Commit Graph

4976 Commits

Author SHA1 Message Date
Martin Kosek
b26777c59d Fix default_server configuration in ipapython.config
When default server was being parsed from IPA's default.conf
configuration file, the parsed server was not appended correctly to
the default_server list.
2012-05-24 13:59:23 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Rob Crittenden
6bb462e26a Retry retrieving ldap principals when setting up replication.
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.

This should also make the error report clearer if even after the retries
one of the principals doesn't exist.

https://fedorahosted.org/freeipa/ticket/2737
2012-05-22 20:57:02 -04:00
Ondrej Hamada
dd3c4ef49b ipa-server-install reword message
Output message of the 'read_domain_name' function in ipa-server-install
was reworded.

https://fedorahosted.org/freeipa/ticket/2704
2012-05-22 15:16:18 +02:00
Martin Kosek
9a5c2090eb Remove LDAP limits from DNS service
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.

This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.

https://fedorahosted.org/freeipa/ticket/2531
2012-05-22 12:28:21 +02:00
Martin Kosek
aa9ea477af Remove ipa-server-install LDAP update errors
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.

The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.

Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.

https://fedorahosted.org/freeipa/ticket/2520
https://fedorahosted.org/freeipa/ticket/2743
2012-05-17 21:21:47 -04:00
Rob Crittenden
560f2ce8bd Check for locked-out user before incrementing lastfail.
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:

 - We were incrementing the fail counter before checking to see if the
   account was already locked out.
 - The current fail count wasn't taken into consideration when
   deciding if the account is locked.

The sequence was this:

1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
   update the last_failed date.

So I reversed 2 and 3 and check to see if the fail count exceeds policy.

https://fedorahosted.org/freeipa/ticket/2765
2012-05-18 09:03:22 +02:00
Simo Sorce
46c6ff69ac Fix migration code password setting.
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.

Ticket: https://fedorahosted.org/freeipa/ticket/2764
2012-05-17 17:17:42 +02:00
Rob Crittenden
4b539a41d9 During replication installation see if an agreement already exists.
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.

https://fedorahosted.org/freeipa/ticket/2030
2012-05-17 17:12:45 +02:00
Ondrej Hamada
677ea8cbfa permission-mod prompts for all parameters
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).

https://fedorahosted.org/freeipa/ticket/2280
2012-05-17 10:12:10 +02:00
Rob Crittenden
13b51f3011 Validate on the user-provided domain name in the installer.
Wrap printing exceptions in unicode() to do Gettext conversion.

https://fedorahosted.org/freeipa/ticket/2196
2012-05-17 08:01:42 +02:00
Rob Crittenden
eef056165f Include more information when IP address is not local during installation.
Provide the IP address we resolved when displaying the exception.

Also handle the exception ourselves with sys.exit().

https://fedorahosted.org/freeipa/ticket/2654
2012-05-17 07:54:46 +02:00
Petr Vobornik
02b942a72e Correction of nested search facets tab labels
Nested search facets were using 'search' tab label instead of their nested entity name.

This patch is fixing that regression.

https://fedorahosted.org/freeipa/ticket/2744
2012-05-15 13:06:06 +02:00
Petr Vobornik
77f2f87fe5 Improved calculation of max pkey length in facet header
Very long pkeys in facet header were limited to 60 characters. This magic number was good enough but with new action lists it isn't.

This patch is adding calculation of maximum characters for pkey in facet header. It fixes regression introduced by Action Lists and also it uses effectively available space.

Also this patch is changing limiting of breadcrumbs element to use as much space as possible. It works in three steps. First a threshold is set which is equal to length average. Then a total length of keys with length less than threshold is calculated. From this we can get remaining space for long keys and calculate new threshold. At last keys are limited to new threshold.

https://fedorahosted.org/freeipa/ticket/2247

f
2012-05-15 13:05:21 +02:00
Petr Vobornik
69877296dc Host page fixed to work with disabled DNS support
When DNS support was disabled there were following errors in Web UI:
 1) Host details page was not filled with data
 2) Host adder dialog was broken -> unusable
 3) DNS tab was displayed in navigation

The bugs were fixed by:

1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present.

2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname.

3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed.

https://fedorahosted.org/freeipa/ticket/2728
2012-05-15 12:51:57 +02:00
Martin Kosek
abbecf450f Fix python Requires in Fedora 17 build
When python's distutils build process prepares python scripts, it use
current Python interpreter in an updated shebang for python scripts.
Since Makefile did not use absolute path to python interpreter, it
may be translated to "/bin/python" in Fedora 17 which is then taken
by rpmbuild as freeipa-admintools dependency. This can break of F-17
python package which provides just "/usr/bin/python"

This patch updates Makefile to use a correct absolute path to python
interpreter which is then filled to freeipa scripts shebang and rpm
Requires list. The value is taken from RPM __python macro so that
we do not hardcode it.

https://fedorahosted.org/freeipa/ticket/2727
2012-05-15 10:43:39 +02:00
Petr Vobornik
4640f957ad Instructions to generate cert use certutil instead of openssl
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.

https://fedorahosted.org/freeipa/ticket/2725
2012-05-15 10:36:53 +02:00
Petr Viktorin
1de37e8110 Disallow '<' and non-ASCII characters in the DM password
pkisilent does not handle these properly.

https://fedorahosted.org/freeipa/ticket/2675
2012-05-15 10:26:17 +02:00
Petr Viktorin
ece68f381a Check for empty/single value parameters before calling callbacks
https://fedorahosted.org/freeipa/ticket/2701
2012-05-15 10:02:26 +02:00
Rob Crittenden
26ab9a504f Implement permission/aci find by subtree
https://fedorahosted.org/freeipa/ticket/2321
2012-05-15 08:54:22 +02:00
Petr Viktorin
c5689e7faf Do not use extra command options in ACI, permission, selfservice
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for ACI-related plugins.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-14 10:38:07 +02:00
Rob Crittenden
95bb8d0f45 Fix overlapping cn param/option issue, pass cn as aciname in find
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.

The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.

https://fedorahosted.org/freeipa/ticket/2320
2012-05-14 10:07:41 +02:00
Petr Vobornik
472f9fc5aa Consistent change of entry status.
This patch adds action list and control buttons for consistent change of enty status for user, hbac rules, sudo rules, SELinux maps and dns zones.

Action lists with 'enable' and 'disable' and 'delete' options were added to details facets.
Two control buttons: 'enable' and 'disable' were added to search facets.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Vobornik
719b09fb4e General details facet actions
This patch adds common action button actions for enabling/disabling/deleting object.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Petr Vobornik
2c11dcda25 Batch action for search page control buttons
This patch implements a base action which can execute a batch of commands with single pkey as a parameter.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Petr Vobornik
eeac88238a Hide search facet add/delete buttons in self-service
Adds hiding/showing capabilities to action_button_widget. This patch is fixing regression caused replacing old details facet buttons with control_buttons_widget. The problem was that some buttons were not hidden in self-service mode.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Petr Vobornik
29059cd45d Redefined search control buttons
This patch replaces old search facet action buttons with new control_buttons_widget.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Vobornik
4db2032426 Redefined details control buttons
This patch replaces old details facet action buttons with new control_buttons_widget.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Vobornik
1f56c4e5bb Control buttons
Control buttons is a widget which contains action buttons. It is located in facet header and are supposed to replace old action buttons created by IPA.action_button(spec) call. The benefit is that now it is possible to define new buttons declaratively in spec definition without a need of inheriting facet and overriding create method.

Action buttons are an entry poing for execution facet-wide action so they are tightly bound to facet.

Action button options:
name: string
label: string, human readable label
tooltip: string, human readable tooltip
href: string, optional
icon: string, icon class
needs_confirm: boolean, default false
confirm_msg: string, human readable confirmation message
confirm_dialog: confirmation dialog, optional, custom confirmation dialog
action: action, action which will be executed
enabled: boolean, optional, default true

Control buttons are define in facet spec in control_buttons property. Its a spec object with following attributes:
  all attributes which normal widget can have
  buttons: array of action_button specs
  state_listeners: array of state listener specs

In init phase control_buttons_widget should assign a action_button a facet.

control_buttons_widget are resposible for evaluation of action_button disable/enable state because they contain state_listeners which creates the state upon the enabled/disabled state is evaluated.

State listeners are similar to state_evaluators. The differce is that the state is not evaluated from record set but from facet itself. The execution of evaluation is bound to a facet event.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Vobornik
8c3eadf978 Action lists
This patch add support fo Action Lists.

Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.

Actions lists are defined on facet level. Facet header takes them from facet.

Action list options
  actions: list of actions
  state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.

State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
 evaluate(record): should return string array which represents the state
 get_description(): human readable representation of a state

Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.

action options:
  name: string, required, name of the option
  label: string, required, human readable name of the option
  enable_cond: string array, states which need to be present in order to run this action
  disable_cond: string array, states which must not be present in order to run this action
  handler: function, contains action's logic
  needs_confirm: boolean, default false, indicates if action needs user confirmation
  confirm_msg: string, default generic message, human readable confirmation message.

Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.

In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.

https://fedorahosted.org/freeipa/ticket/2247
2012-05-11 18:30:48 +02:00
Petr Vobornik
12401fe4da General builder support
Web UI mainly uses declarative way of defining UI structure. When a new object type is created it is often required to create a new builder which would build the objects from spec file. The builders' logic is mostly the same. This patch adds a general builder with some extendability capabilities.

Now it is possible to:
  1) define spec for single object and build it by calling IPA.build(spec, /* optional */ builder_fac)
  2) define an array of specs and build the objects by the same call

Prerequisite for following action list patches.

https://fedorahosted.org/freeipa/ticket/2707
2012-05-11 18:30:48 +02:00
Rob Crittenden
58732a83bc Return LDAP_SUCCESS on mods on a referral entry.
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.

All we really want to do is escape when we don't hvae an entry to modify.

https://fedorahosted.org/freeipa/ticket/2237
2012-05-11 08:37:41 +02:00
Petr Viktorin
1565ce3a8c Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649
2012-05-11 08:14:20 +02:00
Petr Viktorin
f19218f7d8 Remove duplicate and unused utility code
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
2012-05-09 11:54:20 +02:00
Petr Viktorin
c02fcf5d34 Don't fail when adding default objectclasses using config-mod
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.

Regression test included.

https://fedorahosted.org/freeipa/ticket/2706
2012-05-09 09:53:51 +02:00
Jan Cholasta
d9d1967989 Redo boolean value encoding.
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
2012-05-09 09:43:35 +02:00
Petr Viktorin
abef5e8c02 Do not crash on empty --setattr, --getattr, --addattr
Also the unused `append` argument from _convert_2_dict.

https://fedorahosted.org/freeipa/ticket/2680
2012-05-07 17:23:08 +02:00
Petr Viktorin
0206dbe795 Do not crash on empty reverse member options
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.

Use an empty list instead of None (or other false falues, of which we
only use the empty list).

https://fedorahosted.org/freeipa/ticket/2681
2012-05-07 17:21:58 +02:00
Petr Viktorin
c45174d680 Do not use extra command options in the automount plugin
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for the automount plugin and its tests.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
2012-05-07 14:08:50 +02:00
Ondrej Hamada
343aba2486 Allow one letter net/hostgroups names
Changed regex validating net/hostgroup names to allow single letter
names. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2671
2012-05-07 08:35:11 +02:00
Petr Viktorin
85185a89db Update hostname validator error messages in tests
A recent patch changed the error message from the hostname
validator. Update the tests to reflect this change.
2012-05-03 16:54:57 +02:00
Martin Kosek
b8f30bce77 Make ipa 2.2 client capable of joining an older server
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
2012-05-01 20:38:43 -04:00
Jan Cholasta
6569f355b6 Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
2012-04-29 19:45:13 -04:00
Martin Kosek
caf36e1f24 Improve error message in zonemgr validator
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.

https://fedorahosted.org/freeipa/ticket/1966
2012-04-29 19:38:19 -04:00
Rob Crittenden
1a26406db2 Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:55 -04:00
Rob Crittenden
4416c185de Revert "Search allowed attributes in superior objectclasses"
This reverts commit a58cbb985e.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:42 -04:00
Petr Vobornik
e1f6962545 Paging disable for password policies
Password policies are sorted by priority. When paging is enabled, table facet uses pwpolicy-find --pkey-only to get all pwpolicies keys. Those keys are sorted on server by priority but table facet sorts them again. This breaks the priority sorting.

This patch disables the paging in passord policy serch page so the keys are sorted by priority.

TODO: we should inspect sorting in table facet more deeply and disable it if it don't break anything.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:32:17 +02:00
Petr Viktorin
c34136b037 Additional tests for pwpolicy
Test that `pwpolicy_find --pkey-only` works as expected
Test that deleting a group removes its password policy

Rename the test module to be consistent with other plugin tests.
2012-04-26 14:32:11 +02:00
Martin Kosek
b137b71371 Sort password policies properly with --pkey-only
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.

This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.

Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.

https://fedorahosted.org/freeipa/ticket/2676
2012-04-26 14:31:53 +02:00
John Dennis
81c65ee0b2 validate i18n strings when running "make lint"
* Add bootstrap-autogen depdenency to lint target to force
  generated files to be created.

* Add validate-src-strings to lint rules

* Add validate-src-strings as dependency to lint targett

* Remove obsolete test_lang frm test target

* Add diagnostic message to validation command in i18n.py
  that outputs how many objects were scanned. Formerly it only
  output a message if there were errors. This made it impossible to
  distinguish an empty file from one with no errors.

* While adding the validation counts it was discovered plurals had
  been omitted for some of the validation checks. Added the missing
  checks for plural forms.

* Also distinguished between errors and warnings. Permit warnings to
  be emitted but do not fail the validatition unless actual errors
  were also detected.
2012-04-26 13:53:37 +02:00