Commit Graph

1870 Commits

Author SHA1 Message Date
Petr Vobornik
d536b3824e Make group posix
New option for creating plain user group posix group. External group can't be made posix.

https://fedorahosted.org/freeipa/ticket/2338
2012-08-14 08:09:35 +02:00
Petr Vobornik
271043ccf7 Make group external
New action for creating plain group external. Posix group can't be made external.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:31 +02:00
Petr Vobornik
44e86aa3bb Add external group
Group can be normal, posix and external. Posix checkbox was removed and was replaced by radio for selecting group type. This adds possibility of adding of external group.

https://fedorahosted.org/freeipa/ticket/2895
2012-08-14 08:09:23 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Jan Cholasta
72cc54bc27 Make --{set,add,del}attr more robust.
This fixes --addattr on single value attributes in add commands and --delattr
on non-unicode attributes in mod commands.

ticket 2954
2012-08-03 14:17:42 +02:00
Jan Cholasta
9bfa905e72 Add --{set,add,del}attr options to commands which are missing them.
ticket 2963
2012-08-03 10:18:30 +02:00
Petr Vobornik
dc79b60ebb PAC Type options for services in Web UI
Following options were added to Web UI
    * PAC Type in service
    * PAC Type in configuration

Testing metadata for objects and commands were regenerated.

https://fedorahosted.org/freeipa/ticket/2958
2012-08-02 10:22:25 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Rob Crittenden
e345ad12eb Fix validator for SELinux user map settings in config plugin.
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).

One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.

https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
2012-07-26 23:57:25 -04:00
Rob Crittenden
429edcfb72 Support per-principal sessions and handle session update failures
User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return "Key has been revoked".

Wrap the operations in a try/except so we can ignore keyring failures.

This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.

https://fedorahosted.org/freeipa/ticket/2880
2012-07-18 16:05:08 -04:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Alexander Bokovoy
2d75d8cc05 ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason'
https://fedorahosted.org/freeipa/ticket/2865
2012-07-18 16:55:51 +03:00
Martin Kosek
854b763675 Enforce CNAME constrains for DNS commands
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.

Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.

https://fedorahosted.org/freeipa/ticket/2601
2012-07-12 17:44:13 -04:00
Martin Kosek
378238b14e Warn user if an ID range with incorrect size was created
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.

However, since correct range size is not known, we should at least
warn that a range with invalid size was created so that user can
amend it.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:39 +02:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Petr Vobornik
14ac2193fe Add and remove dns per-domain permission in Web UI
This patch adds support for new per-domain permissions to Web UI.

User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.

For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.

Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.

New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.

https://fedorahosted.org/freeipa/ticket/2851
2012-07-11 16:33:10 +02:00
Petr Viktorin
5f69a06d1a Fix batch command error reporting
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.

Fix these problems. Update tests.

https://fedorahosted.org/freeipa/ticket/2874
https://fedorahosted.org/freeipa/ticket/2901
2012-07-11 10:49:02 +02:00
Petr Vobornik
848bd0e9e7 Password policy measurement units.
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.

This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).

Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.

This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.

https://fedorahosted.org/freeipa/ticket/2437
2012-07-10 13:30:38 +02:00
Martin Kosek
5ba8eeb970 Do not change LDAPObject objectclass list
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.

Make sure that the LDAPObject object_class list is not modified during
the __json__ method.

https://fedorahosted.org/freeipa/ticket/2906
2012-07-09 14:53:11 +02:00
Rob Crittenden
e5b6260008 Centralize timeout for waiting for servers to start.
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
2012-07-02 17:08:58 -04:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Petr Vobornik
5b7084aeb5 Web UI password is going to expire in n days notification
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').

Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).

https://fedorahosted.org/freeipa/ticket/2625
2012-06-29 11:55:53 +02:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Ondrej Hamada
8ce7330c53 Change random passwords behaviour
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
2012-06-27 12:58:46 +02:00
Petr Viktorin
3021b3e9d5 Improve output validation
We only checked the length of Command output dictionaries. A misspelled
key in would not be caught.

Fix the problem by checking if the sets of keys are equal.

Add a test. Split the test methods into more manageable pieces.

https://fedorahosted.org/freeipa/ticket/2860
2012-06-25 22:04:14 -04:00
Petr Viktorin
ec5115a155 Typo fixes 2012-06-25 21:35:11 -04:00
Petr Vobornik
ae19cce7ad Trust Web UI
This patch adds Web UI for trusts.

Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.

Adder dialog supports two ways if adding a trust:
1)  adding with domain name, admin name and admin password.
2) adding with domain name, shared secret

Search page shows only list of realm names which are trusts' cns.

Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.

Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.

https://fedorahosted.org/freeipa/ticket/2829
2012-06-25 18:17:06 +02:00
Alexander Bokovoy
a5cb1961fe Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-25 18:16:15 +02:00
Alexander Bokovoy
c3a7894ab6 Use correct SID attribute for trusted domains
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
2012-06-25 18:15:35 +02:00
Petr Vobornik
37b7b28993 Added password reset capabilities to unauthorized dialog
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.

If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 13:23:44 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Martin Kosek
1484ccc404 Decimal parameter conversion and normalization
Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.

Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
 * exponential: when False, decimal number is normalized to its
                non-exponential form
 * numberclass: a set of allowed decimal number classes
                (e.g. +Infinity, -Normal, ...) that are enforced
                for every Decimal parameter value

https://fedorahosted.org/freeipa/ticket/2705
2012-06-17 21:59:54 -04:00
Rob Crittenden
54135ecd9a Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331
2012-06-14 14:02:26 +02:00
Petr Viktorin
9960149e3f Rework the CallbackInterface
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674
2012-06-14 11:09:43 +02:00
Martin Kosek
ce97d6f8e7 Enable persistent search by default
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.

Make this mechanism default in ipa-server-install and ipa-dns-istall.

https://fedorahosted.org/freeipa/ticket/2524
2012-06-10 21:23:15 -04:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
Petr Vobornik
88170087e1 Change json serialization to serialize useful data
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
 * mostly CLI specific option attribues are not send.
 * attributes evaluated to false or None are not send
 * options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.

In the end the raw amount of data send is aproximately the same.

This patch is needed for Web UI to determine which option it can use in which commands.

https://fedorahosted.org/freeipa/ticket/2760
2012-06-07 11:22:15 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Martin Kosek
52a9eb7a9c Fix dnszone-mod --forwader option help string
Help should not point to global forwarders but rather to per-zone
conditional forwarders.

https://fedorahosted.org/freeipa/ticket/2717
2012-06-05 10:46:42 +02:00
Martin Kosek
d31f0c2d33 Improve migration NotFound error
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.

User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.

https://fedorahosted.org/freeipa/ticket/2206
2012-06-05 08:51:30 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Petr Vobornik
496fbbd919 Added missing i18n in action list and action panel
This patch adds strings to internal.py which were not translated in action list/panel patches.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:08 +02:00
Petr Vobornik
ea5ae4b1cf User password widget modified.
Currently the user password is shown as follows in the details page:
    Password: Reset Password

This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.

Now password is shown as follows:
    Password: *******   (if set)
    Password:           (if not set)

Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.

https://fedorahosted.org/freeipa/ticket/2248
2012-06-04 10:45:07 +02:00
Petr Viktorin
c799f6a0bf Add more automount tests
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.

The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.

The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.

Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
2012-05-31 20:16:29 -04:00