Commit Graph

5132 Commits

Author SHA1 Message Date
Petr Viktorin
b5c1ce88a4 Framework for admin/install tools, with ipa-ldap-updater
Currently, FreeIPA's install/admin scripts are long pieces of code
that aren't very reusable, importable, or testable.
They have been extended over time with features such as logging and
error handling, but since each tool was extended individually, there
is much inconsistency and code duplication.
This patch starts a framework which the admin tools can use, and
converts ipa-ldap-updater to use the framework.

Common tasks the tools do -- option parsing, validation, logging
setup, error handling -- are represented as methods. Individual
tools can extend, override or reuse the defaults as they see fit.

The ipa-ldap-updater has two modes (normal and --upgrade) that
don't share much functionality. They are represented by separate
classes. Option parsing, and selecting which class to run, happens
before they're instantiated.

All code is moved to importable modules to aid future testing. The
only thing that remains in the ipa-ldap-updater script is a two-line
call to the library.

First part of the work for:
https://fedorahosted.org/freeipa/ticket/2652
2012-07-22 23:17:56 -04:00
Rob Crittenden
78810f9068 Default to no when trying trying to install a replica on wrong server.
When installing a replica file on the wrong server we warn that this will
likely fail and prompt to Continue. This prompt should default to
False, not True.

https://fedorahosted.org/freeipa/ticket/2325
2012-07-19 00:41:01 -04:00
Petr Viktorin
e578183ea2 Fix updating minimum_connections in ipa-upgradeconfig
The upgrade script set the "psearch" directive in some circumstances,
but did not remember that it was set, so later, when setting
minimum_connections, it assumed psearch is not set.

Also, the script did not set minimum_connections if the directive wasn't
already there. It should be set in that case.

Related to https://fedorahosted.org/freeipa/ticket/2554
2012-07-18 23:15:34 -04:00
Rob Crittenden
429edcfb72 Support per-principal sessions and handle session update failures
User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return "Key has been revoked".

Wrap the operations in a try/except so we can ignore keyring failures.

This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.

https://fedorahosted.org/freeipa/ticket/2880
2012-07-18 16:05:08 -04:00
Simo Sorce
32c1aa45b3 Fix detection of deleted masters
When setting up agreements we need to be careful in not allowing to
'reconnect' a master that was previously completely deleted as it would
misses entries that are vital for proper functioning.  This change in code
fixes 2 problems with the current approach.
1) it removes false positives when we are tryig to reconnect a replica that
was previosuly merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed. so that we cannot 'reconnect' previously unrelated replicas when
one of the 2 has been permanently deleted from the masters tree.

Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
2012-07-17 21:01:57 -04:00
Simo Sorce
87040c0af1 Fix safety checks to prevent orphaning replicas
This is just a typo, we were checking one side twice and never the other
side. So depending on which side you run the command you'd be able or not
to remove the replication agreement even if it was the last one.

First part of ticket: https://fedorahosted.org/freeipa/ticket/2925
2012-07-17 21:01:57 -04:00
Rob Crittenden
67dbde0156 Don't hardcode serial_autoincrement to True.
https://fedorahosted.org/freeipa/ticket/2554
2012-07-17 17:18:53 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Alexander Bokovoy
2d75d8cc05 ipalib/plugins/trust.py: ValidationError takes 'error' named argument, not 'reason'
https://fedorahosted.org/freeipa/ticket/2865
2012-07-18 16:55:51 +03:00
Petr Vobornik
3adebcf919 Bigger textarea for permission type=subtree
Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was unconfortable to define the filter. This difference was removed.

https://fedorahosted.org/freeipa/ticket/2832
2012-07-18 15:52:00 +02:00
Petr Vobornik
a14d243fcd Fixed display of attributes_widget in IE9
Attributes widget is using overflow css rule in tbody element. IE9 doesn't handle it well.

To fix the issue, attributes widget was slightly modified and conditional css stylesheet was added just for fixing IE problems.

https://fedorahosted.org/freeipa/ticket/2822
2012-07-17 15:55:44 +02:00
Petr Vobornik
7fcca4fa52 Differentiation of widget type and text_widget input type
There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definion of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which lead to execution error in Internet Explorer. Firefox and Chrome took it.

This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem.

https://fedorahosted.org/freeipa/ticket/2806
and half of: https://fedorahosted.org/freeipa/ticket/2834
2012-07-17 15:55:35 +02:00
Martin Kosek
854b763675 Enforce CNAME constrains for DNS commands
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.

Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.

https://fedorahosted.org/freeipa/ticket/2601
2012-07-12 17:44:13 -04:00
Martin Kosek
c20d4c71b8 Print ipa-ldap-updater errors during RPM upgrade
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.

Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.

Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:45 +02:00
Martin Kosek
378238b14e Warn user if an ID range with incorrect size was created
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.

However, since correct range size is not known, we should at least
warn that a range with invalid size was created so that user can
amend it.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:39 +02:00
Martin Kosek
34f8ff4793 Add range-mod command
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.

iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
2012-07-13 16:18:29 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Martin Kosek
4879c68d68 Improve address family handling in sockets
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
2012-07-13 14:25:18 +02:00
Martin Kosek
5c54dd5b03 Fix ipa-managed-entries man page typo
Extra new line in .TH section of the man page caused invalid
wrapping.
2012-07-12 15:11:58 +02:00
Gowrishankar Rajaiyan
17c638b70e Adding exit status 3 & 4 to ipa-client-install man page 2012-07-12 11:42:50 +02:00
Martin Kosek
4760c15cb2 Add automount map/key update permissions
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.

Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.

https://fedorahosted.org/freeipa/ticket/2687
2012-07-10 20:41:14 -04:00
Petr Vobornik
14ac2193fe Add and remove dns per-domain permission in Web UI
This patch adds support for new per-domain permissions to Web UI.

User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.

For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.

Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.

New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.

https://fedorahosted.org/freeipa/ticket/2851
2012-07-11 16:33:10 +02:00
Petr Viktorin
7e606b01d5 Fix wrong option name in ipa-managed-entries man page
The page said `-y` but the actual option is `-p`.
2012-07-11 15:33:12 +02:00
Petr Viktorin
5f69a06d1a Fix batch command error reporting
The Batch command did not report errors correctly: it reported
the text of *all* errors, not just PublicError, used unicode(e)
instead of e.strerror (which results in incorrect i18n), and only
reported the text of error messages, not their type and code.

Fix these problems. Update tests.

https://fedorahosted.org/freeipa/ticket/2874
https://fedorahosted.org/freeipa/ticket/2901
2012-07-11 10:49:02 +02:00
David Spångberg
e494650b2c Indirect roles in WebUI
Add a check in the WebUI to use the admin navigation if a user is a
indirect member of a role.
2012-07-11 08:54:45 +02:00
Petr Vobornik
0d11b8b056 Web UI: kerberos ticket policy measurement units
Added measurement units for kerberos ticket policy.

https://fedorahosted.org/freeipa/ticket/2444
2012-07-10 13:30:43 +02:00
Petr Vobornik
848bd0e9e7 Password policy measurement units.
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.

This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).

Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.

This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.

https://fedorahosted.org/freeipa/ticket/2437
2012-07-10 13:30:38 +02:00
Petr Vobornik
05cf7c53a6 Display loginas information only after login
Message 'Logged in as: user@FREEIPA.ORG' was displayed before user was logged in. It was wrong.

Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more user@FREEIPA.ORG :) .

https://fedorahosted.org/freeipa/ticket/2882
2012-07-10 13:30:01 +02:00
Rob Crittenden
29fd982f7f Make client server option multi-valued, allow disabling DNS discovery
Let the --server option be specified multiple times on the command line.
The first one passed in is the one we enroll against.

Do additional verification before setting dnsok so we can be sure that
the record(s) were actually discovered in DNS.

If servers are provided on the CLI and --fixed-primary is set then
_srv_ is not added to ipa_server in sssd.conf.

https://fedorahosted.org/freeipa/ticket/2841
2012-07-10 10:45:39 +02:00
Martin Kosek
5ba8eeb970 Do not change LDAPObject objectclass list
__json__ method of LDAPObject may inadvertently append a list of possible
objectclasses to a list of basic objectclasses and thus change a behavior
of all subsequent LDAPSearch command. The command may only return objects
where all "possible" objectclasses are present and thus returning an
incomplete list.

Make sure that the LDAPObject object_class list is not modified during
the __json__ method.

https://fedorahosted.org/freeipa/ticket/2906
2012-07-09 14:53:11 +02:00
Sumit Bose
0ffb2022fe Fix typo
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2012-07-09 08:36:05 -04:00
Simo Sorce
6ffb35d0f5 Fix wrong check after allocation. 2012-07-07 16:30:22 -04:00
Petr Vobornik
61c3b86d73 Moved configuration to last position in navigation
Configaration was the last navigation item in IPA server tab. Trusts changed it. It was wrong because configuration is like 'other settings' and so it should be last.

This patch moves configuration navigation item to the last position again.

https://fedorahosted.org/freeipa/ticket/2900
2012-07-06 13:46:49 +03:00
Alexander Bokovoy
8c5504d26a reduce redundant checks in ldapsam_search_users() to a single statement 2012-07-06 13:39:27 +03:00
Alexander Bokovoy
75cb9bb0e1 Use smb.conf 'dedicated keytab file' parameter instead of hard-coded value 2012-07-06 13:38:46 +03:00
Sumit Bose
76d809574b ipasam: replace testing code 2012-07-06 13:06:16 +03:00
Sumit Bose
abe40284cf ipasam: fixes for clang warnings 2012-07-06 13:06:16 +03:00
Sumit Bose
7fb9ca23a1 Allow silent build if available 2012-07-06 13:06:15 +03:00
Alexander Bokovoy
e88049ecee ipasam: improve SASL bind callback
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.

Rework ccache handling to avoid re-initing every time callback is called
2012-07-06 13:06:15 +03:00
Rob Crittenden
e5b6260008 Centralize timeout for waiting for servers to start.
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
2012-07-02 17:08:58 -04:00
Rob Crittenden
6fb802152a Become IPA v3 beta 1 (3.0.0.pre1) 2012-07-01 18:07:11 -04:00
Sumit Bose
06b298e93a Use DN objects instead of strings in adtrustinstance 2012-07-01 17:41:57 -04:00
Martin Kosek
d5fe02999c Create default range entry after upgrade
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.

Default range LDIF entry for new install was fixed so that new
installation does not crash.

https://fedorahosted.org/freeipa/ticket/2891
2012-07-02 16:27:33 +02:00
Rob Crittenden
a4d2bcde33 Fix compatibility with Fedora 18.
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.

https://fedorahosted.org/freeipa/ticket/2839
2012-07-02 15:20:13 +02:00
Petr Viktorin
03f247ec86 Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
2012-07-02 08:31:03 +02:00
Rob Crittenden
50ebd1a339 Add missing option to range_add in API.txt
Fix build
2012-06-30 19:58:00 -04:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
fbebe82811 Add CLI for ID ranges
https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:50 -04:00
Sumit Bose
e809802aed Set RID bases for local domain during ipa-adtrust-install 2012-06-29 16:21:23 -04:00