Commit messages
ldap2.get_allowed_attribute(['posixuser'])
returns a list of unicode, all-lower-case attribute names allowed
for the object class 'posixuser'
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.
ticket 808
Fixes: https://fedorahosted.org/freeipa/ticket/760
Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.
ticket 752
The output problem was a missing label for failed managedby.
This also fixes a call to print_entry that was missing the flags argument.
Add a flag to specify whether a group can be a member of itself, defaulting
to False.
ticket 708
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568
Fixes: https://fedorahosted.org/freeipa/ticket/550
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE, as the license blobs (even the old ones)
mention COPYING specifically; it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Search filters generated from attributes with multiple values
were incorrect when the NOT operator was used (ldap.MATCH_NONE).
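The filter problem the message refers to is easiest to see with a small filter builder. The following is an added example, not FreeIPA's own code: it takes a dict of attribute names to one or more values, escapes every value per RFC 4515, and combines the assertions under one of three rules. The MATCH_ALL / MATCH_ANY / MATCH_NONE names mirror the ldap.MATCH_* constants mentioned above, but their values and the implementation are assumptions made for this example.

```python
import re

# Added example, not FreeIPA code: build an LDAP search filter from a dict of
# attribute -> value(s) and combine the assertions with one of three rules.
# The rule names mirror the ldap.MATCH_* constants in the commit message; the
# string values and the implementation are assumptions made for this example.
MATCH_ALL = "&"    # every assertion must hold
MATCH_ANY = "|"    # at least one assertion must hold
MATCH_NONE = "!"   # no assertion may hold

# Attribute descriptions cannot be escaped, so they are validated instead
# (RFC 4512 descr, optionally followed by ;options).
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

# RFC 4515 escaping for assertion values; this is what stops a value such as
# "*)(uid=*" from rewriting the filter (LDAP injection).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return "".join(_ESCAPE.get(ch, ch) for ch in str(value))


def _assertions(attrs, exact):
    """One (attr=value) assertion per value; a multi-valued attribute yields
    several assertions, which is the case the combination rule must handle."""
    items = []
    for attr, values in attrs.items():
        if not _ATTR_RE.match(attr):
            raise ValueError("illegal attribute description: %r" % attr)
        if values is None:
            continue
        if isinstance(values, (str, bytes)) or not hasattr(values, "__iter__"):
            values = [values]
        for value in values:
            escaped = escape_filter_value(value)
            if exact:
                items.append("(%s=%s)" % (attr, escaped))
            else:
                items.append("(%s=*%s*)" % (attr, escaped))
    return items


def _combine(op, items):
    if not items:
        return ""
    if len(items) == 1:
        return items[0]
    return "(%s%s)" % (op, "".join(items))


def make_filter(attrs, rules=MATCH_ALL, exact=True):
    """Return a filter string, or "" when no assertions were produced.

    NOT takes exactly one operand, so MATCH_NONE must first OR the
    assertions together and negate the result: (!(|(a=1)(a=2))).
    Emitting (!(a=1)(a=2)) instead is a syntax error on the server, which is
    one way a NOT filter over a multi-valued attribute can go wrong.
    """
    items = _assertions(attrs, exact)
    if rules == MATCH_NONE:
        inner = _combine(MATCH_ANY, items)
        return "(!%s)" % inner if inner else ""
    if rules not in (MATCH_ALL, MATCH_ANY):
        raise ValueError("unknown rule %r" % rules)
    return _combine(rules, items)
```

The validation of attribute names matters as much as the value escaping: RFC 4515 defines escapes only for assertion values, so a caller-controlled attribute name has to be rejected rather than escaped.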
ticket 496
This fixes search where we were asking for the member attribute 10 or more
times.
When retrieving indirect members make sure we always pass around the
size and time limits so we don't have to look it up with every call to
find_entries()
ticket 557
Also use the realm name as nickname for the CA certificate
The signature of ldap2.get_entry() changed, so normalize wasn't being
handled properly and the basedn was always being appended, causing our
entry in cn=config to not be found.
ticket 414
This is done by creating a new attribute, memberindirect, to hold this
indirect membership.
The new function get_members() can return all members or just indirect or
direct. We are only using it to retrieve indirect members currently.
This also:
* Moves all member display attributes into baseldap.py to reduce duplication
* Adds netgroup nesting
* Use a unique object name in hbacsvc and hbacsvcgroup
ticket 296
To do a change right now you have to perform a setattr like:
ipa user-mod --setattr uid=newuser olduser
The RDN change is performed before the rest of the mods. If the RDN
change is the only change done then the EmptyModlist that update_entry()
throws is ignored.
ticket 323
Fixes a bug where find_entries was not passed a parameter for filter.
Instead of fixing the call point, this patch adds a default value for the parameter,
so that they can all be passed by name.
When setting or adding an attribute with setattr/addattr check to
see if there is a Param for the attribute and enforce the multi-value.
If there is no Param check the LDAP schema for SINGLE-VALUE.
Catch RDN mods and try to return a more reasonable error message.
Ticket #230
Ticket #246
Also fix some imports for sha. We have a compat module for it, use it.
ticket 181
We lacked good error messages if the user/group container you used doesn't
exist.
Add a --continue option so things can continue if you use a bad user/group
container. This has the side-effect of letting you migrate just users or
groups by using a bad container for the one you don't want.
Fix a Gettext() error when displaying the migrated password message.
ticket 289
In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS.
The search actually was fine and returned data but an exception was returned
and handled (though we didn't know what to do with it). This patch
lets it continue along.
ticket 285
Fix a logic problem in ldap2:get_schema() for determining if it
can fetch the schema or not. Normally we only want to do this for servers
but if you pass in your own connection it will use that.
When making LDAP calls via api.Backend.ldap2 the ldap2 object will already
be locked by the api.finalize() call. So the first time that
api.Backend.ldap2.connect() is called an error would be thrown that
self.schema cannot be set because the object is ReadOnly. This uses the
documented procedure for working around this lock.
This was preventing the DNS installation to proceed.
ticket #188
Move the user-private group caching code out of the global config and
determine the value the first time it is needed.
Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.
Moved the global get_syntax() into a class method so that a schema
can be passed in.
If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credentials needed for
binding).
ticket 63
Add test to verify that limit is honored and truncated flag set.
ticket #48
It incorrectly was trying to call the class method _handle_errors() instead
of the global function.
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
The import was only used when running the in-tree lite-server
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key, using our modlist generator won't work, and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that led to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the user's uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
We set a new port to be used with dogtag but IPA doesn't utilize it.
This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
This is required so we can disable anonymous access in 389-ds.
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()
Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.
Also clean up imports of _(). The import should come from
ipalib or ipalib.text, not ugettext from request.
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.
These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
This error message was producing a warning from xgettext
because there were multiple substitutions in the string.
In some languages it may be necessary to reorder the
substitutions for a proper translation, this is only
possible if the substitutions use named values.
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
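A loader that behaves the way the message describes, as an added example (not FreeIPA's own code): input containing a BEGIN marker is treated as PEM and base64-decoded block by block, anything else is assumed to be DER, and in both cases the result is checked to be a single well-formed DER SEQUENCE before it is accepted. The function names, the strict base64 handling and the sample DER blob are assumptions made for this example; the sample is a constructed SEQUENCE { INTEGER 5 }, not a real certificate.

```python
import base64
import re

# Added example, not FreeIPA code: accept a certificate as either PEM text
# (one or more BEGIN/END blocks, possibly with leading junk such as openssl's
# "Bag Attributes" lines) or a raw DER blob, and return a list of DER byte
# strings.  Anything without a BEGIN marker is assumed to be DER, as the
# commit message describes, and then checked to be a well-formed SEQUENCE.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _check_der_sequence(der):
    """Verify that `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the data size; a certificate's outer structure is one."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length %d does not match %d bytes of data"
                         % (header + length, len(der)))


def load_certs(data):
    """Return a list of DER certificates found in `data` (str or bytes)."""
    if isinstance(data, str):
        data = data.encode("latin-1")
    if b"-----BEGIN " not in data:
        der = bytes(data)
        _check_der_sequence(der)
        return [der]
    ders = []
    for match in _PEM_BLOCK.finditer(data):
        label, body = match.group(1), match.group(2)
        if label != b"CERTIFICATE":
            raise ValueError("unexpected PEM label %r" % label.decode())
        # validate=True makes b64decode reject non-base64 bytes instead of
        # silently discarding them
        der = base64.b64decode(b"".join(body.split()), validate=True)
        _check_der_sequence(der)
        ders.append(der)
    if not ders:
        raise ValueError("BEGIN marker present but no complete CERTIFICATE block")
    return ders


def to_pem(der):
    """Inverse of load_certs for a single DER blob (64-character lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


# Constructed sample, not a real certificate: the DER SEQUENCE { INTEGER 5 }.
# It is enough to exercise PEM/DER detection and the length check.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
```

The outer-SEQUENCE length check is what turns "assume it is DER" into a safe assumption: a truncated blob, trailing bytes, or a file that is really a base64 dump without armor all fail here instead of being handed on to NSS.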
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required but will attempt to re-do the
handshake to make this happen which will fail with newer versions of NSS.
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
ldap2._generate_modlist now uses more sophisticated means to decide
when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE.
MOD_REPLACE is always used for single value attributes and never
for multi value.
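The following is an added example, not FreeIPA's own _generate_modlist: it diffs an entry as read against the entry as the caller wants it, using MOD_REPLACE only for single-valued attributes and MOD_DELETE/MOD_ADD of the changed values for multi-valued ones, as the message above describes. It also covers the two earlier messages about setattr/addattr (tickets #230 and #246): a second value for a single-valued attribute is rejected, and a change to the attribute that forms the RDN is reported with an explicit error instead of being sent as a modify. The SINGLE_VALUE table stands in for the Param multi-value flag and the SINGLE-VALUE schema check; it and the function names are assumptions made for this example. The MOD_* constants carry python-ldap's values so the example runs without python-ldap installed.

```python
# Added example, not FreeIPA code: a modlist generator in the spirit of the
# one the commit message describes.  python-ldap's constants are redefined
# here (ldap.MOD_ADD == 0, ldap.MOD_DELETE == 1, ldap.MOD_REPLACE == 2) so
# the example runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Assumed schema knowledge.  FreeIPA derives this from a Param's multi-value
# flag or the server's SINGLE-VALUE schema attribute; here it is a hand-written
# table of lower-cased attribute names.
SINGLE_VALUE = {"uid", "uidnumber", "gidnumber", "homedirectory", "nsaccountlock"}


class EmptyModlist(Exception):
    """Raised when the old and new entries are identical."""


def rdn_attribute(dn):
    """Attribute type of the first RDN, e.g. 'uid' for uid=alice,cn=users,..."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def _as_list(values):
    if values is None:
        return []
    if isinstance(values, (str, bytes)):
        return [values]
    return list(values)


def generate_modlist(dn, old, new):
    """Diff two entries (dict attr -> value or list of values) into a
    python-ldap style modlist [(op, attr, values), ...].

    Single-valued attributes use MOD_REPLACE; multi-valued attributes use
    MOD_DELETE/MOD_ADD for exactly the values that changed.  Changing the
    attribute that forms the RDN is rejected with a clear error rather than
    being sent as an ordinary modify, which the server would refuse anyway.
    """
    rdn_attr = rdn_attribute(dn)
    modlist = []
    for attr in sorted(set(old) | set(new), key=str.lower):
        old_vals = _as_list(old.get(attr))
        new_vals = _as_list(new.get(attr))
        if set(old_vals) == set(new_vals):
            continue
        key = attr.lower()
        if key == rdn_attr:
            raise ValueError(
                "%s is the RDN of %s; rename the entry (modrdn) instead of "
                "modifying the attribute" % (attr, dn))
        if key in SINGLE_VALUE:
            if len(new_vals) > 1:
                raise ValueError("%s is single-valued, got %d values"
                                 % (attr, len(new_vals)))
            if new_vals:
                modlist.append((MOD_REPLACE, attr, new_vals))
            else:
                modlist.append((MOD_DELETE, attr, None))
        else:
            removed = [v for v in old_vals if v not in new_vals]
            added = [v for v in new_vals if v not in old_vals]
            if removed:
                modlist.append((MOD_DELETE, attr, removed))
            if added:
                modlist.append((MOD_ADD, attr, added))
    if not modlist:
        raise EmptyModlist(dn)
    return modlist
```

The reason to avoid MOD_REPLACE on multi-valued attributes is a lost-update problem: a replace writes back the whole value set the client read, silently discarding any value another client added in between (a group member, say). Deleting and adding specific values instead makes a conflicting concurrent change surface as a server error rather than win quietly.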
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.
This is the first step of allowing the subject to be set at
installation time.
Also fix 2 more issues related to the return results migration.