path: root/ipaserver/plugins
Commit message (author, date; files changed, lines -removed/+added)
* enable proxy for dogtag (Adam Young, 2011-08-29; 1 file, -1/+1)
  Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.
  https://fedorahosted.org/freeipa/ticket/1334
  add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Filter reverse zones in dnszone-find (Martin Kosek, 2011-07-13; 1 file, -7/+28)
  Implements a new option to filter out reverse zones. This patch also does some clean-up in the dns plugin: debug prints were accidentally left here in the last dns patch.
  https://fedorahosted.org/freeipa/ticket/1471
* find_entry_by_attr() should fail if multiple entries are found (Rob Crittenden, 2011-07-11; 1 file, -1/+6)
  It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com).
  https://fedorahosted.org/freeipa/ticket/1388
* Convert Bool to TRUE/FALSE when working with LDAP backend (Alexander Bokovoy, 2011-06-27; 1 file, -2/+5)
  https://fedorahosted.org/freeipa/ticket/1259
  According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE. This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values and enforces TRUE or FALSE string for account locking.
* Let the framework be able to override the hostname. (Rob Crittenden, 2011-06-23; 1 file, -0/+4)
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok.
  ticket 1052
* Select a server with a CA on it when submitting signing requests. (Nalin Dahyabhai, 2011-06-14; 1 file, -3/+65)
  When the RA is about to submit a signing request to a CA, check if the ca_host is actually a CA. If it isn't, and it isn't the local host, check if the local host is a CA. If that doesn't work, try to select a CA host at random. If there aren't any, just give up and pretend the ca_host is a CA so that we can fail to connect to it, as we would have before.
  Ticket #1252.
* Fix indirect member calculation (Rob Crittenden, 2011-06-14; 1 file, -9/+16)
  Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1.
  I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new.
  This also prevents duplicate indirect users and looping on circular membership.
  ticket https://fedorahosted.org/freeipa/ticket/1273
* Handle LDAP search references (Martin Kosek, 2011-06-10; 1 file, -2/+5)
  LDAP search operation may return a search reference pointing to an LDAP resource. As the framework does not handle search references, skip these results to prevent result processing failures.
  Migrate operation crashed when the migrated DS contained search references. Now, it correctly skips these records and prints the failed references to the user.
  https://fedorahosted.org/freeipa/ticket/1209
* Do a lazy retrieval of the LDAP schema rather than at module load. (Rob Crittenden, 2011-05-30; 1 file, -18/+25)
  Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process.
  ticket 583
* Return copy of config from ipa_get_config() (Jr Aquino, 2011-05-13; 1 file, -2/+2)
  It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing cascading exec failures if any one of the batch executions failed.
  https://fedorahosted.org/freeipa/ticket/1220
* Optimize and dynamically verify group membership (Jr Aquino, 2011-04-22; 1 file, -52/+42)
  Rather than doing full searches for members read each member individually to determine if it is direct or indirect.
  Also add a fail-safe when calculating indirect membership so removing a member will log enough information for debugging (ticket 1133).
  https://fedorahosted.org/freeipa/ticket/1139
  https://fedorahosted.org/freeipa/ticket/1133
* Cache the value of get_ipa_config() in the request context. (Rob Crittenden, 2011-03-31; 1 file, -0/+7)
  There are some operations that fetch the configuration multiple times. This will return a cached value instead of getting it from LDAP over and over.
  ticket 1023
* Escape LDAP characters in member and memberof searches (Jr Aquino, 2011-03-31; 1 file, -2/+4)
  https://fedorahosted.org/freeipa/ticket/1140
* Replace only if old and new have nothing in common (Rob Crittenden, 2011-03-03; 1 file, -1/+1)
  Jakub did the initial diagnosis of this, I added a fix for removing the last entry when removing members and a test case.
  ticket 1000
* Collect memberof information for sudo commands. (Rob Crittenden, 2011-02-23; 1 file, -0/+8)
  We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.
  Add a label for sudo command groups.
  Update the tests to include verifying that membership is done properly.
  ticket 1003
* Add handling for indirect memberof other entries. (Rob Crittenden, 2011-02-21; 1 file, -0/+71)
  This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance. This is particularly useful when trying to remove members of an entry, you can only remove direct members.
  I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
  ticket 966
* Try to register DNS name through a DNS Update on install. (Simo Sorce, 2011-02-17; 1 file, -1/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/935
* Raise NotImplementedError for selfsigned cert-remove-hold (Jakub Hrozek, 2011-02-17; 1 file, -1/+1)
* Code cleanup (Jan Zeleny, 2011-02-15; 1 file, -445/+0)
  This patch removes two files which seem to be long obsoleted and not used any more.
* Ignore case when removing group members. (Rob Crittenden, 2011-02-14; 1 file, -1/+1)
  ticket 944
* Add support for tracking and counting entitlements (Rob Crittenden, 2011-02-02; 1 file, -0/+14)
  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable).
  This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements.
  Add a cron job to validate the entitlement status and syslog the results.
  tickets 28, 79, 278
* Add ldap2 method to retrieve allowed attributes for specified objectClasses. (Pavel Zuna, 2011-01-26; 1 file, -3/+17)
  ldap2.get_allowed_attribute(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser'
* Fix assorted bugs found by pylint (Jakub Hrozek, 2011-01-25; 3 files, -10/+2)
* Add some basic filter validation to permissions and disallow empty filters (Rob Crittenden, 2011-01-21; 1 file, -0/+2)
  Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane.
  ticket 808
* Move mep templates under cn=etc (Simo Sorce, 2011-01-14; 1 file, -1/+2)
  Fixes: https://fedorahosted.org/freeipa/ticket/760
* python-ldap fails gloriously if the search time limit is 0. Don't allow it. (Rob Crittenden, 2011-01-14; 1 file, -0/+2)
  Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately.
  ticket 752
* Fix output of failed managedby hosts, allow a host to manage itself. (Rob Crittenden, 2011-01-11; 1 file, -3/+9)
  The output problem was a missing label for failed managedby. This also fixes a call to print_entry that was missing the flags argument.
  Add a flag to specify whether a group can be a member of itself, defaulting to False.
  ticket 708
* Enable low-level LDAP debugging. (Rob Crittenden, 2011-01-11; 1 file, -1/+4)
* Don't use Class of Service for account activation, use attribute. (Rob Crittenden, 2011-01-04; 1 file, -47/+4)
  To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly.
  ticket 568
* Remove common entries when deleting a master. (Simo Sorce, 2010-12-21; 1 file, -3/+4)
  Fixes: https://fedorahosted.org/freeipa/ticket/550
* Change FreeIPA license to GPLv3+ (Jakub Hrozek, 2010-12-20; 8 files, -40/+40)
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Fix search filter generator in ldap2 for NOT operator. (Pavel Zuna, 2010-12-08; 1 file, -0/+6)
  Search filters generated from attributes with multiple values were incorrect when the NOT operator was used (ldap.MATCH_NONE).
* Add new parameter type IA5Str and use this to enforce the right charset. (Rob Crittenden, 2010-12-07; 1 file, -0/+2)
  ticket 496
* Ensure list of attrs to retrieve is unique, optimize getting indirect members (Rob Crittenden, 2010-12-06; 1 file, -3/+9)
  This fixes search where we were asking for the member attribute 10 or more times.
  When retrieving indirect members make sure we always pass around the size and time limits so we don't have to look it up with every call to find_entries()
  ticket 557
* Use Realm as certs subject base name (Simo Sorce, 2010-11-18; 1 file, -2/+3)
  Also use the realm name as nickname for the CA certificate
* Fix NotFound exception in ipa-nis-manage. (Rob Crittenden, 2010-11-09; 1 file, -1/+1)
  The signature of ldap2.get_entry() changed so normalize wasn't being handled properly so the basedn was always being appended causing our entry in cn=config to be not found.
  ticket 414
* Populate indirect members when showing a group object. (Rob Crittenden, 2010-10-28; 1 file, -0/+71)
  This is done by creating a new attribute, memberindirect, to hold this indirect membership.
  The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently.
  This also:
  * Moves all member display attributes into baseldap.py to reduce duplication
  * Adds netgroup nesting
  * Use a unique object name in hbacsvc and hbacsvcgroup
  ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups. (Rob Crittenden, 2010-10-28; 1 file, -0/+2)
  To do a change right now you have to perform a setattr like:
  ipa user-mod --setattr uid=newuser olduser
  The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored.
  ticket 323
* find_entries param (Adam Young, 2010-10-25; 1 file, -3/+1)
  Fixes a bug where find_entries was not passed a parameter for filter. Instead of fixing the call point, this patch adds a default value for the parameter, so that they can all be passed by name.
* Add fail-safe defaults to time and size limits in ldap2 searches. (Pavel Zuna, 2010-10-22; 1 file, -5/+11)
* Disallow RDN change and single-value bypass using setattr/addattr. (Pavel Zuna, 2010-10-18; 1 file, -13/+31)
  When setting or adding an attribute with setattr/addattr check to see if there is a Param for the attribute and enforce the multi-value. If there is no Param check the LDAP schema for SINGLE-VALUE.
  Catch RDN mods and try to return a more reasonable error message.
  Ticket #230
  Ticket #246
* Use consistent, specific nickname for the IPA CA certificate. (Rob Crittenden, 2010-10-01; 1 file, -1/+2)
  Also fix some imports for sha. We have a compat module for it, use it.
  ticket 181
* Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration. (Rob Crittenden, 2010-09-28; 1 file, -3/+11)
  We lacked good error messages if the user/group container you used doesn't exist.
  Add a --continue option so things can continue if you use a bad user/group container. This has the side-effect of letting you migrate just users or groups by using a bad container for the one you don't want.
  Fix a Gettext() error when displaying the migrated password message.
  ticket 289
* Handle search_ext() returning ldap.SUCCESS (Rob Crittenden, 2010-09-28; 1 file, -0/+2)
  In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS. The search actually was fine and returned data but an exception was returned and handled (though we didn't know what to do with it). This patch lets it continue along.
  ticket 285
* Add some tests for using the ldap2 Backend. (Rob Crittenden, 2010-09-24; 1 file, -1/+1)
  Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that.
* Allow the schema to be set once an ldap connection is locked. (Rob Crittenden, 2010-09-09; 1 file, -1/+3)
  When making LDAP calls via api.Backend.ldap2 the ldap2 object will already be locked by the api.finalize() call. So the first time that api.Backend.ldap2.connect() is called an error would be thrown that self.schema cannot be set because the object is ReadOnly. This uses the documented procedure for working around this lock.
  This was preventing the DNS installation to proceed.
  ticket #188
* Make ldap2 class work as a client library as well. (Rob Crittenden, 2010-09-07; 1 file, -36/+48)
  Move the user-private group caching code out of the global config and determine the value the first time it is needed.
  Renamed global_init() back to get_schema() and make it take an optional connection. This solves the problem of being able to do all operations with a simple bind instead of GSSAPI.
  Moved the global get_syntax() into a class method so that a schema can be passed in.
  If a schema wasn't loaded during the module import then it is loaded when the connection is created (so we have the credentials needed for binding).
  ticket 63
* Use global time and size limit values when searching. (Rob Crittenden, 2010-08-19; 1 file, -5/+17)
  Add test to verify that limit is honored and truncated flag set.
  ticket #48
* Fix reference to _handle_errors() in remove_principal_key() (Rob Crittenden, 2010-08-10; 1 file, -1/+1)
  It incorrectly was trying to call the class method _handle_errors() instead of the global function.
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss (Rob Crittenden, 2010-07-29; 1 file, -17/+11)
  This patch:
  - bumps up the minimum version of python-nss
  - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd
  - will shutdown NSS if initialized in the RPC subsystem so we use right db
  - updated and added a few more tests
  Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.