Commit Graph

264 Commits

Author SHA1 Message Date
Petr Viktorin
801b2fd458 permission CLI: rename --permissions to --right
The old name is kept as a deprecated alias.

https://fedorahosted.org/freeipa/ticket/4231

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-21 12:49:21 +01:00
Petr Viktorin
3120a6833e permission plugin: Output the extratargetfilter virtual attribute
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it

Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.

Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.

Write support will be added in a subsequent patch.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Nathaniel McCallum
21ff4f920e Rework how otptoken defaults are handled
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.

Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Martin Basti
efffcfdbc2 migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243
2013-12-02 13:30:12 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00
Ana Krivokapic
d97386de5b Add automember rebuild command
Add a new command to IPA CLI: ipa automember-rebuild

The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.

Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Nathaniel McCallum
3f85f09a83 Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
2013-11-08 12:48:15 +01:00
Ana Krivokapic
196c4b5f53 Fix tests which fail after ipa-adtrust-install
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852
2013-08-28 16:45:57 +02:00
Martin Kosek
49a621a257 Bump 3.4 development version to 3.3.90 2013-08-08 17:25:43 +02:00
Martin Kosek
f988e422eb Become 3.3.0 2013-08-08 15:03:05 +02:00
Martin Kosek
e6654110c4 Become 3.3.0 Beta 2 2013-08-07 14:18:18 +02:00
Ana Krivokapic
6e28e709ed Add new command compat-is-enabled
Add a new API command 'compat-is-enabled' which can be used to determine
whether Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:43 +02:00
Tomas Babej
f954f2d1b9 Limit pwpolicy maxlife to 20000 days
Since krbMaxPwdLife attribute is represented as number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result to overflow when parsing this attribute in kdb plugin,
and hence default maxlife of 90 days would be applied.

Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).

https://fedorahosted.org/freeipa/ticket/3817
2013-08-05 17:50:31 +02:00
Martin Kosek
5b54451e0e Become 3.3.0 Beta 1 2013-07-24 13:37:46 +02:00
Jan Cholasta
b7f10d9fe6 Add new hidden command option to suppress processing of membership attributes.
https://fedorahosted.org/freeipa/ticket/3706
2013-07-23 13:13:54 +02:00
Tomas Babej
e4437a3e7f Add --range-type option that forces range type of the trusted domain
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.

When --range-type option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
2013-07-11 12:39:28 +03:00
Ana Krivokapic
91a5d3349b Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.

Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.

Add tests to cover the new functionality

https://fedorahosted.org/freeipa/ticket/3634
2013-06-24 14:30:06 +02:00
Ana Krivokapic
b1321e95d7 Deprecate options --dom-sid and --dom-name in idrange-mod
https://fedorahosted.org/freeipa/ticket/3636
2013-05-31 14:21:12 +02:00
Rob Crittenden
b30b3bcccd Bump version for development branch to 3.2.99 2013-05-10 15:05:08 -04:00
Rob Crittenden
da6573917f Become 3.2.0 2013-05-10 09:30:08 -04:00
Martin Kosek
5af2e1779a Add userClass attribute for hosts
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
2013-04-26 10:20:17 -04:00
Rob Crittenden
5484b32d13 Become 3.2.0 Beta 1 2013-04-16 11:06:36 -04:00
Ana Krivokapic
b8b573a966 Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.

Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).

https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Ana Krivokapic
ff52c25ae2 Fix output for some CLI commands
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.

https://fedorahosted.org/freeipa/ticket/3503
2013-04-11 15:57:45 +02:00
Martin Kosek
f770556946 Become 3.2.0 Prerelease 1 2013-04-02 17:24:39 +02:00
Jan Cholasta
5f26d2c6db Add Kerberos ticket flags management to service and host plugins.
https://fedorahosted.org/freeipa/ticket/3329
2013-03-29 16:34:46 +01:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Martin Kosek
54a53bca48 Bump FreeIPA version for development branch
Current master branch represents future release of FreeIPA (3.2).
Bump VERSION so that current development packages are not being
updated with freeipa-3.1.x packages already released in downstream
repositories.
2013-02-25 13:42:05 +01:00
Petr Viktorin
42300eb55b Rename the "messages" Output of the i18n_messages command to "texts"
This is to prevent a fatal name clash wih the new common "messages" Output.

Since i18n_messages is an internal plugin, the change does not affect
our public API.
2013-02-21 16:26:09 +01:00
Petr Viktorin
24bca144a8 Add client capabilities, enable messages
The API version the client sends can now be used to check what the client
expects or is capable of.

All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.

The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.

If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)

Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.

Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
2013-02-21 16:26:09 +01:00
Rob Crittenden
462beacc9d Implement the cert-find command for the dogtag CA backend.
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.

dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.

The search operation is unauthenticated

Design page: http://freeipa.org/page/V3/Cert_find

https://fedorahosted.org/freeipa/ticket/2528
2013-02-19 11:52:33 -05:00
Ana Krivokapic
3253a30541 Add list of domains associated to our realm to cn=etc
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:15:46 +02:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Martin Kosek
67d8b434c5 Add trusconfig-show and trustconfig-mod commands
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.

Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/3333
2013-02-11 15:38:22 +01:00
Tomas Babej
7f27a18b51 Relax restriction for leading/trailing whitespaces in *-find commands
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.

https://fedorahosted.org/freeipa/ticket/2981
2012-12-11 12:34:28 +01:00
Lynn Root
9ee8e11164 Added the ability to do Beta versioning
The VERSION file and Makefile now handles beta versioning when given an argument.

Ticket: https://fedorahosted.org/freeipa/ticket/2893
2012-12-11 11:02:11 +01:00
Rob Crittenden
585b91df3b Become IPA 3.1.0 2012-12-10 13:28:35 -05:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Martin Kosek
1ed8ba6a75 Avoid uninstalling dependencies during package lifetime
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.

Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.

https://fedorahosted.org/freeipa/ticket/3189
2012-10-25 15:35:58 -04:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Jan Cholasta
46ad724301 Use OpenSSH-style public keys as the preferred format of SSH public keys.
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

ticket 2932, 2935
2012-09-06 19:11:57 -04:00
Martin Kosek
6abe476459 Fix DNS SOA serial parameters boundaries
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).

https://fedorahosted.org/freeipa/ticket/2568
2012-09-06 14:57:48 +02:00
Rob Crittenden
fb2a36d517 Become IPA v3 beta 2 (3.0.0.pre2) 2012-08-15 23:58:17 -04:00
Jan Cholasta
9bfa905e72 Add --{set,add,del}attr options to commands which are missing them.
ticket 2963
2012-08-03 10:18:30 +02:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Rob Crittenden
6fb802152a Become IPA v3 beta 1 (3.0.0.pre1) 2012-07-01 18:07:11 -04:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Martin Kosek
5b465811ce Add rename option for DNS records
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.

https://fedorahosted.org/freeipa/ticket/2600
2012-05-31 12:45:47 +02:00
Petr Viktorin
1af36da933 Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580
2012-05-29 09:23:26 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Petr Viktorin
6e5c8b25bf Limit permission and selfservice names to alphanumerics, -, _, space
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.

https://fedorahosted.org/freeipa/ticket/2585
2012-04-09 20:56:29 -04:00
Rob Crittenden
51b34d5c42 Make revocation_reason required when revoking a certificate.
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.

https://fedorahosted.org/freeipa/ticket/2597
2012-04-05 08:51:30 +02:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Martin Kosek
9b562f7377 Add missing global options in dnsconfig
Add a support for new global options in bind-dyndb-ldap, that is:
 * idnsforwardpolicy: Default policy for conditional forwarding
 * idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
   updates
 * idnszonerefresh: Default interval between regular polls of the
   name server for new DNS zones

https://fedorahosted.org/freeipa/ticket/2439
2012-03-20 15:40:08 +01:00
Rob Crittenden
763265f28e Fix API.txt and VERSION to reflect new sudoOrder option. 2012-03-01 22:24:26 -05:00
Ondrej Hamada
73249140fc Migration warning when compat enabled
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
2012-02-29 18:30:03 -05:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

Few modification were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Rob Crittenden
44c69ef33e Make ipaconfigstring modifiable by users.
Convert from a freeform string into a enumeration.

Only values currently allowed are AllowLMhash and AllowNThash.

To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.

https://fedorahosted.org/freeipa/ticket/1433
2012-02-09 08:29:09 +01:00
Martin Kosek
f411ed1e47 Add data field for A6 record
Since A6 is an obsolete RR type, no DNS part option was created.
This is, however, not consistent with the rest of per-type API
and may cause problems. This patch adds at least a DNS part for
raw A6 record data so that the record type is treated consistently.

This patch also fixes interactive mode for A6 records. Their data
were not detected correctly as dnsrecord_add didn't expect
a number in DNS part option name.

https://fedorahosted.org/freeipa/ticket/2309
2012-02-03 16:26:20 +01:00
Martin Kosek
0b9279a30a Add missing managing hosts filtering options
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
  --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
  --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
    in HOSTS are returned

https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 10:17:39 -06:00
Rob Crittenden
52e3488b75 Add support for storing MAC address in host entries.
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>

I tested nslcd and it only returned one macaddress value.

https://fedorahosted.org/freeipa/ticket/1132
2012-01-26 14:11:33 +01:00
Martin Kosek
7f6c9ac04c Add missing --pkey-only option for selfservice and delegation
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.

Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."

https://fedorahosted.org/freeipa/ticket/2092
2012-01-16 20:08:13 +01:00
Martin Kosek
a22620c832 Create per-type DNS API
Use new structured DNSRecord parameters to generate per-type API
for all supported DNS RR types. This should help significantly
the end-user with manipulating complex DNS record type (MX, LOC,
etc.).

All enhancements are integrated to current DNS record commands:

1) dnsrecord-add
  - Records can be either entered as a raw value (e.g. --mx-rec=
    "1 srv1.example.com" for MX record) or per-part:
    --mx-preference=1 --mx-exchanger=srv1.example.com
  - CLI interactive help behavior was changed. It will ask for
    a record type and then ask for all DNS record part values
    (e.g. MX Preference value, MX Exchanger value).

2) dnsrecord-mod
  - This command can now operate in 2 modes. When only a raw DNS
    record is entered (e.g. --mx-rec="1 srv1.example.com") it
    operates in standard mode and replaces any previous mxrecord
    value with the --mx-rec value.

    When any structured parameter (e.g. --mx-preference) is passed
    it modifies just the specified parts of one mxrecord value
    referred by --mx-rec:
      --mx-rec="1 srv1.example.com" --mx-preference=2
  - New interactive help has been implemented. It will ask for a
    record to be modified (in the same manner as dnsrecord-del)
    and then let user change DNS record part(s) for chosen
    records.

3) All dnsrecord-* commands have now --structured option
  - When this option is passed, instead of displaying raw DNS values
    all DNS records are parsed and displayed per-part. Example:

$ ipa dnsrecord-show example.com @ --structured
  Record name: @
  Records:
    Record type: MX
    Record data: 0 server1.example.com.
    MX Preference: 0
    MX Exchanger: server1.example.com.

    Record type: NS
    Record data: ns1.example.com.
    NS Hostname: ns1.example.com.

All API changes are compatible with clients without this patch.

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 09:44:00 +01:00
Ondrej Hamada
0e037f24ce HBAC test optional sourcehost option
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
2012-01-09 08:49:10 +02:00
Ondrej Hamada
da4b4fc4d9 User-add random password support
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.

Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).

I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.

https://fedorahosted.org/freeipa/ticket/1979
2011-12-12 00:17:07 -05:00
Jan Cholasta
135ccf89de Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.

Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.

ticket 2007
2011-11-30 17:08:35 +01:00
Martin Kosek
1b0b9645d1 Add --delattr option to complement --setattr/--addattr
Add a --delattr option to round out multi-valued attribute
manipulation. The new option is available for all LDAPUpdate based
commands. --delattr is evaluated last, it can remove any value
present either in --addattr/--setattr option or in current LDAP
object.

--*attr processing was completely refactored and placed to one
independent function available for all baseldap commands. For this
purpose a missing common base class for all baseldap commands has
been implemented. The new class should serve not only for --*attr
processing but also for other common baseldap methods and
attributes.

This approach will also benefit other custom commands based neither
on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr
option processing when needed.

https://fedorahosted.org/freeipa/ticket/1929
2011-11-29 10:08:28 +01:00
Martin Kosek
843c0787b7 Fix DNS zone --allow-dynupdate option behavior
--allow-dynupdate was implemented as a Flag parameter type, which
is not convenient for LDAP attributes. When a DNS zone with
permitted dynamic updates was modified and the --allow-dynupdate
flag was not set, dynamic updates were turned off.

This patch changes the option type to Bool parameter type which
behaves according to user expectations when modifying the zone.

https://fedorahosted.org/freeipa/ticket/2039
2011-11-09 15:31:50 +01:00
Martin Kosek
a486f49a37 Create pkey-only option for find commands
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.

This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.

https://fedorahosted.org/freeipa/ticket/1262
2011-10-27 14:17:51 +00:00
Martin Kosek
2aa63fe4a9 Improve handling of GIDs when migrating groups
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.

Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.

https://fedorahosted.org/freeipa/ticket/1866
2011-10-11 23:24:00 -04:00
Rob Crittenden
bd227b3562 Require current password when using passwd to change your own password.
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
2011-10-04 15:16:15 +02:00
Simo Sorce
c386773484 Set VERSION to 2.99.0 on the 3.0 development branch 2011-08-18 16:59:20 -04:00
Rob Crittenden
293f0fab0b Become IPA 2.1.0 2011-08-15 00:34:48 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Jan Cholasta
b203756a88 Add ability to specify DNS reverse zone name by IP network address.
In order for this to work, chaining of parameters through
default_from is made possible.

ticket 1474
2011-07-15 02:21:23 -04:00
Martin Kosek
0cb65fd9f6 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
2011-07-13 15:06:13 +02:00
Martin Kosek
e6c68e9993 Add DNS record modification command
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
 - modify a DNS record value (note than DNS record can hold multiple values
   and those will be overwritten)
 - remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137
2011-07-12 14:20:16 -04:00
Jan Cholasta
67b807d640 Replace the 'private' option in netgroup-find with 'managed'.
The 'private' option is kept in to maintain API compatibility, but
is hidden from the user.

ticket 1120
2011-06-28 01:57:11 -04:00
Jr Aquino
44cdf8ef54 Raise DuplicateEntry Error when adding a duplicate sudo option
https://fedorahosted.org/freeipa/ticket/1276
https://fedorahosted.org/freeipa/ticket/1277
https://fedorahosted.org/freeipa/ticket/1308

Added new Exception: AttrValueNotFound
Fixed XML Test for Sudorule remove_option
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)
2011-06-16 19:21:07 -04:00
Martin Kosek
058e3d0306 Add ignore lists to migrate-ds command
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.

This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.

Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).

https://fedorahosted.org/freeipa/ticket/1266
2011-06-15 08:36:32 +02:00
Rob Crittenden
bee4e6a85a Remove automountinformation as part of the DN for automount.
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.

So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.

Multiple direct maps are still supported and for those the info is
always required.

ticket 1229
2011-06-13 22:59:27 -04:00
Jr Aquino
d7c60205a6 Add sudorule and hbacrule to memberof and indirectmemberof attributes
Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170
2011-06-06 13:14:38 -04:00
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Rob Crittenden
cc87bc3f28 Bump version to 2.0.90 to distinguish between 2.0.x 2011-05-03 10:51:36 -04:00
Rob Crittenden
316efbc32f postalCode should be a string not an integer.
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.

This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.

Bump the API version to 2.1.

ticket 1150
2011-04-05 21:51:34 -04:00
Rob Crittenden
446a4ca439 Become IPA 2.0.0 2011-03-24 16:28:53 -04:00
Rob Crittenden
dcf7a18b4e Become IPA v2 RC 3 (2.0.0.rc3) 2011-03-10 10:00:13 -05:00
Rob Crittenden
22a503785e Become IPA v2 RC 2 (2.0.0.rc2) 2011-02-23 22:14:42 -05:00
Rob Crittenden
94395b2661 Become IPA v2 RC 1 (2.0.0.rc1) 2011-02-14 20:12:05 -05:00
Rob Crittenden
ec0911e61b Become IPA v2 beta 2 (2.0.0.pre2) 2011-02-10 11:16:56 -05:00
Rob Crittenden
c69d8084c1 Add API version and have server reject incompatible clients.
This patch contains 2 parts.

The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.

The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).

To determine the API version of the server from a client use the ping
command.

ticket 584
2011-01-14 14:26:22 -05:00
Rob Crittenden
e4c94320cb Become IPA v2 beta 1 (2.0.0.pre1) 2010-12-22 14:36:37 -05:00
Rob Crittenden
6a6db10dbc Become IPA v2 alpha 5 (1.9.0.pre5) 2010-11-09 15:03:20 -05:00
Rob Crittenden
a0dfbc069d Become IPA v2 alpha 4 (1.9.0.pre4) 2010-07-15 11:25:39 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
caf32115ec Become IPA v2 alpha 3 (1.9.0.pre3) 2010-05-07 13:22:39 -04:00
Rob Crittenden
28d8bd6e69 Become IPA v2 alpha 2 (1.9.0.pre2) 2010-02-18 11:29:16 -05:00
Rob Crittenden
23b800a879 Back down to version 1.9.0 in preparation for release of first alpha.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
2009-10-26 13:55:01 -04:00
Rob Crittenden
a2c99b0360 Bump version to 2.0.0pre1 2009-05-11 16:26:55 -04:00
Simo Sorce
818cafdd4d Bump up version number to 1.2.0 2008-11-13 11:20:06 -05:00
Simo Sorce
9648da8f5f Fix versioning for configure.ac and ipa-python/setup.py
Fix make maintainer-clean

Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)

Version 1.1.0 was released some times ago, bump up to 1.1.1
2008-08-11 18:31:05 -04:00
Simo Sorce
e9b96cdabb Move version to 1.1.0 in preparation for new patch release 2008-06-11 09:21:18 -04:00
Rob Crittenden
5ad2af3429 Redo the way versioning works in freeIPA.
The file VERSION is now the sole-source of versioning.

The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.

By default a GIT build is done. To do a non-GIT build do:

 $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no

When updating the version you can run this to regenerate the version:

 $ make version-update

The version can be determined in Python by using ipaserver.version.VERSION
2008-05-05 13:53:57 -04:00