Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).
One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.
https://fedorahosted.org/freeipa/ticket/2938https://fedorahosted.org/freeipa/ticket/2940
User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return "Key has been revoked".
Wrap the operations in a try/except so we can ignore keyring failures.
This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.
https://fedorahosted.org/freeipa/ticket/2880
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN
This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
as the domain we are establishing trust to, and then user name
is taken, together with short domain name taken from a discovered
record from the AD DC
Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.
https://fedorahosted.org/freeipa/ticket/2864
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.
Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.
https://fedorahosted.org/freeipa/ticket/2601
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.
However, since correct range size is not known, we should at least
warn that a range with invalid size was created so that user can
amend it.
https://fedorahosted.org/freeipa/ticket/2892
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.
iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
This patch adds support for new per-domain permissions to Web UI.
User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.
For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.
Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.
New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.
https://fedorahosted.org/freeipa/ticket/2851
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.
Fix these problems. Update tests.
https://fedorahosted.org/freeipa/ticket/2874https://fedorahosted.org/freeipa/ticket/2901
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.
This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).
Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.
This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.
https://fedorahosted.org/freeipa/ticket/2437
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.
Make sure that the LDAPObject object_class list is not modified during
the __json__ method.
https://fedorahosted.org/freeipa/ticket/2906
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.
A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.
https://fedorahosted.org/freeipa/ticket/2375https://fedorahosted.org/freeipa/ticket/2610
Make permission commands not pass options that the underlying ACI commands
do not understand.
Update tests.
Remove some extraneous imports of the `copy` module.
https://fedorahosted.org/freeipa/ticket/2885
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
https://fedorahosted.org/freeipa/ticket/2625
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.
https://fedorahosted.org/freeipa/ticket/2664
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/2799
Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.
https://fedorahosted.org/freeipa/ticket/2800
We only checked the length of Command output dictionaries. A misspelled
key in would not be caught.
Fix the problem by checking if the sets of keys are equal.
Add a test. Split the test methods into more manageable pieces.
https://fedorahosted.org/freeipa/ticket/2860
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.
Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.
Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.
Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).
https://fedorahosted.org/freeipa/ticket/2509
Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.
Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
* exponential: when False, decimal number is normalized to its
non-exponential form
* numberclass: a set of allowed decimal number classes
(e.g. +Infinity, -Normal, ...) that are enforced
for every Decimal parameter value
https://fedorahosted.org/freeipa/ticket/2705
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
exc_callback, pre_callback etc) were registered on every
instantiation.
Fix: Do not register callbacks in __init__; instead return the
method when asked for it.
- The calling code had to distinguish between bound methods and
plain functions by checking the 'im_self' attribute.
Fix: Always return the "default" callback as an unbound method.
Registered callbacks now always take the extra `self` argument,
whether they happen to be bound methods or not.
Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
looks up missing attributes in superclasses, callbacks could
get attached to a superclass if it was instantiated early enough. *
Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
Fix: Create generic register_callback and get_callback mehods,
move LDAP-specific code to BaseLDAPCommand
Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.
* https://fedorahosted.org/freeipa/ticket/2674
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.
https://fedorahosted.org/freeipa/ticket/2564
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
* mostly CLI specific option attribues are not send.
* attributes evaluated to false or None are not send
* options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.
In the end the raw amount of data send is aproximately the same.
This patch is needed for Web UI to determine which option it can use in which commands.
https://fedorahosted.org/freeipa/ticket/2760
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.
User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.
https://fedorahosted.org/freeipa/ticket/2206
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for ACI-related plugins.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.
The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.
https://fedorahosted.org/freeipa/ticket/2320
This patch add support fo Action Lists.
Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.
Actions lists are defined on facet level. Facet header takes them from facet.
Action list options
actions: list of actions
state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.
State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
evaluate(record): should return string array which represents the state
get_description(): human readable representation of a state
Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.
action options:
name: string, required, name of the option
label: string, required, human readable name of the option
enable_cond: string array, states which need to be present in order to run this action
disable_cond: string array, states which must not be present in order to run this action
handler: function, contains action's logic
needs_confirm: boolean, default false, indicates if action needs user confirmation
confirm_msg: string, default generic message, human readable confirmation message.
Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.
In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.
https://fedorahosted.org/freeipa/ticket/2247
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.
Regression test included.
https://fedorahosted.org/freeipa/ticket/2706
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.
Use an empty list instead of None (or other false falues, of which we
only use the empty list).
https://fedorahosted.org/freeipa/ticket/2681
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for the automount plugin and its tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.
https://fedorahosted.org/freeipa/ticket/1966
This reverts commit 1356988b7a.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.
This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.
Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.
https://fedorahosted.org/freeipa/ticket/2676
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).
Add some extra checks to existing exception callbacks.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.
Always display the enabled/disabled status.
Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.
https://fedorahosted.org/freeipa/ticket/2162
Ticket #2512
In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.
The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.
The fix is to use the correct variables.
At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
When 2 groups in a remote LDAP server share the same GID number,
the migration may fail entirely with incomprehensible message. This
should not be taken as unrecoverable error - GID number check is
just a sanity check, a warning is enough. This patch also makes
sure that GID check warnings include a user name to make
an investigation easier.
https://fedorahosted.org/freeipa/ticket/2644
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.
This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
ldap2.find_entry_by_attr instead of NotFound error
This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.
https://fedorahosted.org/freeipa/ticket/2606
ticket #2566
When specifying a container to ds-migrate we should not automatically
append the basedn if it is provided by the end-user.
This is easy to detect using DN objects because DN objects have a
endswith() method which can easily and correctly ascertain if a base
already exists.
dnsrecord_add interactive mode did not work correctly when more
than one DNS record part was entered as command line option. It
asked for remaining options more than once. This patch fixes
this situation and also adds tests to cover this use case
properly.
https://fedorahosted.org/freeipa/ticket/2641
When dnsrecord-add or dnsrecord-mod commands are used on a root
zone record (it has a special name "@"), a zone name is returned
instead of a special name "@". This confuses DNS part of Web UI
which is then not able to manipulate records in the root zone
when these commands are used.
This patch fixes these 2 commands to return correct value when
a root zone is modified.
https://fedorahosted.org/freeipa/ticket/2627https://fedorahosted.org/freeipa/ticket/2628
Ticket #2555
We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.
* add parameter validation functions validate_dn_param() and
validate_rdn_param() to ipalib.util. Those functions simply invoke
the DN or RDN constructor from our dn module passing it the string
representation. If the constructor does not throw an error it's
valid.
* Add the parameter validation function pointers to the Param objects
in the migrate command.
* Make the usercontainer and groupcontainer parameters required.
passing --usercontainer= on the command line will produce
ipa: ERROR: 'user_container' is required
* Fix _get_search_bases() so if a container dn is empty it it just
uses the base dn alone instead of faulting (currently
bullet-proofing because now the containers are required).
* Update the doc for usercontainer and groupcontainer to reflect the
fact they are DN's not RDN's. A RDN can only be one level and it
should be possible to have a container more than one RDN removed
from the base.
Have the test suite check error messages.
Since XMLRPC doesn't give us structured error information, just
compare the resulting text.
Fix messages that tests expect to cause.
Minor changes:
Make netgroup-mod's NotFound message consistent with other objects
and methods.
In test_automember_plugin, test with nonexistent automember rules
of both types, instead of nonexistent users.
https://fedorahosted.org/freeipa/ticket/2549
Problem:
In the Privilege page, can list Permissions. This "Shows Results" for "Direct
Membership". But there is an option to list this for "Indirect Membership"
also.
There isn't a way to nest permissions, so this option is not needed.
Solution:
This patch removes the memberofindirect_persmission definition from server plugin. It fixes the problem in Web UI.
https://fedorahosted.org/freeipa/ticket/2611
Attribute Patrams marked no_update never get cloned to Update commands,
and thus never receive the `attribute` flag. This makes their `encode`
method a no-op, which meant they don't get properly encoded when used
with --setattr, making the --setattr fail.
Introduce a `force` argument to encode, which overrides checking
for the attribute flag. Use this in set/add/delattr normalization,
where we know we are dealing with attributes.
https://fedorahosted.org/freeipa/ticket/2616
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.
https://fedorahosted.org/freeipa/ticket/2585
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.
Checkboxes were changed to radios.
https://fedorahosted.org/freeipa/ticket/2599
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.
The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.
https://fedorahosted.org/freeipa/ticket/2578
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.
https://fedorahosted.org/freeipa/ticket/2597
This adds tests for the batch plugin, and changes its output
declaration to allow results as tuples (this tripped validation).
The assert_deepequal function ignores the order of items in lists.
Document this in its docstring, and use a custom checker for the
batch plugin results.
Migrated users don't get a private group, there is no safe way to verify
that the namespace is correct without redoing the uidnumber as well.
Verify that the GID at least points to a valid group on the remote server
and warn if it doesn't (this doesn't guarantee that the group gets migrated
but at least we try).
If the remote entry has no gidNumber then don't migrate that user. We
don't know why that user is non-POSIX, it could be a special user used
for auth, for example.
Add a loginshell if the remote user doesn't have one.
https://fedorahosted.org/freeipa/ticket/2562
When user does not pass a name of parent map in
automountmap-add-indirect command, auto.master is used as
a default. However, when auto.master does not exist in a given
location, we raise NotFound error with a name of a location instead
of a name of the missing automount map.
https://fedorahosted.org/freeipa/ticket/2387
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2448
'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.
For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.
Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447
These test that command lines are parsed to correct Command arguments.
Includes some tests for interactive prompts.
To make this possible cli.run is broken up into several pieces.
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
When dnsrecord-del pre_callback detects that the record does
not contain any records, it sets a flag to connection context
and deletes the record object later. However, when more
dnsrecord-del commands share the same context (and this is
the case of "ipa-replica-manage del $MASTER" DNS cleanup), it
may reuse a positive flag from previous dnsrecord-del command
and delete the root DNS zone record and thus effectively delete
the zone.
This patch makes sure that this flag is always initialized to a
sane value in dnsrecord-del pre_callback to make sure that the DNS
zone is not deleted. It also fixes pre_callback function definition
to prevent adding attrs_list to "keys" parameter and thus confuse
developers.
https://fedorahosted.org/freeipa/ticket/2503
There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.
This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.
All these use cases were also covered by new unit tests.
https://fedorahosted.org/freeipa/ticket/2551
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.
This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.
https://fedorahosted.org/freeipa/ticket/2550
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')
That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.
Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.
Also, document Param's csv arguments, and update tests.
https://fedorahosted.org/freeipa/ticket/2417https://fedorahosted.org/freeipa/ticket/2227
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
Add a support for new global options in bind-dyndb-ldap, that is:
* idnsforwardpolicy: Default policy for conditional forwarding
* idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
updates
* idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
https://fedorahosted.org/freeipa/ticket/2439
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]
https://fedorahosted.org/freeipa/ticket/2462
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.
https://fedorahosted.org/freeipa/ticket/1418
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
in_server controls how a method is dispatched, it should not also control
what plugins are imported.
This suppresses the error message "session memcached servers not running."
https://fedorahosted.org/freeipa/ticket/2499
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.
This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.
This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.
A non-working client was doing this when calling cert-request:
- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.
Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.
https://fedorahosted.org/freeipa/ticket/2498
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
raises an error and thus breaks the migration
This patch fixes both issues.
https://fedorahosted.org/freeipa/ticket/2508
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.
https://fedorahosted.org/freeipa/ticket/2484
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:
1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.
2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.
https://fedorahosted.org/freeipa/ticket/2386
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.
https://fedorahosted.org/freeipa/ticket/2382
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.
https://fedorahosted.org/freeipa/ticket/2418
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.
This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.
Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.
Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.
When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.
Fixes: http://fedorahosted.org/freeipa/ticket/2472
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.
'--with-compat' is new flag. If it is set, the compat status is ignored.
https://fedorahosted.org/freeipa/ticket/2274
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.
Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).
Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.
Add a test to ensure that nowhitespace is actually enforced.
https://fedorahosted.org/freeipa/ticket/2115
Related: https://fedorahosted.org/freeipa/ticket/2089
Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285https://fedorahosted.org/freeipa/ticket/1286https://fedorahosted.org/freeipa/ticket/1287
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.
This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.
As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.
https://fedorahosted.org/freeipa/ticket/2420
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.
This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.
https://fedorahosted.org/freeipa/ticket/2384
When an invalid record type is entered during dnsrecord-add
interactive mode, user is provided with a list of allowed values
(record types). However, the provided list contains also
unsupported record types (APL, DHCID, etc.) and any attempt to add
such records would end with error. This patch limits the list
to supported record types only.
https://fedorahosted.org/freeipa/ticket/2378
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.
New tests were also added to the unit-tests.
https://fedorahosted.org/freeipa/ticket/2293
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919https://fedorahosted.org/freeipa/ticket/2314
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.
New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.
https://fedorahosted.org/freeipa/ticket/2351
