Commit Graph

1572 Commits

Author SHA1 Message Date
Martin Babinsky
5a5e1a2494 migrate-ds: print out failed attempts when no users/groups are migrated
This patch should fix both https://fedorahosted.org/freeipa/ticket/4846 and
https://fedorahosted.org/freeipa/ticket/4952.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-03-23 13:08:41 +01:00
Martin Basti
f26220b9b3 DNS: remove NSEC3PARAM from records
NSEC3PARAM is configurable only from zone commands. This patch removes
this record type from DNS records.

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:21:04 +01:00
Martin Basti
63c497a1fb DNS fix: do not show part options for unsupported records
Do not show parts options in help output, if record is marked as unsupported.

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:21:04 +01:00
Martin Basti
0c3bf595f3 DNS fix: do not traceback if unsupported records are in LDAP
Show records which are unsupported, if they are in LDAP.
Those records are not editable, and web UI doesnt show them.

Fixes traceback caused by --structured option

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:21:04 +01:00
Tomas Babej
93f3bb3ddd idviews: Use case-insensitive detection of Default Trust View
The usage of lowercased varsion of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-23 17:51:21 +01:00
Tomas Babej
72af5fd975 ipalib: Make sure correct attribute name is referenced for fax
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-19 18:36:16 +01:00
Martin Babinsky
b95f4330c9 Changing the token owner changes also the manager
This works if the change is made to a token which is owned and managed by the
same person. The new owner then automatically becomes token's manager unless
the attribute 'managedBy' is explicitly set otherwise.

https://fedorahosted.org/freeipa/ticket/4681

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-18 13:55:27 +01:00
Martin Kosek
8ea8a7038e group-detach does not add correct objectclasses
https://fedorahosted.org/freeipa/ticket/4874

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-02-18 13:18:31 +01:00
Petr Vobornik
76d401bb88 Fix TOTP Synchronization Window label
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-17 08:26:42 +01:00
Gabe
3117e7b79c permission-add does not prompt for ipapermright in interactive mode
- Add flag "ask_create" to ipalib/plugins/permission.py
- Bump API version

https://fedorahosted.org/freeipa/ticket/4872

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-16 16:39:03 +01:00
Martin Babinsky
06376a48b2 migrate-ds: exit with error message if no users/groups to migrate are found
'ipa migrate-ds' will now exit with error message if no suitable users/groups
are found on LDAP server during migration.

https://fedorahosted.org/freeipa/ticket/4846

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-16 16:33:46 +01:00
Nathaniel McCallum
9549a5984b Expose the disabled User Auth Type
Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-02-12 10:31:24 +01:00
David Kupka
3b87302f5a idviews: Allow setting ssh public key on ipauseroverride-add
https://fedorahosted.org/freeipa/ticket/4868

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-27 16:03:13 +00:00
Martin Basti
af0a2409f9 Always return absolute idnsname in dnszone commands
Ticket: https://fedorahosted.org/freeipa/ticket/4722
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-26 07:07:44 +00:00
Martin Kosek
6652c4eb2e Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Martin Basti
95371bd736 Detect and warn about invalid DNS forward zone configuration
Shows warning if forward and parent authoritative zone do not have
proper NS record delegation, which can cause the forward zone will be
ineffective and forwarding will not work.

Ticket: https://fedorahosted.org/freeipa/ticket/4721
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-15 13:20:12 +01:00
Tomas Babej
e11e8235ac baseldap: Handle missing parent objects properly in *-find commands
The find_entries function in ipaldap does not differentiate between
a LDAP search that returns error code 32 (No such object) and LDAP
search returning error code 0 (Success), but returning no results.

In both cases errors.NotFound is raised. In turn, LDAPSearch
commands interpret NotFound exception as no results.

To differentiate between the cases, a new error EmptyResult
was added, which inherits from NotFound to preserve the compatibility
with the new code.

This error is raised by ipaldap.find_entries in case it is performing
a search with and the target dn does not exist.

https://fedorahosted.org/freeipa/ticket/4659

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-13 16:16:14 +00:00
David Kupka
b0f412177f Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
https://fedorahosted.org/freeipa/ticket/4787

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-01-13 15:33:55 +01:00
Petr Vobornik
e6beaaccce migrate-ds: fix compat plugin check
After ACI refactoring, admin cannot read Schema Compatibility plugin configuration and therefore migrade-ds won't find if compat plugin is enabled.

Now the check si done by looking if cn=compat subtree is present.

https://fedorahosted.org/freeipa/ticket/4825

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-12 17:44:17 +00:00
Tomas Babej
c5c9d49706 idviews: Ignore host or hostgroup options set to None
Since passing --hosts= or --hostsgroups= to idview-apply or unapply
commands does not make sense, ignore it.

https://fedorahosted.org/freeipa/ticket/4806

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-12 17:04:21 +01:00
Tomas Babej
fdd7b79eea idviews: Complain if host is already assigned the ID View in idview-apply
When running a idview-apply command, the hosts that were already assigned
the desired view were silently ignored. Make sure such hosts show up in
the list of failed hosts.

https://fedorahosted.org/freeipa/ticket/4743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-12 16:43:23 +01:00
Martin Basti
b5ff0b941e Show SSHFP record containing space in fingerprint
SSHFP records added by nsupdate contains extra space (valid), framework
couldn't handle it.

Ticket: https://fedorahosted.org/freeipa/ticket/4790
Ticket: https://fedorahosted.org/freeipa/ticket/4789
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-10 18:35:45 +00:00
Tomas Babej
d0a781b9c6 hosts: Display assigned ID view by default in host-find and show commands
Makes ipaassignedidview a default attribute and takes care about the
conversion from the DN to the proper ID view name.

https://fedorahosted.org/freeipa/ticket/4774

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-05 15:55:38 +01:00
Nathaniel McCallum
b01767c69d Create an OTP help topic
This allows the various OTP related commands to be grouped together
in the IPA CLI documentation.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:44:51 +01:00
Nathaniel McCallum
9baa93da1c Make token auth and sync windows configurable
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Petr Vobornik
026c9eca09 add --hosts and --hostgroup options to allow/retrieve keytab methods
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page

https://fedorahosted.org/freeipa/ticket/4777

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-03 11:34:10 +00:00
Nathaniel McCallum
b3a6701e73 Catch USBError during YubiKey location
https://fedorahosted.org/freeipa/ticket/4693

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-25 16:44:00 +01:00
David Kupka
56ca47d535 Fix error message for nonexistent members and add tests.
https://fedorahosted.org/freeipa/ticket/4643

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-24 16:04:57 +01:00
David Kupka
35dad9684b Fix --{user,group}-ignore-attribute in migration plugin.
Ignore case in attribute names.

https://fedorahosted.org/freeipa/ticket/4620

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-20 16:49:13 +01:00
Martin Basti
310e46452c Fix warning message should not contain CLI commands
Message is now universal for both CLI and WebUI

Ticket: https://fedorahosted.org/freeipa/ticket/4647
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 15:20:55 +01:00
Nathaniel McCallum
3c900ba7a8 Enable QR code display by default in otptoken-add
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.

https://fedorahosted.org/freeipa/ticket/4703

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 14:26:00 +01:00
Nathaniel McCallum
c38e2d7394 Ensure users exist when assigning tokens to them
https://fedorahosted.org/freeipa/ticket/4642

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 16:18:41 +01:00
Nathaniel McCallum
93ff9ec087 Improve otptoken help messages
https://fedorahosted.org/freeipa/ticket/4689

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-13 15:32:52 +01:00
David Kupka
b032debd23 Produce better error in group-add command.
https://fedorahosted.org/freeipa/ticket/4611

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 13:07:22 +00:00
Petr Vobornik
3d11de4849 idrange: include raw range type in output
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers

Solved by new iparangetyperaw output attribute which contains iparangetype's raw value

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Petr Vobornik
95a492caec ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.

Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.

No schema change is done.

https://fedorahosted.org/freeipa/ticket/4221

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Alexander Bokovoy
d6b28f29ec Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
https://fedorahosted.org/freeipa/ticket/4664

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-24 15:54:43 +02:00
Martin Basti
5e1172f560 fix forwarder validation errors
Fix tests, validation in dnsconfig mod, wuser warning

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Martin Basti
10725033c6 DNSSEC: change link to ipa page
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
5556b7f50e DNSSEC: ACI
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356 Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
df1ed11b48 webui: do not offer ipa users to Default Trust View
https://fedorahosted.org/freeipa/ticket/4616

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:29:10 +02:00
Petr Vobornik
741c31c2b4 webui: allow --force in dnszone-mod and dnsrecord-add
Allow to use --force when changing authoritative nameserver address in DNS zone.

Same for dnsrecord-add for NS record.

https://fedorahosted.org/freeipa/ticket/4573

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:06:02 +02:00
Petr Vobornik
d8f05d8841 webui: management of keytab permissions
https://fedorahosted.org/freeipa/ticket/4419

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 10:13:47 +02:00
Nathaniel McCallum
560606a991 Display token type when viewing token
When viewing a token from the CLI or UI, the type of the token
should be displayed.

https://fedorahosted.org/freeipa/ticket/4563

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 09:59:19 +02:00
Petr Vobornik
43d3593873 webui: add link to OTP token app
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed

https://fedorahosted.org/freeipa/ticket/4469

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-17 15:53:34 +02:00
Petr Vobornik
49fde3b047 idviews: error out if appling Default Trust View on hosts
https://fedorahosted.org/freeipa/ticket/4615

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:28:13 +02:00
Petr Vobornik
59ee6314af keytab manipulation permission management
Adds new API:
  ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
  ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
  ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
  ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR

  ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
  ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
  ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
  ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR

these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.

service|host-mod|show outputs these attrs only with --all option as:

  Users allowed to retrieve keytab: user1
  Groups allowed to retrieve keytab: group1
  Users allowed to create keytab: user1
  Groups allowed to create keytab: group1

Adding of object class is implemented as a reusable method since this code is
used on many places and most likely will be also used in new features. Older
code may be refactored later.

https://fedorahosted.org/freeipa/ticket/4419

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Jan Cholasta
608851d3f8 Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00