freeipa/ipaserver/plugins
Alexander Bokovoy 08d7209828 baseldap: allow rejecting unknown objects instead of adding to an external attr
IPA traditionally allowed adding names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group to be present in a SUDO rule.

With the membership validator, we can actually check the validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in the future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-26 13:05:27 -05:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
aci.py Use ACI class set_permissions() method to set permissions 2020-09-14 09:15:59 +03:00
automember.py Fixes pylint errors introduced by version 2.4.0. 2019-09-27 09:38:32 +02:00
automount.py Reworked the renaming mechanism 2017-03-27 19:08:26 +02:00
baseldap.py baseldap: allow rejecting unknown objects instead of adding to an external attr 2021-01-26 13:05:27 -05:00
baseuser.py baseuser: fix ipanthomedirectorydrive option name 2020-06-16 19:06:02 -04:00
batch.py CVE-2019-10195: Don't log passwords embedded in commands in calls using batch 2019-11-26 15:24:20 +02:00
ca.py ca plugin: improve doc 2020-07-07 10:07:48 -04:00
caacl.py LGTM: raise handle_not_found() 2018-01-09 07:53:28 +01:00
cert.py dnspython: Add compatibility shim 2020-08-31 09:46:03 +03:00
certmap.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
certprofile.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
config.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
delegation.py Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
dns.py dns: allow PTR records in arbitrary zones 2020-11-11 10:24:38 +02:00
dnsserver.py dnsserver.py: dnsserver-find no longer returns internal server error 2017-06-15 13:51:06 +02:00
dogtag.py Let dogtag.py be imported if the api is not initialized 2020-11-02 10:43:57 -05:00
domainlevel.py Use api.env.container_masters 2019-03-28 00:21:00 +01:00
group.py Prevent local account takeover 2020-06-15 22:44:42 +03:00
hbac.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
hbacrule.py ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels 2020-02-24 15:02:24 +01:00
hbacsvc.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbacsvcgroup.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbactest.py support using trust-related operations in the server console 2020-06-08 12:39:34 -04:00
host.py Allow leading/trailing whitespaces in passwords 2020-12-18 16:47:59 +02:00
hostgroup.py Allow rename of a host group 2020-03-31 09:21:37 +03:00
idrange.py support using trust-related operations in the server console 2020-06-08 12:39:34 -04:00
idviews.py idviews: add extended validator for users from trusted domains 2021-01-26 13:05:27 -05:00
internal.py Unify spelling of "One-Time Password" (take 2) 2020-06-24 14:55:27 +02:00
join.py Delay import of psutil to avoid AVC 2020-09-23 14:49:15 +02:00
krbtpolicy.py Reset per-indicator Kerberos policy 2019-12-18 14:16:33 +01:00
ldap2.py Optimize user-add by caching ldap2.has_upg() 2019-12-05 15:07:57 +01:00
location.py Fix div-by-zero when svc weight is 0 for all masters in location 2020-02-26 13:42:10 -05:00
migration.py Terminology improvements: use block list 2020-06-23 10:16:29 +02:00
misc.py Make env and plugins commands local again 2016-12-02 13:00:06 +01:00
netgroup.py LGTM: raise handle_not_found() 2018-01-09 07:53:28 +01:00
otp.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
otpconfig.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
otptoken.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
passwd.py logging: remove object-specific loggers 2017-07-14 15:55:59 +02:00
permission.py Remove virtual attributes before rolling back a permission 2021-01-13 13:50:45 +01:00
ping.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
pkinit.py Don't fail if config-show does not return servers 2019-03-28 17:57:58 +01:00
privilege.py Privilege: add a helper checking if a principal has a given privilege 2020-03-05 14:40:58 +01:00
pwpolicy.py Extend IPA pwquality plugin to include libpwquality support 2020-10-23 09:32:52 -04:00
rabase.py CRL generation master: new utility to enable|disable 2019-03-14 09:39:55 +01:00
radiusproxy.py radiusproxy: add permission for reading radius proxy servers 2018-11-13 12:40:44 +01:00
realmdomains.py Fix pylint 2.0 return-related violations 2018-07-11 10:11:38 +02:00
role.py Support adding user ID overrides as group and role members 2020-06-08 12:39:34 -04:00
schema.py Fix E713 test for membership should be 'not in' 2020-05-05 10:42:46 +02:00
selfservice.py Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
selinuxusermap.py Fix E711 comparison to None 2020-05-05 10:42:46 +02:00
server.py Privilege: add a helper checking if a principal has a given privilege 2020-03-05 14:40:58 +01:00
serverrole.py servrole: takes_params must be a tuple 2020-04-27 10:15:58 +02:00
serverroles.py Improve config-show to show hidden servers 2019-03-28 17:57:58 +01:00
service.py Terminology improvements: use allow list 2020-06-23 10:16:29 +02:00
servicedelegation.py service delegation: allow to add and remove host principals 2020-05-14 21:47:17 +03:00
session.py Fix some untranslatable commands in Web UI API Browser 2018-06-21 18:42:05 +02:00
stageuser.py Fix E722 do not use bare 'except' 2020-05-05 10:42:46 +02:00
sudo.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
sudocmd.py sudocmd: fix unsupported assignment 2017-09-08 15:42:07 +02:00
sudocmdgroup.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
sudorule.py sudorule runAs: allow to add users and groups from trusted domains directly 2021-01-26 13:05:27 -05:00
topology.py domainlevel-get: fix various issues when running as non-admin 2019-03-25 09:48:31 +01:00
trust.py ipaserver/dcerpc: store forest topology as a blob in ipasam 2021-01-22 12:21:33 -05:00
user.py Prevent local account takeover 2020-06-15 22:44:42 +03:00
vault.py Consolidate container_masters queries 2019-03-28 00:21:00 +01:00
virtual.py extract virtual operation access check subroutine 2020-06-30 11:47:29 +02:00
whoami.py whoami.py: Type error when running tests 2017-07-07 14:44:42 +02:00
xmlserver.py Add endpoint for serving i18n requests 2018-07-17 15:32:28 -04:00