Commit Graph

59 Commits

Author SHA1 Message Date
Pavel Zuna
74ad4f3d7d Fix updating of DNS records by the host plugin.
Fix #799
2011-01-18 12:46:53 -05:00
Pavel Zuna
2bb944bea7 Fix crash when building DN of host with name ending with period.
Fix #797
2011-01-18 12:46:53 -05:00
Jakub Hrozek
12c67b99e0 Rename DNS2 to DNS 2011-01-14 17:26:48 -05:00
Jakub Hrozek
3711261802 Port installer and host plugin to the new DNS plugin
* move ipa dns-resolve to the new plugin
* port the installer and the host plugin to the new interface
* remove the old plugin
2011-01-14 17:26:48 -05:00
Jakub Hrozek
f67d3cd32d Use correct option name in host plugin 2011-01-12 17:21:27 -05:00
Rob Crittenden
c7789199f9 Fix output of failed managedby hosts, allow a host to manage itself.
The output problem was a missing label for failed managedby.

This also fixes a call to print_entry that was missing the flags argument.

Add a flag to specify whether a group can be a member of itself, defaulting
to False.

ticket 708
2011-01-11 10:23:31 -05:00
Jan Zeleny
1fb2ccf105 Rename --ipaddr option of host-add command
The option is renamed to --ip-address to be consistent with
ipa-replica-prepare.

https://fedorahosted.org/freeipa/ticket/655
2011-01-07 05:09:14 -05:00
Adam Young
b730eb356f facet nesting
correctly nest the facet groups
change 'parent' to 'member of' for facet group
2011-01-07 04:44:56 -05:00
Martin Kosek
39a9361210 Handle error messages during Host operations
Only a generic error message were displayed when a non-existing
host was passed to host-del or host-disable operations.

This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.

https://fedorahosted.org/freeipa/ticket/303
2011-01-06 11:10:31 -05:00
Pavel Zuna
d6d579ead4 Improve filtering of enrollments search results.
This is required for effective filtering of enrollments search
results in the webUI and also gives an edge to the CLI.

After this patch, each LDAPObject can define its relationships
to other LDAPObjects. For now, this is used only for filtering
search results by enrollments, but there are probably more
benefits to come.

You can do this for example:

# search for all users not enrolled in group admins
ipa user-find --not-in-groups=admins

# search for all groups not enrolled in group global with user Pavel
ipa group-find --users=Pavel --not-in-groups=global

# more examples:
ipa group-find --users=Pavel,Jakub --no-users=Honza
ipa hostgroup-find --hosts=webui.pzuna
2011-01-04 21:56:38 -05:00
Rob Crittenden
91f4bb4ae5 Remove unnecessary options from host-del.
For some reason it was inheriting LDAPCreate.options...

ticket 652
2011-01-04 16:55:14 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Jakub Hrozek
d7d77a749c import NSPRError in host.py 2010-12-20 10:46:37 -05:00
Jan Zeleny
a1a8e7c138 Added option --no-reverse to add-host
When adding a host with specific IP address, the operation would fail in
case IPA doesn't own the reverse DNS. This new option overrides the
check for reverse DNS zone and falls back to different IP address
existence check.

https://fedorahosted.org/freeipa/ticket/417
2010-12-20 10:45:27 -05:00
Rob Crittenden
34534a026f Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
2010-12-17 18:04:37 -05:00
Rob Crittenden
5f8a9b9849 Add --out option to service, host and cert-show to save the cert to a file.
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.

ticket 473
2010-12-13 09:58:26 -05:00
Rob Crittenden
be3c8e8c02 Don't import from ipaserver when not in a server context.
ticket 579
2010-12-11 12:50:17 -05:00
Rob Crittenden
8a63315ef3 Provide list of available attributes for use in ACI UI.
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.

ticket 446
2010-12-03 13:01:42 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Pavel Zuna
5060fdfade Change signature of LDAPSearch.pre_callback.
Add the opportunity to change base DN and scope in the callback.
2010-11-23 21:29:08 -05:00
Rob Crittenden
6d51a48af8 Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238
2010-11-23 18:23:29 -05:00
Rob Crittenden
d4f25453e1 Add managedby to Host entries
This will allow others to provision on behalf of the host.

ticket 280
2010-11-19 10:31:42 -05:00
Rob Crittenden
2046eddb7a Revoke a host's certificate (if any) when it is deleted or disabled.
Disable any services when its host is disabled.

This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.

ticket 297
2010-11-19 10:31:42 -05:00
Rob Crittenden
ff636984ab Add option to generate random one-time password for hosts for bulk enrollment
ticket 228
2010-10-28 15:27:58 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Endi S. Dewata
2c5f3cfd60 Host certificate management
The service certificate management UI has been generalized and moved
into certificate.js. The host details page is now using the same code
to manage certificates. The host.py has been modified to return host
certificate info.

The Get/Revoke/View buttons behavior has been modified such that they
are visible only if there is a valid certificate. The Get dialog box
has been fixed to show the correct certificate header and footer.

The ipa.css has been modified to store the style of the status bullets.
New unit tests for certificate has been added. The test data has been
modified to include sample host certificate.
2010-10-20 09:33:44 -04:00
Rob Crittenden
4b6b710ba6 Update command documentation based on feedback from docs team.
ticket #158
2010-08-27 13:31:04 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
901ccc1393 First pass at per-command documentation 2010-06-22 13:58:04 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Pavel Zuna
41312ca166 Code cleanup: remove unused stuff, take 1. 2010-03-01 16:53:30 -05:00
Jason Gerard DeRose
8c46e09735 Translatable Param.label, Param.doc 2010-02-24 02:47:39 -07:00
Pavel Zuna
5db8ebb48e Replace incorrect use of str.index with str.find in host plugin. 2010-02-23 17:54:52 -05:00
Rob Crittenden
58746226d4 Use the Output tuple to determine the order of output
The attributes displayed is now dependant upon their definition in
a Param. This enhances that, giving some level of control over how
the result is displayed to the user.

This also fixes displaying group membership, including failures of
adding/removing entries.

All tests pass now though there is still one problem. We need to
return the dn as well. Once that is fixed we just need to comment
out all the dn entries in the tests and they should once again
pass.
2010-02-15 13:10:11 -07:00
Jason Gerard DeRose
069763c5c6 Add Object.label class attribute, enable in webUI 2010-02-12 17:07:37 -05:00
Pavel Zuna
f262a132be Use 'l' instead of 'localityname' in host plugin.
It seems that 'localityname' and 'locality' aliases were dropped in
newer versions of DS.
2010-01-14 16:02:16 -05:00
Pavel Zuna
ce87e04af0 Make host objects aware of their membership and that l==localityName. 2010-01-14 16:01:22 -05:00
Pavel Zuna
74a5384169 Add --all to LDAPCreate and make LDAP commands always display default attributes. 2010-01-11 13:28:05 -05:00
Rob Crittenden
af20a1a2da Handle base64-encoded certificates better, import missing function 2009-12-18 05:18:50 -07:00
Rob Crittenden
c3f9ec14d9 Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
2009-12-16 19:26:59 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
Pavel Zuna
944371a38c Make the host plugin use baseldap classes. 2009-09-28 15:00:27 -06:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Pavel Zuna
34b5b0d563 Fix bug: number of found entries was reported incorrectly in some plugins. 2009-07-02 13:33:05 -04:00
Pavel Zuna
5e4c0014df Fix bug: when deleting hosts, their services where deleted incorrectly 2009-07-02 13:33:04 -04:00
Pavel Zuna
57123f2a99 Fix minor bugs, typos, etc. discovered by unit tests in plugins. 2009-07-02 13:33:03 -04:00
Pavel Zuna
4b6a6c405c Rename *-create/*-delete commands to *-add/*-del respectively. 2009-07-02 13:33:02 -04:00