When modifing the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
The messages module contains message classes that can be added
to a RPC response to provide additional information or warnings.
This patch adds only the module with a single public message,
VersionMissing, and unit tests.
Since message classes are very similar to public errors, some
functionality and unit tests were shared.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732https://fedorahosted.org/freeipa/ticket/3294
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_findhttps://fedorahosted.org/freeipa/ticket/2528
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
Move the parser setup from bootstrap_with_global_options to bootstrap,
so all API objects have access to it.
Add some CLI tests for the help system.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
This avoids the problem with ambiguous command/topic names.
No functionality is changed; `ipa help <COMMAND>` still works as before
if there's no topic with the same name.
https://fedorahosted.org/freeipa/ticket/3247
Make `ipa -h` and `ipa help` output the same message.
Since `ipa -h` output is generated by the OptionParser, we need to make
the parser available. Store it in `api.parser`.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
Whenever a command is used incorrectly, it should output
an error message (and possibly additional help) to stderr.
This patch adds a parameter to a bunch of places to allow
selecting either stdout or stderr for help output, and makes
badly called commands output to stderr only.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
Fix the usage string to match actual usage.
Add command description.
Put information about `ipa help topics` etc. to the epilog,
instead of using empty option groups. Use a custom formatter
to preserve newlines.
Add the -h/--help option manually to ensure consistent case
(capital S).
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.
https://fedorahosted.org/freeipa/ticket/3133
Add correct labeling of matched/nonmatched output attributes. Also
make sure that "\" is not interpreted as newline escape character
but really as a "\" character.
How this works:
1. When a trusted domain user is tested, AD GC is searched
for the user entry Distinguished Name
2. The user entry is then read from AD GC and its SID and SIDs
of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search IPA LDAP database to find
all external groups which have any of these SIDs as external
members
4. All these groups having these groups as direct or indirect
members are added to hbactest allowing it to perform the search
LIMITATIONS:
- only Trusted Admins group members can use this function as it
uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
of the trusted domain
https://fedorahosted.org/freeipa/ticket/2997
When group-add-member does not receive any resolved trusted domain
object SID, it raises an exception which hides any useful error
message passed by underlying resolution methods. Remove the exception
to reveal this error messages to user.
https://fedorahosted.org/freeipa/ticket/2997
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.
Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.
https://fedorahosted.org/freeipa/ticket/2997
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/3333
Add new users to the default users group in batches of 100. The
biggest overhead of migration is in calculating the modlist when
managing the default user's group and applying the changes. A
significant amount of time can be saved by not doing this on every
add operation.
Some other minor improvements include:
Add a negative cache for groups not found in the remote LDAP server.
Replace call to user_mod with a direct LDAP update.
Catch some occurances of LimitError and handle more gracefully.
I also added some debug logging to report on migration status and
performance.
https://fedorahosted.org/freeipa/ticket/3386
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.
IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.
https://fedorahosted.org/freeipa/ticket/3372
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.
https://fedorahosted.org/freeipa/ticket/3379
Check to see if NSS is initialized before trying to do so again.
If we are temporarily creating a certificate be sure to delete it in order
to remove references to it and avoid NSS shutdown issues.
In the certificate load validator shut down NSS if we end up initializing
it. I'm not entirely sure why but this prevents a later shutdown issue
if we are passed the --ca-cert-file option.
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Target Group parameter was not processed correctly which caused
permission-find to always crash when this search parameter was used.
Fix the crash and create a unit test case to avoid future regression.
https://fedorahosted.org/freeipa/ticket/3335
A wrong way of handling --group DN object caused Internal Error
for this command. Fix that and also provide unit tests to avoid
another regression.
https://fedorahosted.org/freeipa/ticket/3311
When multiple servers are avilable we were simply suppressing information on
why a connection failed.
Log it as 'info' so that it is possible to diagnose issues more easily.
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.
https://fedorahosted.org/freeipa/ticket/3171
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.
https://fedorahosted.org/freeipa/ticket/2981
In summary this patch does:
* Follow the defined rules for cookies when:
- receiving a cookie (process the attributes)
- storing a cookie (store cookie + attributes)
- sending a cookie
+ validate the cookie domain against the request URL
+ validate the cookie path against the request URL
+ validate the cookie expiration
+ if valid then send only the cookie, no attribtues
* Modifies how a request URL is stored during a XMLRPC
request/response sequence.
* Refactors a bit of the request/response logic to allow for making
the decision whether to send a session cookie instead of full
Kerberous auth easier.
* The server now includes expiration information in the session cookie
it sends to the client. The server always had the information
available to prevent using an expired session cookie. Now that
expiration timestamp is returned to the client as well and now the
client will not send an expired session cookie back to the server.
* Adds a new module and unit test for cookies (see below)
Formerly we were always returning the session cookie no matter what
the domain or path was in the URL. We were also sending the cookie
attributes which are for the client only (used to determine if to
return a cookie). The attributes are not meant to be sent to the
server and the previous behavior was a protocol violation. We also
were not checking the cookie expiration.
Cookie library issues:
We need a library to create, parse, manipulate and format cookies both
in a client context and a server context. Core Python has two cookie
libraries, Cookie.py and cookielib.py. Why did we add a new cookie
module instead of using either of these two core Python libaries?
Cookie.py is designed for server side generation but can be used to
parse cookies on the client. It's the library we were using in the
server. However when I tried to use it in the client I discovered it
has some serious bugs. There are 7 defined cookie elements, it fails
to correctly parse 3 of the 7 elements which makes it unusable because
we depend on those elements. Since Cookie.py was designed for server
side cookie processing it's not hard to understand how fails to
correctly parse a cookie because that's a client side need. (Cookie.py
also has an awkward baroque API and is missing some useful
functionality we would have to build on top of it).
cookielib.py is designed for client side. It's fully featured and obeys
all the RFC's. It would be great to use however it's tightly coupled
with another core library, urllib2.py. The http request and response
objects must be urllib2 objects. But we don't use urllib2, rather we use
httplib because xmlrpclib uses httplib. I don't see a reason why a
cookie library should be so tightly coupled to a protocol library, but
it is and that means we can't use it (I tried to just pick some isolated
entrypoints for our use but I kept hitting interaction/dependency problems).
I decided to solve the cookie library problems by writing a minimal
cookie library that does what we need and no more than that. It is a
new module in ipapython shared by both client and server and comes
with a new unit test. The module has plenty of documentation, no need
to repeat it here.
Request URL issues:
We also had problems in rpc.py whereby information from the request
which is needed when we process the response is not available. Most
important was the requesting URL. It turns out that the way the class
and object relationships are structured it's impossible to get this
information. Someone else must have run into the same issue because
there was a routine called reconstruct_url() which attempted to
recreate the request URL from other available
information. Unfortunately reconstruct_url() was not callable from
inside the response handler. So I decided to store the information in
the thread context and when the request is received extract it from
the thread context. It's perhaps not an ideal solution but we do
similar things elsewhere so at least it's consistent. I removed the
reconstruct_url() function because the exact information is now in the
context and trying to apply heuristics to recreate the url is probably
not robust.
Ticket https://fedorahosted.org/freeipa/ticket/3022
When user from other realm than FreeIPA's tries to use Web UI
(login via forms-based auth or with valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.
Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.
https://fedorahosted.org/freeipa/ticket/3252
The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially
forwarders should not be recommended by only be option of last resort.
Fixes https://fedorahosted.org/freeipa/ticket/3261
Web UI part of 'disable global forwaring per zone' effort.
Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy.
https://fedorahosted.org/freeipa/ticket/3209
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.
Few lines to help added to explain the feature to users too.
https://fedorahosted.org/freeipa/ticket/3209
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change would occur is update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.
https://fedorahosted.org/freeipa/ticket/3180
Instructions to generate certificate were simplified.
New instructions:
1) Create a certificate database or use an existing one. To create a new database:
# certutil -N -d <database path>
2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
# certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:
https://fedorahosted.org/freeipa/ticket/3056
When long additional text should follow the error message, one can
supply instructions parameter to a class derived from PublicError.
This will cause following text added to the error message:
Additional instructions:
<additional text>
`instructions' optional parameter could be a list or anything that coerces
into unicode(). List entries will be joined with '\n'.
https://fedorahosted.org/freeipa/ticket/3167
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.
https://fedorahosted.org/freeipa/ticket/3147
Establishing trust implies discovery of the trusted domain's domain controller via DNS.
If DNS discovery is not possible, NotFound exception is raised.
Intercept the exception and process it to help diagnose and fix actual problem:
- if IPA is managing DNS, suggest to make a forward for the domain's zone
- otherwise suggest to setup DNS forwarder at upstream DNS server
https://fedorahosted.org/freeipa/ticket/3103
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].
Old configuration method was moved to ssbrowser.html.
Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.
The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
This patch addresses two issues:
1. If a client is previously enrolled in an IPA server and the server
gets re-installed then the client machine may still have a keyring
entry for the old server. This can cause a redirect from the
session URI to the negotiate one. As a rule, always clear the keyring
when enrolling a new client.
2. We save the NSS dbdir in the connection so that when creating a new
session we can determine if we need to re-initialize NSS or not. Most
of the time we do not. The dbdir was not always being preserved between
connections which could cause an NSS_Shutdown() to happen which would
fail because of existing usage. This preserves the dbdir information when
a new connection is created as part of the session mechanism.
https://fedorahosted.org/freeipa/ticket/3108
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.
Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.
https://fedorahosted.org/freeipa/ticket/3106
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.
https://fedorahosted.org/freeipa/ticket/3098
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.
https://fedorahosted.org/freeipa/ticket/3097
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.
Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).
https://fedorahosted.org/freeipa/ticket/2184
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.
Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
Do not print list of possible values as "%r" but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.
https://fedorahosted.org/freeipa/ticket/2869
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.
Fix this error and add a check for empty DNS labels to the validator
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.
https://fedorahosted.org/freeipa/ticket/2993
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.
Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).
https://fedorahosted.org/freeipa/ticket/2790
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).
https://fedorahosted.org/freeipa/ticket/3055
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.
Test case has been added to cover the new default.
https://fedorahosted.org/freeipa/ticket/2461
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.
Once trust is added, status of it is never stored anywhere.
https://fedorahosted.org/freeipa/ticket/2763
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch changes the ipa install code to integrate these changes.
https://fedorahosted.org/freeipa/ticket/2846
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.
Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.
https://fedorahosted.org/freeipa/ticket/2429
Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it.
Discovered after "Cast DNS SOA serial maximum boundary to long"
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983
Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object.
Label was changed to reflect that the key don't have to be plain base64 encoded blob.
https://fedorahosted.org/freeipa/ticket/2989
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.
Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.
Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.
ticket 2932, 2935
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.
Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.
https://fedorahosted.org/freeipa/ticket/2919
This patch is changing confirmation of actions according to ticket #3035, see the ticket description.
It does following changes:
* Confirmation of update action was removed.
* Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry.
* New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations.
https://fedorahosted.org/freeipa/ticket/3035
Numeric parameters in ipalib were limited by XMLRPC boundaries for
integer (2^31-1) which is too low for some LDAP attributes like DNS
SOA serial field.
Transfer numbers which are not in XMLRPC boundary as a string and not
as a number to workaround this limitation. Int parameter had to be
updated to also accept Python's long type as valid int type.
https://fedorahosted.org/freeipa/ticket/2568
There were following problems:
1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string.
2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended.
https://fedorahosted.org/freeipa/ticket/3052
Notification of success was added to:
* details facet: update
* association facet and association widget: add, delete items
* attribute facet: delete items (notification of add should be handled in entity adder dialog)
* sudo rule: add, remove option
* dnsrecord: add, update, delete
https://fedorahosted.org/freeipa/ticket/2977
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.
https://fedorahosted.org/freeipa/ticket/3039
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.
In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.
Use ScriptError instead of NotFoundError in bindinstance install.
https://fedorahosted.org/freeipa/ticket/1953
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.
* Moved the code in del_user to the common subroutine
check_protected_member() and call it from both user_del and
user_disable. Note, unlike user_del user_disable does not have a
'pre' callback therefore the check function is called in
user_disable's execute routine.
* Make check_protected_member() aware of disabled members. It's not
sufficient to check which members of the protected group are
present, one must only consider those members which are enabled.
* Add tests to test_user_plugin.py.
- verify you cannot delete nor disable the last member of the admin
group
- verify when the admin group contains disabled users in addition to
enabled users only the enabled users are considered when
determining if the last admin is about to be disabled or deleted.
* Replace duplicated hardcoded values in the tests with variables or
subroutines, this makes the individual tests a bit more succinct and
easier to copy/modify.
* Update error msg to reflect either deleting or disabling is an error.
https://fedorahosted.org/freeipa/ticket/2979
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.
The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).
It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.
Patch also introduces new unit test to verify.
https://fedorahosted.org/freeipa/ticket/2264
User was not notified about success of actions executed from action list, action panel or facet cotrol bar.
This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation).
This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked.
This call is used(directly or indirectly) in:
* search facets: delete, disable, enable actions
* details facets: delete action
* user details facet: reset password action
* host details facet: unprovision, set OTP actions
* service details facet: unprovision action
* host and service details facet: request, revoke, restore certificates actions
* group details facet: change to POSIX/external actions
* dns zone details facet: add/remove permission actions
https://fedorahosted.org/freeipa/ticket/2977
Even though managedBy output parameter was only used for failed host
managedBy memberships, it was defined in global baseldap.py
classes. Incorrect label was then being displayed also for DNS zone
per-zone permission attribute with the same name.
Move managedBy output parameter to host plugin. Define proper managedBy
output parameter in DNS plugin to improve clarity of this attribute.
https://fedorahosted.org/freeipa/ticket/2946
Group can be normal, posix and external. Posix checkbox was removed and was replaced by radio for selecting group type. This adds possibility of adding of external group.
https://fedorahosted.org/freeipa/ticket/2895
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670https://fedorahosted.org/freeipa/ticket/1671https://fedorahosted.org/freeipa/ticket/1672https://fedorahosted.org/freeipa/ticket/1673https://fedorahosted.org/freeipa/ticket/1674https://fedorahosted.org/freeipa/ticket/1392https://fedorahosted.org/freeipa/ticket/2872
Following options were added to Web UI
* PAC Type in service
* PAC Type in configuration
Testing metadata for objects and commands were regenerated.
https://fedorahosted.org/freeipa/ticket/2958
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).
One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.
https://fedorahosted.org/freeipa/ticket/2938https://fedorahosted.org/freeipa/ticket/2940
User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return "Key has been revoked".
Wrap the operations in a try/except so we can ignore keyring failures.
This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.
https://fedorahosted.org/freeipa/ticket/2880
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN
This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
as the domain we are establishing trust to, and then user name
is taken, together with short domain name taken from a discovered
record from the AD DC
Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.
https://fedorahosted.org/freeipa/ticket/2864
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.
Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.
https://fedorahosted.org/freeipa/ticket/2601
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.
However, since correct range size is not known, we should at least
warn that a range with invalid size was created so that user can
amend it.
https://fedorahosted.org/freeipa/ticket/2892
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.
iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
This patch adds support for new per-domain permissions to Web UI.
User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.
For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.
Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.
New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.
https://fedorahosted.org/freeipa/ticket/2851
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.
Fix these problems. Update tests.
https://fedorahosted.org/freeipa/ticket/2874https://fedorahosted.org/freeipa/ticket/2901
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.
This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).
Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.
This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.
https://fedorahosted.org/freeipa/ticket/2437
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.
Make sure that the LDAPObject object_class list is not modified during
the __json__ method.
https://fedorahosted.org/freeipa/ticket/2906
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.
A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.
https://fedorahosted.org/freeipa/ticket/2375https://fedorahosted.org/freeipa/ticket/2610
Make permission commands not pass options that the underlying ACI commands
do not understand.
Update tests.
Remove some extraneous imports of the `copy` module.
https://fedorahosted.org/freeipa/ticket/2885
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
https://fedorahosted.org/freeipa/ticket/2625
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.
https://fedorahosted.org/freeipa/ticket/2664
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/2799
Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.
https://fedorahosted.org/freeipa/ticket/2800
We only checked the length of Command output dictionaries. A misspelled
key in would not be caught.
Fix the problem by checking if the sets of keys are equal.
Add a test. Split the test methods into more manageable pieces.
https://fedorahosted.org/freeipa/ticket/2860
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.
Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.
Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.
Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).
https://fedorahosted.org/freeipa/ticket/2509
Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.
Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
* exponential: when False, decimal number is normalized to its
non-exponential form
* numberclass: a set of allowed decimal number classes
(e.g. +Infinity, -Normal, ...) that are enforced
for every Decimal parameter value
https://fedorahosted.org/freeipa/ticket/2705
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
exc_callback, pre_callback etc) were registered on every
instantiation.
Fix: Do not register callbacks in __init__; instead return the
method when asked for it.
- The calling code had to distinguish between bound methods and
plain functions by checking the 'im_self' attribute.
Fix: Always return the "default" callback as an unbound method.
Registered callbacks now always take the extra `self` argument,
whether they happen to be bound methods or not.
Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
looks up missing attributes in superclasses, callbacks could
get attached to a superclass if it was instantiated early enough. *
Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
Fix: Create generic register_callback and get_callback mehods,
move LDAP-specific code to BaseLDAPCommand
Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.
* https://fedorahosted.org/freeipa/ticket/2674
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.
https://fedorahosted.org/freeipa/ticket/2564
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
* mostly CLI specific option attribues are not send.
* attributes evaluated to false or None are not send
* options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.
In the end the raw amount of data send is aproximately the same.
This patch is needed for Web UI to determine which option it can use in which commands.
https://fedorahosted.org/freeipa/ticket/2760
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.
User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.
https://fedorahosted.org/freeipa/ticket/2206
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for ACI-related plugins.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.
The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.
https://fedorahosted.org/freeipa/ticket/2320
This patch add support fo Action Lists.
Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.
Actions lists are defined on facet level. Facet header takes them from facet.
Action list options
actions: list of actions
state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.
State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
evaluate(record): should return string array which represents the state
get_description(): human readable representation of a state
Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.
action options:
name: string, required, name of the option
label: string, required, human readable name of the option
enable_cond: string array, states which need to be present in order to run this action
disable_cond: string array, states which must not be present in order to run this action
handler: function, contains action's logic
needs_confirm: boolean, default false, indicates if action needs user confirmation
confirm_msg: string, default generic message, human readable confirmation message.
Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.
In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.
https://fedorahosted.org/freeipa/ticket/2247
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.
Regression test included.
https://fedorahosted.org/freeipa/ticket/2706
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.
Use an empty list instead of None (or other false falues, of which we
only use the empty list).
https://fedorahosted.org/freeipa/ticket/2681
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for the automount plugin and its tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.
https://fedorahosted.org/freeipa/ticket/1966
This reverts commit 1356988b7a.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.
This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.
Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.
https://fedorahosted.org/freeipa/ticket/2676
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).
Add some extra checks to existing exception callbacks.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.
Always display the enabled/disabled status.
Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.
https://fedorahosted.org/freeipa/ticket/2162
Ticket #2512
In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.
The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.
The fix is to use the correct variables.
At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.
https://fedorahosted.org/freeipa/ticket/2644
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.
This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
ldap2.find_entry_by_attr instead of NotFound error
This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.
https://fedorahosted.org/freeipa/ticket/2606
ticket #2566
When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.
This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.
https://fedorahosted.org/freeipa/ticket/2641
When dnsrecord-add or dnsrecord-mod commands are used on a root
zone record (it has a special name "@"), a zone name is returned
instead of a special name "@". This confuses DNS part of Web UI
which is then not able to manipulate records in the root zone
when these commands are used.
This patch fixes these 2 commands to return correct value when
a root zone is modified.
https://fedorahosted.org/freeipa/ticket/2627https://fedorahosted.org/freeipa/ticket/2628
Ticket #2555
We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.
* add parameter validation functions validate_dn_param() and
validate_rdn_param() to ipalib.util. Those functions simply invoke
the DN or RDN constructor from our dn module passing it the string
representation. If the constructor does not throw an error it's
valid.
* Add the parameter validation function pointers to the Param objects
in the migrate command.
* Make the usercontainer and groupcontainer parameters required.
passing --usercontainer= on the command line will produce
ipa: ERROR: 'user_container' is required
* Fix _get_search_bases() so if a container dn is empty it it just
uses the base dn alone instead of faulting (currently
bullet-proofing because now the containers are required).
* Update the doc for usercontainer and groupcontainer to reflect the
fact they are DN's not RDN's. A RDN can only be one level and it
should be possible to have a container more than one RDN removed
from the base.
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.
Minor changes:
Make netgroup-mod's NotFound message consistent with other objects
and methods.
In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.
https://fedorahosted.org/freeipa/ticket/2549
Problem:
In the Privilege page, can list Permissions. This "Shows Results" for "Direct
Membership". But there is an option to list this for "Indirect Membership"
also.
There isn't a way to nest permissions, so this option is not needed.
Solution:
This patch removes the memberofindirect_persmission definition from server plugin. It fixes the problem in Web UI.
https://fedorahosted.org/freeipa/ticket/2611
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.
Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.
https://fedorahosted.org/freeipa/ticket/2616
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.
https://fedorahosted.org/freeipa/ticket/2585
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.
Checkboxes were changed to radios.
https://fedorahosted.org/freeipa/ticket/2599
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.
The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.
https://fedorahosted.org/freeipa/ticket/2578
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.
https://fedorahosted.org/freeipa/ticket/2597
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).
The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
Migrated users don't get a private group, there is no safe way to verify
that the namespace is correct without redoing the uidnumber as well.
Verify that the GID at least points to a valid group on the remote server
and warn if it doesn't (this doesn't guarantee that the group gets migrated
but at least we try).
If the remote entry has no gidNumber then don't migrate that user. We
don't know why that user is non-POSIX, it could be a special user used
for auth, for example.
Add a loginshell if the remote user doesn't have one.
https://fedorahosted.org/freeipa/ticket/2562
When user does not pass a name of parent map in
automountmap-add-indirect command, auto.master is used as
a default. However, when auto.master does not exist in a given
location, we raise NotFound error with a name of a location instead
of a name of the missing automount map.
https://fedorahosted.org/freeipa/ticket/2387
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2448
'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.
For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.
Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447
These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.
To make this possible cli.run is broken up into several pieces.
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag to connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is
the case of "ipa-replica-manage del $MASTER" DNS cleanup), it
may reuse a positive flag from previous dnsrecord-del command
and delete the root DNS zone record and thus effectively delete
the zone.
This patch makes sure that this flag is always initialized to a
sane value in dnsrecord-del pre_callback to make sure that the DNS
zone is not deleted. It also fixes pre_callback function definition
to prevent adding attrs_list to "keys" parameter and thus confuse
developers.
https://fedorahosted.org/freeipa/ticket/2503
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.
This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.
All these use cases were also covered by new unit tests.
https://fedorahosted.org/freeipa/ticket/2551
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.
This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.
https://fedorahosted.org/freeipa/ticket/2550
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')
That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.
Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.
Also, document Param's csv arguments, and update tests.
https://fedorahosted.org/freeipa/ticket/2417https://fedorahosted.org/freeipa/ticket/2227
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
Add a support for new global options in bind-dyndb-ldap, that is:
* idnsforwardpolicy: Default policy for conditional forwarding
* idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
updates
* idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
https://fedorahosted.org/freeipa/ticket/2439
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]
https://fedorahosted.org/freeipa/ticket/2462
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.
https://fedorahosted.org/freeipa/ticket/1418
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
in_server controls how a method is dispatched, it should not also control
what plugins are imported.
This suppresses the error message "session memcached servers not running."
https://fedorahosted.org/freeipa/ticket/2499
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.
This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.
This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.
A non-working client was doing this when calling cert-request:
- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.
Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.
https://fedorahosted.org/freeipa/ticket/2498
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
raises an error and thus breaks the migration
This patch fixes both issues.
https://fedorahosted.org/freeipa/ticket/2508
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.
https://fedorahosted.org/freeipa/ticket/2484
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:
1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.
2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.
https://fedorahosted.org/freeipa/ticket/2386
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.
https://fedorahosted.org/freeipa/ticket/2382
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.
https://fedorahosted.org/freeipa/ticket/2418
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.
This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.
Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.
Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.
When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.
Fixes: http://fedorahosted.org/freeipa/ticket/2472
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.
'--with-compat' is new flag. If it is set, the compat status is ignored.
https://fedorahosted.org/freeipa/ticket/2274
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.
Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).
Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.
Add a test to ensure that nowhitespace is actually enforced.
https://fedorahosted.org/freeipa/ticket/2115
Related: https://fedorahosted.org/freeipa/ticket/2089
Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285https://fedorahosted.org/freeipa/ticket/1286https://fedorahosted.org/freeipa/ticket/1287
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.
This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.
As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.
https://fedorahosted.org/freeipa/ticket/2420
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.
This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.
https://fedorahosted.org/freeipa/ticket/2384
When an invalid record type is entered during dnsrecord-add
interactive mode, user is provided with a list of allowed values
(record types). However, the provided list contains also
unsupported record types (APL, DHCID, etc.) and any attempt to add
such records would end with error. This patch limits the list
to supported record types only.
https://fedorahosted.org/freeipa/ticket/2378
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.
New tests were also added to the unit-tests.
https://fedorahosted.org/freeipa/ticket/2293
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919https://fedorahosted.org/freeipa/ticket/2314
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.
New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.
https://fedorahosted.org/freeipa/ticket/2351
New attributes were added to DNS zone details facet.
Attributes:
idnsallowquery
idnsallowtransfer
idnsforwarders
idnsforwardpolicy
idnsallowsyncptr
New network address validator created for idnsallowquery and idnsallowtransfer attributes.
Network address validator also added to dnszone adder dialog - from_ip field.
https://fedorahosted.org/freeipa/ticket/2351
Improve AttrValueNotFound exception error message raised in the DNS
module when a deleted (modified) attribute value is not found
in a record. In order to be consistent with previous DNS module
implementation this error message should include an attribute
label instead of an attribute name.
https://fedorahosted.org/freeipa/ticket/2377
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.
* Reduced the default session_auth_duration from 1 hour to 20 minutes.
* Replaced the sesssion write_timestamp with the access_timestamp and
update the access_timestamp whenever the session data is created,
retrieved, or written.
* Modify set_session_expiration_time to handle both an inactivity
timeout and a fixed duration.
* Introduce KerberosSession as a mixin class to share session
duration functionality with all classes manipulating session data
with Kerberos auth. This is both the non-RPC login class and the RPC
classes.
* Update make-lint to handle new classes.
* Added session_auth_duration_type config item.
* Updated default.conf.5 man page for new session_auth_duration_type item.
* Removed these unused config items: mount_xmlserver,
mount_jsonserver, webui_assets_dir
https://fedorahosted.org/freeipa/ticket/2392
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.
This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.
https://fedorahosted.org/freeipa/ticket/2394
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.
This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):
ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse
This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).
Few modification were done to new DNS API to support this feature:
- Refactor --ip-address option handling from host-add and place it
to dns.py to be used by both modules
- Add support for "extra" per-type options
- Hide DNS record part options in dnsrecord_find command as they
have no effect for this command
https://fedorahosted.org/freeipa/ticket/2009
We verify user and group default objectclasses when changing them
to be sure that required objectclasses aren't being dropped. We need
to ignore virtual attributes or it will raise an error because they
aren't defined in schema.
https://fedorahosted.org/freeipa/ticket/2406
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.
As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.
This patch adds an API for this control.
https://fedorahosted.org/freeipa/ticket/2176
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.
https://fedorahosted.org/freeipa/ticket/2108
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
Deleting these would cause the IPA master to blow up.
For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.
https://fedorahosted.org/freeipa/ticket/2425
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.
The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.
A minor fix restores errors.py's ability print out the list of
errors when run as a script.
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
Fix wrong handling of strings in --setattr/--addattr/--delattr.
These changes make it possible to use Bytes in --setattr/--addattr/
--delattr without errors.
Fixes managing SSH keys on command-line
https://fedorahosted.org/freeipa/ticket/754
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
* hbacrule: Internationalize HBAC rule "all" category exceptions
https://fedorahosted.org/freeipa/ticket/2267
* hbactest: Use internationalized names (doc) instead of names
for output items
Also don't convert result to bool, `not` does it implicitly
* ipalib.output: Internationalize descriptions of some standard entries
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).
Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.
https://fedorahosted.org/freeipa/ticket/2332
The login shell had the same problem. Again this patch removes the
client-side default and adds a test.
Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
Convert from a freeform string into a enumeration.
Only values currently allowed are AllowLMhash and AllowNThash.
To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.
https://fedorahosted.org/freeipa/ticket/1433
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.
https://fedorahosted.org/freeipa/ticket/1734
The example mistakenly showed how to allow "employees" to edit
addresses of "managers".
This fixes the example by switching the two options.
https://fedorahosted.org/freeipa/ticket/2317
Indirect automount nesting is achieved by adding a key that references
another map. This isn't heirarchical, in fact, you can have multiple
duplicate keys all pointing at the same map, which itself is mounted
in other places. It can be a real mess if you want.
In any case, a submount map has its information set to
"-fstype=autofs <type>:<map>"
The type can be any valid automount type: file, nis, yp, ldap, etc. We
are going to hardcode ldap in when we create these using
automountmap-add-indirect. If a user wants a different type they can
create the key themselves (or edit it later).
Here is an example of creating a submount:
$ ipa automountlocation-add baltimore
$ ipa automountmap-add-indirect baltimore auto.share --mount=/share
$ ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.sub
$ ipa automountkey-add baltimore auto.sub --key=share --info=attic:/share
$ ls /share/sub/share
builds lost+found
This looks like:
etc/auto.master:
/- /etc/auto.direct
/share /etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
sub -fstype=autofs ldap:auto.sub
maps not connected to /etc/auto.master:
---------------------------
/etc/auto.sub:
share attic:/share
I've also added a catch-all when using the tofiles function. We were
missing any maps that weren't attached to auto.master. They will now
be shown along with whatever keys they have.
https://fedorahosted.org/freeipa/ticket/1268
CLI command help contains a documentation for all options that can
be passed to commands. However, help strings for positional
arguments are not included.
This patch uses an OptionParser description field to list all
command arguments as OptionParser does not have a native support
to provide such information to user.
https://fedorahosted.org/freeipa/ticket/1974
Improve migration help topic so that it easier understandable:
- Add missing list of Topic commands
- Add one more example to demonstrate migration abilities
- Add breaks to too long lines to improve readibility
https://fedorahosted.org/freeipa/ticket/2174
When a new DNS record is being added to DNS zone via command
ipa dnsrecord-add ZONE @
and the target ZONE does not exist it returns ObjectclassViolation
which may confuse users. Make sure that standard DNS Zone NotFound
exception is returned.
https://fedorahosted.org/freeipa/ticket/2270
Since A6 is an obsolete RR type, no DNS part option was created.
This is, however, not consistent with the rest of per-type API
and may cause problems. This patch adds at least a DNS part for
raw A6 record data so that the record type is treated consistently.
This patch also fixes interactive mode for A6 records. Their data
were not detected correctly as dnsrecord_add didn't expect
a number in DNS part option name.
https://fedorahosted.org/freeipa/ticket/2309
NSEC record needs special treatment as it is not composed from
a fixed set of DNS parts divided by space, but it contains
a multivalued DNS part "types" containing a list of RR types
it covers.
There was already a special method for parsing raw NSEC record
to DNS parts, but the other direction was missing. This patch
adds special NSEC convertor to fix this issue.
https://fedorahosted.org/freeipa/ticket/2307
TXT record validation fails to parse the record if it contains
spaces. Standard DNS part parser uses a space to divide record
parts. A special parser thus need to be implemented for this RR
type.
https://fedorahosted.org/freeipa/ticket/2306
These two situations in netgroup-add need to be distinguished:
1) Netgroup cannot be added because a hostgroup with the same name
created a colliding managed netgroup
2) Another native netgroup with the same name exists
This patch checks the colliding netgroup and raise appropriate
error message based on this finding.
https://fedorahosted.org/freeipa/ticket/2069
The user details page was modified to show the password expiration
date next to the existing password field.
Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.
Ticket #2064
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
* refresh page in browser (takes really long on slow vpns)
* search facet: change filter, find, change filter back, find
* entity details: go to search, select other entry, go back to search, select original entry
* association facet: same as entity details
These are unconvenient methods.
This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.
https://fedorahosted.org/freeipa/ticket/2051
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
--man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
--not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
in HOSTS are returned
https://fedorahosted.org/freeipa/ticket/1675
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.
It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>
I tested nslcd and it only returned one macaddress value.
https://fedorahosted.org/freeipa/ticket/1132
When deleting an HBAC rule we need to ensure that an SELinux user
map isn't pointing at it. We need to take what is the cn of the HBAC
rule and see if that rule exists, then return the dn to that rule.
The search was not being done properly and wasn't enforcing uniqueness.
It could have returned partial matches as well (so tests for the
search test).
https://fedorahosted.org/freeipa/ticket/2269
All DNS record part options in dnsrecord commands need to be
optional so that all of them are not required in every dnsrecord
command. However, FreeIPA API then does not include an information
which DNS record part options are optional in term of creating
a new DNS record. For example, LOC record option "latitude seconds"
is not needed to add a new LOC record.
This patch adds a flag "dnsrecord_optional" to all such options so
that this information is available for any other UI reading the
FreeIPA API.
https://fedorahosted.org/freeipa/ticket/2208
This patch modifies the status attributes in users, DNS zones,
HBAC/sudo rules, HBAC test, and SELinux User Map to use the same
label (i.e. Status) and values (i.e. Enabled/Disabled). The method
to change the status will be modified separately.
Ticket #2247
host-add command allows to add a host and its IP address via
--ip-address option. When the address is invalid, it throws
an error and refuses to operate. However, the invalid IP address
error message is always the same which is not right as it forces
a user to guess the reason of rejection (loopback address,
link-local address or invalid address at all was passed, etc.).
This patch changes host-add validator to print the error message.
https://fedorahosted.org/freeipa/ticket/2229
