Commit Graph

1963 Commits

Author SHA1 Message Date
Ana Krivokapic
38dded7db6 Raise ValidationError for incorrect subtree option.
Ticket: https://fedorahosted.org/freeipa/ticket/3233
2013-01-14 14:09:54 +01:00
Martin Kosek
cb7e93bb91 permission-find no longer crashes with --targetgroup
Target Group parameter was not processed correctly which caused
permission-find to always crash when this search parameter was used.
Fix the crash and create a unit test case to avoid future regression.

https://fedorahosted.org/freeipa/ticket/3335
2013-01-11 10:51:31 +01:00
Rob Crittenden
746181a88d Convert uniqueMember members into DN objects.
We were asserting that they should be DN objects but weren't converting
them anywhere.

https://fedorahosted.org/freeipa/ticket/3339
2013-01-11 10:43:38 +01:00
Martin Kosek
86e56b9125 Fix delegation-find command --group handling
A wrong way of handling --group DN object caused Internal Error
for this command. Fix that and also provide unit tests to avoid
another regression.

https://fedorahosted.org/freeipa/ticket/3311
2012-12-19 16:32:15 +01:00
Simo Sorce
e8cb869046 Log info on failure to connect
When multiple servers are avilable we were simply suppressing information on
why a connection failed.
Log it as 'info' so that it is possible to diagnose issues more easily.
2012-12-19 09:50:43 +01:00
Tomas Babej
389854756b Forbid overlapping rid ranges for the same id range
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.

https://fedorahosted.org/freeipa/ticket/3171
2012-12-17 15:29:35 +01:00
Tomas Babej
7f27a18b51 Relax restriction for leading/trailing whitespaces in *-find commands
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.

https://fedorahosted.org/freeipa/ticket/2981
2012-12-11 12:34:28 +01:00
Lynn Root
4d6de44d3d Raise ValidationError when CSR does not have a subject hostname
Raise ValidationError when CSR does not have a subject hostname.

Ticket: https://fedorahosted.org/freeipa/ticket/3123
2012-12-11 12:28:59 +01:00
Lynn Root
173ee4d141 Switch %r specifiers to '%s' in Public errors
This switch drops the preceding 'u' from strings within Public error messages.

This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function.

Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com.

Ticket: https://fedorahosted.org/freeipa/ticket/3121
Ticket: https://fedorahosted.org/freeipa/ticket/2588
2012-12-11 10:52:06 +01:00
John Dennis
9269e5d6dd Compliant client side session cookie behavior
In summary this patch does:

* Follow the defined rules for cookies when:

  - receiving a cookie (process the attributes)

  - storing a cookie (store cookie + attributes)

  - sending a cookie

    + validate the cookie domain against the request URL

    + validate the cookie path against the request URL

    + validate the cookie expiration

    + if valid then send only the cookie, no attribtues

* Modifies how a request URL is stored during a XMLRPC
  request/response sequence.

* Refactors a bit of the request/response logic to allow for making
  the decision whether to send a session cookie instead of full
  Kerberous auth easier.

* The server now includes expiration information in the session cookie
  it sends to the client. The server always had the information
  available to prevent using an expired session cookie. Now that
  expiration timestamp is returned to the client as well and now the
  client will not send an expired session cookie back to the server.

* Adds a new module and unit test for cookies (see below)

Formerly we were always returning the session cookie no matter what
the domain or path was in the URL. We were also sending the cookie
attributes which are for the client only (used to determine if to
return a cookie). The attributes are not meant to be sent to the
server and the previous behavior was a protocol violation. We also
were not checking the cookie expiration.

Cookie library issues:

We need a library to create, parse, manipulate and format cookies both
in a client context and a server context. Core Python has two cookie
libraries, Cookie.py and cookielib.py. Why did we add a new cookie
module instead of using either of these two core Python libaries?

Cookie.py is designed for server side generation but can be used to
parse cookies on the client. It's the library we were using in the
server. However when I tried to use it in the client I discovered it
has some serious bugs. There are 7 defined cookie elements, it fails
to correctly parse 3 of the 7 elements which makes it unusable because
we depend on those elements. Since Cookie.py was designed for server
side cookie processing it's not hard to understand how fails to
correctly parse a cookie because that's a client side need. (Cookie.py
also has an awkward baroque API and is missing some useful
functionality we would have to build on top of it).

cookielib.py is designed for client side. It's fully featured and obeys
all the RFC's. It would be great to use however it's tightly coupled
with another core library, urllib2.py. The http request and response
objects must be urllib2 objects. But we don't use urllib2, rather we use
httplib because xmlrpclib uses httplib. I don't see a reason why a
cookie library should be so tightly coupled to a protocol library, but
it is and that means we can't use it (I tried to just pick some isolated
entrypoints for our use but I kept hitting interaction/dependency problems).

I decided to solve the cookie library problems by writing a minimal
cookie library that does what we need and no more than that. It is a
new module in ipapython shared by both client and server and comes
with a new unit test. The module has plenty of documentation, no need
to repeat it here.

Request URL issues:

We also had problems in rpc.py whereby information from the request
which is needed when we process the response is not available. Most
important was the requesting URL. It turns out that the way the class
and object relationships are structured it's impossible to get this
information. Someone else must have run into the same issue because
there was a routine called reconstruct_url() which attempted to
recreate the request URL from other available
information. Unfortunately reconstruct_url() was not callable from
inside the response handler. So I decided to store the information in
the thread context and when the request is received extract it from
the thread context. It's perhaps not an ideal solution but we do
similar things elsewhere so at least it's consistent. I removed the
reconstruct_url() function because the exact information is now in the
context and trying to apply heuristics to recreate the url is probably
not robust.

Ticket https://fedorahosted.org/freeipa/ticket/3022
2012-12-10 12:45:09 -05:00
Tomas Babej
0292ebd1e5 Add detection for users from trusted/invalid realms
When user from other realm than FreeIPA's tries to use Web UI
(login via forms-based auth or with valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

https://fedorahosted.org/freeipa/ticket/3252
2012-12-06 10:34:23 -05:00
Sumit Bose
a9bac3d600 Do not recommend how to configure DNS in error message
The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially
forwarders should not be recommended by only be option of last resort.

Fixes https://fedorahosted.org/freeipa/ticket/3261
2012-12-03 15:38:34 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Petr Vobornik
1bf537db9e Web UI: disable global forwarding per zone
Web UI part of 'disable global forwaring per zone' effort.

Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 17:46:04 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Alexander Bokovoy
53a9421110 Clarify trust-add help regarding multiple runs against the same domain
Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change would occur is update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
2012-11-02 16:38:22 +01:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Rob Crittenden
fb7575d6b7 Close connection after each request, avoid NSS shutdown problem.
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
2012-10-24 15:07:53 -04:00
Petr Vobornik
445744206b Fixed incorrect link to browser config after session expiration
Fixed typo in message placeholder.

https://fedorahosted.org/freeipa/ticket/3187
2012-10-24 09:17:26 +02:00
Rob Crittenden
4a97fd0601 Fix requesting certificates that contain subject altnames.
https://fedorahosted.org/freeipa/ticket/3184
2012-10-19 16:16:06 +02:00
Petr Vobornik
fed5bbd298 Simpler instructions to generate certificate
Instructions to generate certificate were simplified.

New instructions:

 1) Create a certificate database or use an existing one. To create a new database:
    # certutil -N -d <database path>
 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
    # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

https://fedorahosted.org/freeipa/ticket/3056
2012-10-19 14:30:06 +02:00
Alexander Bokovoy
21d893ddde Warn about DNA plugin configuration when working with local ID ranges
https://fedorahosted.org/freeipa/ticket/3116
2012-10-17 12:08:15 +02:00
Alexander Bokovoy
d05e297015 Use PublicError instructions support for trust-add case when domain is not found
https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:31:02 -04:00
Alexander Bokovoy
88262a75ff Add instructions support to PublicError
When long additional text should follow the error message, one can
supply instructions parameter to a class derived from PublicError.

This will cause following text added to the error message:

    Additional instructions:
    <additional text>

`instructions' optional parameter could be a list or anything that coerces
into unicode(). List entries will be joined with '\n'.

https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:30:58 -04:00
Jan Cholasta
a51b65d9d4 Do not show full SSH public keys in command output by default. 2012-10-11 12:19:17 +02:00
Alexander Bokovoy
b3606e3d92 Fix wrong RID for Domain Admins in the examples of trust commands 2012-10-10 14:53:24 +02:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Alexander Bokovoy
e51b7ea2de Handle NotFound exception when establishing trust
Establishing trust implies discovery of the trusted domain's domain controller via DNS.
If DNS discovery is not possible, NotFound exception is raised.

Intercept the exception and process it to help diagnose and fix actual problem:
 - if IPA is managing DNS, suggest to make a forward for the domain's zone
 - otherwise suggest to setup DNS forwarder at upstream DNS server

https://fedorahosted.org/freeipa/ticket/3103
2012-10-09 10:19:33 +02:00
Alexander Bokovoy
6f45de10d7 support multi-line error messages in exceptions 2012-10-09 10:18:40 +02:00
Sumit Bose
fdd3299fa8 ipa-adtrust-install: Add fallback group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:26 -04:00
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Rob Crittenden
5bf1cee702 Clear kernel keyring in client installer, save dbdir on new connections
This patch addresses two issues:

1. If a client is previously enrolled in an IPA server and the server
   gets re-installed then the client machine may still have a keyring
   entry for the old server. This can cause a redirect from the
   session URI to the negotiate one. As a rule, always clear the keyring
   when enrolling a new client.

2. We save the NSS dbdir in the connection so that when creating a new
   session we can determine if we need to re-initialize NSS or not. Most
   of the time we do not. The dbdir was not always being preserved between
   connections which could cause an NSS_Shutdown() to happen which would
   fail because of existing usage. This preserves the dbdir information when
   a new connection is created as part of the session mechanism.

https://fedorahosted.org/freeipa/ticket/3108
2012-10-03 19:22:00 +02:00
Martin Kosek
0c2d0bb2b0 Fill ipakrbprincipalalias on upgrades
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
2012-10-02 15:17:42 -04:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Tomas Babej
0edeb9b01d Improve user addition to default group in user-add
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
2012-10-03 09:39:15 +02:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Martin Kosek
988ea36827 Improve StrEnum validation error message
Do not print list of possible values as "%r" but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.

https://fedorahosted.org/freeipa/ticket/2869
2012-10-01 13:39:22 +02:00
Petr Viktorin
c16c257145 Fix NS records in installation
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.

Fix this error and add a check for empty DNS labels to the validator
2012-09-27 16:01:22 +02:00
Martin Kosek
256024db0a Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.

https://fedorahosted.org/freeipa/ticket/2993
2012-09-27 10:43:39 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Alexander Bokovoy
ba5248135c Make sure external group members are listed for the external group
https://fedorahosted.org/freeipa/ticket/2975
2012-09-25 08:21:22 +02:00
Petr Viktorin
0b254e8b1e Always handle NotFound error in dnsrecord-mod
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).

https://fedorahosted.org/freeipa/ticket/3055
2012-09-24 13:55:17 +02:00
Alexander Bokovoy
26baae1fe9 Document use of external group membership 2012-09-20 14:58:32 +02:00
Alexander Bokovoy
21ecf2f287 Add documentation for 'ipa trust' set of commands 2012-09-20 14:57:49 +02:00
Alexander Bokovoy
9d84a3cf49 Fix error messages and use proper ImportError for dcerpc import 2012-09-20 14:57:07 +02:00
Alexander Bokovoy
87a37c8e2f validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
2012-09-20 14:55:34 +02:00
Martin Kosek
459016d12b Fix idrange plugin help
range plugin was renamed to idrange. Update plugin help to reflect
this change.
2012-09-20 10:36:13 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00