This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.
https://fedorahosted.org/freeipa/ticket/4260
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added capability to transfer DNSName type between server and client
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169i
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Specifying the default in the LDAP Object causes the parameter to be specified
for non-add operations. This is especially problematic when performing the
modify operation as it causes the primary key to change for every
modification.
https://fedorahosted.org/freeipa/ticket/4227
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a krbPrincipalExpiration attribute to the user class
in user.py ipalib plugin as a DateTime parameter.
Part of: https://fedorahosted.org/freeipa/ticket/3306
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.
In the CLI, accepts one of the following formats:
Accepts LDAP Generalized time without in the following format:
'%Y%m%d%H%M%SZ'
Accepts subset of values defined by ISO 8601:
'%Y-%m-%dT%H:%M:%SZ'
'%Y-%m-%dT%H:%MZ'
'%Y-%m-%dZ'
Also accepts above formats using ' ' (space) as a separator instead of 'T'.
As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.
Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).
Part of: https://fedorahosted.org/freeipa/ticket/3306
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.
This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.
https://fedorahosted.org/freeipa/ticket/4239
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it
Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.
Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.
Write support will be added in a subsequent patch.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.
Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.
https://fedorahosted.org/freeipa/ticket/3852
Since krbMaxPwdLife attribute is represented as number of seconds,
setting maxlife to high values such as 999 999 days (~2739 years)
would result to overflow when parsing this attribute in kdb plugin,
and hence default maxlife of 90 days would be applied.
Limit the maximum value of maxlife that can be set through the
framework to 20 000 days (~ 54 years).
https://fedorahosted.org/freeipa/ticket/3817
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.
When --range-type option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.
Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.
Add tests to cover the new functionality
https://fedorahosted.org/freeipa/ticket/3634
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.
Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).
https://fedorahosted.org/freeipa/ticket/3528
Fix output of dnsrecord_del: it now uses output.standard_delete
and excludes --all and --raw flags.
Fix output of sudorule_{add,remove}_option: they now use
output.standard_entry and include --all and --raw flags.
https://fedorahosted.org/freeipa/ticket/3503
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
Current master branch represents future release of FreeIPA (3.2).
Bump VERSION so that current development packages are not being
updated with freeipa-3.1.x packages already released in downstream
repositories.
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_findhttps://fedorahosted.org/freeipa/ticket/2528
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/3333
All *-find commands now enable leading/trailing whitespaces in the
search phrase. Behaviour has been implemented directly into
crud.Search class. IPA_API_VERSION_MINOR incremented to 45.
https://fedorahosted.org/freeipa/ticket/2981
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.
Few lines to help added to explain the feature to users too.
https://fedorahosted.org/freeipa/ticket/3209
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.
Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.
https://fedorahosted.org/freeipa/ticket/3189
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.
Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).
https://fedorahosted.org/freeipa/ticket/2184
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.
Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.
Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.
ticket 2932, 2935
range plugin was missing range-mod command that could be used for
example to fix a size for a range generated during upgrades. The
range should be updated with a caution though, a misconfiguration
could break trusts.
iparangetype is now also handled better and filled in all commands
instead of just range-show. objectclass attribute is deleted only
when really needed now.
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
The DN and ACI code doesn't always escape special characters properly.
Rather than trying to fix it, this patch takes the easy way out and
enforces that the names are safe.
https://fedorahosted.org/freeipa/ticket/2585
This will prevent errors if an empty reason is provided and it is
set by default one doesn't have to always set it on the command-line.
https://fedorahosted.org/freeipa/ticket/2597
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2448
'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.
For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.
Unit-tests added.
https://fedorahosted.org/freeipa/ticket/2447
Add a support for new global options in bind-dyndb-ldap, that is:
* idnsforwardpolicy: Default policy for conditional forwarding
* idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
updates
* idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
https://fedorahosted.org/freeipa/ticket/2439
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.
'--with-compat' is new flag. If it is set, the compat status is ignored.
https://fedorahosted.org/freeipa/ticket/2274
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919https://fedorahosted.org/freeipa/ticket/2314
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.
This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):
ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse
This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).
Few modification were done to new DNS API to support this feature:
- Refactor --ip-address option handling from host-add and place it
to dns.py to be used by both modules
- Add support for "extra" per-type options
- Hide DNS record part options in dnsrecord_find command as they
have no effect for this command
https://fedorahosted.org/freeipa/ticket/2009
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
Convert from a freeform string into a enumeration.
Only values currently allowed are AllowLMhash and AllowNThash.
To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.
https://fedorahosted.org/freeipa/ticket/1433
Since A6 is an obsolete RR type, no DNS part option was created.
This is, however, not consistent with the rest of per-type API
and may cause problems. This patch adds at least a DNS part for
raw A6 record data so that the record type is treated consistently.
This patch also fixes interactive mode for A6 records. Their data
were not detected correctly as dnsrecord_add didn't expect
a number in DNS part option name.
https://fedorahosted.org/freeipa/ticket/2309
Host object has a virtual attribute "managing" containing all hosts
it manages (governed by managedBy attribute). This patch also adds
standard membership filtering options:
--man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned
--not-man-hosts=HOSTS: Only hosts which do not manage _any_ host
in HOSTS are returned
https://fedorahosted.org/freeipa/ticket/1675
macaddress is a multi-valued attribute and we allow multiple entries.
This is from the objectclass ieee802device. This is added manually when
doing a mod or add and not as a default to support existing host entries
that do not have this objectclass. If this were added to the defaults
then existing hosts missing this objectclass would not be found by
host-find.
It is possible to get ethers data out of nss by configuring nsswitch.conf
to use ldap for ethers and running getent ethers <hostname>
I tested nslcd and it only returned one macaddress value.
https://fedorahosted.org/freeipa/ticket/1132
pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.
Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."
https://fedorahosted.org/freeipa/ticket/2092
Use new structured DNSRecord parameters to generate per-type API
for all supported DNS RR types. This should help significantly
the end-user with manipulating complex DNS record type (MX, LOC,
etc.).
All enhancements are integrated to current DNS record commands:
1) dnsrecord-add
- Records can be either entered as a raw value (e.g. --mx-rec=
"1 srv1.example.com" for MX record) or per-part:
--mx-preference=1 --mx-exchanger=srv1.example.com
- CLI interactive help behavior was changed. It will ask for
a record type and then ask for all DNS record part values
(e.g. MX Preference value, MX Exchanger value).
2) dnsrecord-mod
- This command can now operate in 2 modes. When only a raw DNS
record is entered (e.g. --mx-rec="1 srv1.example.com") it
operates in standard mode and replaces any previous mxrecord
value with the --mx-rec value.
When any structured parameter (e.g. --mx-preference) is passed
it modifies just the specified parts of one mxrecord value
referred by --mx-rec:
--mx-rec="1 srv1.example.com" --mx-preference=2
- New interactive help has been implemented. It will ask for a
record to be modified (in the same manner as dnsrecord-del)
and then let user change DNS record part(s) for chosen
records.
3) All dnsrecord-* commands have now --structured option
- When this option is passed, instead of displaying raw DNS values
all DNS records are parsed and displayed per-part. Example:
$ ipa dnsrecord-show example.com @ --structured
Record name: @
Records:
Record type: MX
Record data: 0 server1.example.com.
MX Preference: 0
MX Exchanger: server1.example.com.
Record type: NS
Record data: ns1.example.com.
NS Hostname: ns1.example.com.
All API changes are compatible with clients without this patch.
https://fedorahosted.org/freeipa/ticket/2082
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.
Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.
https://fedorahosted.org/freeipa/ticket/2085
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.
Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).
I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.
https://fedorahosted.org/freeipa/ticket/1979
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.
Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.
ticket 2007
Add a --delattr option to round out multi-valued attribute
manipulation. The new option is available for all LDAPUpdate based
commands. --delattr is evaluated last, it can remove any value
present either in --addattr/--setattr option or in current LDAP
object.
--*attr processing was completely refactored and placed to one
independent function available for all baseldap commands. For this
purpose a missing common base class for all baseldap commands has
been implemented. The new class should serve not only for --*attr
processing but also for other common baseldap methods and
attributes.
This approach will also benefit other custom commands based neither
on LDAPCreate nor LDAPUpdate. They can easily integrate --*attr
option processing when needed.
https://fedorahosted.org/freeipa/ticket/1929
--allow-dynupdate was implemented as a Flag parameter type, which
is not convenient for LDAP attributes. When a DNS zone with
permitted dynamic updates was modified and the --allow-dynupdate
flag was not set, dynamic updates were turned off.
This patch changes the option type to Bool parameter type which
behaves according to user expectations when modifying the zone.
https://fedorahosted.org/freeipa/ticket/2039
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.
This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.
https://fedorahosted.org/freeipa/ticket/1262
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.
Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.
https://fedorahosted.org/freeipa/ticket/1866
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.
This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.
Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).
https://fedorahosted.org/freeipa/ticket/1266
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.
So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.
Multiple direct maps are still supported and for those the info is
always required.
ticket 1229
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
This patch contains 2 parts.
The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.
The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).
To determine the API version of the server from a client use the ping
command.
ticket 584
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
Fix make maintainer-clean
Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)
Version 1.1.0 was released some times ago, bump up to 1.1.1
The file VERSION is now the sole-source of versioning.
The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.
By default a GIT build is done. To do a non-GIT build do:
$ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no
When updating the version you can run this to regenerate the version:
$ make version-update
The version can be determined in Python by using ipaserver.version.VERSION
