Commit Graph

934 Commits

Author SHA1 Message Date
Jan Zeleny
1e9f923c49 Code cleanup
This patch removes two files which seem to be long obsoleted and not
used any more.
2011-02-15 15:50:36 -05:00
Rob Crittenden
cb48ec3508 Ignore case when removing group members.
ticket 944
2011-02-14 10:22:28 -05:00
Rob Crittenden
275998f6bd Add support for tracking and counting entitlements
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
2011-02-02 10:00:38 -05:00
Pavel Zuna
c9ab92f210 Add ldap2 method to retrieve allowed attributes for specified objectClasses.
ldap2.get_allowed_attribute(['posixuser'])

returns a list of unicode all lower case attribute names allowed
for the object class 'posixuser'
2011-01-26 11:38:58 -05:00
Jakub Hrozek
ab2ca8022e Fix assorted bugs found by pylint 2011-01-25 14:01:36 -05:00
Rob Crittenden
fc28fae03f Add some basic filter validation to permissions and disallow empty filters
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.

ticket 808
2011-01-21 10:47:43 -05:00
Simo Sorce
da7eb1155e Move mep templates under cn=etc
Fixes: https://fedorahosted.org/freeipa/ticket/760
2011-01-14 14:06:56 -05:00
Rob Crittenden
6785283568 python-ldap fails gloriously if the search time limit is 0. Don't allow it.
Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.

ticket 752
2011-01-14 09:48:07 -05:00
Rob Crittenden
c7789199f9 Fix output of failed managedby hosts, allow a host to manage itself.
The output problem was a missing label for failed managedby.

This also fixes a call to print_entry that was missing the flags argument.

Add a flag to specify whether a group can be a member of itself, defaulting
to False.

ticket 708
2011-01-11 10:23:31 -05:00
Rob Crittenden
371ce528fb Enable low-level LDAP debugging. 2011-01-11 10:22:09 -05:00
Rob Crittenden
4f2a6e0a25 Don't use Class of Service for account activation, use attribute.
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.

Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.

ticket 568
2011-01-04 17:09:56 -05:00
Simo Sorce
1cf67fe850 Remove common entries when deleting a master.
Fixes: https://fedorahosted.org/freeipa/ticket/550
2010-12-21 17:28:13 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Pavel Zuna
8bd9f1333f Fix search filter generator in ldap2 for NOT operator.
Search filters generated from attributes with multiple values
were incorrect when the NOT operator was used (ldap.MATCH_NONE).
2010-12-08 14:30:47 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Rob Crittenden
4f6d83e9e5 Ensure list of attrs to retrieve is unique, optimize getting indirect members
This fixes search where we were asking for the member attribute 10 or more
times.

When retrieving indirect members make sure we always pass around the
size and time limits so we don't have to look it up with every call to
find_entries()

ticket 557
2010-12-06 11:43:56 -05:00
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00
Rob Crittenden
fcf3cbbe8b Fix NotFound exception in ipa-nis-manage.
The signature of ldap2.get_entry() changed so normalize wasn't being
handled properly so the basedn was always being appended causing our
entry in cn=config to be not found.

ticket 414
2010-11-09 13:33:04 -05:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Adam Young
b4655f1119 find_entries param
Fixes a bug where find_entries was not passed a parameter for filter.
Instead of fixing the call point, this patch adds a defaulty value for the parameter,
so that they can all be passed by name.
2010-10-25 15:21:44 -04:00
Pavel Zuna
5dcf011363 Add fail-safe defaults to time and size limits in ldap2 searches. 2010-10-22 19:53:08 -04:00
Pavel Zuna
dff2ff8300 Disallow RDN change and single-value bypass using setattr/addattr.
When setting or adding an attribute wiht setatt/addattr check to
see if there is a Param for the attribute and enforce the multi-value.
If there is no Param check the LDAP schema for SINGLE-VALUE.

Catch RDN mods and try to return a more reasonable error message.

Ticket #230
Ticket #246
2010-10-18 14:44:42 -04:00
Rob Crittenden
3703062ab2 Use consistent, specific nickname for the IPA CA certificate.
Also fix some imports for sha. We have a compat module for it, use it.

ticket 181
2010-10-01 13:37:34 -04:00
Rob Crittenden
c298560a1e Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration.
We lacked good error messages if the user/group container you used doesn't
exist.

Add a --continue option so things can continue if you use a bad user/group
container. This has the side-effect of letting you migrate just users or
groups by using a bad container for the one you don't want.

Fix a Gettext() error when displaying the migrated password message.

ticket 289
2010-09-28 13:39:28 -04:00
Rob Crittenden
38b8532696 Handle search_ext() returning ldap.SUCCESS
In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS.
The search actually was fine and returned data but an exception was returned
and handled (though we didn't know what to do with it). This patch
lets it continue along.

ticket 285
2010-09-28 13:35:41 -04:00
Rob Crittenden
5b3d0f568a Add some tests for using the ldap2 Backend.
Fix a logic problem in ldap2:get_schema() for determining if it
can fetch the schema or not. Normally we only want to do this for servers
but if you pass in your own connection it will use that.
2010-09-24 15:40:56 -04:00
Rob Crittenden
0a47351fd6 Allow the schema to be set once an ldap connection is locked.
When making LDAP calls via api.Backend.ldap2 the ldap2 object will already
be locked by the api.finalize() call. So the first time that
api.Backend.ldap2.connect() is called an error would be thrown that
self.schema cannot be set because the object is ReadOnly. This uses the
documented procedure for working around this lock.

This was preventing the DNS installation to proceed.

ticket #188
2010-09-09 09:05:16 -04:00
Rob Crittenden
6049a25848 Make ldap2 class work as a client library as well.
Move the user-private group caching code out of the global config and
determine the value the first time it is needed.

Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.

Moved the global get_syntax() into a class method so that a schema
can be passed in.

If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credntials needed for
binding).

ticket 63
2010-09-07 15:38:46 -04:00
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
6befd08973 Fix reference to _handle_errors() in remove_principal_key()
It incorrectly was trying to call the class method _handle_errors() instead
of the global function.
2010-08-10 15:03:11 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
18476c9538 Use newer API in ipalib/x509 and add missing import.
The import was only used when running the in-tree lite-server
2010-07-15 11:17:58 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Rob Crittenden
1d635090cb Use the certificate subject base in IPA when requesting certs in certmonger.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
2010-04-23 04:57:40 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
70049496e3 Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
2010-04-19 10:04:25 -04:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00
John Dennis
b75d06e189 localize doc strings
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()

Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.

Also clean up imports of _() The import should come from
ipalib or ipalib.text, not ugettext from request.
2010-03-08 21:10:36 -07:00
Jason Gerard DeRose
942919bef7 Consolidate to single WSGI entry point 2010-03-01 20:21:38 -07:00
Pavel Zuna
3785ec49ab Convert integer and boolean values to unicode, don't leave them as str. 2010-02-17 10:56:08 -05:00
Rob Crittenden
8a4ab2a0e5 Move the HTTP/S request code to a common library
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.

These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
2010-02-09 03:26:01 -07:00
John Dennis
487e1cadc8 fix error message to be i18n translator friendly
This error message was producing a warning from xgettext
because there were multiple substations in the string.
In some languages it may be necessary to reorder the
substitutions for a proper translation, this is only
possible if the substitutions use named values.
2010-02-03 14:43:31 -05:00
Rob Crittenden
dc55240fe8 Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
2010-02-02 14:02:46 -05:00
Rob Crittenden
b7cda86697 Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required but will attempt to re-do the
handshake to make this happen which will fail with newer versions of NSS.
2010-01-27 17:01:26 -05:00
Pavel Zuna
c092f3780d Fix schema loading in the ldap backend. 2010-01-27 16:24:20 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
8376979aa7 Allow cospriority to be updated and fix description of priority ordering
Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
2010-01-19 17:02:13 -05:00
Pavel Zuna
e1c1f077c0 Improve modlist generation in ldap2. Some code cleanup as bonus.
ldap2._generate_modlist now uses more sophisticated means to decide
when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE.

MOD_REPLACE is always used for single value attributes and never
for multi value.
2010-01-11 12:27:04 -07:00
Rob Crittenden
b8016807eb Use the caIPAserviceCert profile for issuing service certs.
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.

This is the first step of allowing the subject to be set at
installation time.

Also fix 2 more issues related to the return results migration.
2010-01-08 13:36:16 -07:00
Rob Crittenden
c3f9ec14d9 Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
2009-12-16 19:26:59 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
John Dennis
ee909d871c rebase dogtag clean-up patch 2009-12-09 01:57:08 -07:00
Pavel Zuna
f3bd9bfb59 Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it. 2009-12-02 13:04:00 +01:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
John Dennis
ce3df4f74a Make NotImplementedError in rabase return the correct function name
ipaserver/plugins/rabase.py |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
2009-11-19 16:18:45 -05:00
Rob Crittenden
6e5c15b1db Gracefully handle a valid kerberos ticket for a deleted entry.
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
2009-11-19 14:37:41 -05:00
Pavel Zuna
f5d63dbecc Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.
Previously we only filtered None values, but it turns out that's not enough.
2009-11-18 14:34:16 -05:00
Rob Crittenden
bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
Jason Gerard DeRose
c4b7b70636 Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
Rob Crittenden
725656119c Remove a bunch of unused imports, general cleanup 2009-10-25 22:54:55 -06:00
Rob Crittenden
aa2183578c Add can_add() and can_delete() GER helpers 2009-10-21 03:11:45 -06:00
Jason Gerard DeRose
f58ff2921d Giant webui patch take 2 2009-10-13 11:28:00 -06:00
Rob Crittenden
aa7792a000 Add option to not normalize a DN when adding/updating a record.
The KDC ldap plugin is very picky about the format of DNs. It does
not allow spacing between elements so we can't normalize it.
2009-10-05 12:57:31 -06:00
Rob Crittenden
0d70c68395 Fix aci plugin, enhance aci parsing capabilities, add user group support
- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
  in the regex altogether. This now lets us handle all current ACIs in IPA
  (some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
  can write attributes x,y,z in group B). It is actually quite a lot more
  flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin
2009-09-28 22:27:42 -06:00
Rob Crittenden
e4877c946f Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

525303
2009-09-28 22:17:01 -06:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
4f4d57cd30 Use the same variable name in the response as the dogtag plugin 2009-09-24 17:42:26 -04:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Rob Crittenden
eca7cdc94a Raise more specific error when an Objectclass Violation occurs Fix the virtual plugin to work with the new backend 2009-09-14 09:46:39 -04:00
Rob Crittenden
2c3bca7e74 Remove deprecated comment on plugin naming conventions 2009-09-14 09:46:35 -04:00
Pavel Zuna
356375ef18 Make ldap2.add_entry proof to None values, because python-ldap hate'em. 2009-09-08 13:38:25 -04:00
Pavel Zuna
91d01a532a Introduce a list of attributes for which only MOD_REPLACE operations are generated. 2009-08-28 13:18:21 -04:00
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
Pavel Zuna
b4d173d844 Fix bug in _get_syntax (it was always returning None).
Also prevent a few cases of double processing of arguments.
2009-08-03 23:01:44 -06:00
Pavel Zuna
3b613091bb Import explode_dn from ldap.functions for backward compatibility with older version of python-ldap. Fix bug in add_entry_to_group.
Resolves 510149
2009-07-08 12:15:58 -04:00
Rob Crittenden
45a40635bb Add class variable to indicate whether SSL is required or not.
Older python-ldap versions will crash if you call ldap.get_option()
on a value that has not been set.
2009-07-07 22:57:23 -04:00
Pavel Zuna
f59cab1ccd Fix bug in ldap2.modify_password and make adding/removing members slightly more efficient. 2009-07-07 22:56:56 -04:00
Pavel Zuna
79ac9c6c78 Add conversion of attribute name synonyms when generating modlists. 2009-06-15 13:11:44 -04:00
Pavel Zuna
ad54fc3399 Add support for incomplete (truncated) search results.
ldap2.find_entries now returns a tuple containing 2 values. First,
a list of entries (dn, entry_attrs), Second, the truncated flag. If
the truncated flag is True, search results hit a server limitation
and are incomplete.

This patch also removes decoding of non-string scalar python types into
unicode (they are left unchanged).
2009-06-15 11:18:55 -04:00
Pavel Zuna
6e84f08143 Fix bugs in ldap2. 2009-06-12 15:10:57 -04:00
Pavel Zuna
87bfd6b21a Fix bug in ldap2.normalize_dn.
DN was always returned as lower-case, sometimes resulting in 2 RDN values with different cases when creating entries.
2009-06-10 11:51:15 -04:00
Pavel Zuna
85bc20b0df Make it easier to search for a single entry by attribute value (find_entry_by_attr). Fix minor search filter generation issues. 2009-05-26 13:40:46 -04:00
Pavel Zuna
708fe4dfe5 Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 base classes and use encode_args/decode_retval where applicable. 2009-05-22 15:58:00 -06:00
Rob Crittenden
762d38a734 Fix password setting on python 2.4 systems (it doesn't like None for oldpw) 2009-05-21 22:43:10 -04:00
Rob Crittenden
e5bec4ae39 Schema change so the nisnetgroup triples work properly.
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
2009-05-19 09:54:17 -04:00
Rob Crittenden
252e9b61eb Fix a comment and some typos 2009-05-13 14:18:01 -04:00
Pavel Zuna
8eabf068fb Make search filter generation a bit safer. Minor bug fixes/code improvements. 2009-04-30 16:17:44 -04:00
Pavel Zuna
24790748fe Add method to generate DN from attribute directly, without making RDN first. 2009-04-30 13:27:49 -04:00
Rob Crittenden
b7438c3da2 Use XML rather than string routines to handle response from dogtag Remove trailing CR/LF from the password file 2009-04-28 17:16:18 -04:00
Pavel Zuna
7d0bd4b895 Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
Pavel Zuna
5fa7c76f72 Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore. 2009-04-23 10:23:28 -04:00
Pavel Zuna
32ad0ab011 Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add member to a group. 2009-04-22 15:18:51 -04:00
Pavel Zuna
9943b80841 Change ldap2.__handle_errors into the global _handle_errors function. 2009-04-22 15:17:32 -04:00
Pavel Zuna
58c10898c7 Make it possible to construct partial match filters using make_filter_* methods. Add missing _sasl_auth variable. 2009-04-22 15:17:28 -04:00
Rob Crittenden
cf8ed7b77a Convert the RA plugin to use nsslib and remove the configure methods 2009-04-20 14:01:24 -04:00
Rob Crittenden
fdf03cb07b Remove unwanted white space 2009-04-20 13:59:41 -04:00
Rob Crittenden
64fa3dd4c3 Finish work replacing the errors module with errors2
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
2009-04-20 13:58:26 -04:00
Rob Crittenden
ab73041174 Renaming the backend ldap plugin to ldapapi.py to prevent module import issues 2009-04-06 13:52:32 -04:00
Pavel Zuna
82bc30d17e Use full OID for LDAP SYNTAX identification. Don't convert Booleans and Integers into respective python types as their ranges might not match. Rename module-scope functions. 2009-04-06 11:23:25 -04:00
root
dc3547cd7b Add new LDAP backend plugin. 2009-04-03 14:08:13 -04:00
Rob Crittenden
484eff1016 Implement an installer for the Dogtag certificate system.
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.

What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs

What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
2009-04-03 14:06:09 -04:00
Jason Gerard DeRose
a6294ba041 Renamed remaining plugins still using f_* b_* convention 2009-04-01 10:34:57 -04:00
Rob Crittenden
cf09aab18b Allow a search using only the exact search filter 2009-03-25 11:02:52 -04:00
Rob Crittenden
be0cac932a Update objectclasses for groups, by default not posix groups.
This change depends on DS bugs 487574 and 487725. Groups cannot be
promoted properly without these fixed. It will fail with an
Object Class violation because gidNumber isn't set.
2009-02-27 23:18:19 -05:00
Jason Gerard DeRose
7e23ee7cc6 Removed 'Assert False' that was mistakingly left in cert.py; small cleanup in cert.py and ra.py imports 2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
4ab133c3cb Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this 2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
e0fe732318 Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
0e6e11d2e3 Cleaned up ra.revoke_certificate() and ra.take_certificate_off_hold(); added more tests in integration.py 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
80df8f6e15 Some cleanup in ra.request_certificate() 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
1518772d75 More work on ra.check_request_status() and ra.get_certificate() 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
97c04c491b Continued cleanup cert/ra plugins 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
d7a1e61da3 Fixed a few problems in ra.py backend plugin 2009-02-17 16:03:09 -05:00
Jason Gerard DeRose
a8c3f054d4 Started cleanup work on ra plugin; fixed problem in api.bootstrap() when process does not have permision to open log file 2009-02-17 16:03:08 -05:00
Jason Gerard DeRose
ad901da259 Renamed b_ra.py plugin module to ra.py 2009-02-17 16:03:08 -05:00
Rob Crittenden
2df3ef411d Fix AttributeError on python 2.4 when referencing _ldap.dn 2009-02-13 14:12:34 -05:00
Jakub Hrozek
ee87a281b5 Add make_xxx_dn routines for policy 2009-02-10 14:10:35 -05:00
Jakub Hrozek
9fe026b47d Fix the default search scope 2009-02-10 14:10:12 -05:00
Jakub Hrozek
58ae191a5a Allow specifying search scope in {ldap,servercore}.search 2009-02-09 13:13:18 -05:00
Jason Gerard DeRose
c2b0c80140 Started work on a much simplified mod_python server 2009-02-03 15:29:05 -05:00
Jason Gerard DeRose
0211c76cd0 Fixed some of the test_xmlrpc unit tests 2009-02-03 15:29:05 -05:00
Rob Crittenden
5717c9d668 Applied Rob's errors patch 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
a0aebd46a1 Got new ldap connection working using Connectible.connect() 2009-02-03 15:29:04 -05:00
Jason Gerard DeRose
db0168f7af Started reworking CLI class into cli plugin 2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
0cfb0e191a Removed the depreciated Context and LazyContext classes 2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
9f48612a56 Sundry work getting ready to switch to new XML-RPC client/server code 2009-02-03 15:29:00 -05:00
Rob Crittenden
e4b9be209e Make the membership attribute an argument and add new method entry.delAttr()
We need a way to say "this attribute is blank, delete it." delAttr does this.

There are now several attributes to which we add "members" to so make the
attribute for storing members configurable, defaulting to 'member'
2009-01-19 10:40:11 -05:00
Jakub Hrozek
1d1a44bd70 Fix typo in b_ra: elf.ca_port -> self.ca_port 2009-01-12 19:32:59 +01:00
Jason Gerard DeRose
5e6ea11178 Fixed ldap and ra plugin 'name'e' problem 2009-01-08 15:35:01 -07:00
Jason Gerard DeRose
7442ad2e27 Renamed ipa_server/ to ipaserver/ and tests/test_ipa_server/ to tests/test_ipaserver 2009-01-04 18:44:16 -07:00