Commit Graph

324 Commits

Author SHA1 Message Date
Jr Aquino
fc8f7f9da8 SUDO plugin support for external hosts and users https://fedorahosted.org/freeipa/ticket/570 2010-12-21 12:29:46 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
ffd467bd7e Translate the membergroup dn into a group name.
Drop filter from the output, it is superfluous.

ticket 634
2010-12-20 15:18:42 -05:00
Jakub Hrozek
ffc6031ad7 Allow RDN changes from CLI
https://fedorahosted.org/freeipa/ticket/397
2010-12-20 11:27:46 -05:00
Rob Crittenden
34534a026f Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
2010-12-17 18:04:37 -05:00
Rob Crittenden
ffc967b47a Fix a slew of tests.
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
2010-12-17 17:01:57 -05:00
Rob Crittenden
cd7b64103b Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A
the ability to write a set of attributes of group B.

ticket 532
2010-12-13 20:15:46 -05:00
Jr Aquino
ced639eb99 tests for sudo run as user or group https://fedorahosted.org/freeipa/ticket/570 2010-12-13 17:56:13 -05:00
Rob Crittenden
ba8d21f5ae Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group
of the same name exists. This would leave the user without a private
group.

We need to check for both the user and the group so we can do 1 of 3 things:
- throw an error that the group exists (but not the user)
- throw an error that the user exists (and the group)
- allow the uesr to be added

ticket 567
2010-12-13 09:53:29 -05:00
Rob Crittenden
e8e274c9e0 Properly handle multi-valued attributes when using setattr/addattr.
The problem was that the normalizer was returning each value as a tuple
which we were then appending to a list, so it looked like
[(u'value1',), (u'value2',),...]. If there was a single value we could
end up adding a tuple to a list which would fail. Additionally python-ldap
doesn't like lists of lists so it was failing later in the process as well.

I've added some simple tests for setattr and addattr.

ticket 565
2010-12-10 13:42:47 -05:00
Rob Crittenden
5330280f08 Fix automount tests 2010-12-08 17:28:35 -05:00
Rob Crittenden
4c09809ea8 Add plugin for manage self-service ACIs
This is just a thin wrapper around the aci plugin, controlling what
types of ACIs can be added.

Right now only ACIs in the basedn can be managed with this plugin.

ticket 531
2010-12-08 13:51:10 -05:00
Rob Crittenden
6e2dd0fa5b Add new parameter type IA5Str and use this to enforce the right charset.
ticket 496
2010-12-07 16:37:42 -05:00
Rob Crittenden
bfb3e46996 Remove accessTime from HBAC.
ticket 545
2010-12-06 11:42:13 -05:00
Pavel Zuna
5db7c4ec34 Add new version of DNS plugin: complete rework with baseldap + unit tests.
Ticket #36
Ticket #450
2010-12-01 21:32:09 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Rob Crittenden
d4f25453e1 Add managedby to Host entries
This will allow others to provision on behalf of the host.

ticket 280
2010-11-19 10:31:42 -05:00
Rob Crittenden
2046eddb7a Revoke a host's certificate (if any) when it is deleted or disabled.
Disable any services when its host is disabled.

This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.

ticket 297
2010-11-19 10:31:42 -05:00
Simo Sorce
629e9520e0 Revert tests code to use the old uuid format. 2010-11-15 11:47:27 -05:00
Rob Crittenden
6f5cd3232a user-enable/disable improvements
Always display the account enable/disable status.

Don't ignore the exceptions when a user is already enabled or disabled.

Fix the exception error messages to use the right terminology.

In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.

ticket 392
2010-11-04 12:49:33 -04:00
Rob Crittenden
72cf73b6b6 Output ACI's broken out into attributes rather than a single text field
Also add validation to the List parameter type.

ticket 357
2010-11-04 12:48:45 -04:00
Jr Aquino
c99fda0d1e Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes. 2010-11-03 10:23:40 -04:00
Rob Crittenden
813dfe5013 Use kerberos password policy.
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.

There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.

The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.

As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.

ticket 51
2010-11-01 14:15:42 -04:00
Rob Crittenden
03de1b89ca Implement nested netgroups and include summaries for the commands.
Replace the existing netgroup test cases with Declarative tests. This triples
the number of tests we were doing.

ticket 209
2010-10-29 14:03:15 -04:00
Rob Crittenden
3c795f3251 Return reason for failure when updating group membership fails.
We used to return a list of dns that failed to be added. We now return
a list of tuples instead. The tuple looks like (dn, reason) where reason
is the exception that was returned.

Also made the label we use for failures to be singular instead of plural
since we now print them out individually instead of as comma-separated.

ticket 270
2010-10-28 17:47:20 -04:00
Rob Crittenden
7486ead6c9 Don't allow managed groups to have group password policy.
UPG cannot have members and we use memberOf in class of service to determine
which policy to apply.

ticket 160
2010-10-28 17:36:05 -04:00
Rob Crittenden
c1dfb50ee9 Remove group nesting from the HBAC service groups
ticket 389
2010-10-28 17:34:34 -04:00
Rob Crittenden
33802ab712 Use context to decide which name to return on RequirementsErrors
When a Requirement fails we throw an exception including the name of the
field that is missing. To make the command-line friendlier we have a
cli_name defined which may or may not match the LDAP attribute. This can
be confusing if you are using ipalib directly because the attribute name
missing may not match what is actually required (desc vs description is
a good example).

If you use the context 'cli' then it will throw exceptions using cli_name.
If you use any other context it will use the name of the attribute.

ticket 187
2010-10-28 16:06:06 -04:00
Rob Crittenden
c25d62965a Populate indirect members when showing a group object.
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.

The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.

This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup

ticket 296
2010-10-28 15:15:52 -04:00
Rob Crittenden
70a57924c8 Allow RDN changes for users, groups, rolegroups and taskgroups.
To do a change right now you have to perform a setattr like:

ipa user-mod --setattr uid=newuser olduser

The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.

ticket 323
2010-10-28 08:39:10 -04:00
Simo Sorce
c51ce61e4d UUIDs: remove uuid python plugin and let DS always autogenerate
merge in remove uuid
2010-10-28 07:58:31 -04:00
Rob Crittenden
0e4e1f4bbd Fix two failing tests.
The first test is a mismatch in the sample output of an exception.

The second test adds certificate information output to the service plugin.
2010-10-22 21:45:37 -04:00
Pavel Zuna
42c78a383d Add flag to group-find to only search on private groups.
ticket #251
2010-10-20 17:38:03 -04:00
Rob Crittenden
391d66e4af Fix _merge_from_file test 2010-10-18 15:52:20 -04:00
Rob Crittenden
d2a9ccf407 Accept an incoming certificate as either DER or base64 in the service plugin.
The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the format
it came in as.

ticket 348
2010-10-08 13:15:03 -04:00
Rob Crittenden
bed6e81935 If an HBAC category is 'all' don't allow individual objects to be added.
Basically, make 'all' mutually exclusive. This makes debugging lots easier.
If say usercat='all' there is no point adding specific users to the rule
because it will always apply to everyone.

ticket 164
2010-10-08 10:11:41 -04:00
Pavel Zuna
6606b2a9c5 Rename user-lock and user-unlock to user-enable user-disable.
Ticket #165
2010-10-06 09:20:44 -04:00
Jr Aquino
bfd2e383dc Added modifications to the sudorule plugin to reflect the schema update. 2010-10-05 21:37:59 -04:00
Rob Crittenden
f94a3d1751 Fix a couple of test cases broken by the POSIX group change.
They were made as non-POSIX originally, keep them that way.
2010-10-04 09:53:42 -04:00
Rob Crittenden
f906aaf376 Groups are now created as POSIX by default.
ticket 241
2010-10-01 14:16:36 -04:00
Rob Crittenden
88bd2a0a45 Fix LDAP client backend failing test case 2010-10-01 13:42:32 -04:00
Jr Aquino
af48654cbc Add plugins for Sudo Commands, Command Groups and Rules 2010-09-27 22:38:06 -04:00
Rob Crittenden
5b3d0f568a Add some tests for using the ldap2 Backend.
Fix a logic problem in ldap2:get_schema() for determining if it
can fetch the schema or not. Normally we only want to do this for servers
but if you pass in your own connection it will use that.
2010-09-24 15:40:56 -04:00
Rob Crittenden
86c4970d11 Fix the ipa-ldap-updater tests.
We dropped the schema for ipaContainer so use nsContainer instead.

ticket 121
2010-09-10 16:52:31 -04:00
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
e225ad4341 Add support for ldap:///self bind rules
This is added mainly so the self service rules can be updated without
resorting to ldapmodify.

ticket 80
2010-08-19 10:49:42 -04:00
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
719592a209 Fix user tests to handle managed entries
We now enable managed entries by default and need to account for it
in the expected output.
2010-08-10 16:41:28 -04:00