Commit Graph

83 Commits

Author SHA1 Message Date
Petr Viktorin
49e45f28a2 Add managed read permissions to group
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 17:14:29 +02:00
Petr Viktorin
78b657b02d Add permission_filter_objectclasses for explicit type filters
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Jan Cholasta
c2bd6f365d Convert remaining frontend code to LDAPEntry API. 2014-01-24 20:38:15 +01:00
Alexander Bokovoy
fcd9a66b16 group-show: resolve external members of the groups
Perform SID to name conversion for existing external members of the
groups if trust is configured.

https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
2014-01-20 09:48:42 +01:00
Petr Vobornik
e64db8cbc2 Filter groups by type (POSIX, non-POSIX, external)
Added flag for each groups type: --posix, --nonposix, --external to group-find command.

Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup

https://fedorahosted.org/freeipa/ticket/3483
2013-04-09 19:00:30 +02:00
Ana Krivokapic
66356f0daf Improve error messages for external group members
When adding a duplicate member to a group, an error message is issued,
informing the user that the entry is already a member of the group.
Similarly, when trying to delete an entry which is not a member,
an error message is issued, informing the user that the entry is not
a member of the group. These error messages were missing in case of
external members.

This patch also adds support for using the AD\name or name@ad.domain.com
format in ipa group-remove-member command. This format was supported in
group-add-member, but not in group-remove-member.

Unit test file covering these cases was also added.

https://fedorahosted.org/freeipa/ticket/3254
2013-03-14 11:44:24 -04:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Petr Viktorin
f2f1ed63f5 Update plugin docstrings (topic help) to reflect dropped CSV support
https://fedorahosted.org/freeipa/ticket/3352
2013-02-22 17:20:35 +01:00
Petr Viktorin
5752b35d16 Update argument docs to reflect dropped CSV support
https://fedorahosted.org/freeipa/ticket/3352
2013-02-22 17:20:35 +01:00
Martin Kosek
a41e10f0eb Avoid internal error when user is not Trust admin
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
2013-02-20 13:23:58 -05:00
Tomas Babej
5b64cde92a Prevent changing protected group's name using --setattr
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354
2013-02-19 16:56:46 -05:00
Martin Kosek
d79aac855b Do not hide SID resolver error in group-add-member
When group-add-member does not receive any resolved trusted domain
object SID, it raises an exception which hides any useful error
message passed by underlying resolution methods. Remove the exception
to reveal this error messages to user.

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
e60e80e2b6 Generalize AD GC search
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.

Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Sumit Bose
fdd3299fa8 ipa-adtrust-install: Add fallback group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:26 -04:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Alexander Bokovoy
ba5248135c Make sure external group members are listed for the external group
https://fedorahosted.org/freeipa/ticket/2975
2012-09-25 08:21:22 +02:00
Alexander Bokovoy
26baae1fe9 Document use of external group membership 2012-09-20 14:58:32 +02:00
Alexander Bokovoy
9d84a3cf49 Fix error messages and use proper ImportError for dcerpc import 2012-09-20 14:57:07 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
Jan Cholasta
3ba9cc8eb4 Refactor exc_callback invocation.
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).

Add some extra checks to existing exception callbacks.
2012-04-26 09:00:30 +02:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Martin Kosek
16d88d79ad Add gidnumber minvalue
Do not accept invalid GID values in IPA user/group plugins.

https://fedorahosted.org/freeipa/ticket/2335
2012-02-23 21:00:15 -05:00
Rob Crittenden
181e6da9d8 Mark some attributes required to match the schema.
This makes no changes to the functionality in the command-line or
GUI because these all have defaults anyway. This is mostly to show
them properly in the UI and prevent someone from trying to erase the
value (and getting a nasty schema error in response).

https://fedorahosted.org/freeipa/ticket/2015
2011-12-05 22:29:02 -05:00
Rob Crittenden
06a9b7d9af Clarify usage of --posix argument in group plugin.
Contributed by Jérôme Fenal
2011-11-16 18:42:40 -05:00
John Dennis
1b4eab0411 ticket 1669 - improve i18n docstring extraction
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.

Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.

We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.

It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.

However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.

Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.

class foo(Command):
    '''
    The foo command takes out the garbage.
    '''

Would become:

class foo(Command):
    __doc__ = _('The foo command takes out the garbage.')

But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.

In summary what this patch does is:

* Remove the use of pygettext (modification to install/po/Makefile.in)

* Replace every docstring with an explicit assignment to __doc__ where
  the rhs of the assignment is an i18n marking function.

* Single line docstrings appearing in multi-line string literals
  (e.g. ''' or """) were replaced with single line string literals
  because the multi-line literals were introducing unnecessary
  whitespace and newlines in the string extracted for translation. For
  example:

  '''
  The foo command takes out the garbage.
  '''

  Would appear in the translation catalog as:

"\n
  The foo command takes out the garbage.\n
  "

  The superfluous whitespace and newlines are confusing to translators
  and requires us to strip leading and trailing whitespace from the
  translation at run time.

* Import statements were moved from below the docstring to above
  it. This was necessary because the i18n markers are imported
  functions and must be available before the the doc is
  parsed. Technically only the import of the i18n markers had to
  appear before the doc but stylistically it's better to keep all the
  imports together.

* It was observed during the docstring editing process that the
  command documentation was inconsistent with respect to the use of
  periods to terminate a sentence. Some doc had a trailing period,
  others didn't. Consistency was enforced by adding a period to end of
  every docstring if one was missing.
2011-08-24 23:13:16 -04:00
Endi S. Dewata
4bd85ceb90 Fixed label capitalization
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.

Ticket #1424
2011-07-14 11:44:48 -04:00
Endi S. Dewata
b2c5b2b4b5 Fixed object_name and object_name_plural internationalization
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.

Ticket #1435
2011-07-12 16:33:08 -04:00
Endi S. Dewata
58eec70884 Removed invalid associations.
The following invalid associations have been removed:
 - group's memberindirect netgroup and role
 - hostgroup's memberofindirect host

Ticket #1366
Ticket #1367
2011-07-01 00:59:34 -04:00
Endi S. Dewata
8d9575605d Added singular entity labels.
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.

The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.

Ticket #1249
2011-06-27 12:11:22 -04:00
Jr Aquino
d7c60205a6 Add sudorule and hbacrule to memberof and indirectmemberof attributes
Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170
2011-06-06 13:14:38 -04:00
Rob Crittenden
4d0e739345 Fix style and grammatical issues in built-in command help.
There is a rather large API.txt change but it is only due to changes
in the doc string in parameters.

ticket 729
2011-03-04 11:09:43 -05:00
Rob Crittenden
2f82112bb3 Add handling for indirect memberof other entries.
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.

I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.

ticket 966
2011-02-21 11:21:23 -05:00
Martin Kosek
c9ff669cdd Inconsistent error message for ipa group-detach
When attempting to detach a private group that doesn't exist, the
error message returned is not consistent with the error returned by
the other topic commands. This patch adds a standard message.

https://fedorahosted.org/freeipa/ticket/291
2011-02-03 10:33:22 -05:00
Jakub Hrozek
ab2ca8022e Fix assorted bugs found by pylint 2011-01-25 14:01:36 -05:00
Pavel Zuna
d6d579ead4 Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
2011-01-04 21:56:38 -05:00
Rob Crittenden
4d6cd89258 In meta data make ACI attributes lower-case, sorted. Add possible attributes.
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).

To make the list easier to handle sort it and make it all lower-case.

Fix a couple of missed camel-case attributes in the default ACI list.

ticket 641
2010-12-21 13:00:15 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Pavel Zuna
3a9210f06f Enable filtering search results by member attributes.
LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
2010-12-20 12:28:45 -05:00
Rob Crittenden
6c393e53b0 This is the second half of a patch. Only the part that had to be
re-based got pushed for some reason.

Use better description for group names in help and always prompt for members

When running <foo>-[add|remove]-member completely interactively it didn't
prompt for managing membership, it just reported that 0 members were
handled which was rather confusing.

This will work via a shell if you want to echo too:

$ echo "" | ipa group-add-member g1

This returns 0 members because nothing is read for users or group members.

$ echo -e "g1\nadmin\n" | ipa group-add-member

This adds the user admin to the group g1. It adds it as a user because
user membership is prompted for first.

ticket 415
2010-12-02 16:29:26 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Rob Crittenden
88133ab43c Create user private groups with a uniqueid.
If we don't then we need to add it when a group is detached causing
aci issues.

I had to move where we create the UPG template until after the DS
restart so the schema is available.

ticket 542
2010-11-30 09:52:05 -05:00
Pavel Zuna
5060fdfade Change signature of LDAPSearch.pre_callback.
Add the opportunity to change base DN and scope in the callback.
2010-11-23 21:29:08 -05:00
Rob Crittenden
53d1553755 Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.

ticket 250
2010-11-19 13:47:09 -05:00
Rob Crittenden
25469cf4f1 Increase # of chars in users and groups to 255 and default username to 32.
ticket 434
2010-11-12 17:25:40 -05:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00