Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.
https://fedorahosted.org/freeipa/ticket/4294
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When serial numbers were generated with $RANDOM, there
could be collisions.
Use sequential numbers instead.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.
https://fedorahosted.org/freeipa/ticket/4239
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.
Also, do not reset ipapermbindruletype when updating an existing
managed permission.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.
Also, $SUFFIX itself can now be read anonymously.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.
It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP working over
compat tree.
selinux-polic 3.12.1-135 fixes issues which prevented httpd to work
with kernel keyring-based credentials caches.
This change is Fedora 20+.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.
Note that this will only work if ticket 47699 is fixed in 389-ds.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This change allow us to use proper two way binding between a field and
a widget. In previous implementation field was not changed if something
changed the value of a widget in 'update'. Now listeners are notified
when the widget value is changed by: calling 'update', 'set_value'
or by user change.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Hidden was used only in ACI. There is no reason to have two properties
which are negations of each other.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
This is a Web UI wide change. Fields and Widgets binding was refactored
to enable proper two-way binding between them. This should allow to have
one source of truth (field) for multiple consumers - widgets or something
else. One of the goal is to have fields and widget implementations
independent on each other. So that one could use a widget without field
or use one field for multiple widgets, etc..
Basically a fields logic was split into separate components:
- adapters
- parsers & formatters
- binder
Adapters
- extract data from data source (FreeIPA RPC command result)
- prepares them for commands.
Parsers
- parse extracted data to format expected by field
- parse widget value to format expected by field
Formatters
- format field value to format suitable for widgets
- format field value to format suitable for adapter
Binder
- is a communication bridge between field and widget
- listens to field's and widget's events and call appropriate methods
Some side benefits:
- better validation reporting in multivalued widget
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
ipa-client-automount calls automountlocation-show command during the
process. Unfortunately, FreeIPA commands are forward compatible only
and thus fail the installer.
Similarly to ipa-client-install, call XML-RPC interface directly
with version fixed to 2.0 (command was already available at that
version) to fix the failure.
https://fedorahosted.org/freeipa/ticket/4290
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages
by equivalents from rpc module.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
- moves RPC code from ipa.js to it's own module
- part of ongoing effort where the ultimate goal is to get rid of ipa.js
and IPA namespace
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When some module used 'freeipa/navigation' it pulled the entire Web UI
because navigation depended on app.
This patch splits the app into two modules: app and app_container.
App specifies the entities which are part of final application.
app_container module represents the application boot classes. Navigation
now depends on app_container.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
python-pyasn1 and python-qrcode were imported by ipalib but not
required by python subpackage.
https://fedorahosted.org/freeipa/ticket/4275
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In test_trust.py, several tests did case sensitive search on the output of
the ipa idrange-show command. This could cause false negatives.
Part of: https://fedorahosted.org/freeipa/ticket/4267
Reviewed-By: Martin Kosek <mkosek@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
