Commit Graph

190 Commits

Author SHA1 Message Date
Christian Heimes
dcb33e44e7 Optimize user-add by caching ldap2.has_upg()
The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.

context is cleared after every request.

Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-12-05 15:07:57 +01:00
Alexander Bokovoy
ef67dece52 ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Christian Heimes
f89e501ee1 Handle races in replica config
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.

ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-07-12 15:26:25 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Fraser Tweedale
b466172d68 ldap2: fix implementation of can_add
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS.  Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.

Update the ldap2.can_add implementation to perform the add
permission check properly.  Also update call sites accordingly.

Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix.  This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.

Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-09 08:57:41 +01:00
Fraser Tweedale
4daac52ddd ipaldap: allow GetEffectiveRights on individual operations
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis.  Also update
ldap2.get_effective_rights to use this new API.

Part of: https://pagure.io/freeipa/issue/6609

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-09 08:57:41 +01:00
Christian Heimes
c1f275f9eb Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Stanislav Laznicka
436d2de456 ldap2: don't use decode() on str instance
This was causing issues when adding/removing a CA in the
CA plugin.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
4736fef6bb ldap2: remove URI argument from ldap2 constructor
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Alexander Bokovoy
7324451834 ldap2: use LDAP whoami operation to retrieve bind DN for current connection
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-22 17:19:22 +01:00
Jan Cholasta
8fdd7a9ffc backend plugins: fix crashes in development mode
Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.

Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.

https://pagure.io/freeipa/issue/6625

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:06:22 +01:00
Martin Basti
a93b2bea5c py3: remove_entry_from_group: attribute name must be string
Do not encode attribute names

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
b37d18288d py3: can_read: attributelevelrights is already string
Remove decode() as it causes error in py3 because the attribute is
already string not bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
49333058c8 py3: get_effective_rights: values passed to ldap must be bytes
Values passed to LDAP must be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
0a1d7f2e01 py3: add_entry_to_group: attribute name must be string not bytes
With bytes as attribute name pyldap raises type error

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Tomas Krizek
41098e3f7b ldap2: modify arguments for create_connection
* Remove unused and obsolete function arguments:
    * tls_certfile
    * tls_keyfile
    * debug_level
* Rename tls_cacertfile to cacert (same as name in LDAPClient)
* Set cacert to constants.CACERT by default.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
36d95472d9 ldap2: change default bind_dn
Set default bind_dn to cn=directory manager.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
e2780b2106 ldap2: change default time/size limit
* Set default time_limit and size_limit in ldap2 to unlimited.
* Set time_limit and size_limit to None in backend. This will respect
    ipaconfig values.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
60e38ecc7f ipaldap: merge external_bind into LDAPClient
* Rename do_external_bind to external_bind
* Remove user_name argument in  external_bind() and always set it
    to effective user name

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Jan Cholasta
bed546ee82 ipalib, ipaserver: migrate all plugins to Registry-based registration
Do not use the deprecated API.register method.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Martin Babinsky
1f0959735f differentiate between limit types when LDAP search exceeds configured limits
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Martin Basti
2a1a3c498a Upgrade: increase time limit for upgrades
Default ldap search limit is now 30 sec by default during upgrade.

Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.

Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.

https://fedorahosted.org/freeipa/ticket/5267

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-01 08:51:44 +01:00
Martin Basti
7f0d018c66 fix caching in get_ipa_config
Different opbject types were compared thus always result of comparation
was False and caching does not work.

https://fedorahosted.org/freeipa/ticket/5463

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-19 16:43:52 +01:00
Gabe
65e958fda4 Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
https://fedorahosted.org/freeipa/ticket/4023

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-22 08:00:16 +02:00
Jan Cholasta
198908ec78 ldap: Make ldap2 connection management thread-safe again
This fixes the connection code in LDAPClient to not store the LDAP connection
in an attribute of the object, which in combination with ldap2's per-thread
connections lead to race conditions resulting in connection failures. ldap2
code was updated accordingly.

https://fedorahosted.org/freeipa/ticket/5268

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-04 13:31:46 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Jan Cholasta
e39fe4ed31 plugable: Pass API to plugins on initialization rather than using set_api
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Petr Vobornik
7d10547ae3 allow to call ldap2.destroy_connection multiple times
A regression fix.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-05-07 18:13:57 +02:00
Petr Vobornik
4364ac08c5 speed up indirect member processing
the old implementation tried to get all entries which are member of group.
That means also user. User can't have any members therefore this costly
processing was unnecessary.

New implementation reduces the search only to entries which have members.

Also page size was removed to avoid paging by small pages(default size: 100)
which is very slow for many members.

https://fedorahosted.org/freeipa/ticket/4947

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-27 05:55:04 +00:00
Jan Cholasta
955885d8d9 ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-04-16 06:58:31 +00:00
Jan Cholasta
e1f7bcfbea ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-04-16 06:58:31 +00:00
Jan Cholasta
32505157ea ldap: Use LDAPClient bind and unbind methods in ldap2
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-04-16 06:58:31 +00:00
Jan Cholasta
8f263df245 ldap: Use LDAPClient connection management in ldap2
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-04-16 06:58:31 +00:00
Jan Cholasta
02e1ebe07c ldap: Add connection management to LDAPClient
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-04-16 06:58:31 +00:00
Martin Basti
b92136cba2 Fix ldap2 shared connection
Since API is not singleton anymore, ldap2 connections should not be
shared by default.

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-02 12:26:04 +00:00
Jan Cholasta
d7ef7e1ca0 ldap2: Use self API instance instead of ipalib.api
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-03-05 11:01:36 +01:00
Petr Viktorin
73b2d0a81d ldap2 indirect membership processing: Use global limits if greater than per-query ones
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.

For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.

https://fedorahosted.org/freeipa/ticket/4398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-14 16:04:58 +02:00
Nathaniel McCallum
14b38b7704 Add /session/token_sync POST support
This HTTP call takes the following parameters:
 * user
 * password
 * first_code
 * second_code
 * token (optional)

Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.

https://fedorahosted.org/freeipa/ticket/4218

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 15:55:24 +02:00
Petr Vobornik
7fca783ec5 ldap2: add otp support to modify_password
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Jan Cholasta
8b8774d138 Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
4f89decc9a ldap2.has_upg: Raise an error if the UPG definition is not found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-29 16:22:37 +02:00
Petr Viktorin
988b2cebf4 ldap2.find_entries: Do not modify attrs_list in-place
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-26 12:39:33 +02:00
Jan Cholasta
792c3f9c8c Always use real entry DNs for memberOf in ldap2.
https://fedorahosted.org/freeipa/ticket/4192

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-24 14:30:23 +01:00
Jan Cholasta
d6c3d3f57a Store old entry state in dict rather than LDAPEntry.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
bc3f3381c6 Convert remaining backend code to LDAPEntry API. 2013-12-16 14:44:19 +01:00
Jan Cholasta
4050e553c3 Remove unused method get_api of the ldap2 plugin.
https://fedorahosted.org/freeipa/ticket/3971
2013-11-27 13:46:42 +01:00
Jan Cholasta
97445b2df3 Refactor indirect membership processing.
A single LDAP search is now used instead of one search per member.

https://fedorahosted.org/freeipa/ticket/3971
2013-11-27 13:46:42 +01:00