Commit Graph

5590 Commits

Author SHA1 Message Date
Petr Viktorin
7336a176b4 Add the version option to all Commands
Several Commands were missing the 'version' option. Add it to those
that were missing it.

Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.

When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).

Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).

Design page: http://freeipa.org/page/V3/Messages
Tickets:
  https://fedorahosted.org/freeipa/ticket/2732
  https://fedorahosted.org/freeipa/ticket/3294
2013-02-21 16:26:09 +01:00
Petr Vobornik
246bc3f3ea Web UI build profile updated
freeipa.profile was updated accordingly to contain all modules in dojo layer.

This change removes expected errors during the build and therefore it won't confuse others during rpm build. It also helps during development because developer will notice real dependency errors (those not specified this way).
2013-02-21 14:11:51 +01:00
Petr Vobornik
75eee33ed9 Allow to specify modules for which builder doesn't raise dependency error
One can specify module ids provided by other means (already built layer file) in providedMids array of build profile file's package section. Builder then ignores dependency errors for specified modules. This allows to build layers without source codes of their dependencies, with no expected errors raised.

Example:

packages:[
    {
        name: "freeipa",
        location: "freeipa",
        providedMids: [
            'dojo/_base/declare',
            'dojo/_base/lang',
            'dojo/_base/array',
            'dojo/Stateful'
            //etc
        ]
    }
],
2013-02-21 14:11:46 +01:00
Petr Vobornik
28551ae541 Develop.js extended
Develop.js contains code useful only for debugging. It is not part of FreeIPA
release.

Is loaded by typing require(['freeipa/develop']); in browser JS console.
It adds IPA global variable and provide easier way of loading AMD modules into
window.ipadev[providedNameOrModuleName] variable.

https://fedorahosted.org/freeipa/ticket/112
2013-02-21 14:11:43 +01:00
Martin Kosek
167406fb59 Use fixed test domain in realmdomains test
Random domain name may bring undererministic behavior. It also breaks
the test on some systems as string.lowercase is locale dependent and
can return non-ASCII letters and thus later break the unicode encoding
and raise UnicodeDecodeError.

Use a fixed domain in "test" TLD instead. This domain is guaranteed to
be not existent.
2013-02-21 13:47:44 +01:00
Martin Kosek
a41e10f0eb Avoid internal error when user is not Trust admin
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.

When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.

https://fedorahosted.org/freeipa/ticket/3390
2013-02-20 13:23:58 -05:00
Petr Viktorin
981c9f10ee Update sudocmd ACIs to use targetfilter
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
2013-02-20 17:35:20 +01:00
Petr Viktorin
a694e61f42 Prevent a sudo command from being deleted if it is a member of a sudo rule
Tests included.
2013-02-20 17:35:16 +01:00
Petr Viktorin
d66898405b Use ipauniqueid for the RDN of sudo commands
Since sudo commands are case-sensitive, we can't use 'sudocmd'
as the RDN.

Tests for case-sensitive behavior included

https://fedorahosted.org/freeipa/ticket/2482
2013-02-20 17:34:51 +01:00
Petr Viktorin
1821fa0aab Check SSH connection in ipa-replica-conncheck
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.

The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.

https://fedorahosted.org/freeipa/ticket/3402
2013-02-19 17:04:10 -05:00
Tomas Babej
5b64cde92a Prevent changing protected group's name using --setattr
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354
2013-02-19 16:56:46 -05:00
Rob Crittenden
462beacc9d Implement the cert-find command for the dogtag CA backend.
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.

dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.

The search operation is unauthenticated

Design page: http://freeipa.org/page/V3/Cert_find

https://fedorahosted.org/freeipa/ticket/2528
2013-02-19 11:52:33 -05:00
Martin Kosek
74c11d88ae Add autodiscovery section in ipa-client-install man pages
Explain how autodiscovery and failover works and which options
are important for these elements.

https://fedorahosted.org/freeipa/ticket/3383
2013-02-19 11:13:41 -05:00
Jan Cholasta
cfbdeebe66 Run interactive_prompt callbacks after CSV values are split.
https://fedorahosted.org/freeipa/ticket/3334
2013-02-19 11:08:11 -05:00
Alexander Bokovoy
1c68c3edff ipasam: use base scope when fetching domain information about own domain
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.

Required for https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:16:19 +02:00
Ana Krivokapic
3253a30541 Add list of domains associated to our realm to cn=etc
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:15:46 +02:00
Petr Viktorin
8fcc8bc8d5 In topic help text, mention how to get help for commands
This should prevent user confusion when topic help is requested
unintentionally, for example with `ipa help ping`.

See https://fedorahosted.org/freeipa/ticket/3247
2013-02-18 13:07:26 -05:00
Petr Viktorin
614082e6a6 Add tests for the help command & --help options
Move the parser setup from bootstrap_with_global_options to bootstrap,
so all API objects have access to it.

Add some CLI tests for the help system.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
abe26d55c8 Parse command arguments before creating a context
This allows users to run `ipa COMMAND --help` even without
Kerberos credentials.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
f16c100f1e Mention ipa COMMAND --help as the preferred way to get command help
This avoids the problem with ambiguous command/topic names.

No functionality is changed; `ipa help <COMMAND>` still works as before
if there's no topic with the same name.

https://fedorahosted.org/freeipa/ticket/3247
2013-02-18 13:07:17 -05:00
Petr Viktorin
de1c4eeae2 Add command summary to ipa COMMAND --help output
This makes the output identical to `ipa help COMMAND`.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
6ac0e9b90f Simplify ipa help topics output
This brings the output closer to `ipa help commands` and removes
extraneous information.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
5ee2216f49 Store the OptionParser in the API, use it to print unified help messages
Make `ipa -h` and `ipa help` output the same message.

Since `ipa -h` output is generated by the OptionParser, we need to make
the parser available. Store it in `api.parser`.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
1e2437ece1 Print help to stderr on error
Whenever a command is used incorrectly, it should output
an error message (and possibly additional help) to stderr.

This patch adds a parameter to a bunch of places to allow
selecting either stdout or stderr for help output, and makes
badly called commands output to stderr only.

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:17 -05:00
Petr Viktorin
5f5b4c3e5e Improve ipa --help output
Fix the usage string to match actual usage.

Add command description.

Put information about `ipa help topics` etc. to the epilog,
instead of using empty option groups. Use a custom formatter
to preserve newlines.

Add the -h/--help option manually to ensure consistent case
(capital S).

Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
2013-02-18 13:07:16 -05:00
Jakub Hrozek
d73dd4b683 Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
https://fedorahosted.org/freeipa/ticket/3132
2013-02-18 16:50:28 +01:00
Tomas Babej
559a87017a Add option to specify SID using domain name to idrange-add/mod
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
2013-02-18 16:37:07 +01:00
sbose
3f8778890e ipa-kdb: Free talloc autofree context when module is closed
Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts
are configured. The reason is the talloc autofree context which get initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded an
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.

This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.

Fixes https://fedorahosted.org/freeipa/ticket/3410
2013-02-14 10:11:26 +01:00
Martin Kosek
dfad4396ff ipa-kdb: fix retry logic in ipadb_deref_search
This function retried an LDAP search when the result was OK due to
flawed logic of retry detection (ipadb_need_retry function which
returns true when we need retry and not 0).

https://fedorahosted.org/freeipa/ticket/3413
2013-02-14 10:09:52 +01:00
Martin Kosek
93ea8a6ac3 ipa-kdb: remove memory leaks
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.

https://fedorahosted.org/freeipa/ticket/3413
2013-02-14 10:09:48 +01:00
Martin Kosek
b8079f9ed4 Fix hbachelp examples formatting
Add correct labeling of matched/nonmatched output attributes. Also
make sure that "\" is not interpreted as newline escape character
but really as a "\" character.
2013-02-14 08:38:11 +01:00
Martin Kosek
85d16ad7de Add support for AD users to hbactest command
How this works:
  1. When a trusted domain user is tested, AD GC is searched
     for the user entry Distinguished Name
  2. The user entry is then read from AD GC and its SID and SIDs
     of all its assigned groups (tokenGroups attribute) are retrieved
  3. The SIDs are then used to search IPA LDAP database to find
     all external groups which have any of these SIDs as external
     members
  4. All these groups having these groups as direct or indirect
     members are added to hbactest allowing it to perform the search

LIMITATIONS:
- only Trusted Admins group members can use this function as it
  uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
  of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
d79aac855b Do not hide SID resolver error in group-add-member
When group-add-member does not receive any resolved trusted domain
object SID, it raises an exception which hides any useful error
message passed by underlying resolution methods. Remove the exception
to reveal this error messages to user.

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
e60e80e2b6 Generalize AD GC search
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.

Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
Martin Kosek
4c4418fb9e Test NetBIOS name clash before creating a trust
Give a clear message about what is wrong with current Trust settings
before letting AD to return a confusing error message.

https://fedorahosted.org/freeipa/ticket/3193
2013-02-13 13:05:04 +01:00
Martin Kosek
45c0dd7448 ipa-adtrust-install should ask for SID generation
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
2013-02-12 17:28:42 +01:00
Martin Kosek
994e2cda39 ipa-sam: Fill SID blacklist when trust is added
Fill incoming and outgoing trust LDAP entry with default SID
blacklist value.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:52 +01:00
Martin Kosek
827ea50566 ipa-kdb: read SID blacklist from LDAP
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: SID blacklist list is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:47 +01:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Martin Kosek
e08307d3fa ipa-kdb: reinitialize LDAP configuration for known realms
ipa-kdb did not reinitialize trusted domain configuration when it
was loaded to ipa-kdb. However, admin then would have to restart
krb5kdc if he wanted to apply the change to running krb5kdc service.

Run ipadb_reinit_mspac unconditionally every time when trusted domain
is loaded. Among the already configured 1 minute grace time, also
add a quick check if there is at least one configured trusted domain
before reinitializing the mspac structure.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:28 +01:00
Martin Kosek
ce90a4538b ipa-kdb: avoid ENOMEM when all SIDs are filtered out
When all SIDs in info3.sids structure were filtered out, we tried
to talloc_realloc to zero memory size. talloc_realloc then returned
NULL pointer and filter_login_info returned with ENOMEM.

The code now rather frees the SID array and set info3.sidcount to
correct value.
2013-02-12 10:37:23 +01:00
Martin Kosek
e234edc995 ipa-kdb: add sentinel for LDAPDerefSpec allocation
Without sentinel in place, ldap_create_deref_control_value executed
an invalid read in unallocated memory.
2013-02-12 10:37:13 +01:00
Martin Kosek
67d8b434c5 Add trusconfig-show and trustconfig-mod commands
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.

Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/3333
2013-02-11 15:38:22 +01:00
Martin Kosek
f7e27b5475 Fix permission_find test error
Remove extraneous memberindirect_role attribute from permission_find
unit test to avoid false negative test result.
2013-02-08 16:57:38 +01:00
Rob Crittenden
08b84befbc Prevent a crash when no entries are successfully migrated.
It would fail in _update_default_group() because migrate_cnt wasn't
defined in context.

https://fedorahosted.org/freeipa/ticket/3386
2013-02-08 16:23:25 +01:00
Tomas Babej
0e8a329048 Prevent integer overflow when setting krbPasswordExpiration
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
2013-02-08 15:54:21 +01:00
Jan Cholasta
1d35043e46 Raise ValidationError on invalid CSV values.
https://fedorahosted.org/freeipa/ticket/3323
2013-02-08 15:16:37 +01:00
Rob Crittenden
cbb262dc07 Add LDAP server fallback to client installer
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388
2013-02-07 16:49:31 -05:00
Ana Krivokapic
076775a0f8 Take into consideration services when deleting replicas
When deleting a replica from IPA domain:
* Abort if the installation is about to be left without CA
* Warn if the installation is about to be left without DNS

Ticket: https://fedorahosted.org/freeipa/ticket/2879
2013-02-06 16:20:37 -05:00
Petr Viktorin
b27267b00a Don't add another nsDS5ReplicaId on updates if one already exists
Modify update file to use default: rather than add: in
cn=replication,cn=etc,$SUFFIX.

Drop quotes around nsDS5ReplicaRoot because default: values
are not parsed as CSV.

https://fedorahosted.org/freeipa/ticket/3394
2013-02-06 12:22:00 +01:00