Commit Graph

4735 Commits

Author SHA1 Message Date
Rob Crittenden
7d7322de2e Limit allowed characters in a netgroup name to alpha, digit, -, _ and .
Apply this to hostgroup names as well since they can be linked.

https://fedorahosted.org/freeipa/ticket/2221
2012-02-27 00:06:44 -05:00
Petr Viktorin
a09063cbb8 Make sure the nolog argument to ipautil.run is not a bare string
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.

This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.

https://fedorahosted.org/freeipa/ticket/2419
2012-02-26 23:26:54 -05:00
Martin Kosek
7fe63f8233 Add SSHFP update policy for existing zones
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.

This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.

https://fedorahosted.org/freeipa/ticket/2394
2012-02-27 18:04:19 +01:00
Martin Kosek
dc47f77dc1 Add client hostname requirements to man
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.

https://fedorahosted.org/freeipa/ticket/1967
2012-02-27 17:50:46 +01:00
Rob Crittenden
e9ed7f7ca1 Don't run restorecon if SELinux is disabled or not present.
Also check for the existence of restorecon. This may be overkill but
it will prevent a client installation from failing for no good reason.

https://fedorahosted.org/freeipa/ticket/2368
2012-02-27 17:37:08 +01:00
Martin Kosek
306bdccfa4 Sanitize UDP checks in conncheck
UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to checked port.

This patch removes UDP port checks in replica->master direction
as we would have to implement (kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for user.

Direction master->replica was fixed and now it is able to report
error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062
2012-02-26 18:08:59 -05:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

Few modification were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Rob Crittenden
357cb654fa Make sure 389-ds is running when adding memcache service in upgrade.
Adding the memcache service requires 389-ds to be running because we
add an entry to cn=masters.

https://fedorahosted.org/freeipa/ticket/2411
2012-02-26 17:03:22 -05:00
Rob Crittenden
de9a22b3f3 Remove unused kpasswd.keytab and ldappwd files if they exist.
These were used by ipa_kpasswd and krb5-server-ldap respectivily.

https://fedorahosted.org/freeipa/ticket/2397
2012-02-27 14:48:26 +01:00
Rob Crittenden
5c7cd8ee2f Check for duplicate winsync agreement before trying to set one up.
We currently only support a single winsync agreement so all we need
to do is check to see if we have one with the remote host.

This also adds some minor exception handling cleanup.

https://fedorahosted.org/freeipa/ticket/2130
2012-02-27 14:39:37 +01:00
Rob Crittenden
31f00f90f1 Fix managing winsync replication agreements with ipa-replica-manage
force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.

This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync

https://fedorahosted.org/freeipa/ticket/2128
2012-02-27 14:38:21 +01:00
Rob Crittenden
872047fa0e Add Requires to ipa-client on oddjob-mkhomedir
https://fedorahosted.org/freeipa/ticket/2337
2012-02-27 11:00:26 +01:00
Rob Crittenden
ac47b1ca6e Don't consider virtual attributes when validating custom objectclasses
We verify user and group default objectclasses when changing them
to be sure that required objectclasses aren't being dropped. We need
to ignore virtual attributes or it will raise an error because they
aren't defined in schema.

https://fedorahosted.org/freeipa/ticket/2406
2012-02-27 10:06:35 +01:00
Martin Kosek
16d88d79ad Add gidnumber minvalue
Do not accept invalid GID values in IPA user/group plugins.

https://fedorahosted.org/freeipa/ticket/2335
2012-02-23 21:00:15 -05:00
Rob Crittenden
b241e828a9 Catch public exceptions when creating the LDAP context in WSGI.
Made specifically for the case where S4U2Proxy delegation fails.

https://fedorahosted.org/freeipa/ticket/2414
2012-02-24 16:53:24 +01:00
Martin Kosek
1c898e388b Add API for PTR sync control
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.

As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.

This patch adds an API for this control.

https://fedorahosted.org/freeipa/ticket/2176
2012-02-24 09:40:51 +01:00
Martin Kosek
210d913eb1 Add DNS conditional forwarding
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.

https://fedorahosted.org/freeipa/ticket/2108
2012-02-24 09:40:47 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Martin Kosek
1816643a43 Update schema for bind-dyndb-ldap
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072
2012-02-24 09:40:36 +01:00
Rob Crittenden
d4a1dc5712 Don't allow IPA master hosts or important services be deleted.
Deleting these would cause the IPA master to blow up.

For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.

https://fedorahosted.org/freeipa/ticket/2425
2012-02-23 20:17:12 +01:00
Rob Crittenden
915286fed2 Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag
We had this in v1 but removed it with v2 because we no longer used
TurboGears for the UI. Because we are now proxying requests to dogtag
we need to re-add this so that mod_ssl doesn't interfere with our
communication.

mod_ssl always blindly registers itself as the SSL provider for mod_proxy.
mod_nss will only register itself if mod_ssl hasn't already done so.

https://fedorahosted.org/freeipa/ticket/2177
2012-02-22 18:27:54 -05:00
Rob Crittenden
7aeae93c34 Don't check for schema uniqueness when comparing in ldapupdate.
This is needed on F-17+, otherwise things blow up when we try to see
if we've added new schema.

Introspection is required to see if the argument check_uniqueness is
available.

https://fedorahosted.org/freeipa/ticket/2383
2012-02-22 18:16:13 -05:00
Rob Crittenden
ecf544ea0b Make sure memberof is in replication attribute exclusion list.
A previous bug caused this attribute to not be added which would lead
to unnecessary replication. This runs as an updater plugin.

https://fedorahosted.org/freeipa/ticket/2223
2012-02-23 15:54:59 +01:00
Rob Crittenden
b9e3685534 Add the -v option to sslget to provide more verbose errors
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.

https://fedorahosted.org/freeipa/ticket/2391
2012-02-23 11:26:06 +01:00
Rob Crittenden
960baaebf4 Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.

https://fedorahosted.org/freeipa/ticket/2416
2012-02-23 11:05:52 +01:00
John Dennis
ce7b66ebfb update translation pot file 2012-02-21 17:19:20 -05:00
John Dennis
d4cc16766a pulled new po files from Transifex 2012-02-21 17:06:05 -05:00
John Dennis
62b91f5acf Update pot file and list of explicit Python files needing translation 2012-02-21 14:17:00 -05:00
Petr Voborník
a7ced67e77 Added missing configuration options
Missing options were added to Web UI's IPA Server/Configuration page.
 * ipaconfigstring
 * ipaselinuxusermaporder
 * ipaselinuxusermapdefault

https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
2012-02-20 15:47:39 -06:00
Petr Voborník
a11f1bb2c2 Fixed problem when attributes_widget was displaying empty option
Attribute table was modified to skip creation of option for empty value.

https://fedorahosted.org/freeipa/ticket/2291
2012-02-20 15:47:32 -06:00
Simo Sorce
9942a29cab policy: add function to check lockout policy
Fixes: https://fedorahosted.org/freeipa/ticket/2393
2012-02-19 20:43:45 -05:00
Rob Crittenden
ffd39503c1 Limit the change password permission so it can't change admin passwords
We don't want those in the helpdesk role to be able to reset
administrators passwords.

https://fedorahosted.org/freeipa/ticket/2271
2012-02-20 19:38:49 +01:00
Petr Viktorin
efb37739ab Add common helper for interactive prompts
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or  KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.

The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.

A minor fix restores errors.py's ability print out the list of
errors when run as a script.
2012-02-19 20:23:20 -05:00
Petr Viktorin
8125c11a8d Add extra checking function to XMLRPC test framework
This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add
ability in test framework to compare two values in result)
in a general way: adding an optional extra_check key to the test
dict, so a custom checking function with access to the whole result
can be called.

The particular test mentioned in that issue, checking that the
uidnumber and gidnumber for new isers are the same, is added.

Also, this adds a docstring to the Declarative class.

And finally, the test dictionary is passed to check() via keyword
arguments, preventing spelling mistakes in keys from going unnoticed.
2012-02-19 20:10:46 -05:00
Petr Viktorin
af233fbda1 Make ipausers a non-posix group on new installs
https://fedorahosted.org/freeipa/ticket/2238

It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.

This is for new installs only.
2012-02-19 19:48:03 -05:00
Martin Kosek
e10af0b764 Ease zonemgr restrictions
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.

This patch also fixes default zonemgr value in help texts and man
pages.

https://fedorahosted.org/freeipa/ticket/2272
2012-02-20 15:34:45 +01:00
Simo Sorce
8ec98dfcae ipa-kdb: Fix ACL evaluator
Fixes: https://fedorahosted.org/freeipa/ticket/2343
2012-02-20 10:48:59 +01:00
Rob Crittenden
dc5592af1d Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.
https://fedorahosted.org/freeipa/ticket/2118
2012-02-15 23:43:08 -05:00
Simo Sorce
2e2b0c13e2 Require krb5 1.10 2012-02-16 14:45:38 -05:00
Simo Sorce
d5e4bd5c59 Remove compat defines
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
2012-02-16 14:45:23 -05:00
Rob Crittenden
65f40aeb8d Use FQDN in place of FQHN for consistency in sub_dict.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
2012-02-15 20:27:34 -05:00
Rob Crittenden
cf35dfa2bc Configure ipa_memcached when a replica is installed.
https://fedorahosted.org/freeipa/ticket/2401
2012-02-16 18:45:14 +01:00
Rob Crittenden
b9bc99e43a Enable ipa_memcached when upgrading
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.

Also uninstall ipa_memcached when uninstalling the server.

https://fedorahosted.org/freeipa/ticket/2399
2012-02-16 14:43:08 +01:00
Simo Sorce
0c6e047128 ipa-kdb: set krblastpwdchange only when keys have been effectively changed 2012-02-15 04:51:15 -05:00
Simo Sorce
c3c59ce15c ipa-kdb: Avoid lookup on modify if possible
This avoids one useless search if we already have the entry_dn.
2012-02-15 04:50:57 -05:00
Rob Crittenden
0eb56656e0 Disable false pylint error in freeipa-systemd-upgrade 2012-02-15 00:26:18 -05:00
Rob Crittenden
1df314d3bf Add S4U2Proxy delegation permissions on upgrades
https://fedorahosted.org/freeipa/ticket/2396
2012-02-15 18:00:46 +01:00
Rob Crittenden
08413612d4 Remove Apache ccache on upgrade.
Make this removal a common function that can be shared between installer
and upgrade tool.

https://fedorahosted.org/freeipa/ticket/2395
2012-02-15 17:31:24 +01:00
Rob Crittenden
f2da73e367 Correct update syntax in 30-s4u2proxy.update
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.

https://fedorahosted.org/freeipa/ticket/2147
2012-02-15 17:27:05 +01:00