To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
Lists and tuples are already allowed for convenience; it is easier to write
(1, 2, 3) or [1, 2, 3] than frozenset([1, 2, 3]).
This allows the set literal syntax, {1, 2, 3}, as well.
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.
Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.
https://fedorahosted.org/freeipa/ticket/4067
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.
In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.
https://fedorahosted.org/freeipa/ticket/4041
This object will allow splitting large translatable strings into more
pieces, so translators don't have to re-translate the entire text
when a small part changes.
https://fedorahosted.org/freeipa/ticket/3587
Previously the help plugin failed when searching for the docstring
when a topic's module was not found. This can happen when some server
plugins are loaded (e.g. for tests).
Use empty documentation when the topic is not found.
There code assumes that the `conn` in any Connection in the context is
a ServerProxy. This might not always be the case: ldap2 uses a
python-ldap connection here.
For the AD trusts where the ID range for the root level domain is of
ipa-ad-trust-posix type, do not create a separate ranges for the
subdomains, since POSIX attributes provide global mapping.
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.
Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.
We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.
Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.
Remove support for authenticating as trust account because it should not
really be used other than within Samba.
Add IPA CLI to manage trust domains.
ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust> -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
By default all discovered trust domains are allowed to access IPA resources
IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
part of https://fedorahosted.org/freeipa/ticket/3909
Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.
https://fedorahosted.org/freeipa/ticket/3923
The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.
Use proper super() calls.
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.
https://fedorahosted.org/freeipa/ticket/3852
You cannot re-add the trust and modify the range in the process.
The check in the code was malfunctioning since it assumed that
range_size parameter has default value. However, default value
is assigned only later in the add_range function.
https://fedorahosted.org/freeipa/ticket/3870
This makes plugin registration easier to read, less error-prone, and,
for many Plugins in a single module, faster to write.
Functionally, the decorator is equivalent to current plugin
registration. However, in the future this style will allow cleaner
semantics.
As an example, and to exercise the new syntax to prevent regressions,
the ping plugin is converted to this style.