Add tool tips for buttons in detail view. New tooltips:
Reload - Reload current settings from the server.
Revert - Undo all unsaved changes.
Undo - Undo this change.
Undo all - Undo all changes in this field.
https://fedorahosted.org/freeipa/ticket/5428
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Truncated entries were silently ignored, now a user receives warning.
https://fedorahosted.org/freeipa/ticket/4022
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.
https://fedorahosted.org/freeipa/ticket/5584
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
- `file` was removed in favor of `open`. Switch to the new spelling.
- `buffer` was removed in favor of a buffer protocol (and memoryview),
and `reload` was moved to importlib.
Both are used in py2-only blocks, so just placate PyLint.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, exceptions don't behave as tuples of their arguments;
instead of e[1] it's necessary to use e.args[1].
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Previously the command returned False whenever an exception occured
which caused installed to continue even when there was a problem with
LDAP connection.
https://fedorahosted.org/freeipa/ticket/5564
Reviewed-By: David Kupka <dkupka@redhat.com>
This import statement has been removed in commit
e4075b1fe2. This caused requests for service
certs to fail, since the validation functions from x509 module crashed with
NameError.
https://fedorahosted.org/freeipa/ticket/5561
Reviewed-By: Martin Basti <mbasti@redhat.com>
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Running make with PYTHON=/usr/bin/python3 will build/install the
bits for Python 3.
Executable scripts in ipatests have symlinks Python version suffixes
as per Fedora guidelines. Suffix-less names point to the Python 2 versions.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Check if the zone user wants to add is already resolvable and refuse to
create it if yes. --skip-overlap-check and --force options suppress this check.
https://fedorahosted.org/freeipa/ticket/5087
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Default ldap search limit is now 30 sec by default during upgrade.
Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.
Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.
https://fedorahosted.org/freeipa/ticket/5267
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python dns resolver append configured domain to queries which may lead
to false positive answer.
Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"
https://fedorahosted.org/freeipa/ticket/5421
Reviewed-By: Petr Spacek <pspacek@redhat.com>
To debug DNS issues other commands should be used like 'dig', 'host',
'nslookup' instead of command 'ipa dns-resolve'.
This command is executed on server side, what may not be helpful with
debugging clients.
'ipa dns-resolve' command is worse copy of host command, users should use
'host' command instead.
dns-resolve is removed from CLI
https://fedorahosted.org/freeipa/ticket/5466
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added commands:
* user-add-manager
* user-remove-manager
* stageuser-add-manager
* stageuser-remove-manager
Commit contains override of convert_attribute_members method in baseuser
class that ensures the managers will be returned in 'manager' attribute
due to backward compatibility instead of 'manager_user' as would be
expected.
https://fedorahosted.org/freeipa/ticket/5344
This patch also fixes: https://fedorahosted.org/freeipa/ticket/5387
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Relative name "record.zone" is being added into zone "zone.",
which is probably a mistake. User probably wanted to either specify
relative name "record" or use FQDN "record.zone.".
Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa
topologysegment-*' commands
* ipa-csreplica-manage del - a user should use ipa-replica-manage del
https://fedorahosted.org/freeipa/ticket/5405
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Added try-except block in dns plugin in order to provide user
friendly message to end user.
https://fedorahosted.org/freeipa/ticket/4811
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The client XML-RPC implementation is tied to rpclib internals,
so with a change in Python it needs to be updated. And rpclib
changed in Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Makes sure that the first check that is performed when trustdomain-del
command is run is that the actual trusted domain exists. This is done to
prevent a subseqent error which might be misleading.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The trust_show command does not raise a properly formatted NotFound
error if the trust is not found, only a generic EmptyResult error
is raised.
This patch makes the trust_show tell us what actually could not be
found.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Instead of searching for all zones to identify the correct reverse zone, we
will first ask the resolver to return the name of zone that should contain the
desired record and then see if IPA manages this zone.
This patch also removes a duplicate function in bindinstance.py that is not
used anywhere.
https://fedorahosted.org/freeipa/ticket/5200
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, the "message" property was removed in favor of calling str().
Add it to PublicMessage, since IPA code depends on it.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.
Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).
In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError
In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate
Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Warning user that DNSSEC key master is not installed when commands
dnszone-add, dnszone-mod, dnszone-show when option dnssec=true
https://fedorahosted.org/freeipa/ticket/5290
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When converting the anchor to a human readable form, SID validation
may fail, i.e. if the domain is no longer trusted.
Ignore such cases and pass along the anchor in the raw format.
https://fedorahosted.org/freeipa/ticket/5322
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 2, numbers prfixed with '0' are parsed as octal,
e.g. '020' -> 16. In Python 3, the prefix is '0o'.
Handle the old syntax for IPA's parameter conversion to keep
backwards compatibility.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Python 3 removes the "message" attribute from exceptions, in favor
of just calling str().
Add it back for IPA's own exception types.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
- Don't encode under Python 3, where shlex would choke on bytes
- Sort the attrs dictionary in export_to_string, so the tests are
deterministic. (The iteration order of dicts was always unspecified,
but was always the same in practice under CPython 2.)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the variable with the currently handled exception is unset
at the end of the except block. (This is done to break reference
cycles, since exception instances now carry tracebacks, which contain
all locals.)
Fix this in baseldap's error handler.
Use a simpler structure for the ipatests.raises utility that only uses the
exception inside the except block.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In python 3 , `bytes` has the buffer interface, and `buffer` was removed.
Also, invalid padding in base64-encoded data raises a ValueError rather
than TypeError.
In tests, use pytest.assert_raises for more correct exception assertions.
Also, get rid of unused imports in the tests
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, different types are generally not comparable (except for equality),
and None can't be compared to None.
Fix cases of these comparisons.
In ipatest.util, give up on sorting lists if the sorting raises a TypeError.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the types module no longer provide alternate names for
built-in types, e.g. `types.StringType` can just be spelled `str`.
NoneType is also removed; it needs to be replaced with type(None)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module name was lowercased in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module is renamed to xmlrpc.client in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The "splittype" and "splithost" functions in urllib.parse
are undocumented and reserved for internal use,
see http://bugs.python.org/issue11009
Use urlsplit instead.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Causes nicer error message when kerberos credentials are not available.
https://fedorahosted.org/freeipa/ticket/5272
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Rename __unicode__ to __str__ in classes which define it and use the
six.python_2_unicode_compatible decorator on them to make them compatible with
both Python 2 and 3.
Additional changes were required for the ipapython.dnsutil.DNSName class,
because it defined both __str__ and __unicode__.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The initial fix of ticket 5247 rejected renames, but left the option
behind for API compatibility. Remove the option now, according to
the consensus that because it never worked, it is fine to remove it.
Fixes: https://fedorahosted.org/freeipa/ticket/5247
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The form`raise Error, value` is deprecated in favor of `raise Error(value)`,
and will be removed in Python 3.
Use the new syntax.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, next() for iterators is a function rather than method.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, raw_input() was renamed to input().
Import the function from six.moves to get the right version.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, filter() returns an iterator.
Use list comprehensions instead.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
`ipa user-del` with `--preserve` option will now process multiple entries and
handle `--continue` option in a manner analogous to `ipa user-del` in normal
mode.
In addition, it is now no longer possible to permanently delete a user by
accidentally running `ipa user-del --preserve` twice.
https://fedorahosted.org/freeipa/ticket/5234https://fedorahosted.org/freeipa/ticket/5236
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g. ECDSA. The patch just renames the occurences to avoid more
confusion in the future.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
For bidirectional trust if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
formatting 'creds' object in Kerberos style.
For one-way trust we'll be fetching trust topology as TDO object,
authenticating with pre-created Kerberos credentials cache, so in all
cases we do use Kerberos authentication to talk to Active Directory
domain controllers over cross-forest trust link.
Part of trust refactoring series.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Fixes: https://fedorahosted.org/freeipa/ticket/5182
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch replaces 'stageuser-add --from-delete' with new command
user-stage.
Original way always required to specify first and last name, and
overall combination of options was hard to manage. The new command
requires only login of deleted user (user-del --preserve).
https://fedorahosted.org/freeipa/ticket/5041
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault-find plugin has two additional arguments to list all
service vaults or user vaults. Since the name of a vault is only unique
for a particular user or service, the commands also print the vault user
or vault service. The virtual attributes were added in rev
01dd951ddc.
Example:
$ ipa vault-find --users
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault user: admin
Vault name: UserVault
Type: standard
Vault user: admin
----------------------------
Number of entries returned 2
----------------------------
$ ipa vault-find --services
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL
Vault name: myvault
Type: standard
Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
----------------------------
Number of entries returned 2
----------------------------
https://fedorahosted.org/freeipa/ticket/5150
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.
The Dogtag profile has total control over what goes into the final
certificate and has the option to reject request based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA. Remove
the check.
Fixes: https://fedorahosted.org/freeipa/ticket/5205
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Deletion of predefined profiles, including the default profile,
should not be allowed. Detect this case and raise an error.
Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.
Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In the event of invocation of trust related commands, IPA server needs to
contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.
Properly detect the absence of the Samba instance and output
user-friendly
message which includes list of servers that are capable of running
the command, if such exist.
List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI
https://fedorahosted.org/freeipa/ticket/5165
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges is the same
- it's always DOMAIN.NAME_id_range.
When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.
Detect such domain collisions early and bail out with an appropriate
error message.
https://fedorahosted.org/freeipa/ticket/4549
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
usercertificate attr was moved from "System Modify Users" to this
new permission.
https://fedorahosted.org/freeipa/ticket/5177
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The reduce function is no longer a built-in in Python 3.
Importing it from functools works on both py2 and py3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The deprecated has_key method will be removed from dicts in Python 3.
For custom dict-like classes, has_key() is kept on Python 2,
but disabled for Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Python 3 uses double-underscored names for internal function attributes.
In Python 2.7, these names exist as aliases to the old 'func_*' and
'im_*' names.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
also show the message about the way UID/GID ranges are managed in FreeIPA in
the idrange-mod's help message
https://fedorahosted.org/freeipa/ticket/4826
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services
(Fixes ACI issue where search returns nothing when user does't have
read rights for an attribute in search_attributes.
https://fedorahosted.org/freeipa/ticket/5167
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.
Normalise both side of the comparison to ensure that the principal
names contain realm information.
Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.
Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.
Once the python-nss bug is fixed, this workaround should be
reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension. Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.
Also update cert-request to accept CSRs containing this extension.
Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames). Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).
Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The current error message upon a virutal command access denial does
not give any information about the virtual operation that was
prohibited. Add more information to the ACIError message.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch forces the user management CLI command to store certificates as
userCertificate;binary attribute. The code to retrieve of user information was
modified to enable outputting of userCertificate;binary attribute to the
command line.
The modification also fixes https://fedorahosted.org/freeipa/ticket/5173
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.
https://fedorahosted.org/freeipa/ticket/5171
Reviewed-By: Martin Basti <mbasti@redhat.com>
certprofile-import no longer requires profileId in profile data. Instead
the profile ID from the command line is taken and added to the profile
data internally.
If profileId is set in the profile, then it still has to match the CLI
option.
https://fedorahosted.org/freeipa/ticket/5090
Reviewed-By: Martin Basti <mbasti@redhat.com>
A user can pass file names for password, public and private key files to
the vault plugin. The plugin attempts to read from these files. If any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
* handle not found error
* return new DN
https://fedorahosted.org/freeipa/ticket/5145
Reviewed-By: David Kupka <dkupka@redhat.com>
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid
statement, the ipalib ACI parser was updated to handle this case.
https://fedorahosted.org/freeipa/ticket/5037
Reviewed-By: Martin Basti <mbasti@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces a objectclass check in idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to it's SID.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.
https://fedorahosted.org/freeipa/ticket/5146
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.
https://fedorahosted.org/freeipa/ticket/4969
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they dont have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes regression caused by cd3ca94ff2.
Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server
https://fedorahosted.org/freeipa/ticket/5133
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.
https://fedorahosted.org/freeipa/ticket/5038
Reviewed-By: David Kupka <dkupka@redhat.com>
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.
https://fedorahosted.org/freeipa/ticket/5120
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 62e8002bc4.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
New certificate widget which replaced certificate status widget.
It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.
part of: https://fedorahosted.org/freeipa/ticket/5045
Reviewed-By: Martin Basti <mbasti@redhat.com>
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.
Certificate search facet allows to add a certificate.
User details facet allows to add a certificate.
part of
https://fedorahosted.org/freeipa/ticket/5046
Reviewed-By: Martin Basti <mbasti@redhat.com>
API refactoring caused that session_logout command was not registered.
Commands in ipalib/plugins directory are automatically registered.
Reviewed-By: Martin Basti <mbasti@redhat.com>
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension. Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.
Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it. Use split_any_principal to do the
splitting correctly, also taking realm into account.
Reviewed-By: David Kupka <dkupka@redhat.com>
This reverts commit ea7f392bb9.
The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.
https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This can be either set in IPA config file or specified as
'ipa --skip-version-check [COMMAND]'.
part of https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.
Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--out=FILENAME' option to `certprofile-show'. When given,
it exports the profile configuration from Dogtag and writes it to
the named file.
Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin
https://fedorahosted.org/freeipa/ticket/5097
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
added to commands: doc, proper args, NO_CLI
added to options: default_from, cli_name, cli_short_name and others
https://fedorahosted.org/freeipa/ticket/3129
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new group of commands is introduced that simplifies adding and removing
binary certificates to entries. A general form of the command is
ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB]
Part of http://www.freeipa.org/page/V4/User_Certificates and
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Validation of certificate is now handled by `x509.validate_certificate'.
Revocation of the host and service certificates was factored out to a separate
function.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch extends the API framework with a set of classes which add/remove
values to a single LDAPObject attribute.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Instead of internal error show 'DNS is not configured' message, when a
dns* command is executed.
https://fedorahosted.org/freeipa/ticket/5017
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This change removes the automatic plugins sub-package magic and allows
specifying modules in addition to packages.
https://fedorahosted.org/freeipa/ticket/3090
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For IPA users and groups we are able to trigger a removal of
any relevant ID overrides in user-del and group-del commands.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For various reasons, it can happen that the users or groups that
have overrides defined in a given ID view are no longer resolvable.
Since user and group names are used to specify the ID override objects
too by leveraging the respective user's or group's ipaUniqueID,
we need to provide a fallback in case these user or group entries
no longer exist.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The availability of dcerpc bindings is being checked on the client
side as well, hence we need to define it properly.
https://fedorahosted.org/freeipa/ticket/5025
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Upstream PyKerberos uses a different argument ordering than
from the patch that Fedora/RHEL was carrying for
authGSSClientInit().
Using named arguments provides forwards and backwards
compatibility.
https://fedorahosted.org/freeipa/ticket/5085
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Checks done:
1. check if the topology is not disconnected. In other words if
there are replication paths between all servers.
2. check if servers don't have more than a recommended number of
replication agreements(4)
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-replica-manage del now:
- checks the whole current topology(before deletion), reports issues
- simulates deletion of server and checks the topology again, reports issues
Asks admin if he wants to continue with the deletion if any errors are found.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
In user_del, flags 'permanently' and 'preserve' were replaced with single
bool option 'preserve'
part of: https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
setting "nsds5BeginReplicaRefresh;left" to "start" reinintializes the
right node and not the left node. This patch fixes API to match the
behavior.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
direction
- downgrade of direction
These situations are now forbidden in API.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Mod of segment end will be disallowed in topology plugin.
Reasoning (by Ludwig): if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Show warning messages if DNSSEC validation is failing for particular FW
zone or if the specified forwarders do not work
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
