Commit Graph

140 Commits

Author SHA1 Message Date
Martin Basti
239adf9de4 DNS: autofill admin email
Admins email (SOA RNAME) is autofilled with value 'hostmaster'. Bind
will automaticaly append zone part.

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Martin Basti
7bc17bb852 Deprecation of --name-server and --ip-address option in DNS
Option --name-server is changing only SOA MNAME, this option has no more
effect to NS records

Option --ip-addres is just ignored

A warning message is sent after use these options

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Petr Viktorin
8fabd6dde1 Support delegating RBAC roles to service principals
https://fedorahosted.org/freeipa/ticket/3164

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-08-21 14:07:01 +02:00
Petr Viktorin
1e58588ec2 Become IPA 4.0.0 2014-07-07 16:59:07 +02:00
Martin Basti
2637116eab Allow to add managed permission for reverse zones
Ticket: https://fedorahosted.org/freeipa/ticket/4422
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 16:10:33 +02:00
Tomas Babej
9bf29c270d ipalib: Use DateTime parameter class for OTP token timestamp attributes
For ipatokennotbefore and ipatokennotafter attributes use DateTime
parameter class instead of Str, since these are represented as
LDAP Generalized Time in LDAP.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-04 08:17:37 +02:00
Martin Basti
30551a8aa3 Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0 Remove NSEC3PARAM record
Revert 5b95be802c

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
12cb31575c DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Nathaniel McCallum
0d21937995 Add otptoken-sync command
This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:15:18 +02:00
Nathaniel McCallum
2767fb584a Add the otptoken-add-yubikey command
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 16:10:16 +02:00
Petr Vobornik
2df6542232 ipa-passwd: add OTP support
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Martin Basti
7cdc4178b0 DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
48865aed5f DNSSEC: remove unsuported records
Removed SIG, NSEC, KEy, RRSIG records

Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:39 +02:00
Martin Basti
49068ade92 Separate master and forward DNS zones
Forward zones are stored in idnsforwadzone objectclasses.

design: http://www.freeipa.org/page/V4/Forward_zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Martin Basti
7625c02844 dns_name_values capability added
Added capability to transfer DNSName type between server and client

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169i

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Petr Viktorin
8b7daf675e dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone
Part of the work for: https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-28 15:58:24 +02:00
Nathaniel McCallum
5afa3c1815 Only specify the ipatokenuniqueid default in the add operation
Specifying the default in the LDAP Object causes the parameter to be specified
for non-add operations. This is especially problematic when performing the
modify operation as it causes the primary key to change for every
modification.

https://fedorahosted.org/freeipa/ticket/4227

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-05-23 11:50:23 +03:00
Tomas Babej
edb5a0c534 ipalib: Expose krbPrincipalExpiration in CLI
Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 19:01:04 +03:00
Tomas Babej
1df696f543 ipalib: Add DateTime parameter
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.

In the CLI, accepts one of the following formats:
    Accepts LDAP Generalized time without in the following format:
       '%Y%m%d%H%M%SZ'

    Accepts subset of values defined by ISO 8601:
        '%Y-%m-%dT%H:%M:%SZ'
        '%Y-%m-%dT%H:%MZ'
        '%Y-%m-%dZ'

    Also accepts above formats using ' ' (space) as a separator instead of 'T'.

As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.

Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).

Part of: https://fedorahosted.org/freeipa/ticket/3306

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-05 18:57:29 +03:00
Jan Cholasta
4314d02fbf Allow primary keys to use different type than unicode.
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.

This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Adam Misnyovszki
8b91d9a6e8 automember rebuild nowait feature added
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.

https://fedorahosted.org/freeipa/ticket/4239

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-09 13:45:32 +02:00
Adam Misnyovszki
0f626a9cc8 Extending user plugin with inetOrgPerson fields
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber

carlicenseplate is now multivalued

https://fedorahosted.org/freeipa/ticket/4165

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-03-28 12:38:50 +01:00
Petr Viktorin
1df9b5836a Allow modifying permissions with ":" in the name
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.

Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.

(* modify/delete have unrelated restrictions on managed permissions)

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
801b2fd458 permission CLI: rename --permissions to --right
The old name is kept as a deprecated alias.

https://fedorahosted.org/freeipa/ticket/4231

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-21 12:49:21 +01:00
Petr Viktorin
3120a6833e permission plugin: Output the extratargetfilter virtual attribute
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it

Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.

Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.

Write support will be added in a subsequent patch.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Nathaniel McCallum
21ff4f920e Rework how otptoken defaults are handled
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.

Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-05 10:09:16 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Petr Viktorin
e951f18416 permissions: Use multivalued targetfilter
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-20 13:11:41 +01:00
Petr Viktorin
3db08227e8 Add support for managed permissions
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.

The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).

Tests included.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-12 17:11:17 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Martin Basti
efffcfdbc2 migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243
2013-12-02 13:30:12 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00
Ana Krivokapic
d97386de5b Add automember rebuild command
Add a new command to IPA CLI: ipa automember-rebuild

The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.

Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Nathaniel McCallum
3f85f09a83 Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
2013-11-08 12:48:15 +01:00
Ana Krivokapic
196c4b5f53 Fix tests which fail after ipa-adtrust-install
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852
2013-08-28 16:45:57 +02:00
Martin Kosek
49a621a257 Bump 3.4 development version to 3.3.90 2013-08-08 17:25:43 +02:00
Martin Kosek
f988e422eb Become 3.3.0 2013-08-08 15:03:05 +02:00
Martin Kosek
e6654110c4 Become 3.3.0 Beta 2 2013-08-07 14:18:18 +02:00
Ana Krivokapic
6e28e709ed Add new command compat-is-enabled
Add a new API command 'compat-is-enabled' which can be used to determine
whether Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:43 +02:00
Tomas Babej
f954f2d1b9 Limit pwpolicy maxlife to 20000 days
Since krbMaxPwdLife attribute is represented as number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result to overflow when parsing this attribute in kdb plugin,
and hence default maxlife of 90 days would be applied.

Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).

https://fedorahosted.org/freeipa/ticket/3817
2013-08-05 17:50:31 +02:00
Martin Kosek
5b54451e0e Become 3.3.0 Beta 1 2013-07-24 13:37:46 +02:00
Jan Cholasta
b7f10d9fe6 Add new hidden command option to suppress processing of membership attributes.
https://fedorahosted.org/freeipa/ticket/3706
2013-07-23 13:13:54 +02:00
Tomas Babej
e4437a3e7f Add --range-type option that forces range type of the trusted domain
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.

When --range-type option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
2013-07-11 12:39:28 +03:00
Ana Krivokapic
91a5d3349b Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.

Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.

Add tests to cover the new functionality

https://fedorahosted.org/freeipa/ticket/3634
2013-06-24 14:30:06 +02:00