The initial fix of ticket 5247 rejected renames, but left the option
behind for API compatibility. Remove the option now, according to
the consensus that because it never worked, it is fine to remove it.
Fixes: https://fedorahosted.org/freeipa/ticket/5247
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The form`raise Error, value` is deprecated in favor of `raise Error(value)`,
and will be removed in Python 3.
Use the new syntax.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, next() for iterators is a function rather than method.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, raw_input() was renamed to input().
Import the function from six.moves to get the right version.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, filter() returns an iterator.
Use list comprehensions instead.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
`ipa user-del` with `--preserve` option will now process multiple entries and
handle `--continue` option in a manner analogous to `ipa user-del` in normal
mode.
In addition, it is now no longer possible to permanently delete a user by
accidentally running `ipa user-del --preserve` twice.
https://fedorahosted.org/freeipa/ticket/5234https://fedorahosted.org/freeipa/ticket/5236
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g. ECDSA. The patch just renames the occurences to avoid more
confusion in the future.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
For bidirectional trust if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
formatting 'creds' object in Kerberos style.
For one-way trust we'll be fetching trust topology as TDO object,
authenticating with pre-created Kerberos credentials cache, so in all
cases we do use Kerberos authentication to talk to Active Directory
domain controllers over cross-forest trust link.
Part of trust refactoring series.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Fixes: https://fedorahosted.org/freeipa/ticket/5182
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch replaces 'stageuser-add --from-delete' with new command
user-stage.
Original way always required to specify first and last name, and
overall combination of options was hard to manage. The new command
requires only login of deleted user (user-del --preserve).
https://fedorahosted.org/freeipa/ticket/5041
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault-find plugin has two additional arguments to list all
service vaults or user vaults. Since the name of a vault is only unique
for a particular user or service, the commands also print the vault user
or vault service. The virtual attributes were added in rev
01dd951ddc.
Example:
$ ipa vault-find --users
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault user: admin
Vault name: UserVault
Type: standard
Vault user: admin
----------------------------
Number of entries returned 2
----------------------------
$ ipa vault-find --services
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL
Vault name: myvault
Type: standard
Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
----------------------------
Number of entries returned 2
----------------------------
https://fedorahosted.org/freeipa/ticket/5150
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.
The Dogtag profile has total control over what goes into the final
certificate and has the option to reject request based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA. Remove
the check.
Fixes: https://fedorahosted.org/freeipa/ticket/5205
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Deletion of predefined profiles, including the default profile,
should not be allowed. Detect this case and raise an error.
Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.
Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In the event of invocation of trust related commands, IPA server needs to
contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.
Properly detect the absence of the Samba instance and output
user-friendly
message which includes list of servers that are capable of running
the command, if such exist.
List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI
https://fedorahosted.org/freeipa/ticket/5165
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges is the same
- it's always DOMAIN.NAME_id_range.
When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.
Detect such domain collisions early and bail out with an appropriate
error message.
https://fedorahosted.org/freeipa/ticket/4549
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
usercertificate attr was moved from "System Modify Users" to this
new permission.
https://fedorahosted.org/freeipa/ticket/5177
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The reduce function is no longer a built-in in Python 3.
Importing it from functools works on both py2 and py3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The deprecated has_key method will be removed from dicts in Python 3.
For custom dict-like classes, has_key() is kept on Python 2,
but disabled for Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Python 3 uses double-underscored names for internal function attributes.
In Python 2.7, these names exist as aliases to the old 'func_*' and
'im_*' names.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
also show the message about the way UID/GID ranges are managed in FreeIPA in
the idrange-mod's help message
https://fedorahosted.org/freeipa/ticket/4826
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services
(Fixes ACI issue where search returns nothing when user does't have
read rights for an attribute in search_attributes.
https://fedorahosted.org/freeipa/ticket/5167
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.
Normalise both side of the comparison to ensure that the principal
names contain realm information.
Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.
Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.
Once the python-nss bug is fixed, this workaround should be
reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension. Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.
Also update cert-request to accept CSRs containing this extension.
Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames). Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).
Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The current error message upon a virutal command access denial does
not give any information about the virtual operation that was
prohibited. Add more information to the ACIError message.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch forces the user management CLI command to store certificates as
userCertificate;binary attribute. The code to retrieve of user information was
modified to enable outputting of userCertificate;binary attribute to the
command line.
The modification also fixes https://fedorahosted.org/freeipa/ticket/5173
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.
https://fedorahosted.org/freeipa/ticket/5171
Reviewed-By: Martin Basti <mbasti@redhat.com>
certprofile-import no longer requires profileId in profile data. Instead
the profile ID from the command line is taken and added to the profile
data internally.
If profileId is set in the profile, then it still has to match the CLI
option.
https://fedorahosted.org/freeipa/ticket/5090
Reviewed-By: Martin Basti <mbasti@redhat.com>
A user can pass file names for password, public and private key files to
the vault plugin. The plugin attempts to read from these files. If any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
* handle not found error
* return new DN
https://fedorahosted.org/freeipa/ticket/5145
Reviewed-By: David Kupka <dkupka@redhat.com>
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid
statement, the ipalib ACI parser was updated to handle this case.
https://fedorahosted.org/freeipa/ticket/5037
Reviewed-By: Martin Basti <mbasti@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces a objectclass check in idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to it's SID.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.
https://fedorahosted.org/freeipa/ticket/5146
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.
https://fedorahosted.org/freeipa/ticket/4969
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they dont have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes regression caused by cd3ca94ff2.
Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server
https://fedorahosted.org/freeipa/ticket/5133
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.
https://fedorahosted.org/freeipa/ticket/5038
Reviewed-By: David Kupka <dkupka@redhat.com>
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.
https://fedorahosted.org/freeipa/ticket/5120
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 62e8002bc4.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
New certificate widget which replaced certificate status widget.
It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.
part of: https://fedorahosted.org/freeipa/ticket/5045
Reviewed-By: Martin Basti <mbasti@redhat.com>
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.
Certificate search facet allows to add a certificate.
User details facet allows to add a certificate.
part of
https://fedorahosted.org/freeipa/ticket/5046
Reviewed-By: Martin Basti <mbasti@redhat.com>
API refactoring caused that session_logout command was not registered.
Commands in ipalib/plugins directory are automatically registered.
Reviewed-By: Martin Basti <mbasti@redhat.com>
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension. Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.
Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it. Use split_any_principal to do the
splitting correctly, also taking realm into account.
Reviewed-By: David Kupka <dkupka@redhat.com>
This reverts commit ea7f392bb9.
The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.
https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
