Commit Graph

1092 Commits

Author SHA1 Message Date
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
18476c9538 Use newer API in ipalib/x509 and add missing import.
The import was only used when running the in-tree lite-server
2010-07-15 11:17:58 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
2bb2850fff Include contents of has_output_params in get_output_params 2010-07-13 09:27:50 -04:00
Rob Crittenden
371a4b2c72 Add separate var for search attributes and config attribute for search fields
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.

Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
2010-07-13 09:27:34 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba0f18dcd6 Clean up imports of hbacsvc plugin
I used pylint to identify a bunch of unnecessary and too-broad imports
2010-07-06 15:39:41 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
901ccc1393 First pass at per-command documentation 2010-06-22 13:58:04 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
1dd7b11b0b Connect the -v cli argument to the verbose flag in xmlrpclib
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
2010-06-03 17:08:22 -04:00
Rob Crittenden
4924270b45 Increase supported weeks per month from 4 to 6 in AccessTime() type 2010-06-03 09:25:25 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
72afb4c605 Try to clear up that uid is a number, not the login name 2010-05-17 13:49:50 -04:00
Rob Crittenden
4a0b38a8ec Enforce that max password lifetime is greater than the min lifetime
461325
2010-05-17 13:49:23 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Rob Crittenden
1943993737 Remove left-over debugging statement 2010-05-14 17:28:22 -04:00
Pavel Zuna
64490a3ee0 Correctly handle EmptyModlist exception in pwpolicy2-mod.
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
2010-05-14 11:07:10 -04:00
Pavel Zuna
7993719329 Add exception callback (exc_callback) to baseldap.py classes.
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
2010-05-14 11:06:59 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
Rob Crittenden
fa59c8b9d3 Increase the attributes we display by default and fix up some labels. 2010-05-05 14:58:01 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
Rob Crittenden
2f50668753 Fix output of summary and embedded dictionaries
Summaries were appearing as "Gettext(...")

Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
2010-05-03 13:40:34 -06:00
Martin Nagy
04182bf68f Add forgotten trailing dots in DNS records
583023
2010-04-23 17:19:41 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Pavel Zuna
bc5b5a82d9 Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting
The DNS plugin is getting old, tired and already looking forward to his
pension in the Carribean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
  had the has_output attribute in place
- --all: this is related to the output definitions as
  Command.get_options() adds the --all and --raw options automatically
  if has_output contains entries
- dns-add-rr overwritting: missing .lower() caused records to be
  overwritten everytime a new one was added from the CLI
2010-04-19 11:38:19 +02:00
Pavel Zuna
18349dda0f Enable LDAPObject subclasses to disable DN normalization in their methods. 2010-04-16 14:24:20 -04:00
Pavel Zuna
671bb9c978 Add interface for baseldap plugins to register additional callbacks. 2010-04-16 13:43:05 -04:00
Pavel Zuna
e143c22d69 Fix output of env plugin. It displayed more than it should. 2010-04-16 11:06:54 -04:00
Jason Gerard DeRose
918721c1d0 XML-RPC signature change 2010-03-30 15:10:58 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Pavel Zuna
c7a35f95c5 Fix output for commands that do not return entries.
I also changed the default value of the print_all argument in
textui.print_entry from False to True. It think it makes more sense this
way, because:

1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the
   rest
3) commands that care about the print_all argument have to set it in any
   case, those that don't care usually want to print everything
2010-03-26 16:56:47 -04:00
Rob Crittenden
4a61ff681c Fix cut-and-paste error in pwpolicy plugin 2010-03-23 15:59:54 -04:00
Rob Crittenden
9922f47ecb Do a better query so we can optimize seeing if a cospriority is unique 2010-03-23 14:03:26 -04:00
Pavel Zuna
c9831d1cc6 Use ldap2.make_*dn* methods in pwpolicy plugin.
Fixes #572423.
2010-03-22 11:49:20 -04:00
Pavel Zuna
43ab2c483d Add INTERNAL flag to frontend plugins. If set, the plugin won't show in UI. 2010-03-22 10:41:36 -04:00
Rob Crittenden
664ae51eb6 Raise an error if no modifications were performed in an update.
This will alert the user that nothing was done and is handy when used
with --attr=''. This can be used to delete a non-required attribute but
can be set to any valid attribute, present or not. We should alert the
user if they attempt to delete a non-existant value.
2010-03-19 08:33:42 -06:00
Rob Crittenden
d13fcb6a0c Ensure that the group policy priority is unique.
We use CoS to determine the order in which group policy is applied. The
behavior in CoS is undefined for multiple entries with the same
cospriority.
2010-03-19 07:13:33 -06:00
Rob Crittenden
00f27fe8c9 Fix a number of bugs in the pwpolicy plugin
This fixes:
- Consistent usage of priority vs cospriority in options
- Fixes bug introduced with recent patch where global policy couldn't be
  updated
- Doesn't allow cospriority to be removed for groups (#570536)
- returns the priority with group policy so it can be displayed
- Properly unicode encode group names for display
2010-03-19 04:36:56 -06:00
Rob Crittenden
b46f262a60 Include params in Method.output_params
Method overrides the Command get_output_params() method and only returns
the object params, not anything defined within the method itself. Return
those as well so they are displayed in output. Some care needs to be taken
to avoid returning duplicate values. In the case of duplicates the
value in obj.params wins.
2010-03-19 04:31:40 -06:00
Rob Crittenden
1400c85188 Catch modifications with no updates and raise an error
569848
2010-03-17 23:52:15 -06:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00