Commit Graph

1730 Commits

Author SHA1 Message Date
Martin Kosek
eeee8e1c6e Fix encoding for setattr/addattr/delattr
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.

https://fedorahosted.org/freeipa/ticket/2418
2012-03-01 21:50:52 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Martin Kosek
b7d092a0f4 Remove memberPrincipal for deleted replicas
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.

This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.

https://fedorahosted.org/freeipa/ticket/2451
2012-03-02 16:45:35 +01:00
Rob Crittenden
d5c9f7bcaa Add status command to retrieve user lockout status
This information is not replicated so pull from all IPA masters
and display the status across all servers.

https://fedorahosted.org/freeipa/ticket/2162
2012-03-02 16:28:54 +01:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Simo Sorce
03fc5c3d73 Fix ticket checks when using either s4u2proxy or a delegated krbtgt
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.

This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.

Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.

Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.

When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.

Fixes: http://fedorahosted.org/freeipa/ticket/2472
2012-03-01 00:56:01 -05:00
Ondrej Hamada
73249140fc Migration warning when compat enabled
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
2012-02-29 18:30:03 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
Martin Kosek
fab033b949 Improve FQDN handling in DNS and host plugins
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.

This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.

As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.

https://fedorahosted.org/freeipa/ticket/2420
2012-02-29 19:06:18 +01:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00
Martin Kosek
4e9a2e0983 Improve dnsrecord-add interactive mode
When an invalid record type is entered during dnsrecord-add
interactive mode, user is provided with a list of allowed values
(record types). However, the provided list contains also
unsupported record types (APL, DHCID, etc.) and any attempt to add
such records would end with error. This patch limits the list
to supported record types only.

https://fedorahosted.org/freeipa/ticket/2378
2012-02-29 18:42:38 +01:00
Rob Crittenden
e294f79488 Don't set migrated user's GID to that of default users group.
The GID should be the UID unless UPG is disabled.

https://fedorahosted.org/freeipa/ticket/2430
2012-02-29 18:05:31 +01:00
Ondrej Hamada
1356988b7a Validate attributes in permission-add
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
2012-02-28 18:22:24 -05:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
Petr Voborník
7da8d2f296 Added unsupported_validator
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.

New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Voborník
25bda1e860 New UI for DNS global configuration
UI for DNS global configuration was implemented.

https://fedorahosted.org/freeipa/ticket/2350
2012-02-29 12:59:13 +01:00
Petr Voborník
a1f8c39f88 DNS Zone UI: added new attributes
New attributes were added to DNS zone details facet.

Attributes:
    idnsallowquery
    idnsallowtransfer
    idnsforwarders
    idnsforwardpolicy
    idnsallowsyncptr

New network address validator created for idnsallowquery and idnsallowtransfer attributes.

Network address validator also added to dnszone adder dialog - from_ip field.

https://fedorahosted.org/freeipa/ticket/2351
2012-02-29 12:59:13 +01:00
Petr Viktorin
45e92a338f Use stricter semantics when checking IP address for DNS records
https://fedorahosted.org/freeipa/ticket/2379
2012-02-29 11:02:58 +01:00
Martin Kosek
aff6bc0e63 Improve dns error message
Improve AttrValueNotFound exception error message raised in the DNS
module when a deleted (modified) attribute value is not found
in a record. In order to be consistent with previous DNS module
implementation this error message should include an attribute
label instead of an attribute name.

https://fedorahosted.org/freeipa/ticket/2377
2012-02-28 08:45:05 +01:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
059a90702e Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.

* Replaced the sesssion write_timestamp with the access_timestamp and
  update the access_timestamp whenever the session data is created,
  retrieved, or written.

* Modify set_session_expiration_time to handle both an inactivity
  timeout and a fixed duration.

* Introduce  KerberosSession as a mixin class to share session
  duration functionality with all classes manipulating session data
  with Kerberos auth. This is both the non-RPC login class and the RPC
  classes.

* Update make-lint to handle new classes.

* Added session_auth_duration_type config item.

* Updated default.conf.5 man page for new session_auth_duration_type item.

* Removed these unused config items: mount_xmlserver,
  mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
2012-02-27 05:55:15 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Rob Crittenden
7d7322de2e Limit allowed characters in a netgroup name to alpha, digit, -, _ and .
Apply this to hostgroup names as well since they can be linked.

https://fedorahosted.org/freeipa/ticket/2221
2012-02-27 00:06:44 -05:00
Martin Kosek
7fe63f8233 Add SSHFP update policy for existing zones
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.

This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.

https://fedorahosted.org/freeipa/ticket/2394
2012-02-27 18:04:19 +01:00
Martin Kosek
cbb3bfae23 Add reverse DNS record when forward is created
Adding reverse DNS record may be a time consuming task, especially
for IPv6 addresses. Having a way to automatically create a reverse
record when a forward record is created could speed up the process.
host-add command already has this possibility.

This patch takes advantage of the new per-type API and adds new
options for A/AAAA record types: --a-create-reverse and
--aaaa-create-reverse. These commands can be used to automatically
create reverse records for new A/AAAA addresses (both forward
and reverse zones need to be managed by FreeIPA server):

ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse

This command would add a new A record to record foo in zone
example.com and a PTR record to appropriate reverse zone for
IP address 10.0.0.1 (for example PTR record 1 in zone
0.0.10.in-addr.arpa. pointing to foo.example.com.).

Few modification were done to new DNS API to support this feature:
 - Refactor --ip-address option handling from host-add and place it
   to dns.py to be used by both modules
 - Add support for "extra" per-type options
 - Hide DNS record part options in dnsrecord_find command as they
   have no effect for this command

https://fedorahosted.org/freeipa/ticket/2009
2012-02-27 16:50:08 +01:00
Rob Crittenden
ac47b1ca6e Don't consider virtual attributes when validating custom objectclasses
We verify user and group default objectclasses when changing them
to be sure that required objectclasses aren't being dropped. We need
to ignore virtual attributes or it will raise an error because they
aren't defined in schema.

https://fedorahosted.org/freeipa/ticket/2406
2012-02-27 10:06:35 +01:00
Martin Kosek
16d88d79ad Add gidnumber minvalue
Do not accept invalid GID values in IPA user/group plugins.

https://fedorahosted.org/freeipa/ticket/2335
2012-02-23 21:00:15 -05:00
Martin Kosek
1c898e388b Add API for PTR sync control
New version of bind-dyndb-ldap plugin have an ability to
automatically update machine reverse address when its forward
address is updated via GSS-TSIG update. The reverse zone must be
managed by FreeIPA as well in order of this feature to work.

As it would not be secure to enable this behaviour for all zones
there is a global attribute that can enable PTR sync for all zones
and also a per-zone attribute that can enable for chosen zones
only.

This patch adds an API for this control.

https://fedorahosted.org/freeipa/ticket/2176
2012-02-24 09:40:51 +01:00
Martin Kosek
210d913eb1 Add DNS conditional forwarding
Add ability configure per-zone forwarder for DNS zones. Any data
in such zone will then be considered as non-authoritative and all
queries will be sent to specified forwarder.

https://fedorahosted.org/freeipa/ticket/2108
2012-02-24 09:40:47 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Rob Crittenden
d4a1dc5712 Don't allow IPA master hosts or important services be deleted.
Deleting these would cause the IPA master to blow up.

For services I'm taking a conservative approach and only limiting the
deletion of known services we care about.

https://fedorahosted.org/freeipa/ticket/2425
2012-02-23 20:17:12 +01:00
Petr Voborník
a7ced67e77 Added missing configuration options
Missing options were added to Web UI's IPA Server/Configuration page.
 * ipaconfigstring
 * ipaselinuxusermaporder
 * ipaselinuxusermapdefault

https://fedorahosted.org/freeipa/ticket/2285
https://fedorahosted.org/freeipa/ticket/2400
2012-02-20 15:47:39 -06:00
Petr Viktorin
efb37739ab Add common helper for interactive prompts
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or  KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.

The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.

A minor fix restores errors.py's ability print out the list of
errors when run as a script.
2012-02-19 20:23:20 -05:00
Martin Kosek
e10af0b764 Ease zonemgr restrictions
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.

This patch also fixes default zonemgr value in help texts and man
pages.

https://fedorahosted.org/freeipa/ticket/2272
2012-02-20 15:34:45 +01:00
Rob Crittenden
2da6d6e746 Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
2012-02-15 17:08:33 +01:00
Petr Voborník
8ad295a554 Redirection to PTR records from A,AAAA records
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
 1) fetch all dns zones
 2) find most accurate reverse zone for IP address
    2 -fail) show error message, stop
 3) checks if target record exists in the zone
    3 -fail) show 'dns record create link', stop
 4) redirects

Click on 'dns record create link':
 1) creates record
   1 -fail) show error, stop
 2) redirects

https://fedorahosted.org/freeipa/ticket/1975
2012-02-15 09:23:26 +01:00
Petr Voborník
eb87b8c319 UI support for ssh keys
To user and host details pages was added ipasshpubkey attribute.

New widget for ssh public keys was created.

https://fedorahosted.org/freeipa/ticket/2340
2012-02-15 09:23:05 +01:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
Jan Cholasta
ca3f304110 Base64-decode unicode values in Bytes parameters.
Fix wrong handling of strings in --setattr/--addattr/--delattr.

These changes make it possible to use Bytes in --setattr/--addattr/
--delattr without errors.

Fixes managing SSH keys on command-line

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:50 -05:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Petr Viktorin
528a94f839 Internationalization for HBAC and ipalib.output
* hbacrule: Internationalize HBAC rule "all" category exceptions
  https://fedorahosted.org/freeipa/ticket/2267

* hbactest: Use internationalized names (doc) instead of names
  for output items
  Also don't convert result to bool, `not` does it implicitly

* ipalib.output: Internationalize descriptions of some standard entries
2012-02-14 19:08:40 +01:00
Petr Voborník
2755709f2e Removed question marks from field labels
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".

https://fedorahosted.org/freeipa/ticket/2353
2012-02-14 08:35:49 -06:00
Petr Viktorin
90d99f6017 Clean up i18n strings
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).

Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
2012-02-10 11:53:40 +01:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Petr Viktorin
d706c411ef Honor default home directory and login shell in user_add
The homedirectory argument had a default_from '/home/<name>', ignoring
the ipahomesrootdir config setting. This patch removes that default,
and adds a test case for ipahomesrootdir.

https://fedorahosted.org/freeipa/ticket/2332

The login shell had the same problem. Again this patch removes the
client-side default and adds a test.

Building the home directory from the default is changed to use
posixpath.join instead of string formatting and ad-hoc cleanup,
and to use '/home' instead of failing when the ipahomesrootdir
setting is not present for some reason.
2012-02-09 18:11:57 +01:00
Rob Crittenden
44c69ef33e Make ipaconfigstring modifiable by users.
Convert from a freeform string into a enumeration.

Only values currently allowed are AllowLMhash and AllowNThash.

To add more than one value on the command-line either specify
--ipaconfigstring multiple times or add the values comma-separated.

https://fedorahosted.org/freeipa/ticket/1433
2012-02-09 08:29:09 +01:00
Ondrej Hamada
616d543a54 Memberof attribute control and update
Checking of parameters used by _make_aci funcion was rewritten.
Additional attributes of ACI(type, attribute, memberof, targetgroup,
subtree, filter) could be unset.

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305
2012-02-08 10:43:25 +01:00
Rob Crittenden
304b70843a Consolidate external member code into two functions in baseldap.py
External members (users and hosts) are assumed when doing member
management on certain attributes. If the member isn't in IPA it
is assumed to be external. When doing member management we need
to sift through the list of failures and pull out all those
that were simply not found in IPA.

https://fedorahosted.org/freeipa/ticket/1734
2012-02-08 09:12:53 +01:00