Commit Graph

1278 Commits

Author SHA1 Message Date
Nathaniel McCallum
70e2217d73 Use super() properly to avoid an exception
https://fedorahosted.org/freeipa/ticket/4099

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 16:01:22 +01:00
Petr Viktorin
773e006ddd permission plugin: Do not assume attribute-level rights for new attributes are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.

https://fedorahosted.org/freeipa/ticket/4121

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-21 14:33:49 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Petr Viktorin
78b657b02d Add permission_filter_objectclasses for explicit type filters
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
0824d12c95 permission-mod: Do not copy member attributes to new entry
Fixes: https://fedorahosted.org/freeipa/ticket/4178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-20 12:33:36 +01:00
Petr Spacek
2af96d1c0b Fix regular expression for LOC records in DNS.
- Fractional parts of integers are not mandatory.
- Expressions containing only size or only size + horizontal precision
  are allowed.
- N/S/W/E handling was fixed.

See RFC 1876 section 3 for details.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-18 15:51:11 +01:00
Nathaniel McCallum
a2ae2918dd Fix generation of invalid OTP URIs
https://fedorahosted.org/freeipa/ticket/4169

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-13 19:43:29 +01:00
Nathaniel McCallum
9cf311db1d Fix OTP token names/labels
https://fedorahosted.org/freeipa/ticket/4171

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-13 19:43:29 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
2f3ab2914a permission plugin: Generate ACIs in the plugin
Construct the ACI string from permission entry directly
in the permission plugin.

This is the next step in moving away from ipalib.aci.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
15995d1f38 permission plugin: Convert options in execute, not args_options_2_params
With this change, shortcut options like memberof and type will be
aplied on the server, not on the client.
This will allow us to pass more information than just updated options.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
419f3ad627 Permission plugin fixes
- Fix i18n for plugin docstring
- Fix error when the aci attribute is not present on an entry
- Fix error when raising exception for ACI not found

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Martin Basti
8ede71fd84 DNS classless support for reverse domains
Now users can add reverse zones in classless form:
0/25.1.168.192.in-addr.arpa.
0-25.1.168.192.in-addr.arpa.

128/25 NS ns.example.com.
10 CNAME 10.128/25.1.168.192.in-addr.arpa.

Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-11 17:21:11 +01:00
Martin Basti
1adeb68182 PTR records can be added without specify FQDN zone name
Now adding PTR records will accept zones both with and without end dot.

Ticket: https://fedorahosted.org/freeipa/ticket/4151
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-02-11 16:33:53 +01:00
Jan Cholasta
4e207b4c88 Remove sourcehostcategory from the default HBAC rule.
https://fedorahosted.org/freeipa/ticket/4158

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-06 16:46:24 +01:00
Martin Kosek
03ba31b8ca Migration does not add users to default group
When users with missing default group were searched, IPA suffix was
not passed so these users were searched in a wrong base DN. Thus,
no user was detected and added to default group.

https://fedorahosted.org/freeipa/ticket/4141

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-05 16:47:37 +01:00
Jan Cholasta
c2bd6f365d Convert remaining frontend code to LDAPEntry API. 2014-01-24 20:38:15 +01:00
Jan Cholasta
a5f322cb7b Get original entry state from LDAP in LDAPUpdate. 2014-01-24 20:29:31 +01:00
Petr Vobornik
622f9ab11f Trust domains Web UI
Add Web UI counterpart of following CLI commands:

* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove infromation about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust

https://fedorahosted.org/freeipa/ticket/4119
2014-01-21 12:24:54 +01:00
Petr Vobornik
0b428b8326 About dialog
https://fedorahosted.org/freeipa/ticket/4018
2014-01-21 12:04:04 +01:00
Martin Kosek
511a5f248b Hide trust-resolve command
We do not need to expose a public FreeIPA specific interface to resolve
SIDs to names. The interface is only used internally to resolve SIDs
when external group members are listed. Additionally, the command interface
is not prepared for regular user and can give rather confusing results.

Hide it from CLI. The API itself is still accessible and compatible with
older clients.

https://fedorahosted.org/freeipa/ticket/4113
2014-01-20 18:24:09 +01:00
Alexander Bokovoy
fcd9a66b16 group-show: resolve external members of the groups
Perform SID to name conversion for existing external members of the
groups if trust is configured.

https://bugzilla.redhat.com/show_bug.cgi?id=1054391
https://fedorahosted.org/freeipa/ticket/4123
2014-01-20 09:48:42 +01:00
Martin Kosek
894cb7b8f0 Remove missing VERSION warning in dnsrecord-mod
dnsrecord-mod may call dnsrecord-delentry command when all records
are deleted. However, the version was not passwd to delentry and
it resulted in a warning.

https://fedorahosted.org/freeipa/ticket/4120
2014-01-17 09:29:52 +01:00
Simo Sorce
088fbad353 Stop adding a default password policy reference
Both the password plugin and the kdb driver code automatically fall
back to the default password policy.
so stop adding an explicit reference to user objects and instead rely on the
fallback.
This way users created via the framework and users created via winsync plugin
behave the same way wrt password policies and no surprises will happen.

Also in case we need to change the default password policy DN this will allow
just code changes instead of having to change each user entry created, and
distinguish between the default policy and explicit admin changes.

Related: https://fedorahosted.org/freeipa/ticket/4085
2014-01-16 09:00:35 +01:00
Alexander Bokovoy
0cad0fa111 trustdomain-find: report status of the (sub)domain
Show status of each enumerated domain

trustdomain-find shows list of domains associated with the trust.
Each domain except the trust forest root can be enabled or disabled
with the help of trustdomain-enable and trustdomain-disable commands.

https://fedorahosted.org/freeipa/ticket/4096
2014-01-15 16:19:26 +01:00
Alexander Bokovoy
0e2cda9da7 trust-fetch-domains: create ranges for new child domains
When trust is added, we do create ranges for discovered child domains.
However, this functionality was not available through
'trust-fetch-domains' command.

Additionally, make sure non-existing trust will report proper error in
trust-fetch-domains.

https://fedorahosted.org/freeipa/ticket/4111
https://fedorahosted.org/freeipa/ticket/4104
2014-01-15 15:43:40 +01:00
Martin Kosek
7cc8c3b14b Add missing example to sudorule
https://fedorahosted.org/freeipa/ticket/4090
2014-01-15 11:01:36 +01:00
Rob Crittenden
0070c0feda Change the way we determine if the host has a password set.
When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.

https://fedorahosted.org/freeipa/ticket/4102
2014-01-15 10:02:49 +01:00
Jan Cholasta
24d85f15ee Use old entry state in LDAPClient.update_entry.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Martin Kosek
faa820f39e hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.

https://fedorahosted.org/freeipa/ticket/3803
2014-01-10 12:55:44 +01:00
Petr Viktorin
4a64a1f18b Allow anonymous and all permissions
Disallow adding permissions with non-default bindtype to privileges

Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
2014-01-07 09:56:41 +01:00
Petr Viktorin
d7f5d58d35 Use new registration API in the privilege plugin 2014-01-07 09:56:36 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Petr Viktorin
1a9beac1be permission_find: Do not fail for ipasearchrecordslimit=-1
ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
2013-12-17 12:29:56 +01:00
Petr Viktorin
acede580e1 Remove default from the ipapermlocation option
The value from my machine ended up wired into API.txt,
so builds on other machines would fail.

Correct the mistake.
2013-12-13 16:32:39 +01:00
Petr Viktorin
d38748d64f Make sure SYSTEM permissions can be retreived with --all --raw
Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
2013-12-13 15:08:52 +01:00
Petr Viktorin
7fc35ced1d permission plugin: Ensure ipapermlocation (subtree) always exists 2013-12-13 15:08:52 +01:00
Petr Viktorin
53caa7aca2 Roll back ACI changes on failed permission updates 2013-12-13 15:08:52 +01:00
Petr Viktorin
f47669a5b9 Verify ACIs are added correctly in tests
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
2013-12-13 15:08:52 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Alexander Bokovoy
73e7a6c409 trust: fix get_dn() to distinguish creating and re-adding trusts
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.

Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.

https://fedorahosted.org/freeipa/ticket/4067
2013-12-11 13:33:15 +01:00
Jan Cholasta
36502a6367 Fix internal error in the user-status command.
https://fedorahosted.org/freeipa/ticket/4066
2013-12-10 15:34:45 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Martin Basti
efffcfdbc2 migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243
2013-12-02 13:30:12 +01:00
Alexander Bokovoy
32df84f04b subdomains: Use AD admin credentials when trust is being established
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.

When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.

Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
2013-11-29 13:13:55 +01:00
Petr Viktorin
1e836d2d0c Switch client to JSON-RPC
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.

The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.

The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).

Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.

For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.

Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
2013-11-26 16:59:59 +01:00
Tomas Babej
63d4f30686 trusts: Do not pass base-id to the subdomain ranges
For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.

https://fedorahosted.org/freeipa/ticket/4041
2013-11-22 08:47:49 +01:00
Petr Viktorin
56e3e12f12 Break long doc string in the Host plugin
Also split the translations in French and Ukraininan

Part of https://fedorahosted.org/freeipa/ticket/3587
2013-11-21 10:34:25 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00