summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ldap2.py
Commit message (Collapse)AuthorAgeFilesLines
...
* Handle an empty base_dn and no cn=ipaconfig in the ldap2 backend, fix migration.Rob Crittenden2010-09-281-3/+11
| | | | | | | | | | | | | We lacked good error messages if the user/group container you used doesn't exist. Add a --continue option so things can continue if you use a bad user/group container. This has the side-effect of letting you migrate just users or groups by using a bad container for the one you don't want. Fix a Gettext() error when displaying the migrated password message. ticket 289
* Handle search_ext() returning ldap.SUCCESSRob Crittenden2010-09-281-0/+2
| | | | | | | | | In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS. The search actually was fine and returned data but an exception was returned and handled (though we didn't know what to do with it). This patch lets it continue along. ticket 285
* Add some tests for using the ldap2 Backend.Rob Crittenden2010-09-241-1/+1
| | | | | | Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that.
* Allow the schema to be set once an ldap connection is locked.Rob Crittenden2010-09-091-1/+3
| | | | | | | | | | | | When making LDAP calls via api.Backend.ldap2 the ldap2 object will already be locked by the api.finalize() call. So the first time that api.Backend.ldap2.connect() is called an error would be thrown that self.schema cannot be set because the object is ReadOnly. This uses the documented procedure for working around this lock. This was preventing the DNS installation to proceed. ticket #188
* Make ldap2 class work as a client library as well.Rob Crittenden2010-09-071-36/+48
| | | | | | | | | | | | | | | | | | Move the user-private group caching code out of the global config and determine the value the first time it is needed. Renamed global_init() back to get_schema() and make it take an optional connection. This solves the problem of being able to do all operations with a simple bind instead of GSSAPI. Moved the global get_syntax() into a class method so that a schema can be passed in. If a schema wasn't loaded during the module import then it is loaded when the connection is created (so we have the credntials needed for binding). ticket 63
* Use global time and size limit values when searching.Rob Crittenden2010-08-191-5/+17
| | | | | | Add test to verify that limit is honored and truncated flag set. ticket #48
* Fix reference to _handle_errors() in remove_principal_key()Rob Crittenden2010-08-101-1/+1
| | | | | It incorrectly was trying to call the class method _handle_errors() instead of the global function.
* Add API to delete a service principal key, service-disable.Rob Crittenden2010-07-131-0/+16
| | | | | | | | | | | | I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-121-13/+17
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Add support for User-Private GroupsRob Crittenden2010-07-061-7/+30
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Replace a new instance of IPAdmin use in ipa-server-install.Pavel Zuna2010-04-271-8/+8
|
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts.Pavel Zuna2010-04-191-13/+9
|
* Retrieve the LDAP schema using kerberos credentials.Rob Crittenden2010-03-171-7/+38
| | | | This is required so we can disable anonymous access in 389-ds.
* Convert integer and boolean values to unicode, don't leave them as str.Pavel Zuna2010-02-171-2/+0
|
* Fix schema loading in the ldap backend.Pavel Zuna2010-01-271-1/+4
|
* Allow cospriority to be updated and fix description of priority orderingRob Crittenden2010-01-191-9/+13
| | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work.
* Improve modlist generation in ldap2. Some code cleanup as bonus.Pavel Zuna2010-01-111-65/+89
| | | | | | | | ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. MOD_REPLACE is always used for single value attributes and never for multi value.
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Add option to not normalize a DN when adding/updating a record.Rob Crittenden2009-10-051-4/+6
| | | | | The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements so we can't normalize it.
* Fix aci plugin, enhance aci parsing capabilities, add user group supportRob Crittenden2009-09-281-1/+3
| | | | | | | | | | | | - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
* Only initialize the API once in the installerRob Crittenden2009-09-281-8/+14
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Enrollment for a host in an IPA domainRob Crittenden2009-09-241-1/+41
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+2
| | | | virtual plugin to work with the new backend
* Make ldap2.add_entry proof to None values, because python-ldap hate'em.Pavel Zuna2009-09-081-0/+4
|
* Introduce a list of attributes for which only MOD_REPLACE operations are ↵Pavel Zuna2009-08-281-2/+10
| | | | generated.
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-20/+11
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-4/+0
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Fix bug in _get_syntax (it was always returning None).Pavel Zuna2009-08-031-15/+7
| | | | Also prevent a few cases of double processing of arguments.
* Import explode_dn from ldap.functions for backward compatibility with older ↵Pavel Zuna2009-07-081-2/+4
| | | | | | version of python-ldap. Fix bug in add_entry_to_group. Resolves 510149
* Add class variable to indicate whether SSL is required or not.Rob Crittenden2009-07-071-2/+4
| | | | | Older python-ldap versions will crash if you call ldap.get_option() on a value that has not been set.
* Fix bug in ldap2.modify_password and make adding/removing members slightly ↵Pavel Zuna2009-07-071-4/+4
| | | | more efficient.
* Add conversion of attribute name synonyms when generating modlists.Pavel Zuna2009-06-151-0/+28
|
* Add support for incomplete (truncated) search results.Pavel Zuna2009-06-151-14/+29
| | | | | | | | | | ldap2.find_entries now returns a tuple containing 2 values. First, a list of entries (dn, entry_attrs), Second, the truncated flag. If the truncated flag is True, search results hit a server limitation and are incomplete. This patch also removes decoding of non-string scalar python types into unicode (they are left unchanged).
* Fix bugs in ldap2.Pavel Zuna2009-06-121-18/+8
|
* Fix bug in ldap2.normalize_dn.Pavel Zuna2009-06-101-1/+1
| | | | DN was always returned as lower-case, sometimes resulting in 2 RDN values with different cases when creating entries.
* Make it easier to search for a single entry by attribute value ↵Pavel Zuna2009-05-261-6/+19
| | | | (find_entry_by_attr). Fix minor search filter generation issues.
* Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 ↵Pavel Zuna2009-05-221-117/+43
| | | | base classes and use encode_args/decode_retval where applicable.
* Make search filter generation a bit safer. Minor bug fixes/code improvements.Pavel Zuna2009-04-301-8/+12
|
* Add method to generate DN from attribute directly, without making RDN first.Pavel Zuna2009-04-301-0/+10
|
* Rename errors2.py to errors.py. Modify all affected files.Pavel Zuna2009-04-231-25/+25
|
* Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add ↵Pavel Zuna2009-04-221-3/+4
| | | | member to a group.
* Change ldap2.__handle_errors into the global _handle_errors function.Pavel Zuna2009-04-221-52/+53
|
* Make it possible to construct partial match filters using make_filter_* ↵Pavel Zuna2009-04-221-6/+20
| | | | methods. Add missing _sasl_auth variable.
* Remove unwanted white spaceRob Crittenden2009-04-201-12/+12
|
* Finish work replacing the errors module with errors2Rob Crittenden2009-04-201-30/+64
| | | | | | Once this is committed we can start the process of renaming errors2 as errors. I thought that combinig this into one commit would be more difficult to review.
* Use full OID for LDAP SYNTAX identification. Don't convert Booleans and ↵Pavel Zuna2009-04-061-24/+20
| | | | Integers into respective python types as their ranges might not match. Rename module-scope functions.
generated by cgit (git 2.34.1) at 2025-08-28 16:29:23 +0000