Commit Graph

1121 Commits

Author SHA1 Message Date
Rob Crittenden
47f849ec21 Try to make topic help less confusing. Rename Related to Topic commands.
Also don't print the commands at the bottom if the plugin implements
only one command, like the passwd plugin.

ticket 105
2010-09-23 12:04:13 -04:00
Rob Crittenden
9fd7fedb76 Add an example for creating an HBAC service and service group.
Try to tie in the hbacsvc and hbacsvcgroup plugins better through an
example.

ticket 159
2010-09-23 11:59:14 -04:00
Rob Crittenden
89d2280a79 Add command to resolve a hostname. Returns True or raises NotFound.
Note that this doesn't rely on IPA having a configured DNS server.
It passes the host name to the resolver and doesn't try to do a lookup
within the IPA DNS directly (e.g. no internal LDAP search).

Tries to determine if a domain is included and if not then the IPA
domain is added. This won't do the right thing if there are multiple
configured subdomains.

ticket 106
2010-09-23 11:50:16 -04:00
Pavel Zuna
1bb412239d Big webUI patch.
Quick summary:
- use jQuery UI and jQuery BBQ libraries
- code restructuring

The patch has so many changes they can't be listed here. Many parts
of the code have been rewritten from scrach.

See freeipa-devel mailing list:
webUI code restructuring [wall of text, diagrams, ... you've been warned!]
2010-09-07
2010-09-17 19:42:40 -04:00
Adam Young
5fd09b016b user-find whoami
Now no longer breaks user-find with a filter
Uses the corrected Params for getting option
printf style strings
2010-09-15 15:04:42 -04:00
Adam Young
30def30eaf Revert "user whoami"
This reverts commit bef0690a2f.
2010-09-14 16:42:30 -04:00
Adam Young
bef0690a2f user whoami
Added a whoami option to the user, allows the user to query their own information based on their Kerberos principal
2010-09-14 13:57:56 -04:00
Rob Crittenden
67a4549519 Remove some additional instances of krbV from ipa-client
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.

Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.

ticket 136
2010-09-10 17:04:01 -04:00
Rob Crittenden
2e8bae590e Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.

This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.

This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.

ticket 67
2010-09-09 16:38:45 -04:00
Rob Crittenden
d0ea0bb638 Changes to fix compatibility with Fedora 14
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6

Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata

ticket 155
2010-08-31 16:59:27 -04:00
Rob Crittenden
4b6b710ba6 Update command documentation based on feedback from docs team.
ticket #158
2010-08-27 13:31:04 -04:00
Rob Crittenden
110d46b792 Use global time and size limit values when searching.
Add test to verify that limit is honored and truncated flag set.

ticket #48
2010-08-19 10:51:55 -04:00
Rob Crittenden
e225ad4341 Add support for ldap:///self bind rules
This is added mainly so the self service rules can be updated without
resorting to ldapmodify.

ticket 80
2010-08-19 10:49:42 -04:00
Pavel Zuna
7a007d958b Fix Update function on details page.
The problem was that parameters with no values are automatically
set to None by the framework and it wasn't handled properly in
baseldap.py:get_attributes function. Also, there were two logical
bugs in details.js:
1) atttribute callback to update values were called for input elements
   instead of dt elements
2) it was always trying to update the primary key
2010-08-17 14:53:03 -04:00
Rob Crittenden
2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Adam Young
3e6f0f5721 From: Pavel Zuna <pzuna@redhat.com>
Date: Tue, 10 Aug 2010 16:41:28 -0400
Subject: [PATCH 2/6] Add a new INTERNAL plugin that exports plugin meta-data into JSON.

This is required for the webUI, since we're dropping Genshi. *ehm* :)

You can't use this command on the CLI. It takes one optional argument:
the name of an IPA object. If not specified, meta-data for all objects
are returned.
2010-08-13 17:56:16 -04:00
Adam Young
030b5dab93 Change the behaviour of addattr/setattr parameters.
setattr and addattr can now be used both to set all values of
ANY attribute. the last setattr always resets the attribute to
the specified value and all addattr append to it.

Examples:
user-mod testuser --setattr=title=msc
  title: msc
user-mod testuser --setattr=title=msb
  title: msb
user-mod testuser --addattr=title=msc
  title: msb, msc
user-mod testuser --setattr=title=
  title:
user-mod testuser --setattr=title=msc --addattr=msb
  title: msc, msb
user-mod testuser --setattr=title=ing --addattr=bc
  title: ing, bc
user-mod testuser --setattr=title=doc
  title: doc

It's not very user friendly, but it's going to be used very very
rarely in special conditions in the CLI and we can use it to save
lots of JSON-RPC roundtrips in the webUI.

This version includes calling the validation of Params during the setting of the attrs.
2010-08-13 16:20:41 -04:00
Pavel Zuna
f15758dbea Improve serialization to JSON.
- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.
2010-08-12 09:06:22 -04:00
Pavel Zuna
cc9d0ffc67 Fix bug: not found exc. handler was failing for singleton objects 2010-08-12 09:03:36 -04:00
Pavel Zuna
6136f773a9 Add new parameters to LDAPSearch: timelimit and sizelimit. 2010-08-12 09:02:39 -04:00
Pavel Zuna
5797c8167a Make LDAPObject classes JSON serializable. 2010-08-12 09:01:56 -04:00
Rob Crittenden
5b894d1fb7 Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.

We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.

ticket 75
2010-08-10 16:41:47 -04:00
Rob Crittenden
8ad88b4119 Properly show the members when an add/remove operation fails.
The remove member function in baseldap was not returning failures at all.
The add member function was only showing them in the group object.

Most of the magic is handled in baseldap. Each plugin just needs to define
object_name and object_name_plural. object_name must be all lower-case
because fake-attributes are created so membership can be broken out
per-object type. I left the plural name lower case as well.

ticket 85
2010-08-06 15:34:09 -04:00
Rob Crittenden
2d7d047cbf Add optional error message to pattern validator
The pattern validator by default displays the pattern that is being
matched against. This isn't helpful, particularly for very hairy patterns.
This adds a new parameter, pattern_errmsg, that is displayed on errors
if set.

ticket #11
2010-08-06 15:32:37 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Rob Crittenden
830910d1f3 Have the env plugin print all attributes by default
ticket #113
2010-08-06 13:12:42 -04:00
Rob Crittenden
efa11d3746 Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88
2010-08-06 13:12:21 -04:00
Adam Young
056419403a whoami plugin.
It returns the user prinicpal.
This is required by the webui, as the Kerberos credential mechanism in http
does not expose the cleartext prinicpal to the web browser.
2010-08-05 20:36:08 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
57a9001f8d Fix netgroup plugin to use correct member attribute names.
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.

I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
2010-07-15 11:18:18 -04:00
Rob Crittenden
18476c9538 Use newer API in ipalib/x509 and add missing import.
The import was only used when running the in-tree lite-server
2010-07-15 11:17:58 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
Rob Crittenden
1e1985b17c Add API to delete a service principal key, service-disable.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
2010-07-13 09:29:10 -04:00
Rob Crittenden
2bb2850fff Include contents of has_output_params in get_output_params 2010-07-13 09:27:50 -04:00
Rob Crittenden
371a4b2c72 Add separate var for search attributes and config attribute for search fields
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.

Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
2010-07-13 09:27:34 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba0f18dcd6 Clean up imports of hbacsvc plugin
I used pylint to identify a bunch of unnecessary and too-broad imports
2010-07-06 15:39:41 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
901ccc1393 First pass at per-command documentation 2010-06-22 13:58:04 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
1dd7b11b0b Connect the -v cli argument to the verbose flag in xmlrpclib
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
2010-06-03 17:08:22 -04:00
Rob Crittenden
4924270b45 Increase supported weeks per month from 4 to 6 in AccessTime() type 2010-06-03 09:25:25 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
72afb4c605 Try to clear up that uid is a number, not the login name 2010-05-17 13:49:50 -04:00
Rob Crittenden
4a0b38a8ec Enforce that max password lifetime is greater than the min lifetime
461325
2010-05-17 13:49:23 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00