Commit Graph

1238 Commits

Author SHA1 Message Date
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Alexander Bokovoy
73e7a6c409 trust: fix get_dn() to distinguish creating and re-adding trusts
The latest support for subdomains introduced a regression that masked
the difference between a newly added trust and a re-added one.

Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list, which could later confuse
the trustdomain-find command.

https://fedorahosted.org/freeipa/ticket/4067
2013-12-11 13:33:15 +01:00
Jan Cholasta
36502a6367 Fix internal error in the user-status command.
https://fedorahosted.org/freeipa/ticket/4066
2013-12-10 15:34:45 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Martin Basti
efffcfdbc2 migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243
2013-12-02 13:30:12 +01:00
Alexander Bokovoy
32df84f04b subdomains: Use AD admin credentials when trust is being established
When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options.

When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.

Additionally, force the Samba auth module to use NTLMSSP in case we have
credentials, because at the point when the trust is established, the KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because the
credentials code makes decisions on what to use based on the smb.conf
parameters, and the Python bindings to set parameters to smb.conf make it so
that the auth module believes these parameters were overridden by the user
through the command line and ignores some of the options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.

Fixes https://fedorahosted.org/freeipa/ticket/4046
2013-11-29 13:13:55 +01:00
Petr Viktorin
1e836d2d0c Switch client to JSON-RPC
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.

The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.

The rpc_json_uri env variable existed before, but was unused,
undocumented and not set by the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).

Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.

For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.

Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
2013-11-26 16:59:59 +01:00
Tomas Babej
63d4f30686 trusts: Do not pass base-id to the subdomain ranges
For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.

https://fedorahosted.org/freeipa/ticket/4041
2013-11-22 08:47:49 +01:00
Petr Viktorin
56e3e12f12 Break long doc string in the Host plugin
Also split the translations in French and Ukrainian

Part of https://fedorahosted.org/freeipa/ticket/3587
2013-11-21 10:34:25 +01:00
Ana Krivokapic
b216a7b610 Add userClass attribute for users
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
2013-11-19 14:27:50 +01:00
Ana Krivokapic
b7c7eaf8d9 Add automember rebuild command to the web UI
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3928
2013-11-15 13:28:16 +01:00
Ana Krivokapic
6c9b3b02a4 Fix error message when adding duplicate automember rule
Also fix object_name and object_name_plural for automember rules.

https://fedorahosted.org/freeipa/ticket/2708
2013-11-15 12:46:07 +01:00
Ana Krivokapic
d97386de5b Add automember rebuild command
Add a new command to IPA CLI: ipa automember-rebuild

The command integrates the automember rebuild membership task functionality
into IPA CLI. It makes it possible to rebuild automember membership for
groups/hostgroups.

Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Nathaniel McCallum
3f85f09a83 Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
2013-11-08 12:48:15 +01:00
Jan Cholasta
df5f4ee81d Turn LDAPEntry.single_value into a dictionary-like property.
This change makes single_value consistent with the raw property.

https://fedorahosted.org/freeipa/ticket/3521
2013-11-05 13:56:55 +01:00
Sumit Bose
b5e60c2020 Remove AllowLMhash from the allowed IPA config strings
Fixes https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Jan Cholasta
5d1d513849 Always use lists for values in LDAPEntry internally.
Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce
lists for attribute values, this will be removed.

https://fedorahosted.org/freeipa/ticket/3521
2013-10-31 18:09:51 +01:00
Martin Kosek
21137ab63c Remove ipa-pwd-extop and ipa-enrollment duplicate error strings
Some error strings were duplicated, which makes it harder to
see what the real root cause is.

https://fedorahosted.org/freeipa/ticket/3988
2013-10-30 17:59:46 +01:00
Petr Viktorin
2c433cdd7e Use new ipaldap entry API in aci and permission plugin
2013-10-30 11:50:05 +01:00
Petr Viktorin
7051f510b6 Update Permission and ACI plugins to decorator registration API
2013-10-30 11:50:04 +01:00
Tomas Babej
df5f5c9fab trusts: Fix typo in error message for realm-domain mismatch
2013-10-25 13:51:59 +02:00
Jakub Hrozek
c088c940e6 trusts: combine filters with AND to make sure only the intended domain matches
2013-10-24 07:53:34 +03:00
Tomas Babej
ced2170b9d Get the created range type in case of re-establishing trust
This is a regression fix introduced by commit id:
285ed59889

Fixes internal error in case of re-establishing the trust.
2013-10-21 15:45:27 +02:00
Tomas Babej
285ed59889 trusts: Do not create ranges for subdomains in case of POSIX trust
For the AD trusts where the ID range for the root level domain is of
ipa-ad-trust-posix type, do not create separate ranges for the
subdomains, since POSIX attributes provide global mapping.
2013-10-14 10:09:56 +02:00
Alexander Bokovoy
d228b1bd70 ipa-kdb: Handle parent-child relationship for subdomains
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initialization in case of a black list change.
Trigger that by asking for a cross-realm TGT for the HTTP service.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
f734988e24 trust: integrate subdomains support into trust-add
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
a87813bf42 ipaserver/dcerpc: remove use of trust account authentication
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.
2013-10-04 10:25:31 +02:00
Alexander Bokovoy
0b29bfde0d trusts: support subdomains in a forest
Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>           -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>              -- show all available domains
ipa trustdomain-del <trust> <domain>      -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain>   -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain>  -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

The IPA KDC also needs information about authentication paths to subdomains in case they
are not hierarchical under the AD forest trust root. This information is managed via the capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909
2013-10-04 10:25:31 +02:00
Tomas Babej
8ebb76177d Do not add trust to AD in case of IPA realm-domain mismatch
Make sure that trust-add command fails when admin attempts
to add an Active Directory trust when the realm name and
the domain name of the IPA server do not match.

https://fedorahosted.org/freeipa/ticket/3923
2013-10-03 12:01:56 +02:00
Petr Viktorin
295ce7bf18 Use correct super-calls in get_args() methods
The get_args methods in ipalib.crud and ipalib.plugins.baseldap used
super() calls that skipped some of the classes in the inheritance
chain, and contained code that reimplemented some of the skipped
functionality.
This made it difficult to customize the get_args behavior.

Use proper super() calls.
2013-10-02 16:09:07 +02:00
Jan Cholasta
7c66912824 Fix service-disable in CA-less install.
https://fedorahosted.org/freeipa/ticket/3886
2013-08-29 10:18:32 +02:00
Ana Krivokapic
196c4b5f53 Fix tests which fail after ipa-adtrust-install
Some unit tests were failing after ipa-adtrust-install had been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds the missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852
2013-08-28 16:45:57 +02:00
Tomas Babej
e68bef0b1c Fix incorrect error message occurrence when re-adding the trust
You cannot re-add the trust and modify the range in the process.
The check in the code was malfunctioning since it assumed that the
range_size parameter has a default value. However, the default value
is assigned only later in the add_range function.

https://fedorahosted.org/freeipa/ticket/3870
2013-08-27 17:01:37 +02:00
Petr Vobornik
ca0d959df8 Add base-id, range-size and range-type options to trust-add dialog
https://fedorahosted.org/freeipa/ticket/3049
2013-08-22 15:23:56 +02:00
Petr Viktorin
7804a74826 Allow API plugin registration via a decorator
This makes plugin registration easier to read, less error-prone, and,
for many Plugins in a single module, faster to write.

Functionally, the decorator is equivalent to current plugin
registration. However, in the future this style will allow cleaner
semantics.

As an example, and to exercise the new syntax to prevent regressions,
the ping plugin is converted to this style.
2013-08-14 12:08:27 +02:00
Martin Kosek
b9ec4d1a67 Prevent *.pyo and *.pyc multilib problems
Differences in the Python byte code fail a build validation
(rpmdiff) done on different architectures of the same package.

This patch:
 1) Ensures that timestamps of generated *.pyo and *.pyc files match
 2) Python integer literals greater than or equal to 2^32 and lower than 2^64
    are converted to long right away to prevent a different type of
    integer on architectures with a different size of int

https://fedorahosted.org/freeipa/ticket/3858
2013-08-13 15:31:46 +02:00
Tomas Babej
69394bab5a Remove support for IPA deployments with no persistent search
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changes the ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
2013-08-09 12:14:42 +02:00
Ana Krivokapic
6e28e709ed Add new command compat-is-enabled
Add a new API command 'compat-is-enabled' which can be used to determine
whether the Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in the IPA CLI.

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:43 +02:00
Tomas Babej
3bb6d38308 Improve help entry for ipa host
Updates old information produced by the ipa help host command.
Also adds a section to ipa-client-install manpage about client
re-enrollment.

https://fedorahosted.org/freeipa/ticket/3820
2013-08-06 12:31:16 +02:00
Tomas Babej
f954f2d1b9 Limit pwpolicy maxlife to 20000 days
Since the krbMaxPwdLife attribute is represented as a number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result in an overflow when parsing this attribute in the kdb plugin,
and hence the default maxlife of 90 days would be applied.

Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).

https://fedorahosted.org/freeipa/ticket/3817
2013-08-05 17:50:31 +02:00
Ana Krivokapic
69bcfa49d4 Expose ipaRangeType in Web UI
https://fedorahosted.org/freeipa/ticket/3759
2013-07-29 10:38:03 +02:00
Tomas Babej
2934160b9c Refactor the interactive prompt logic in idrange_add
Make the interactive prompts interpret the following logic:

- AD range (dom-sid/dom-name set):
      require RID base if not set

- local range (dom-sid/dom-name not set):
    a) server with adtrust support:
           require both RID base and secondary RID base
    b) server without adtrust support:
           if any of RID base, secondary RID base set,
           require both of them

https://fedorahosted.org/freeipa/ticket/3786
2013-07-26 13:57:35 +02:00
Martin Kosek
a789d70f39 Use valid LDAP search base in migration plugin
One find_entry_by_attr call did not set a search base, leading to an
LDAP search call with a zero search base. This leads to false negative
results from LDAP.
2013-07-26 13:42:22 +02:00
Petr Vobornik
e08f4620cf Remove word 'field' from GECOS param label
No other param/field has 'field' in a label.
2013-07-23 15:32:13 +02:00
Alexander Bokovoy
7b5cc3ed83 ipaserver/dcerpc: attempt to resolve SIDs through SSSD first
Attempt to resolve SIDs through SSSD first to avoid using the trust
account password. This makes it possible to run HBAC test requests
without being in the 'trusted admins' group.

https://fedorahosted.org/freeipa/ticket/3803
2013-07-23 16:24:38 +03:00
Tomas Babej
17c7d46c25 Use AD LDAP probing to create trusted domain ID range
When creating a trusted domain ID range, probe the AD DC to get
information about the ID space leveraged by POSIX users already
defined in AD, and create an ID range with the corresponding parameters.

For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
2013-07-23 16:24:33 +03:00
Jan Cholasta
b7f10d9fe6 Add new hidden command option to suppress processing of membership attributes.
https://fedorahosted.org/freeipa/ticket/3706
2013-07-23 13:13:54 +02:00
Ana Krivokapic
8a8a9045b9 Fix internal error in idrange-add
Fix internal error in idrange-add, caused by a missing 'name' argument of
ValidationError.

https://fedorahosted.org/freeipa/ticket/3781
2013-07-22 10:49:40 +02:00
Tomas Babej
e4437a3e7f Add --range-type option that forces range type of the trusted domain
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.

When --range-type option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650
2013-07-11 12:39:28 +03:00
Jan Cholasta
55da832867 Use LDAP search instead of *group_show to check for a group objectclass.
https://fedorahosted.org/freeipa/ticket/3706
2013-07-11 12:39:26 +03:00