| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
| | |
|
| |
|
|
|
|
| |
When modifing the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3352
|
| |
|
|
|
|
|
|
|
| |
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
|
| |
|
|
|
|
|
| |
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several Commands were missing the 'version' option. Add it to those
that were missing it.
Do not remove the version option before calling commands. This means
methods such as execute(), forward(), run() receive it.
Several of these needed `**options` added to their signatures.
Commands in the Cert plugin passed any unknown options to the underlying
functions, these are changed to pass what's needed explicitly.
Some commands in DNS and Batch plugins now pass version to commands
they call.
When the option is not given, fill it in automatically. (In a subsequent
commit, a warning will be added in this case).
Note that the public API did not change: all RPC calls already accepted
a version option. There's no need for an API version bump (even though
API.txt changes substantially).
Design page: http://freeipa.org/page/V3/Messages
Tickets:
https://fedorahosted.org/freeipa/ticket/2732
https://fedorahosted.org/freeipa/ticket/3294
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
|
| |
|
|
| |
Tests included.
|
| |
|
|
|
|
|
|
|
| |
Since sudo commands are case-sensitive, we can't use 'sudocmd'
as the RDN.
Tests for case-sensitive behavior included
https://fedorahosted.org/freeipa/ticket/2482
|
| |
|
|
|
|
|
|
| |
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
|
| |
|
|
|
|
|
|
|
| |
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
|
| |
|
|
|
|
|
|
|
|
| |
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.
https://fedorahosted.org/freeipa/ticket/3133
|
| |
|
|
|
|
| |
Add correct labeling of matched/nonmatched output attributes. Also
make sure that "\" is not interpreted as newline escape character
but really as a "\" character.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How this works:
1. When a trusted domain user is tested, AD GC is searched
for the user entry Distinguished Name
2. The user entry is then read from AD GC and its SID and SIDs
of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search IPA LDAP database to find
all external groups which have any of these SIDs as external
members
4. All these groups having these groups as direct or indirect
members are added to hbactest allowing it to perform the search
LIMITATIONS:
- only Trusted Admins group members can use this function as it
uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
of the trusted domain
https://fedorahosted.org/freeipa/ticket/2997
|
| |
|
|
|
|
|
|
|
| |
When group-add-member does not receive any resolved trusted domain
object SID, it raises an exception which hides any useful error
message passed by underlying resolution methods. Remove the exception
to reveal this error messages to user.
https://fedorahosted.org/freeipa/ticket/2997
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.
Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.
https://fedorahosted.org/freeipa/ticket/2997
|
| |
|
|
|
|
|
|
| |
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/3333
|
| |
|
|
|
|
|
| |
It would fail in _update_default_group() because migrate_cnt wasn't
defined in context.
https://fedorahosted.org/freeipa/ticket/3386
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new users to the default users group in batches of 100. The
biggest overhead of migration is in calculating the modlist when
managing the default user's group and applying the changes. A
significant amount of time can be saved by not doing this on every
add operation.
Some other minor improvements include:
Add a negative cache for groups not found in the remote LDAP server.
Replace call to user_mod with a direct LDAP update.
Catch some occurances of LimitError and handle more gracefully.
I also added some debug logging to report on migration status and
performance.
https://fedorahosted.org/freeipa/ticket/3386
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2642
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.
IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.
https://fedorahosted.org/freeipa/ticket/3372
|
| |
|
|
|
|
|
| |
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.
https://fedorahosted.org/freeipa/ticket/3379
|
| |
|
|
| |
Ticket: https://fedorahosted.org/freeipa/ticket/3233
|
| |
|
|
|
|
|
|
| |
Target Group parameter was not processed correctly which caused
permission-find to always crash when this search parameter was used.
Fix the crash and create a unit test case to avoid future regression.
https://fedorahosted.org/freeipa/ticket/3335
|
| |
|
|
|
|
|
| |
We were asserting that they should be DN objects but weren't converting
them anywhere.
https://fedorahosted.org/freeipa/ticket/3339
|
| |
|
|
|
|
|
|
| |
A wrong way of handling --group DN object caused Internal Error
for this command. Fix that and also provide unit tests to avoid
another regression.
https://fedorahosted.org/freeipa/ticket/3311
|
| |
|
|
|
|
|
|
|
| |
Creating an id range with overlapping primary and secondary
rid range using idrange-add or idrange-mod command now
raises ValidationError. Unit tests have been added to
test_range_plugin.py.
https://fedorahosted.org/freeipa/ticket/3171
|
| |
|
|
|
|
| |
Raise ValidationError when CSR does not have a subject hostname.
Ticket: https://fedorahosted.org/freeipa/ticket/3123
|
| |
|
|
|
|
|
|
|
|
|
| |
This switch drops the preceding 'u' from strings within Public error messages.
This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function.
Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com.
Ticket: https://fedorahosted.org/freeipa/ticket/3121
Ticket: https://fedorahosted.org/freeipa/ticket/2588
|
| |
|
|
|
|
|
|
| |
The best way to configure DNS depends on the environment and no general
recommendations should be given by the CLI or Web UI. Especially
forwarders should not be recommended by only be option of last resort.
Fixes https://fedorahosted.org/freeipa/ticket/3261
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.
Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).
Fix some unit tests that are failing because we actually get the data
now due to transactions.
Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.
Deprecate wait_for_attr code.
Add a memberof fixup task for roles.
https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
|
| |
|
|
|
|
|
|
| |
Web UI part of 'disable global forwaring per zone' effort.
Option "Forwarding disabled" was added to 'DNS global config' and 'DNS zone' forwarding policy. It corresponds to 'none' value of idnsforwardpolicy.
https://fedorahosted.org/freeipa/ticket/3209
|
| |
|
|
|
|
|
|
|
|
|
| |
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.
Few lines to help added to explain the feature to users too.
https://fedorahosted.org/freeipa/ticket/3209
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.
Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.
Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.
Unit tests were updated to test the new format.
https://fedorahosted.org/freeipa/ticket/3204
|
| |
|
|
|
|
|
|
| |
Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change would occur is update of
trust relationship credentials -- they are supposed to be updated
periodically by underlying infrastructure anyway.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
|
| |
|
|
|
|
| |
Fixed typo in message placeholder.
https://fedorahosted.org/freeipa/ticket/3187
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3184
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instructions to generate certificate were simplified.
New instructions:
1) Create a certificate database or use an existing one. To create a new database:
# certutil -N -d <database path>
2) Create a CSR with subject CN=<hostname>,O=<realm>, for example:
# certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM'
3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:
https://fedorahosted.org/freeipa/ticket/3056
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3116
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3167
|
| | |
|
| |
|
|
|
|
|
|
| |
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.
https://fedorahosted.org/freeipa/ticket/3147
|
| |
|
|
|
|
|
|
|
|
|
| |
Establishing trust implies discovery of the trusted domain's domain controller via DNS.
If DNS discovery is not possible, NotFound exception is raised.
Intercept the exception and process it to help diagnose and fix actual problem:
- if IPA is managing DNS, suggest to make a forward for the domain's zone
- otherwise suggest to setup DNS forwarder at upstream DNS server
https://fedorahosted.org/freeipa/ticket/3103
|
