Commit Graph

5132 Commits

Author SHA1 Message Date
Sumit Bose
0350b5e8a1 Add objects for initial ID range 2012-06-29 16:21:20 -04:00
Sumit Bose
ab6097bc6a Extend LDAP schema
The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or
SIDs for objects that are no neither users nor groups.

The ipa*IDRange objectclasses will be used to store the used Posix ID
ranges of the local domains (ipaDomainIDRange) or the ranges reserved
for AD domains (ipaTrustedADDomainRange). To be able to map the Posix
IDs to a RID and back the corresponding ranges can be saved here as
well.
2012-06-29 16:21:17 -04:00
Sumit Bose
876b1ec175 Use lower case names in LDAP to meet freeIPA convention 2012-06-29 11:59:39 +02:00
Petr Vobornik
5b103ca5b5 Continuation of removing of not supported command options from Web UI
This patch removes following non-existing command options:
 * all,rights in host_disable
 * record_type in dns_record_add
 * all,rights in various xxx_remove_xxx commands used in rule_association_table_field (removing association)

https://fedorahosted.org/freeipa/ticket/2878
2012-06-29 11:56:29 +02:00
Petr Vobornik
d46687ea91 Refactored associatin facet to use facet buttons with actions
Association facet was refactored to use new concept of control buttons. It is the last facet type which don't use this concept.
It fixes regression introduced by previous refactoring of table facet (delete button was never enabled).

https://fedorahosted.org/freeipa/ticket/2876
2012-06-29 11:56:04 +02:00
Petr Vobornik
5b7084aeb5 Web UI password is going to expire in n days notification
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').

Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).

https://fedorahosted.org/freeipa/ticket/2625
2012-06-29 11:55:53 +02:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Martin Kosek
302d5afe8b Add missing libsss_idmap Requires on freeipa-server-trust-ad 2012-06-28 13:48:45 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
ac6afd31f7 Add configure check for C Unit-Test framework check
The framework can be found at http://check.sourceforge.net.
2012-06-28 08:13:22 +02:00
Sumit Bose
dc3491ea42 Filter groups in the PAC
If one or more of the external groups given in the PAC can be found in
the ipaExternalGroup objects and these objects are members of local
groups, the SIDs of the local groups are added to the PAC.
2012-06-28 08:05:34 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Alexander Bokovoy
63567479df Add error condition handling to the SASL bind callback in ipasam
https://fedorahosted.org/freeipa/ticket/2877
2012-06-28 08:00:58 +02:00
Alexander Bokovoy
761cb71838 Support requests for DOMAIN$ account for trusted domains in ipasam module
https://fedorahosted.org/freeipa/ticket/2870
2012-06-28 07:57:29 +02:00
Rob Crittenden
db4c946f47 Defer adding ipa-cifs-delegation-targets until the Updates phase.
It was likely that this would fail being in an LDIF so let an update
file add this potentially conflicting entry instead.

https://fedorahosted.org/freeipa/ticket/2837
2012-06-27 16:50:02 +02:00
Ondrej Hamada
8ce7330c53 Change random passwords behaviour
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/2799

Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.

https://fedorahosted.org/freeipa/ticket/2800
2012-06-27 12:58:46 +02:00
Petr Vobornik
3c36fa8c0d Action panel for certificates
This is a continuation of effor which transforms status widgets with buttons executing actions to separate status widget and action panels. This patch strips certificate status widget of its buttons and separates the actions to their own objects. Appropriate modifications are taken in host and service details facets.

New certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On facet load event new certificate facet policy loads a certificate from result. Unfortunately results don't contain revocation reason so it also executes additional cert-show command to get the revocation reason. Policy store the certifacete to facet. It raises the certifacet_loaded event to notify certificate evaluator and status widget. Status widget updates its state. Certificate evaluater updates state and actions get disabled or enabled.

https://fedorahosted.org/freeipa/ticket/2250
2012-06-27 08:58:24 +02:00
Martin Kosek
32ef4efaca Remove ipaNTHash from global allow ACI
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856
2012-06-26 21:28:25 +02:00
Petr Viktorin
3021b3e9d5 Improve output validation
We only checked the length of Command output dictionaries. A misspelled
key in would not be caught.

Fix the problem by checking if the sets of keys are equal.

Add a test. Split the test methods into more manageable pieces.

https://fedorahosted.org/freeipa/ticket/2860
2012-06-25 22:04:14 -04:00
Petr Viktorin
ec5115a155 Typo fixes 2012-06-25 21:35:11 -04:00
Rob Crittenden
f4d2f2a65b Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
2012-06-25 17:24:34 -04:00
Petr Vobornik
d1fe43c56f Same password validator
This patch adds validator which compares passwords in two fields.

In future it should be used in various password reset dialogs.

A flags attribute was added to field. It's purpose is to define control flags. This patch uses it in details facet and adder dialog to not include fields to command option if the field has 'no_command' flag. Therefore there is no need to use hacks such as disabling of field or removing a value from command's option map when a non-command field is needed (ie verify password).

https://fedorahosted.org/freeipa/ticket/2829
2012-06-26 12:32:50 +02:00
Petr Vobornik
ae19cce7ad Trust Web UI
This patch adds Web UI for trusts.

Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.

Adder dialog supports two ways if adding a trust:
1)  adding with domain name, admin name and admin password.
2) adding with domain name, shared secret

Search page shows only list of realm names which are trusts' cns.

Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)

trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.

Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.

https://fedorahosted.org/freeipa/ticket/2829
2012-06-25 18:17:06 +02:00
Alexander Bokovoy
a5cb1961fe Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad' 2012-06-25 18:16:15 +02:00
Alexander Bokovoy
c3a7894ab6 Use correct SID attribute for trusted domains
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
2012-06-25 18:15:35 +02:00
Rob Crittenden
c9954878b8 Add logging to ipa-upgradeconfig
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log

Will output basic stauts information if executed from the command-line.

https://fedorahosted.org/freeipa/ticket/2696
2012-06-21 20:53:36 -04:00
Petr Vobornik
6f4121ccbb Custom Web UI error message for IPA error 911
Error message for IPA error 911 is not very clear for end users.

This patch changes the message and adds an advice how to get rid of the error.

https://fedorahosted.org/freeipa/ticket/2778
2012-06-22 10:45:06 +02:00
Petr Vobornik
0948a9f91b Set network.http.sendRefererHeader to 2 on browser config
IPA web UI isn't functional when browser doesn't send http headers.

This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.

Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader

https://fedorahosted.org/freeipa/ticket/2778
2012-06-22 10:44:45 +02:00
Alexander Bokovoy
5a982358b5 Re-format ipa-adtrust-install final message to be within 80 characters wide
https://fedorahosted.org/freeipa/ticket/2857
2012-06-22 08:46:21 +02:00
Alexander Bokovoy
0e3d064ac1 restart dirsrv as part of ipa-adtrust-install
We should restart Directory Server when performing AD trusts configuration
to enable new CLDAP plugin and force KDC to notice MS PAC is now available.
Previously we only restarted KDC but if dirsrv is restarted, KDC will notice
its socket disappeared and will refresh itself

http://fedorahosted.org/freeipa/ticket/2862
2012-06-22 08:45:55 +02:00
Petr Vobornik
37b7b28993 Added password reset capabilities to unauthorized dialog
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.

If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 13:23:44 +02:00
Petr Vobornik
1eab43d292 Separate reset password page
This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 12:46:59 +02:00
Ondrej Hamada
f298a20d27 Case sensitive renaming of objects
When renaming object its case sensitivity is obeyed. This was DS bug.
Unit tests were corrected and minimal DS version was updated in spec
file.

https://fedorahosted.org/freeipa/ticket/2620
2012-06-20 15:47:02 +02:00
Petr Viktorin
1235dfa7bf Fail on unknown Command options
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.

Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.

Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.

Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).

https://fedorahosted.org/freeipa/ticket/2509
2012-06-20 15:18:42 +02:00
Martin Kosek
1484ccc404 Decimal parameter conversion and normalization
Parameter Decimal does not have a sufficient value checks. Some values
cause Decimal parameter with a custom precision to crash with
an unhandled exception.

Improve parameter conversion and normalization operations to handle
decimal exceptions more gracefully. Decimal parameter now also has
new attributes enabling 2 new validation/normalization methods:
 * exponential: when False, decimal number is normalized to its
                non-exponential form
 * numberclass: a set of allowed decimal number classes
                (e.g. +Infinity, -Normal, ...) that are enforced
                for every Decimal parameter value

https://fedorahosted.org/freeipa/ticket/2705
2012-06-17 21:59:54 -04:00
Petr Viktorin
8f051c978e Improve autodiscovery logging
Track the source of discovered values (e.g. from option, interactive,
retrieved from DNS), and show it in the log in the configuration
overview and on erorrs involving the value.

Add additional log messages explaining the autodiscovery process.

For domains the discovery tries to get LDAP SRV records from, log
reasons explaining why the domain was chosen. Also, prevent the
same domain from being searched multiple times.

Add names for error codes, and show them in the log.

Also, modernize the discovery code a bit: move away from the
Java-style accessors, don't needlessly pre-declare variables, make
IPADiscovery a new-style class.

https://fedorahosted.org/freeipa/ticket/2553
2012-06-17 21:47:06 -04:00
Petr Viktorin
3e0116491f Improve ipa-client-install debug output
The client does a fair bit of work when trying to validate the hostnames,
do discovery and verify that the server it gets back is an IPA server.
The debug logging around this was horrid with very little state information,
duplicate log messages or just nothing at all.
In many cases errors were printed only to stderr/stdout.

This patch makes the logging and output go through the IPA log manager.
It sets up logging so that INFO, WARNING, and ERROR messages show up on the
console. If -d is given, DEBUG messages are also printed.
All messages also go to the log file.
The only exception is user input: prompts are only printed to the console,
but if the user provides any information it is echoed in a DEBUG-level
message.

https://fedorahosted.org/freeipa/ticket/2553
2012-06-17 21:47:06 -04:00
Rob Crittenden
e94733f04d Increase LimitRequestFieldSize in Apache config to support a 64KiB PAC
https://fedorahosted.org/freeipa/ticket/2767
2012-06-18 13:03:43 +02:00
Rob Crittenden
55d2d92dcf Add flag to ipa-client-install to managed order of ipa_server in sssd
The --fixed-primary flag determine the order of the ipa_server directive.
When set the IPA server discovered (or passed in via --server or via
user-input) will be listed first. Otherwise _srv_ is listed first.

https://fedorahosted.org/freeipa/ticket/2282
2012-06-13 22:38:14 -04:00
Rob Crittenden
54135ecd9a Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331
2012-06-14 14:02:26 +02:00
Martin Kosek
0c96f59356 Remove trust work unit test failures
Trust work that was pushed recently requires few changes in unit
tests to prevent test failures. This patch also removes repetitive
construction of group DN in group unit tests.
2012-06-14 12:21:18 +02:00
Petr Viktorin
9960149e3f Rework the CallbackInterface
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
    exc_callback, pre_callback etc) were registered on every
    instantiation.
    Fix: Do not register callbacks in __init__; instead return the
    method when asked for it.
- The calling code had to distinguish between bound methods and
    plain functions by checking the 'im_self' attribute.
    Fix: Always return the "default" callback as an unbound method.
    Registered callbacks now always take the extra `self` argument,
    whether they happen to be bound methods or not.
    Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
    looks up missing attributes in superclasses, callbacks could
    get attached to a superclass if it was instantiated early enough. *
    Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
    Fix: Create generic register_callback and get_callback mehods,
    move LDAP-specific code to BaseLDAPCommand

Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.

* https://fedorahosted.org/freeipa/ticket/2674
2012-06-14 11:09:43 +02:00
Petr Vobornik
f52fa2a018 Action panel for service provisioning
Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog.

Action for action panel and all required status evaluators for enabling/disabling of that action were also created.

https://fedorahosted.org/freeipa/ticket/2252
2012-06-13 16:44:35 +02:00
Petr Vobornik
961aeb80e9 Action panel for host enrollment
Widgets in host enrollment sections were modified. They now serve only for displaying of has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening of these dialogs are items in new action panel in enrollment section.

https://fedorahosted.org/freeipa/ticket/2251
2012-06-13 16:44:30 +02:00
Alexander Bokovoy
a5fcfc2c7e Move AD trust support code to freeipa-server-trust-ad subpackage
DCERPC code in AD trusts implementation depends on Samba 4 Python bindings.
Make this dependency optional for main freeipa-server package by moving
the dependency to freeipa-server-trust-ad subpackage.

Main interface to AD trusts (ipalib/plugins/trust.py) will still stay,
as well as LDIF files and updates as they are not causing real dependency.

https://fedorahosted.org/freeipa/ticket/2821
2012-06-13 12:05:03 +03:00
Martin Kosek
d1e695b5d0 Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.

This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.

The actual password change in the script is processed by LDAP
password change command.

Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
  X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
  (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

https://fedorahosted.org/freeipa/ticket/2276
2012-06-11 23:07:03 -04:00
Martin Kosek
34a1dee934 Only set sebools when necessary
setsebool -P was run for every package upgrade or server
installation even though the sebools were already set to the new
value.

Only set sebools which are different from current system values.
This speeds up ipa-upgradeconfig or package update by 150 seconds.
2012-06-10 21:23:23 -04:00
Martin Kosek
1d44aba89b Enable psearch on upgrades
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).

Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.

ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
2012-06-10 21:23:19 -04:00
Martin Kosek
ce97d6f8e7 Enable persistent search by default
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.

Make this mechanism default in ipa-server-install and ipa-dns-istall.

https://fedorahosted.org/freeipa/ticket/2524
2012-06-10 21:23:15 -04:00