summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Add list of domains associated to our realm to cn=etcAna Krivokapic2013-02-191-0/+141
| | | | | | | | | Add new LDAP container to store the list of domains associated with IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow manipulation of the list of realm domains. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/2945
* Add option to specify SID using domain name to idrange-add/modTomas Babej2013-02-181-13/+81
| | | | | | | | | | When adding/modifying an ID range for a trusted domain, the newly added option --dom-name can be used. This looks up SID of the trusted domain in LDAP and therefore the user is not required to write it down in CLI. If the lookup fails, error message asking the user to specify the SID manually is shown. https://fedorahosted.org/freeipa/ticket/3133
* Fix hbachelp examples formattingMartin Kosek2013-02-141-23/+23
| | | | | | Add correct labeling of matched/nonmatched output attributes. Also make sure that "\" is not interpreted as newline escape character but really as a "\" character.
* Add support for AD users to hbactest commandMartin Kosek2013-02-141-10/+131
| | | | | | | | | | | | | | | | | | | | | How this works: 1. When a trusted domain user is tested, AD GC is searched for the user entry Distinguished Name 2. The user entry is then read from AD GC and its SID and SIDs of all its assigned groups (tokenGroups attribute) are retrieved 3. The SIDs are then used to search IPA LDAP database to find all external groups which have any of these SIDs as external members 4. All these groups having these groups as direct or indirect members are added to hbactest allowing it to perform the search LIMITATIONS: - only Trusted Admins group members can use this function as it uses secret for IPA-Trusted domain link - List of group SIDs does not contain group memberships outside of the trusted domain https://fedorahosted.org/freeipa/ticket/2997
* Do not hide SID resolver error in group-add-memberMartin Kosek2013-02-141-3/+0
| | | | | | | | | When group-add-member does not receive any resolved trusted domain object SID, it raises an exception which hides any useful error message passed by underlying resolution methods. Remove the exception to reveal this error messages to user. https://fedorahosted.org/freeipa/ticket/2997
* Generalize AD GC searchMartin Kosek2013-02-141-4/+5
| | | | | | | | | | | | | | Modify access methods to AD GC so that callers can specify a custom basedn, filter, scope and attribute list, thus allowing it to perform any LDAP search. Error checking methodology in these functions was changed, so that it rather raises an exception with a desription instead of simply returning a None or False value which would made an investigation why something does not work much more difficult. External membership method in group-add-member command was updated to match this approach. https://fedorahosted.org/freeipa/ticket/2997
* Add SID blacklist attributesMartin Kosek2013-02-121-6/+38
| | | | | | | | Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
* Add trusconfig-show and trustconfig-mod commandsMartin Kosek2013-02-111-7/+183
| | | | | | | | | | | | Global trust configuration is generated ipa-adtrust-install script is run. Add convenience commands to show auto-generated options like SID or GUID or options chosen by user (NetBIOS). Most of these options are not modifiable via trustconfig-mod command as it would break current trusts. Unit test file covering these new commands was added. https://fedorahosted.org/freeipa/ticket/3333
* Prevent a crash when no entries are successfully migrated.Rob Crittenden2013-02-081-0/+1
| | | | | | | It would fail in _update_default_group() because migrate_cnt wasn't defined in context. https://fedorahosted.org/freeipa/ticket/3386
* Improve migration performanceRob Crittenden2013-02-051-8/+88
| | | | | | | | | | | | | | | | | | | Add new users to the default users group in batches of 100. The biggest overhead of migration is in calculating the modlist when managing the default user's group and applying the changes. A significant amount of time can be saved by not doing this on every add operation. Some other minor improvements include: Add a negative cache for groups not found in the remote LDAP server. Replace call to user_mod with a direct LDAP update. Catch some occurances of LimitError and handle more gracefully. I also added some debug logging to report on migration status and performance. https://fedorahosted.org/freeipa/ticket/3386
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Use fully qualified CCACHE namesMartin Kosek2013-02-011-3/+6
| | | | | | | | | | | | | | Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381
* Fix migration for openldap DSMartin Kosek2013-02-011-1/+13
| | | | | | | | | | | | | | | | | openldap server does not store its schema in cn=schema entry, but rather in cn=subschema. Add a fallback to ldap2 plugin to read from this entry when cn=schema is not found. ldap2 plugin uses the schema when doing some of the automatic encoding, like an automatic encoding of DN object. IPA migration plugin DN attribute processing is now also more tolerant when it finds that some DN attribute was not autoencoded. It tries to convert it to DN on its own and report a warning and continue with user processing when the conversion fails instead of crashing with AssertionError and thus abandoning the whole migration run. https://fedorahosted.org/freeipa/ticket/3372
* Pylint cleanup.Jan Cholasta2013-01-291-2/+2
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Raise ValidationError for incorrect subtree option.Ana Krivokapic2013-01-141-1/+4
| | | | Ticket: https://fedorahosted.org/freeipa/ticket/3233
* permission-find no longer crashes with --targetgroupMartin Kosek2013-01-111-2/+3
| | | | | | | | Target Group parameter was not processed correctly which caused permission-find to always crash when this search parameter was used. Fix the crash and create a unit test case to avoid future regression. https://fedorahosted.org/freeipa/ticket/3335
* Convert uniqueMember members into DN objects.Rob Crittenden2013-01-111-3/+9
| | | | | | | We were asserting that they should be DN objects but weren't converting them anywhere. https://fedorahosted.org/freeipa/ticket/3339
* Fix delegation-find command --group handlingMartin Kosek2012-12-191-1/+1
| | | | | | | | A wrong way of handling --group DN object caused Internal Error for this command. Fix that and also provide unit tests to avoid another regression. https://fedorahosted.org/freeipa/ticket/3311
* Forbid overlapping rid ranges for the same id rangeTomas Babej2012-12-171-10/+69
| | | | | | | | | Creating an id range with overlapping primary and secondary rid range using idrange-add or idrange-mod command now raises ValidationError. Unit tests have been added to test_range_plugin.py. https://fedorahosted.org/freeipa/ticket/3171
* Raise ValidationError when CSR does not have a subject hostnameLynn Root2012-12-111-0/+4
| | | | | | Raise ValidationError when CSR does not have a subject hostname. Ticket: https://fedorahosted.org/freeipa/ticket/3123
* Switch %r specifiers to '%s' in Public errorsLynn Root2012-12-111-3/+3
| | | | | | | | | | | This switch drops the preceding 'u' from strings within Public error messages. This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function. Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com. Ticket: https://fedorahosted.org/freeipa/ticket/3121 Ticket: https://fedorahosted.org/freeipa/ticket/2588
* Do not recommend how to configure DNS in error messageSumit Bose2012-12-031-13/+9
| | | | | | | | The best way to configure DNS depends on the environment and no general recommendations should be given by the CLI or Web UI. Especially forwarders should not be recommended by only be option of last resort. Fixes https://fedorahosted.org/freeipa/ticket/3261
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-213-61/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Web UI: disable global forwarding per zonePetr Vobornik2012-11-091-0/+1
| | | | | | | | Web UI part of 'disable global forwaring per zone' effort. Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy. https://fedorahosted.org/freeipa/ticket/3209
* Disable global forwarding per-zoneMartin Kosek2012-11-091-2/+17
| | | | | | | | | | | bind-dyndb-ldap allows disabling global forwarder per-zone. This may be useful in a scenario when we do not want requests to delegated sub-zones (like sub.example.com. in zone example.com.) to be routed through global forwarder. Few lines to help added to explain the feature to users too. https://fedorahosted.org/freeipa/ticket/3209
* Process relative nameserver DNS record correctlyMartin Kosek2012-11-061-18/+93
| | | | | | | | | | | | | | | | | | | | | | | Nameserver hostname passed to dnszone_add command was always treated as FQDN even though it was a relative DNS name to the new zone. All relative names were being rejected as unresolvable. Modify --name-server option processing in dnszone_add and dnszone_mod to respect FQDN/relative DNS name and do the checks accordingly. With this change, user can add a new zone "example.com" and let dnszone_add to create NS record "ns" in it, when supplied with its IP address. IP address check is more strict so that it is not entered when no forward record is created. Places misusing the option were fixed. Nameserver option now also accepts zone name, which means that NS and A record is placed to DNS zone itself. Also "@" is accepted as a nameserver name, BIND understand it also as a zone name. As a side-effect of this change, other records with hostname part (MX, KX, NS, SRV) accept "@" as valid hostname. BIND replaces it with respective zone name as well. Unit tests were updated to test the new format. https://fedorahosted.org/freeipa/ticket/3204
* Clarify trust-add help regarding multiple runs against the same domainAlexander Bokovoy2012-11-021-3/+25
| | | | | | | | Since trust-add re-establishes the trust every time it is run and all the other information fetched from the remote domain controller stays the same, it can be run multiple times. The only change would occur is update of trust relationship credentials -- they are supposed to be updated periodically by underlying infrastructure anyway.
* Resolve external members from trusted domain via Global CatalogAlexander Bokovoy2012-11-012-22/+27
| | | | | | | | | | | | A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
* Fixed incorrect link to browser config after session expirationPetr Vobornik2012-10-241-1/+1
| | | | | | Fixed typo in message placeholder. https://fedorahosted.org/freeipa/ticket/3187
* Fix requesting certificates that contain subject altnames.Rob Crittenden2012-10-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificatePetr Vobornik2012-10-191-1/+1
| | | | | | | | | | | | | | Instructions to generate certificate were simplified. New instructions: 1) Create a certificate database or use an existing one. To create a new database: # certutil -N -d <database path> 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example: # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM' 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below: https://fedorahosted.org/freeipa/ticket/3056
* Warn about DNA plugin configuration when working with local ID rangesAlexander Bokovoy2012-10-171-1/+22
| | | | https://fedorahosted.org/freeipa/ticket/3116
* Use PublicError instructions support for trust-add case when domain is not foundAlexander Bokovoy2012-10-111-7/+8
| | | | https://fedorahosted.org/freeipa/ticket/3167
* Fix wrong RID for Domain Admins in the examples of trust commandsAlexander Bokovoy2012-10-101-2/+2
|
* Minor fixes for default SMB groupMartin Kosek2012-10-091-1/+1
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trustAlexander Bokovoy2012-10-091-3/+34
| | | | | | | | | | | Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, NotFound exception is raised. Intercept the exception and process it to help diagnose and fix actual problem: - if IPA is managing DNS, suggest to make a forward for the domain's zone - otherwise suggest to setup DNS forwarder at upstream DNS server https://fedorahosted.org/freeipa/ticket/3103
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-041-1/+1
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-021-1/+6
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-031-3/+17
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Improve user addition to default group in user-addTomas Babej2012-10-031-1/+9
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
* Only use service PAC type as an overrideMartin Kosek2012-10-032-11/+30
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Do not produce unindexed search on every DEL commandMartin Kosek2012-10-011-1/+7
| | | | | | | | | | | | Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails.
* Validate SELinux users in config-modMartin Kosek2012-09-271-17/+32
| | | | | | | | config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-261-19/+6
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-241-2/+1
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
generated by cgit (git 2.34.1) at 2025-09-02 14:50:17 +0000