It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.
A dict is added to hold templates for the non-plugin permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.
Do not ask for memberindirect when retrieving the entry.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.
Also, do not reset ipapermbindruletype when updating an existing
managed permission.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.
Also removed now unused upload_ca_dercert method of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
https://fedorahosted.org/freeipa/ticket/4202
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The logging level for these messages was decreaed so that they
do not show up in ipa-advise output.
Reset the log level to INFO and configure ipa-advise to not display
INFO messages from xmlclient by default.
Partially reverts commit efe5a96725https://fedorahosted.org/freeipa/ticket/4135
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
The two classes had very similar __call__ methods, but the JSON
server lacked error handling.
Create a common class for the __call__ method.
https://fedorahosted.org/freeipa/ticket/4069
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.
https://fedorahosted.org/freeipa/ticket/4084
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
