When modifing the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
Current master branch represents future release of FreeIPA (3.2).
Bump VERSION so that current development packages are not being
updated with freeipa-3.1.x packages already released in downstream
repositories.
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
The messages module contains message classes that can be added
to a RPC response to provide additional information or warnings.
This patch adds only the module with a single public message,
VersionMissing, and unit tests.
Since message classes are very similar to public errors, some
functionality and unit tests were shared.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732https://fedorahosted.org/freeipa/ticket/3294
freeipa.profile was updated accordingly to contain all modules in dojo layer.
This change removes expected errors during the build and therefore it won't confuse others during rpm build. It also helps during development because developer will notice real dependency errors (those not specified this way).
One can specify module ids provided by other means (already built layer file) in providedMids array of build profile file's package section. Builder then ignores dependency errors for specified modules. This allows to build layers without source codes of their dependencies, with no expected errors raised.
Example:
packages:[
{
name: "freeipa",
location: "freeipa",
providedMids: [
'dojo/_base/declare',
'dojo/_base/lang',
'dojo/_base/array',
'dojo/Stateful'
//etc
]
}
],
Develop.js contains code useful only for debugging. It is not part of FreeIPA
release.
Is loaded by typing require(['freeipa/develop']); in browser JS console.
It adds IPA global variable and provide easier way of loading AMD modules into
window.ipadev[providedNameOrModuleName] variable.
https://fedorahosted.org/freeipa/ticket/112
Random domain name may bring undererministic behavior. It also breaks
the test on some systems as string.lowercase is locale dependent and
can return non-ASCII letters and thus later break the unicode encoding
and raise UnicodeDecodeError.
Use a fixed domain in "test" TLD instead. This domain is guaranteed to
be not existent.
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.
The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.
https://fedorahosted.org/freeipa/ticket/3402
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_findhttps://fedorahosted.org/freeipa/ticket/2528
Since we use associatedDomain attribute to store information about UPN suffixes
and our own domain, searching subtree is going to return more than one entry.
Limit search for own domain by base scope as we only need to fetch our own
domain information here, not UPN suffixes.
Required for https://fedorahosted.org/freeipa/ticket/2945
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
Move the parser setup from bootstrap_with_global_options to bootstrap,
so all API objects have access to it.
Add some CLI tests for the help system.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
This avoids the problem with ambiguous command/topic names.
No functionality is changed; `ipa help <COMMAND>` still works as before
if there's no topic with the same name.
https://fedorahosted.org/freeipa/ticket/3247
Make `ipa -h` and `ipa help` output the same message.
Since `ipa -h` output is generated by the OptionParser, we need to make
the parser available. Store it in `api.parser`.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
Whenever a command is used incorrectly, it should output
an error message (and possibly additional help) to stderr.
This patch adds a parameter to a bunch of places to allow
selecting either stdout or stderr for help output, and makes
badly called commands output to stderr only.
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
Fix the usage string to match actual usage.
Add command description.
Put information about `ipa help topics` etc. to the epilog,
instead of using empty option groups. Use a custom formatter
to preserve newlines.
Add the -h/--help option manually to ensure consistent case
(capital S).
Part of the effort for https://fedorahosted.org/freeipa/ticket/3060
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.
https://fedorahosted.org/freeipa/ticket/3133
Currently kdb5kdc crashes on exit if the ipadb KDB modules is loaded and trusts
are configured. The reason is the talloc autofree context which get initialised
during the ndr_push_union_blob() call. On exit the KDC module is unloaded an
later on atexit() tries to free the context, but all related symbols are
already unloaded with the module.
This patch frees the talloc autofree context during the cleanup routine of the
module. Since this is called only at exit and not during normal operations this
is safe even if other KDC plugins use the talloc autofree context, e.g. via
some Samba libraries, as well.
Fixes https://fedorahosted.org/freeipa/ticket/3410
This function retried an LDAP search when the result was OK due to
flawed logic of retry detection (ipadb_need_retry function which
returns true when we need retry and not 0).
https://fedorahosted.org/freeipa/ticket/3413
All known memory leaks caused by unfreed allocated memory or unfreed
LDAP results (which should be also done after unsuccessful searches)
are fixed.
https://fedorahosted.org/freeipa/ticket/3413
Add correct labeling of matched/nonmatched output attributes. Also
make sure that "\" is not interpreted as newline escape character
but really as a "\" character.
How this works:
1. When a trusted domain user is tested, AD GC is searched
for the user entry Distinguished Name
2. The user entry is then read from AD GC and its SID and SIDs
of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search IPA LDAP database to find
all external groups which have any of these SIDs as external
members
4. All these groups having these groups as direct or indirect
members are added to hbactest allowing it to perform the search
LIMITATIONS:
- only Trusted Admins group members can use this function as it
uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
of the trusted domain
https://fedorahosted.org/freeipa/ticket/2997
When group-add-member does not receive any resolved trusted domain
object SID, it raises an exception which hides any useful error
message passed by underlying resolution methods. Remove the exception
to reveal this error messages to user.
https://fedorahosted.org/freeipa/ticket/2997
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.
Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.
https://fedorahosted.org/freeipa/ticket/2997
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.
https://fedorahosted.org/freeipa/ticket/3195
