Commit Graph

392 Commits

Author SHA1 Message Date
Tomas Babej
b65b74890b idviews: Create basic idview plugin structure
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
be36525dc5 idviews: Add ipaAssignedIDVIew reference to the host object
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
David Kupka
cd9a4cca1f Do not require description in UI.
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.

https://fedorahosted.org/freeipa/ticket/4387

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-29 12:53:43 +02:00
Martin Basti
239adf9de4 DNS: autofill admin email
Admins email (SOA RNAME) is autofilled with value 'hostmaster'. Bind
will automaticaly append zone part.

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Martin Basti
7bc17bb852 Deprecation of --name-server and --ip-address option in DNS
Option --name-server is changing only SOA MNAME, this option has no more
effect to NS records

Option --ip-addres is just ignored

A warning message is sent after use these options

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Tomas Babej
1f8f762b84 ipalib: host_del: Extend LDAPDelete's takes_options instead of overriding
The host-del command did not accept --continue option, since the
takes_options was overriden and did not take the options from LDAPDelete.

Fix the behaviour.

https://fedorahosted.org/freeipa/ticket/4473

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-17 09:36:27 +02:00
Petr Viktorin
8fabd6dde1 Support delegating RBAC roles to service principals
https://fedorahosted.org/freeipa/ticket/3164

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-08-21 14:07:01 +02:00
Petr Viktorin
ab5edd0e45 Update API.txt
Additional fix for https://fedorahosted.org/freeipa/ticket/4323
2014-07-28 15:21:55 +02:00
Martin Basti
2637116eab Allow to add managed permission for reverse zones
Ticket: https://fedorahosted.org/freeipa/ticket/4422
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 16:10:33 +02:00
Tomas Babej
9bf29c270d ipalib: Use DateTime parameter class for OTP token timestamp attributes
For ipatokennotbefore and ipatokennotafter attributes use DateTime
parameter class instead of Str, since these are represented as
LDAP Generalized Time in LDAP.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-04 08:17:37 +02:00
Martin Basti
30551a8aa3 Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0 Remove NSEC3PARAM record
Revert 5b95be802c

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
12cb31575c DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Nathaniel McCallum
0d21937995 Add otptoken-sync command
This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:15:18 +02:00
Nathaniel McCallum
2767fb584a Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:10:16 +02:00
Petr Vobornik
2df6542232 ipa-passwd: add OTP support
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Tomas Babej
a228d7a3cb sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Martin Basti
2229e89bbb Digest part in DLV/DS records allows only heaxadecimal characters
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:03 +02:00
Martin Basti
7cdc4178b0 DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
48865aed5f DNSSEC: remove unsuported records
Removed SIG, NSEC, KEy, RRSIG records

Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:39 +02:00
Martin Basti
49068ade92 Separate master and forward DNS zones
Forward zones are stored in idnsforwadzone objectclasses.

design: http://www.freeipa.org/page/V4/Forward_zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Martin Basti
fa21899529 PTR record target can be relative
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:33 +02:00
Martin Basti
a4d3d01f3f Modified records and zone parameters to use DNSNameParam
* Zone is stored as an absolute name (ipa never support relative
* zonenames)
* compatible with relative zone names as was before
* PTR target can be relative domain name

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Martin Basti
e70f88c696 Modified has_output attributes
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Martin Basti
d0cf1f3e94 get_ancestors_primary_keys clone
Fix: classes didnt inherite params from parent correctly

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Martin Basti
7625c02844 dns_name_values capability added
Added capability to transfer DNSName type between server and client

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169i

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Petr Viktorin
8b7daf675e dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone
Part of the work for: https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-28 15:58:24 +02:00
Nathaniel McCallum
5afa3c1815 Only specify the ipatokenuniqueid default in the add operation
Specifying the default in the LDAP Object causes the parameter to be specified
for non-add operations. This is especially problematic when performing the
modify operation as it causes the primary key to change for every
modification.

https://fedorahosted.org/freeipa/ticket/4227

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-05-23 11:50:23 +03:00
Tomas Babej
edb5a0c534 ipalib: Expose krbPrincipalExpiration in CLI
Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 19:01:04 +03:00
Tomas Babej
1df696f543 ipalib: Add DateTime parameter
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.

In the CLI, accepts one of the following formats:
    Accepts LDAP Generalized time without in the following format:
       '%Y%m%d%H%M%SZ'

    Accepts subset of values defined by ISO 8601:
        '%Y-%m-%dT%H:%M:%SZ'
        '%Y-%m-%dT%H:%MZ'
        '%Y-%m-%dZ'

    Also accepts above formats using ' ' (space) as a separator instead of 'T'.

As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.

Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 18:57:29 +03:00
Jan Cholasta
4314d02fbf Allow primary keys to use different type than unicode.
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.

This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Adam Misnyovszki
8b91d9a6e8 automember rebuild nowait feature added
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.

https://fedorahosted.org/freeipa/ticket/4239

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-09 13:45:32 +02:00
Adam Misnyovszki
0f626a9cc8 Extending user plugin with inetOrgPerson fields
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber

carlicenseplate is now multivalued

https://fedorahosted.org/freeipa/ticket/4165

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-03-28 12:38:50 +01:00
Petr Viktorin
1df9b5836a Allow modifying permissions with ":" in the name
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.

Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.

(* modify/delete have unrelated restrictions on managed permissions)

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
801b2fd458 permission CLI: rename --permissions to --right
The old name is kept as a deprecated alias.

https://fedorahosted.org/freeipa/ticket/4231

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-21 12:49:21 +01:00
Petr Viktorin
254c82727f permission CLI: Rename filter to rawfilter, extratargetfilter to filter
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
3120a6833e permission plugin: Output the extratargetfilter virtual attribute
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it

Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.

Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.

Write support will be added in a subsequent patch.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Nathaniel McCallum
21ff4f920e Rework how otptoken defaults are handled
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.

Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Petr Viktorin
00d6b529c9 Update API.txt
This fixes commit be7b1b94e3
https://fedorahosted.org/freeipa/ticket/4163
2014-02-25 16:31:30 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Petr Viktorin
78b657b02d Add permission_filter_objectclasses for explicit type filters
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Petr Viktorin
4a64a1f18b Allow anonymous and all permissions
Disallow adding permissions with non-default bindtype to privileges

Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
2014-01-07 09:56:41 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Petr Viktorin
acede580e1 Remove default from the ipapermlocation option
The value from my machine ended up wired into API.txt,
so builds on other machines would fail.

Correct the mistake.
2013-12-13 16:32:39 +01:00
Petr Viktorin
f47669a5b9 Verify ACIs are added correctly in tests
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
2013-12-13 15:08:52 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Martin Basti
efffcfdbc2 migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243
2013-12-02 13:30:12 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00
Ana Krivokapic
d97386de5b Add automember rebuild command
Add a new command to IPA CLI: ipa automember-rebuild

The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.

Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Nathaniel McCallum
3f85f09a83 Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
2013-11-08 12:48:15 +01:00
Sumit Bose
b5e60c2020 Remove AllowLMhash from the allowed IPA config strings
Fixes https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Alexander Bokovoy
0b29bfde0d trusts: support subdomains in a forest
Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Ana Krivokapic
196c4b5f53 Fix tests which fail after ipa-adtrust-install
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852
2013-08-28 16:45:57 +02:00
Tomas Babej
69394bab5a Remove support for IPA deployments with no persistent search
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
2013-08-09 12:14:42 +02:00
Ana Krivokapic
6e28e709ed Add new command compat-is-enabled
Add a new API command 'compat-is-enabled' which can be used to determine
whether Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:43 +02:00
Tomas Babej
f954f2d1b9 Limit pwpolicy maxlife to 20000 days
Since krbMaxPwdLife attribute is represented as number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result to overflow when parsing this attribute in kdb plugin,
and hence default maxlife of 90 days would be applied.

Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).

https://fedorahosted.org/freeipa/ticket/3817
2013-08-05 17:50:31 +02:00
Tomas Babej
17c7d46c25 Use AD LDAP probing to create trusted domain ID range
When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.

For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
2013-07-23 16:24:33 +03:00
Jan Cholasta
b7f10d9fe6 Add new hidden command option to suppress processing of membership attributes.
https://fedorahosted.org/freeipa/ticket/3706
2013-07-23 13:13:54 +02:00
Tomas Babej
e4437a3e7f Add --range-type option that forces range type of the trusted domain
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.

When --range-type option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
2013-07-11 12:39:28 +03:00
Martin Kosek
77ae4da706 Remove entitlement support
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739
2013-06-26 14:11:42 +02:00
Ana Krivokapic
91a5d3349b Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.

Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.

Add tests to cover the new functionality

https://fedorahosted.org/freeipa/ticket/3634
2013-06-24 14:30:06 +02:00
Tomas Babej
d2b943f08b Extend idrange commands to support new range origin types
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:

 'ipa-local': 'local domain range'
 'ipa-ad-winsync': 'Active Directory winsync range'
 'ipa-ad-trust': 'Active Directory domain range'
 'ipa-ad-trust-posix': 'Active Directory trust range with
                        POSIX attributes'
 'ipa-ipa-trust': 'IPA trust range'

Part of https://fedorahosted.org/freeipa/ticket/3647
2013-06-10 12:27:34 +03:00
Ana Krivokapic
b1321e95d7 Deprecate options --dom-sid and --dom-name in idrange-mod
https://fedorahosted.org/freeipa/ticket/3636
2013-05-31 14:21:12 +02:00
Alexander Bokovoy
03cdc22c94 Resolve SIDs in Web UI
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.

The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.

Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.

Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They all sent within the single request to the server.

https://fedorahosted.org/freeipa/ticket/3302
2013-05-06 20:44:00 +02:00
Martin Kosek
5af2e1779a Add userClass attribute for hosts
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
2013-04-26 10:20:17 -04:00
Ana Krivokapic
b8b573a966 Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.

Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).

https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Ana Krivokapic
ff52c25ae2 Fix output for some CLI commands
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.

https://fedorahosted.org/freeipa/ticket/3503
2013-04-11 15:57:45 +02:00
Petr Vobornik
e64db8cbc2 Filter groups by type (POSIX, non-POSIX, external)
Added flag for each groups type: --posix, --nonposix, --external to group-find command.

Group types:
* non-POSIX: not posix, not external
* POSIX: with objectclass posixgroup
* external: with objectclass ipaexternalgroup

https://fedorahosted.org/freeipa/ticket/3483
2013-04-09 19:00:30 +02:00
Jan Cholasta
5f26d2c6db Add Kerberos ticket flags management to service and host plugins.
https://fedorahosted.org/freeipa/ticket/3329
2013-03-29 16:34:46 +01:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Sumit Bose
331856b13c Allow 'nfs:NONE' in global configuration
This patch adds 'nfs:NONE' as an allowed entry for the global
authorization data type in the CLI and WebUI. This is an ad-hoc solution
to make sure that the new default value for the NFS service is not
removed by chance.

This patch should be removed if a more generic solution is implemented
to modify service:TYPE style values of the authorization data type.

https://fedorahosted.org/freeipa/ticket/2960
2013-03-08 10:46:00 +01:00
Petr Viktorin
42300eb55b Rename the "messages" Output of the i18n_messages command to "texts"
This is to prevent a fatal name clash wih the new common "messages" Output.

Since i18n_messages is an internal plugin, the change does not affect
our public API.
2013-02-21 16:26:09 +01:00
Petr Viktorin
24bca144a8 Add client capabilities, enable messages
The API version the client sends can now be used to check what the client
expects or is capable of.

All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.

The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.

If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)

Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.

Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
2013-02-21 16:26:09 +01:00
Petr Viktorin
7336a176b4 Add the version option to all Commands
Several Commands were missing the 'version' option. Add it to those
that were missing it.

Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.

When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).

Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).

Design page: http://freeipa.org/page/V3/Messages
Tickets:
  https://fedorahosted.org/freeipa/ticket/2732
  https://fedorahosted.org/freeipa/ticket/3294
2013-02-21 16:26:09 +01:00
Rob Crittenden
462beacc9d Implement the cert-find command for the dogtag CA backend.
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.

dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.

The search operation is unauthenticated

Design page: http://freeipa.org/page/V3/Cert_find

https://fedorahosted.org/freeipa/ticket/2528
2013-02-19 11:52:33 -05:00
Ana Krivokapic
3253a30541 Add list of domains associated to our realm to cn=etc
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:15:46 +02:00
Tomas Babej
559a87017a Add option to specify SID using domain name to idrange-add/mod
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133
2013-02-18 16:37:07 +01:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Martin Kosek
67d8b434c5 Add trusconfig-show and trustconfig-mod commands
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.

Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/3333
2013-02-11 15:38:22 +01:00
Petr Viktorin
fa6be6d8db Sort Options and Outputs in API.txt
Python does not guarantee dict order. Our reliance on it in `makeapi`
is technically incorrect, even if it doesn't matter yet in any of our
developers' environments.
This patch sorts the options by name instead of relying on dict order.

As an added benefit, future API.txt diffs should be be neater.
2012-12-12 14:10:47 +01:00
Tomas Babej
7f27a18b51 Relax restriction for leading/trailing whitespaces in *-find commands
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.

https://fedorahosted.org/freeipa/ticket/2981
2012-12-11 12:34:28 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Jan Cholasta
46ad724301 Use OpenSSH-style public keys as the preferred format of SSH public keys.
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.

Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.

Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.

ticket 2932, 2935
2012-09-06 19:11:57 -04:00
Sumit Bose
67b47a65f2 IDRange CLI: allow to work without arguments
Fixes https://fedorahosted.org/freeipa/ticket/2999
2012-09-07 16:50:35 +02:00
Sumit Bose
377e1267b7 Rename range CLI to idrange 2012-09-07 16:50:35 +02:00
Martin Kosek
1915c2d4dd Cast DNS SOA serial maximum boundary to long
This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.
2012-09-07 15:40:00 +02:00
Martin Kosek
6abe476459 Fix DNS SOA serial parameters boundaries
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).

https://fedorahosted.org/freeipa/ticket/2568
2012-09-06 14:57:48 +02:00
Sumit Bose
59df038f87 trust CLI: add ID range for new trusted domain 2012-08-15 23:41:17 -04:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Jan Cholasta
9bfa905e72 Add --{set,add,del}attr options to commands which are missing them.
ticket 2963
2012-08-03 10:18:30 +02:00
Rob Crittenden
fb817d3401 Add per-service option to store the types of PAC it supports
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
2012-08-01 16:15:51 +02:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Rob Crittenden
50ebd1a339 Add missing option to range_add in API.txt
Fix build
2012-06-30 19:58:00 -04:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Alexander Bokovoy
a5cb1961fe Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-25 18:16:15 +02:00
Simo Sorce
f602ad270d Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
2012-06-06 22:12:22 -04:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Martin Kosek
d31f0c2d33 Improve migration NotFound error
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.

User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.

https://fedorahosted.org/freeipa/ticket/2206
2012-06-05 08:51:30 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Martin Kosek
5b465811ce Add rename option for DNS records
This option will make renaming DNS records much easier.
Add a unit test for this new functionality.

https://fedorahosted.org/freeipa/ticket/2600
2012-05-31 12:45:47 +02:00
Petr Viktorin
1af36da933 Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580
2012-05-29 09:23:26 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Ondrej Hamada
343aba2486 Allow one letter net/hostgroups names
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
2012-05-07 08:35:11 +02:00
John Dennis
d317c2a0d1 Validate DN & RDN parameters for migrate command
Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.
2012-04-16 08:35:03 +02:00
Petr Viktorin
e1813976a5 Remove pattern_errmsg from API.txt
https://fedorahosted.org/freeipa/ticket/2619
2012-04-12 15:05:54 +02:00
Petr Viktorin
6e5c8b25bf Limit permission and selfservice names to alphanumerics, -, _, space
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.

https://fedorahosted.org/freeipa/ticket/2585
2012-04-09 20:56:29 -04:00
Jan Cholasta
cdebb29fec Check whether the default user group is POSIX when adding new user with --noprivate.
ticket 2572
2012-04-05 15:04:45 +02:00
Rob Crittenden
51b34d5c42 Make revocation_reason required when revoking a certificate.
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.

https://fedorahosted.org/freeipa/ticket/2597
2012-04-05 08:51:30 +02:00
Rob Crittenden
a5a4323946 Add updated Output format for batch to API.txt
This doesn't require bumping VERSION, it just makes list and tuple
both allowable
2012-04-03 17:17:41 -04:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Martin Kosek
9b562f7377 Add missing global options in dnsconfig
Add a support for new global options in bind-dyndb-ldap, that is:
 * idnsforwardpolicy: Default policy for conditional forwarding
 * idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
   updates
 * idnszonerefresh: Default interval between regular polls of the
   name server for new DNS zones

https://fedorahosted.org/freeipa/ticket/2439
2012-03-20 15:40:08 +01:00
Rob Crittenden
763265f28e Fix API.txt and VERSION to reflect new sudoOrder option. 2012-03-01 22:24:26 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Rob Crittenden
d5c9f7bcaa Add status command to retrieve user lockout status
This information is not replicated so pull from all IPA masters
and display the status across all servers.

https://fedorahosted.org/freeipa/ticket/2162
2012-03-02 16:28:54 +01:00
Ondrej Hamada
73249140fc Migration warning when compat enabled
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
2012-02-29 18:30:03 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
Rob Crittenden
7d7322de2e Limit allowed characters in a netgroup name to alpha, digit, -, _ and .
Apply this to hostgroup names as well since they can be linked.

https://fedorahosted.org/freeipa/ticket/2221
2012-02-27 00:06:44 -05:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

Few modification were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Martin Kosek
16d88d79ad Add gidnumber minvalue
Do not accept invalid GID values in IPA user/group plugins.

https://fedorahosted.org/freeipa/ticket/2335
2012-02-23 21:00:15 -05:00
Martin Kosek
1c898e388b Add API for PTR sync control
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.

As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.

This patch adds an API for this control.

https://fedorahosted.org/freeipa/ticket/2176
2012-02-24 09:40:51 +01:00
Martin Kosek
210d913eb1 Add DNS conditional forwarding
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.

https://fedorahosted.org/freeipa/ticket/2108
2012-02-24 09:40:47 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Petr Viktorin
d706c411ef Honor default home directory and login shell in user_add
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.

https://fedorahosted.org/freeipa/ticket/2332

The login shell had the same problem. Again this patch removes the
client-side default and adds a test.

Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
2012-02-09 18:11:57 +01:00
Rob Crittenden
44c69ef33e Make ipaconfigstring modifiable by users.
Convert from a freeform string into a enumeration.

Only values currently allowed are AllowLMhash and AllowNThash.

To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.

https://fedorahosted.org/freeipa/ticket/1433
2012-02-09 08:29:09 +01:00
Martin Kosek
f411ed1e47 Add data field for A6 record
Since A6 is an obsolete RR type, no DNS part option was created.
This is, however, not consistent with the rest of per-type API
and may cause problems. This patch adds at least a DNS part for
raw A6 record data so that the record type is treated consistently.

This patch also fixes interactive mode for A6 records. Their data
were not detected correctly as dnsrecord_add didn't expect
a number in DNS part option name.

https://fedorahosted.org/freeipa/ticket/2309
2012-02-03 16:26:20 +01:00
Martin Kosek
cb4b2e6fac Fix NSEC record conversion
NSEC record needs special treatment as it is not composed from
a fixed set of DNS parts divided by space, but it contains
a multivalued DNS part "types" containing a list of RR types
it covers.

There was already a special method for parsing raw NSEC record
to DNS parts, but the other direction was missing. This patch
adds special NSEC convertor to fix this issue.

https://fedorahosted.org/freeipa/ticket/2307
2012-02-03 16:25:26 +01:00
Martin Kosek
0b9279a30a Add missing managing hosts filtering options
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
  --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
  --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
    in HOSTS are returned

https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 10:17:39 -06:00
Rob Crittenden
52e3488b75 Add support for storing MAC address in host entries.
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.

It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>

I tested nslcd and it only returned one macaddress value.

https://fedorahosted.org/freeipa/ticket/1132
2012-01-26 14:11:33 +01:00
Martin Kosek
092dd8db12 Replace float with Decimal
Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
help overcome these issues.

This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.

In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.

https://fedorahosted.org/freeipa/ticket/2260
2012-01-20 08:13:44 +01:00
Martin Kosek
7f6c9ac04c Add missing --pkey-only option for selfservice and delegation
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.

Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."

https://fedorahosted.org/freeipa/ticket/2092
2012-01-16 20:08:13 +01:00
Alexander Bokovoy
1e04e9f029 Allow hbactest to work with HBAC rules exceeding default IPA limits
When multiple HBAC rules are defined, IPA default limits to retrieve
objects may limit the scope of HBAC testing. To allow full range of rules
to be tested support for --sizelimit option is added.

In addition, when --rules option is specified, make sure only those rules
are retrieved regardless total number of rules defined. This should also
speed up HBAC test performance for real life scenarios when few new rules
are added to large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230
2012-01-13 18:22:57 +02:00
Martin Kosek
485c3bb897 Fix maxvalue in DNS plugin
Having a Parameter maxvalue larger that 2G makes Python convert it
to "long" type instead of "int" type. Our framework than fails to
bootstrap the API when it detects long integer in Parameter
maxvalue.

Remove the clashing maxvalue out entirely as we can't transfer
values larger than 2G anyway (xmlrpc limitation).

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 17:15:00 +01:00
Martin Kosek
a22620c832 Create per-type DNS API
Use new structured DNSRecord parameters to generate per-type API
for all supported DNS RR types. This should help significantly
the end-user with manipulating complex DNS record type (MX, LOC,
etc.).

All enhancements are integrated to current DNS record commands:

1) dnsrecord-add
  - Records can be either entered as a raw value (e.g. --mx-rec=
    "1 srv1.example.com" for MX record) or per-part:
    --mx-preference=1 --mx-exchanger=srv1.example.com
  - CLI interactive help behavior was changed. It will ask for
    a record type and then ask for all DNS record part values
    (e.g. MX Preference value, MX Exchanger value).

2) dnsrecord-mod
  - This command can now operate in 2 modes. When only a raw DNS
    record is entered (e.g. --mx-rec="1 srv1.example.com") it
    operates in standard mode and replaces any previous mxrecord
    value with the --mx-rec value.

    When any structured parameter (e.g. --mx-preference) is passed
    it modifies just the specified parts of one mxrecord value
    referred by --mx-rec:
      --mx-rec="1 srv1.example.com" --mx-preference=2
  - New interactive help has been implemented. It will ask for a
    record to be modified (in the same manner as dnsrecord-del)
    and then let user change DNS record part(s) for chosen
    records.

3) All dnsrecord-* commands have now --structured option
  - When this option is passed, instead of displaying raw DNS values
    all DNS records are parsed and displayed per-part. Example:

$ ipa dnsrecord-show example.com @ --structured
  Record name: @
  Records:
    Record type: MX
    Record data: 0 server1.example.com.
    MX Preference: 0
    MX Exchanger: server1.example.com.

    Record type: NS
    Record data: ns1.example.com.
    NS Hostname: ns1.example.com.

All API changes are compatible with clients without this patch.

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 09:44:00 +01:00
Martin Kosek
52ea3a6b29 Refactor dnsrecord processing
Current DNS record processing architecture has many flaws,
including custom execute() methods which does not take advantage
of base LDAP commands or nonstandard and confusing DNS record
option processing.

This patch refactors DNS record processing with the following
improvements:
 * Every DNS record has now own Parameter type. Each DNS record
   consists from one or more "parts" which are also Parameters.
   This architecture will enable much easier implementation of
   future per-DNS-type API.
 * Validation is now not written as a separate function for
   every parameter but is delegated to DNS record parts.
 * Normalization is also delegated to DNS record parts.
 * Since standard LDAP base commands execute method is now used,
   dnsrecord-add and dnsrecord-mod correctly supports --setattr
   and --addattr options.
 * In order to prevent confusion unsupported DNS record types
   are now hidden. They are still present in the plugin so that
   old clients receive proper validation error.

The patch also contains several fixes:
 * Fix domain-name validation and normalization- allow domain
   names that are not fully qualified. For example --cname-rec=bar
   is a valid domain-name for bind which will translate it then
   as bar.<owning-domain>. This change implies, that fully qualified
   domain names must end with '.'.
 * Do not let user accidentally remove entire zone with command
   "ipa dnsrecord-del @ --del-all".
 * Fix --ttl and --class option processing in dnsrecord-add and
   dnsrecord-mod.

All API changes are compatible with clients without this patch.

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 09:43:05 +01:00
Ondrej Hamada
0e037f24ce HBAC test optional sourcehost option
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
2012-01-09 08:49:10 +02:00
Ondrej Hamada
da4b4fc4d9 User-add random password support
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.

Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).

I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.

https://fedorahosted.org/freeipa/ticket/1979
2011-12-12 00:17:07 -05:00
Rob Crittenden
55512dc938 Add SELinux user mapping framework.
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.

https://fedorahosted.org/freeipa/ticket/755
2011-12-09 16:46:25 +02:00
Endi S. Dewata
8f642bbe08 Added commands into metadata.
The json_metadata command has been modified to accept some new
options and return the commands metadata. The API.txt has been
updated as well. The UI has been modified to use commands metadata
instead of methods metadata.

Ticket #388
2011-12-06 22:07:35 +00:00
Rob Crittenden
181e6da9d8 Mark some attributes required to match the schema.
This makes no changes to the functionality in the command-line or
GUI because these all have defaults anyway. This is mostly to show
them properly in the UI and prevent someone from trying to erase the
value (and getting a nasty schema error in response).

https://fedorahosted.org/freeipa/ticket/2015
2011-12-05 22:29:02 -05:00
Jan Cholasta
135ccf89de Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.

Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.

ticket 2007
2011-11-30 17:08:35 +01:00
Martin Kosek
1b0b9645d1 Add --delattr option to complement --setattr/--addattr
Add a --delattr option to round out multi-valued attribute
manipulation. The new option is available for all LDAPUpdate based
commands. --delattr is evaluated last, it can remove any value
present either in --addattr/--setattr option or in current LDAP
object.

--*attr processing was completely refactored and placed to one
independent function available for all baseldap commands. For this
purpose a missing common base class for all baseldap commands has
been implemented. The new class should serve not only for --*attr
processing but also for other common baseldap methods and
attributes.

This approach will also benefit other custom commands based neither
on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr
option processing when needed.

https://fedorahosted.org/freeipa/ticket/1929
2011-11-29 10:08:28 +01:00
Martin Kosek
16b18135d9 Remove redundant information from API.txt
Some Param or Output attributes do not cause API incompatibility
(e.g. doc, label or callables) and does not need to be included
in API.txt. When these attributes are modified, a lot of bogus
changes may get in API.txt - making the real API changes less
detectable.

https://fedorahosted.org/freeipa/ticket/2107
2011-11-15 18:35:28 +01:00
Martin Kosek
2a3a4ae64a Fix LDAP object parameter encoding
Parameters in LDAP objects missed an information if they are real
LDAP attributes or not. Real LDAP attributes are written to
entry_attrs dictionary in plugin callbacks and are being encoded.
This causes issues when plugin callbacks does not expect that
the parameters values are already encoded for submission to LDAP.

This patch introduces a new flag "noattribute" used to mark that
a parameter is not an LDAP attribute and thus should not be encoded
or added to entry_attrs. Param documentation is improved to describe
the meaning of this and other Param flags or attributes.

https://fedorahosted.org/freeipa/ticket/2097
2011-11-15 13:17:44 +01:00
Martin Kosek
0f34e0bf82 Fix API.txt
Fix a post-makeapi change in one option's label in commit
62c110a3b8

https://fedorahosted.org/freeipa/ticket/1906
2011-11-14 10:26:23 +01:00
Martin Kosek
62c110a3b8 Polish ipa config help
Remove config-mod options help from config module help to keep the
option doc on one place and without unnecessary redundancy. The new
format is more consistent with the rest of the plugins. Also fix
several inconsistencies in the labels/doc, including:
- using abbreviation when not needed
- using '.' at the end of options help

https://fedorahosted.org/freeipa/ticket/1906
2011-11-10 20:18:40 -05:00
Martin Kosek
efc3e2c1f7 Improve DNS record data validation
Implement missing validators for DNS RR types so that we can capture
at least basic user errors. Additionally, a normalizer creating
a fully-qualified domain name has been implemented for several RRs
where name server may mis-interpret the domain name otherwise.

Unit tests exercising these new validators for the most common
RR types have been added. This patch also consolidates hard-coded
values in DNS test to one place.

https://fedorahosted.org/freeipa/ticket/1106
2011-11-10 18:48:41 -05:00
Martin Kosek
843c0787b7 Fix DNS zone --allow-dynupdate option behavior
--allow-dynupdate was implemented as a Flag parameter type, which
is not convenient for LDAP attributes. When a DNS zone with
permitted dynamic updates was modified and the --allow-dynupdate
flag was not set, dynamic updates were turned off.

This patch changes the option type to Bool parameter type which
behaves according to user expectations when modifying the zone.

https://fedorahosted.org/freeipa/ticket/2039
2011-11-09 15:31:50 +01:00
Martin Kosek
a486f49a37 Create pkey-only option for find commands
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.

This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.

https://fedorahosted.org/freeipa/ticket/1262
2011-10-27 14:17:51 +00:00
Martin Kosek
b26d0dcc04 Add --zonemgr/--admin-mail validator
Do at least a basic validation of DNS zone manager mail address.

Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.

https://fedorahosted.org/freeipa/ticket/1966
2011-10-26 08:52:50 +02:00
Martin Kosek
2aa63fe4a9 Improve handling of GIDs when migrating groups
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.

Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.

https://fedorahosted.org/freeipa/ticket/1866
2011-10-11 23:24:00 -04:00
Rob Crittenden
bd227b3562 Require current password when using passwd to change your own password.
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
2011-10-04 15:16:15 +02:00
Rob Crittenden
8cf8870d3d Add regular expression pattern to host names.
Limit hostnames to letters, digits and - with a maximum length of 255

https://fedorahosted.org/freeipa/ticket/1780
2011-09-27 16:08:26 +02:00
Rob Crittenden
a1430dcb2c Normalize uid in user principal to lower-case and do validation
Use same normalization and validation in passwd plugin and add some
tests for invalid principals

https://fedorahosted.org/freeipa/ticket/1778
2011-09-22 15:41:19 +02:00
Rob Crittenden
29ec63c381 Skip the cert validator if the csr we are passed in is a valid filename
The validator will still fire, just after the load_files() call. Basically
it will hit the validator twice. The first time it will exit because the
value of csr is a filename. The second time it will run the validator against
the contents of the file.

ticket https://fedorahosted.org/freeipa/ticket/1777
2011-09-14 18:27:05 +02:00
Rob Crittenden
5ddc027d7f Remove normalizer that made role, privilege and permission names lower-case
https://fedorahosted.org/freeipa/ticket/1747
2011-09-12 16:51:25 -04:00
Jr Aquino
d05ace8fba 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
2011-08-31 09:49:43 +02:00
Rob Crittenden
e52f652873 Add netgroup as possible memberOf for hostgroups
https://fedorahosted.org/freeipa/ticket/1563
2011-08-29 21:29:16 -04:00
Rob Crittenden
1936b8050e Add option to only prompt once for passwords, use in entitle_register
A Password param always prompted to confirm the entered password.
This doesn't make sense if you want to prompt for a password to another
system like we do with entitlements. This adds a new boolean option to
control the Password prompt parameter.

https://fedorahosted.org/freeipa/ticket/1695
2011-08-24 15:25:53 -04:00
Martin Kosek
d28f1c3b7c Fix automountkey-mod
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.

Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.

Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.

https://fedorahosted.org/freeipa/ticket/1528
2011-08-18 20:35:12 -04:00
Martin Kosek
07837082f4 Hide continue option from automountkey-del
This option makes no sense for automount keys. This should be
removed in future versions.

https://fedorahosted.org/freeipa/ticket/1529
2011-08-02 02:16:54 -04:00
Rob Crittenden
d8c479731e Deprecated managing users and runas user/group in sudorule add/mod
We have helpers to manage these values so they shouldn't be available
via add/mod. There is no logic behind them to do the right thing.

https://fedorahosted.org/freeipa/ticket/1307
https://fedorahosted.org/freeipa/ticket/1320
2011-07-29 15:40:01 +02:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Rob Crittenden
abb5ee22d2 Autofill the default revocation reason
https://fedorahosted.org/freeipa/ticket/1514
2011-07-22 08:57:31 +02:00
Rob Crittenden
506cbaa1fb Hide the HBAC access type attribute now that deny is deprecated.
It won't appear in the UI/CLI but is still available via XML-RPC.
allow is the default and deny will be rejected.

https://fedorahosted.org/freeipa/ticket/1495
2011-07-21 01:11:45 -04:00
Jan Cholasta
b203756a88 Add ability to specify DNS reverse zone name by IP network address.
In order for this to work, chaining of parameters through
default_from is made possible.

ticket 1474
2011-07-15 02:21:23 -04:00
Rob Crittenden
bea7818add Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.

https://fedorahosted.org/freeipa/ticket/1432
2011-07-14 19:23:17 -04:00
Rob Crittenden
9dfdf55034 In sudo labels we should use RunAs and not Run As.
https://fedorahosted.org/freeipa/ticket/1328
2011-07-14 19:18:02 -04:00
Martin Kosek
0cb65fd9f6 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
2011-07-13 15:06:13 +02:00
Endi S. Dewata
b2c5b2b4b5 Fixed object_name and object_name_plural internationalization
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.

Ticket #1435
2011-07-12 16:33:08 -04:00
Martin Kosek
e6c68e9993 Add DNS record modification command
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
 - modify a DNS record value (note than DNS record can hold multiple values
   and those will be overwritten)
 - remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137
2011-07-12 14:20:16 -04:00
Rob Crittenden
3a5e26a01c Enforce class rules when query=True, continue to not run validators.
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.

I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.

https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2011-07-11 18:43:32 -04:00
Adam Young
a38ad1d433 password expiration label 2011-07-05 18:00:05 -04:00
Endi S. Dewata
6083df1b02 Fixed object_name usage.
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.

Ticket #1217
2011-07-05 16:19:10 -04:00
Adam Young
9d8ddb5d46 config widgets entity select default group checkbox for migration 2011-06-30 22:26:19 -04:00
Jan Cholasta
67b807d640 Replace the 'private' option in netgroup-find with 'managed'.
The 'private' option is kept in to maintain API compatibility, but
is hidden from the user.

ticket 1120
2011-06-28 01:57:11 -04:00
Adam Young
eeed975bc6 ipaddress for host add
updated label triggered an API change
2011-06-20 20:53:15 -04:00
Jr Aquino
44cdf8ef54 Raise DuplicateEntry Error when adding a duplicate sudo option
https://fedorahosted.org/freeipa/ticket/1276
https://fedorahosted.org/freeipa/ticket/1277
https://fedorahosted.org/freeipa/ticket/1308

Added new Exception: AttrValueNotFound
Fixed XML Test for Sudorule remove_option
1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule)
1277 (Raise DuplicateEntry Error when adding a duplicate sudo option)
1308 (Make sudooption a required option for sudorule_remove_option)
2011-06-16 19:21:07 -04:00
Martin Kosek
058e3d0306 Add ignore lists to migrate-ds command
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.

This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.

Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).

https://fedorahosted.org/freeipa/ticket/1266
2011-06-15 08:36:32 +02:00
Rob Crittenden
bee4e6a85a Remove automountinformation as part of the DN for automount.
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.

So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.

Multiple direct maps are still supported and for those the info is
always required.

ticket 1229
2011-06-13 22:59:27 -04:00
Jr Aquino
d7c60205a6 Add sudorule and hbacrule to memberof and indirectmemberof attributes
Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170
2011-06-06 13:14:38 -04:00
Rob Crittenden
e91aa64d4a Include the word 'member' with autogenerated optional member labels.
There were reports of confusion over what was being prompted for, hopefully
adding member will make things clearer.

ticket 1062
2011-05-27 13:54:31 -04:00
Martin Kosek
dea578a357 A new flag to disable creation of UPG
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.

https://fedorahosted.org/freeipa/ticket/1131
2011-05-25 08:39:47 +02:00
Martin Kosek
72b56e4630 Remove doc from API.txt
Doc parts are not removed from the API completely. This leads to
unnecessary updates to API.txt when the option/argument documentation
is changed.

This patch replaces unreliable doc stripping function with a regular
expression. It works for all current doc strings (simple string or
GetText). The only limitation is that the RE supports only up to
2 levels of nested parentheses in doc string.

https://fedorahosted.org/freeipa/ticket/1057
2011-05-13 13:06:37 +02:00
Martin Kosek
bc6f9accd9 Need force option in DNS zone adder dialog
When adding a new DNS zone in the WebUI, IPA server will verify
whether the nameserver is in DNS. Sometimes it is necessary to
skip the verification.

This patch adds a --force option already available in CLI which
can skip this the verification.

https://fedorahosted.org/freeipa/ticket/1105
2011-04-21 19:03:38 +00:00
Rob Crittenden
740416c8fb Always ask members in LDAP*ReverseMember commands.
This changes the API but alwaysask is enforced on the client only
so doesn't change the wire API so I'm not updating the API version.

ticket 1081
2011-04-15 13:12:16 +02:00
Martin Kosek
c2350e756a Revert "Remove doc from API.txt"
This commit accidentaly slipped in (it was not ready for the
upstream).

This reverts commit 9915b93737.
2011-04-08 15:54:59 +02:00