summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ldap2.py
Commit message (Collapse)AuthorAgeFilesLines
* python-ldap fails gloriously if the search time limit is 0. Don't allow it.Rob Crittenden2011-01-141-0/+2
| | | | | | | | | Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately. ticket 752
* Fix output of failed managedby hosts, allow a host to manage itself.Rob Crittenden2011-01-111-3/+9
| | | | | | | | | | | The output problem was a missing label for failed managedby. This also fixes a call to print_entry that was missing the flags argument. Add a flag to specify whether a group can be a member of itself, defaulting to False. ticket 708
* Enable low-level LDAP debugging.Rob Crittenden2011-01-111-1/+4
|
* Don't use Class of Service for account activation, use attribute.Rob Crittenden2011-01-041-47/+4
| | | | | | | | | | To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly. ticket 568
* Remove common entries when deleting a master.Simo Sorce2010-12-211-3/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/550
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fix search filter generator in ldap2 for NOT operator.Pavel Zuna2010-12-081-0/+6
| | | | | Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE).
* Add new parameter type IA5Str and use this to enforce the right charset.Rob Crittenden2010-12-071-0/+2
| | | | ticket 496
* Ensure list of attrs to retrieve is unique, optimize getting indirect membersRob Crittenden2010-12-061-3/+9
| | | | | | | | | | | This fixes search where we were asking for the member attribute 10 or more times. When retrieving indirect members make sure we always pass around the size and time limits so we don't have to look it up with every call to find_entries() ticket 557
* Fix NotFound exception in ipa-nis-manage.Rob Crittenden2010-11-091-1/+1
| | | | | | | | The signature of ldap2.get_entry() changed so normalize wasn't being handled properly so the basedn was always being appended causing our entry in cn=config to be not found. ticket 414
* Populate indirect members when showing a group object.Rob Crittenden2010-10-281-0/+71
| | | | | | | | | | | | | | | This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-281-0/+2
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
* find_entries paramAdam Young2010-10-251-3/+1
| | | | | | Fixes a bug where find_entries was not passed a parameter for filter. Instead of fixing the call point, this patch adds a defaulty value for the parameter, so that they can all be passed by name.
* Add fail-safe defaults to time and size limits in ldap2 searches.Pavel Zuna2010-10-221-5/+11
|
* Disallow RDN change and single-value bypass using setattr/addattr.Pavel Zuna2010-10-181-13/+31
| | | | | | | | | | | When setting or adding an attribute wiht setatt/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE. Catch RDN mods and try to return a more reasonable error message. Ticket #230 Ticket #246
* Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration.Rob Crittenden2010-09-281-3/+11
| | | | | | | | | | | | | We lacked good error messages if the user/group container you used doesn't exist. Add a --continue option so things can continue if you use a bad user/group container. This has the side-effect of letting you migrate just users or groups by using a bad container for the one you don't want. Fix a Gettext() error when displaying the migrated password message. ticket 289
* Handle search_ext() returning ldap.SUCCESSRob Crittenden2010-09-281-0/+2
| | | | | | | | | In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS. The search actually was fine and returned data but an exception was returned and handled (though we didn't know what to do with it). This patch lets it continue along. ticket 285
* Add some tests for using the ldap2 Backend.Rob Crittenden2010-09-241-1/+1
| | | | | | Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that.
* Allow the schema to be set once an ldap connection is locked.Rob Crittenden2010-09-091-1/+3
| | | | | | | | | | | | When making LDAP calls via api.Backend.ldap2 the ldap2 object will already be locked by the api.finalize() call. So the first time that api.Backend.ldap2.connect() is called an error would be thrown that self.schema cannot be set because the object is ReadOnly. This uses the documented procedure for working around this lock. This was preventing the DNS installation to proceed. ticket #188
* Make ldap2 class work as a client library as well.Rob Crittenden2010-09-071-36/+48
| | | | | | | | | | | | | | | | | | Move the user-private group caching code out of the global config and determine the value the first time it is needed. Renamed global_init() back to get_schema() and make it take an optional connection. This solves the problem of being able to do all operations with a simple bind instead of GSSAPI. Moved the global get_syntax() into a class method so that a schema can be passed in. If a schema wasn't loaded during the module import then it is loaded when the connection is created (so we have the credntials needed for binding). ticket 63
* Use global time and size limit values when searching.Rob Crittenden2010-08-191-5/+17
| | | | | | Add test to verify that limit is honored and truncated flag set. ticket #48
* Fix reference to _handle_errors() in remove_principal_key()Rob Crittenden2010-08-101-1/+1
| | | | | It incorrectly was trying to call the class method _handle_errors() instead of the global function.
* Add API to delete a service principal key, service-disable.Rob Crittenden2010-07-131-0/+16
| | | | | | | | | | | | I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-121-13/+17
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Add support for User-Private GroupsRob Crittenden2010-07-061-7/+30
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Replace a new instance of IPAdmin use in ipa-server-install.Pavel Zuna2010-04-271-8/+8
|
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts.Pavel Zuna2010-04-191-13/+9
|
* Retrieve the LDAP schema using kerberos credentials.Rob Crittenden2010-03-171-7/+38
| | | | This is required so we can disable anonymous access in 389-ds.
* Convert integer and boolean values to unicode, don't leave them as str.Pavel Zuna2010-02-171-2/+0
|
* Fix schema loading in the ldap backend.Pavel Zuna2010-01-271-1/+4
|
* Allow cospriority to be updated and fix description of priority orderingRob Crittenden2010-01-191-9/+13
| | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work.
* Improve modlist generation in ldap2. Some code cleanup as bonus.Pavel Zuna2010-01-111-65/+89
| | | | | | | | ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. MOD_REPLACE is always used for single value attributes and never for multi value.
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Add option to not normalize a DN when adding/updating a record.Rob Crittenden2009-10-051-4/+6
| | | | | The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements so we can't normalize it.
* Fix aci plugin, enhance aci parsing capabilities, add user group supportRob Crittenden2009-09-281-1/+3
| | | | | | | | | | | | - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
* Only initialize the API once in the installerRob Crittenden2009-09-281-8/+14
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Enrollment for a host in an IPA domainRob Crittenden2009-09-241-1/+41
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+2
| | | | virtual plugin to work with the new backend
* Make ldap2.add_entry proof to None values, because python-ldap hate'em.Pavel Zuna2009-09-081-0/+4
|
* Introduce a list of attributes for which only MOD_REPLACE operations are ↵Pavel Zuna2009-08-281-2/+10
| | | | generated.
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-20/+11
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-4/+0
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Fix bug in _get_syntax (it was always returning None).Pavel Zuna2009-08-031-15/+7
| | | | Also prevent a few cases of double processing of arguments.
* Import explode_dn from ldap.functions for backward compatibility with older ↵Pavel Zuna2009-07-081-2/+4
| | | | | | version of python-ldap. Fix bug in add_entry_to_group. Resolves 510149
* Add class variable to indicate whether SSL is required or not.Rob Crittenden2009-07-071-2/+4
| | | | | Older python-ldap versions will crash if you call ldap.get_option() on a value that has not been set.
* Fix bug in ldap2.modify_password and make adding/removing members slightly ↵Pavel Zuna2009-07-071-4/+4
| | | | more efficient.
generated by cgit (git 2.34.1) at 2024-05-27 15:19:05 +0000