| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed by LDAP
password change command.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
|
| |
|
|
|
|
|
| |
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
|
| |
|
|
|
|
|
|
| |
This reverts commit a58cbb985ec007c0ef83010b32408efb2f4784d2.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.
This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
ldap2.find_entry_by_attr instead of NotFound error
This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.
https://fedorahosted.org/freeipa/ticket/2606
|
| |
|
|
|
|
|
|
|
| |
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with effective rights
control and LDAP server thus rejects it.
This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.
https://fedorahosted.org/freeipa/ticket/2565
|
| |
|
|
|
|
|
|
|
|
| |
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.
This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.
https://fedorahosted.org/freeipa/ticket/2293
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
|
|
|
|
|
| |
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
|
| |
|
|
|
|
| |
Made specifically for the case where S4U2Proxy delegation fails.
https://fedorahosted.org/freeipa/ticket/2414
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).
Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
|
| |
|
|
|
|
|
|
|
| |
This ensures a correct configuration in case a user has created their
own openldap config file and set SASL_SECPROPS to something bad.
Note that this doesn't modify the 389-ds setting which by default is 0.
https://fedorahosted.org/freeipa/ticket/2021
|
| |
|
|
|
|
|
|
| |
"!" is a unary LDAP filter operator and cannot be treated in the
same way as binary operators ("&", "|"). Otherwise, an invalid
LDAP filter is created.
https://fedorahosted.org/freeipa/ticket/1675
|
| |
|
|
|
|
|
|
|
| |
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.
Also fix few issues in the unit tests to enable them to succeed.
ticket 1959
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use convenience types (classes) in IPA which make working with LDAP
easier and more robust. It would be really nice if the basic python-ldap
library understood our utility types and could accept them as parameters
to the basic ldap functions and/or the basic ldap functions returned our
utility types.
Normally such a requirement would trivially be handled in an object-
oriented language (which Python is) by subclassing to extend and modify
the functionality. For some reason we didn't do this with the python-ldap
classes.
python-ldap objects are primarily used in two different places in our
code, ipaserver.ipaldap.py for the IPAdmin class and in
ipaserver/plugins/ldap2.py for the ldap2 class's .conn member.
In IPAdmin we use a IPA utility class called Entry to make it easier to
use the results returned by LDAP. The IPAdmin class is derived from
python-ldap.SimpleLDAPObject. But for some reason when we added the
support for the use of the Entry class in SimpleLDAPObject we didn't
subclass SimpleLDAPObject and extend it for use with the Entry class as
would be the normal expected methodology in an object-oriented language,
rather we used an obscure feature of the Python language to override all
methods of the SimpleLDAPObject class by wrapping those class methods in
another function call. The reason why this isn't a good approach is:
* It violates object-oriented methodology.
* Other classes cannot be derived and inherit the customization (because
the method wrapping occurs in a class instance, not within the class
type).
* It's non-obvious and obscure
* It's inefficient.
Here is a summary of what the code was doing:
It iterated over every member of the SimpleLDAPObject class and if it was
callable it wrapped the method. The wrapper function tested the name of
the method being wrapped, if it was one of a handful of methods we wanted
to customize we modified a parameter and called the original method. If
the method wasn't of interest to use we still wrapped the method.
It was inefficient because every non-customized method (the majority)
executed a function call for the wrapper, the wrapper during run-time used
logic to determine if the method was being overridden and then called the
original method. So every call to ldap was doing extra function calls and
logic processing which for the majority of cases produced nothing useful
(and was non-obvious from brief code reading some methods were being
overridden).
Object-orientated languages have support built in for calling the right
method for a given class object that do not involve extra function call
overhead to realize customized class behaviour. Also when programmers look
for customized class behaviour they look for derived classes. They might
also want to utilize the customized class as the base class for their use.
Also the wrapper logic was fragile, it did things like: if the method name
begins with "add" I'll unconditionally modify the first and second
argument. It would be some much cleaner if the "add", "add_s", etc.
methods were overridden in a subclass where the logic could be seen and
where it would apply to only the explicit functions and parameters being
overridden.
Also we would really benefit if there were classes which could be used as
a base class which had specific ldap customization.
At the moment our ldap customization needs are:
1) Support DN objects being passed to ldap operations
2) Support Entry & Entity objects being passed into and returned from
ldap operations.
We want to subclass the ldap SimpleLDAPObject class, that is the base
ldap class with all the ldap methods we're using. IPASimpleLDAPObject
class would subclass SimpleLDAPObject class which knows about DN
objects (and possilby other IPA specific types that are universally
used in IPA). Then IPAEntrySimpleLDAPObject would subclass
IPASimpleLDAPObject which knows about Entry objects.
The reason for the suggested class hierarchy is because DN objects will be
used whenever we talk to LDAP (in the future we may want to add other IPA
specific classes which will always be used). We don't add Entry support to
the the IPASimpleLDAPObject class because Entry objects are (currently)
only used in IPAdmin.
What this patch does is:
* Introduce IPASimpleLDAPObject derived from
SimpleLDAPObject. IPASimpleLDAPObject is DN object aware.
* Introduce IPAEntryLDAPObject derived from
IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware.
* Derive IPAdmin from IPAEntryLDAPObject and remove the funky method
wrapping from IPAdmin.
* Code which called add_s() with an Entry or Entity object now calls
addEntry(). addEntry() always existed, it just wasn't always
used. add_s() had been modified to accept Entry or Entity object
(why didn't we just call addEntry()?). The add*() ldap routine in
IPAEntryLDAPObject have been subclassed to accept Entry and Entity
objects, but that should proably be removed in the future and just
use addEntry().
* Replace the call to ldap.initialize() in ldap2.create_connection()
with a class constructor for IPASimpleLDAPObject. The
ldap.initialize() is a convenience function in python-ldap, but it
always returns a SimpleLDAPObject created via the SimpleLDAPObject
constructor, thus ldap.initialize() did not allow subclassing, yet
has no particular ease-of-use advantage thus we better off using the
obvious class constructor mechanism.
* Fix the use of _handle_errors(), it's not necessary to construct an
empty dict to pass to it.
If we follow the standard class derivation pattern for ldap we can make us
of our own ldap utilities in a far easier, cleaner and more efficient
manner.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.
Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.
https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
|
| |
|
|
|
|
|
|
|
|
|
|
| |
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Server framework does not support encoding of native Python type
values stored in Param classes and sub-classes. When backend (LDAP)
value encoding differs from Python type value representation user
has to has to hard-code the encoders in his processing.
This patch introduces a method Param.encode which is used in server
context to encode native Python Param values. The new encode method
is used for Bool parameter to convert native Python bool type value
(True, False) to LDAP value ("TRUE", "FALSE").
https://fedorahosted.org/freeipa/ticket/2039
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1964
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When investigating if member/memberof attribute is direct/indirect
we do a lot of LDAP SCOPE_SUBTREE searches when we actually search
just for one item. Make sure we search only with SCOPE_BASE to improve
the performance.
One not so efficient iteration was also changed to list comprehension
to speed things up a tiny bit.
https://fedorahosted.org/freeipa/ticket/1885
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
|
| |
|
|
|
|
|
|
|
| |
Members are dereferenced when calculating indirect membership. We don't
need to check hosts and users for members.
This significantly reduces the number of queries required for large groups.
https://fedorahosted.org/freeipa/ticket/1885
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
|
| |
|
|
|
|
|
|
|
|
| |
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).
https://fedorahosted.org/freeipa/ticket/1388
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1259
According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE.
This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values
and enforces TRUE or FALSE string for account locking.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
|
| |
|
|
|
|
|
|
|
|
|
| |
When the RA is about to submit a signing request to a CA, check
if the ca_host is actually a CA. If it isn't, and it isn't the
local host, check if the local host is a CA. If that doesn't
work, try to select a CA host at random. If there aren't any,
just give up and pretend the ca_host is a CA so that we can fail
to connect to it, as we would have before.
Ticket #1252.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Indirect membership is calculated by looking at each member and pulling
all the memberof out of it. What was missing was doing nested searches
on any members in that member group.
So if group2 was a member of group1 and group3 was a member of group2
we would miss group3 as being an indirect member of group1.
I updated the nesting test to do deeper nested testing. I confirmed
that this test failed with the old code and works with the new.
This also prevents duplicate indirect users and looping on circular
membership.
ticket https://fedorahosted.org/freeipa/ticket/1273
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.
Migrate operation crashed when the migrated DS contained search
references. Now, it correctly skips these records and prints the
failed references to user.
https://fedorahosted.org/freeipa/ticket/1209
|
| |
|
|
|
|
|
|
|
|
| |
Attempt to retrieve the schema the first time it is needed rather than
when Apache is started. A global copy is cached for future requests
for performance reasons.
The schema will be retrieved once per Apache child process.
ticket 583
|
| |
|
|
|
|
|
|
|
| |
It was discovered that using the batch plugin it was possible to
store duplicate data in parts of the ipa_config during iterations.
This was causing a cascading exec failures if any one of the batch
executions failed.
https://fedorahosted.org/freeipa/ticket/1220
|
| |
|
|
|
|
|
|
|
|
|
| |
Rather than doing full searches for members read each member individually
to determine if it is direct or indirect.
Also add a fail-safe when calculating indirect membership so removing
a member will log enough information for debugging (ticket 1133).
https://fedorahosted.org/freeipa/ticket/1139
https://fedorahosted.org/freeipa/ticket/1133
|
| |
|
|
|
|
|
|
| |
There are some operations that fetch the configuration multiple times.
This will return a cached value instead of getting it from LDAP over
and over.
ticket 1023
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1140
|
| |
|
|
|
|
|
| |
Jakub did the initial diagnosis of this, I added a fix for removing
the last entry when removing members and a test case.
ticket 1000
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/935
|
| | |
|
| |
|
|
|
| |
This patch removes two files which seem to be long obsoleted and not
used any more.
|
| |
|
|
| |
ticket 944
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278
|
