosek@redhat.com>
RFC 4226 states the following in section 4:
R6 - The algorithm MUST use a strong shared secret. The length of
the shared secret MUST be at least 128 bits. This document
RECOMMENDs a shared secret length of 160 bits.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.
Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
forest trust
Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.
https://fedorahosted.org/freeipa/ticket/4205
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.
https://fedorahosted.org/freeipa/ticket/4196
Reviewed-By: Martin Kosek <mkosek@redhat.com>
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.
https://fedorahosted.org/freeipa/ticket/4121
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Fractional parts of integers are not mandatory.
- Expressions containing only size or only size + horizontal precision
are allowed.
- N/S/W/E handling was fixed.
See RFC 1876 section 3 for details.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Construct the ACI string from permission entry directly
in the permission plugin.
This is the next step in moving away from ipalib.aci.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
With this change, shortcut options like memberof and type will be
aplied on the server, not on the client.
This will allow us to pass more information than just updated options.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Fix i18n for plugin docstring
- Fix error when the aci attribute is not present on an entry
- Fix error when raising exception for ACI not found
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Now users can add reverse zones in classless form:
0/25.1.168.192.in-addr.arpa.
0-25.1.168.192.in-addr.arpa.
128/25 NS ns.example.com.
10 CNAME 10.128/25.1.168.192.in-addr.arpa.
Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When users with missing default group were searched, IPA suffix was
not passed so these users were searched in a wrong base DN. Thus,
no user was detected and added to default group.
https://fedorahosted.org/freeipa/ticket/4141
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Add Web UI counterpart of following CLI commands:
* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove infromation about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust
https://fedorahosted.org/freeipa/ticket/4119
We do not need to expose a public FreeIPA specific interface to resolve
SIDs to names. The interface is only used internally to resolve SIDs
when external group members are listed. Additionally, the command interface
is not prepared for regular user and can give rather confusing results.
Hide it from CLI. The API itself is still accessible and compatible with
older clients.
https://fedorahosted.org/freeipa/ticket/4113
dnsrecord-mod may call dnsrecord-delentry command when all records
are deleted. However, the version was not passwd to delentry and
it resulted in a warning.
https://fedorahosted.org/freeipa/ticket/4120
Both the password plugin and the kdb driver code automatically fall
back to the default password policy.
so stop adding an explicit reference to user objects and instead rely on the
fallback.
This way users created via the framework and users created via winsync plugin
behave the same way wrt password policies and no surprises will happen.
Also in case we need to change the default password policy DN this will allow
just code changes instead of having to change each user entry created, and
distinguish between the default policy and explicit admin changes.
Related: https://fedorahosted.org/freeipa/ticket/4085
Show status of each enumerated domain
trustdomain-find shows list of domains associated with the trust.
Each domain except the trust forest root can be enabled or disabled
with the help of trustdomain-enable and trustdomain-disable commands.
https://fedorahosted.org/freeipa/ticket/4096