This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
https://fedorahosted.org/freeipa/ticket/2625
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.
https://fedorahosted.org/freeipa/ticket/2664
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
Improved options checking so that host-mod operation is not changing
password for enrolled host when '--random' option is used.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/2799
Updated set of characters that is used for generating random passwords
for ipa hosts. All characters that might need escaping were removed.
https://fedorahosted.org/freeipa/ticket/2800
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID.
First is used for recording SID of our users/groups, second is to store
SID of a remote trusted domain.
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
When unknown keyword arguments are passed to a Command, raise an
error instead of ignoring them.
Options used when IPA calls its commands internally are listed
in a new Command attribute called internal_options, and allowed.
Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use
unknown keyword arguments in its own commands and tests, but since
that some violations were reintroduced in permission_find and tests.
Fix those.
Tests included; both a frontend unittest and a XML-RPC test via the
ping plugin (which was untested previously).
https://fedorahosted.org/freeipa/ticket/2509
Fix several problems with the callback interface:
- Automatically registered callbacks (i.e. methods named
exc_callback, pre_callback etc) were registered on every
instantiation.
Fix: Do not register callbacks in __init__; instead return the
method when asked for it.
- The calling code had to distinguish between bound methods and
plain functions by checking the 'im_self' attribute.
Fix: Always return the "default" callback as an unbound method.
Registered callbacks now always take the extra `self` argument,
whether they happen to be bound methods or not.
Calling code now always needs to pass the `self` argument.
- Did not work well with inheritance: due to the fact that Python
looks up missing attributes in superclasses, callbacks could
get attached to a superclass if it was instantiated early enough. *
Fix: Instead of attribute lookup, use a dictionary with class keys.
- The interface included the callback types, which are LDAP-specific.
Fix: Create generic register_callback and get_callback mehods,
move LDAP-specific code to BaseLDAPCommand
Update code that calls the callbacks.
Add tests.
Remove lint exceptions for CallbackInterface.
* https://fedorahosted.org/freeipa/ticket/2674
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.
https://fedorahosted.org/freeipa/ticket/2564
json_metadata command creates and sends metadata needed by Web UI. It uses __json__ method for serialization of commands, options, objects... . A lot of data sent was useless for Web UI and some usefull information were missing. We
* mostly CLI specific option attribues are not send.
* attributes evaluated to false or None are not send
* options which are send are not got from takes_aptions attribute but by get_options() method. It finally sends usefull option collection for commands part of metadata.
In the end the raw amount of data send is aproximately the same.
This patch is needed for Web UI to determine which option it can use in which commands.
https://fedorahosted.org/freeipa/ticket/2760
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.
User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.
https://fedorahosted.org/freeipa/ticket/2206
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for ACI-related plugins.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.
The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.
https://fedorahosted.org/freeipa/ticket/2320
This patch add support fo Action Lists.
Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.
Actions lists are defined on facet level. Facet header takes them from facet.
Action list options
actions: list of actions
state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.
State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
evaluate(record): should return string array which represents the state
get_description(): human readable representation of a state
Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.
action options:
name: string, required, name of the option
label: string, required, human readable name of the option
enable_cond: string array, states which need to be present in order to run this action
disable_cond: string array, states which must not be present in order to run this action
handler: function, contains action's logic
needs_confirm: boolean, default false, indicates if action needs user confirmation
confirm_msg: string, default generic message, human readable confirmation message.
Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.
In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.
https://fedorahosted.org/freeipa/ticket/2247
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.
Regression test included.
https://fedorahosted.org/freeipa/ticket/2706
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.
Use an empty list instead of None (or other false falues, of which we
only use the empty list).
https://fedorahosted.org/freeipa/ticket/2681
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for the automount plugin and its tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
This reverts commit 1356988b7a.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.
This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.
Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.
https://fedorahosted.org/freeipa/ticket/2676
Replace _call_exc_callbacks with a function wrapper, which will automatically
call exception callbacks when an exception is raised from the function. This
removes the need to specify the function and its arguments twice (once in the
function call itself and once in _call_exc_callbacks).
Add some extra checks to existing exception callbacks.
Provide some guidance on how to read and understand the output. Some
manual work is needed to identify which master the user is locked on.
Always display the enabled/disabled status.
Include the time that the master was contacted in the output for each
master as lockout is very time sensitive.
https://fedorahosted.org/freeipa/ticket/2162
Ticket #2512
In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.
The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.
The fix is to use the correct variables.
At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
