| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
Replace all occurences of Entry instantiation with calls to make_entry.
|
|
|
|
|
|
| |
These will serve as templates for changes in the calling code.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
Also remove _FORCE_REPLACE_ON_UPDATE_ATTRS which was never used.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
|
| |
The get_ipa_config method relies on IPA being installed.
Leave the implementation in ldap2, and add stub get_ipa_config that
simply returns an empty dictionary to LDAPConnection.
The get_members method contains an optimization that also relies on
the api object. The optimization is disabled in base LDAPConfig.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
| |
ldap2 has "DN normalization" functionality, which silently adds the base
DN to DNs that don't already end with it.
This functionality is left in the ldap2 class only.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of inheritance, the LDAPObject is kept in a `conn` attribute,
as the ldap2 class does it.
However, all IPASimpleLDAPObject methods are still available as before
(using __getattr__-based proxying).
Also, remove the IPAEntryLDAPObject class. The methods it overrode
were never called in ways that would make them behave differently than
the superclass.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
The first method to be extracted is handle_errors
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
| |
The ldap2 plugin should only contain the actual CRUDBackend plugin.
Common LDAP classes are moved to ipaldap.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
| |
This decision used the api object, which might not be available
in installer code. Move the decision to callers.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
| |
The connection code depends on the api object. If we want to use
the cache in installer code, where the api object is not always
available, the dependency must be removed.
Luckily, SchemaCache.get_schema is currently always given a connection.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
| |
Legacy Entry methods such as setValue are added to LDAPEntry directly,
so that we can use connection classes that return LDAPEntry with
code that expects Entries.
The Entry and its unique __init__ are still kept for compatibility.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
| |
This change makes it easier to see what is going on, in addition
to getting rid of pylint exceptions.
Also, make logging imports use explicit names instead of `import *`.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
| |
The two classes were nearly identical, and the updater is
the only code that uses Entity.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
These classes are deprecated, there's no use keeping unused methods around.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API version the client sends can now be used to check what the client
expects or is capable of.
All version tests IPA does will be be named and listed in one module,
ipalib.capabilities, which includes a function to test a specific capability
against an API version.
Similarly to Python's __future__ module, capabilities.py also serves as
documentation of backwards-incompatible changes to the API.
The first capability to be defined is "messages". Recent enough clients can
accept a list of warnings or other info under the "messages" key in the
result dict.
If a JSON client does not send the API version, it is assumed this is a testing
client (e.g. curl from the command line). Such a client "has" all capabilities,
but it will always receive a warning mentioning that forward compatibility
is not guaranteed.
If a XML client does not send the API version, it is assumed it uses the API
version before capabilities were introduced. (This is to keep backwards
compatibility with clients containing bug https://fedorahosted.org/freeipa/ticket/3294)
Whenever a capability is added, the API version must be incremented.
To ensure that, capabilities are written to API.txt and checked by
`makeapi --validate`.
Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user tries to perform any action requiring communication with
trusted domain, IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens for
example during group-add-member command when external user is
being resolved in the AD.
When user is not member of Trust admins group, the retrieval crashes
and reports internal error. Catch this exception and rather report
properly formatted ACIError. Also make sure that this exception is
properly processed in group-add-member post callback.
https://fedorahosted.org/freeipa/ticket/3390
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.
dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.
The search operation is unauthenticated
Design page: http://freeipa.org/page/V3/Cert_find
https://fedorahosted.org/freeipa/ticket/2528
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3132
|
|
|
|
|
|
|
|
|
|
| |
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in CLI. If the lookup fails, error message
asking the user to specify the SID manually is shown.
https://fedorahosted.org/freeipa/ticket/3133
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How this works:
1. When a trusted domain user is tested, AD GC is searched
for the user entry Distinguished Name
2. The user entry is then read from AD GC and its SID and SIDs
of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search IPA LDAP database to find
all external groups which have any of these SIDs as external
members
4. All these groups having these groups as direct or indirect
members are added to hbactest allowing it to perform the search
LIMITATIONS:
- only Trusted Admins group members can use this function as it
uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
of the trusted domain
https://fedorahosted.org/freeipa/ticket/2997
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify access methods to AD GC so that callers can specify a custom
basedn, filter, scope and attribute list, thus allowing it to perform
any LDAP search.
Error checking methodology in these functions was changed, so that it
rather raises an exception with a desription instead of simply returning
a None or False value which would made an investigation why something
does not work much more difficult. External membership method in
group-add-member command was updated to match this approach.
https://fedorahosted.org/freeipa/ticket/2997
|
|
|
|
|
|
|
| |
Give a clear message about what is wrong with current Trust settings
before letting AD to return a confusing error message.
https://fedorahosted.org/freeipa/ticket/3193
|
|
|
|
|
|
|
|
| |
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Break the script into several smaller methods.
Use modern idioms: os.path.join instead of string addition; the with statement
for closing files.
Add --quiet, --verbose, and --log-file options. Use logging instead of print
statements. (http://freeipa.org/page/V3/Logging_and_output)
Part of: https://fedorahosted.org/freeipa/ticket/2652
Fixes: https://fedorahosted.org/freeipa/ticket/3285
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Automatically add a "Logging and output options" group with the --quiet,
--verbose, --log-file options.
- Set up logging based on these options; details are in the setup_logging
docstring and in the design document.
- Don't bind log methods as individual methods of the class. This means one
less linter exception.
- Make the help for command line options consistent with optparse's --help and
--version options.
Design document: http://freeipa.org/page/V3/Logging_and_output
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3381
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
openldap server does not store its schema in cn=schema entry, but
rather in cn=subschema. Add a fallback to ldap2 plugin to read from
this entry when cn=schema is not found. ldap2 plugin uses the schema
when doing some of the automatic encoding, like an automatic
encoding of DN object.
IPA migration plugin DN attribute processing is now also more
tolerant when it finds that some DN attribute was not autoencoded.
It tries to convert it to DN on its own and report a warning and
continue with user processing when the conversion fails instead of
crashing with AssertionError and thus abandoning the whole
migration run.
https://fedorahosted.org/freeipa/ticket/3372
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DS is installed before the CA cert is generated. Trying to
add the cert to LDAP before it exists resulted in a nasty-looking
error message.
This moves the cert upload to after the CA cert is ready and the
certdb is created.
Move the cert upload to after thecertdb is generated.
https://fedorahosted.org/freeipa/ticket/3375
|
|
|
|
|
|
|
| |
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.
https://fedorahosted.org/freeipa/ticket/3379
|
|
|
|
|
|
|
| |
Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
| |
Define post-update plugin to upload public CA certificate to IPA LDAP server.
The plugin includes also update file that creates default container for the
certificate.
|
|
|
|
|
| |
This will later allow clients to securely download the CA cert by
performaing mutual auth using LDAP with GSSAPI
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA installer sometimes tries to connect to the Directory Server
via loopback address 127.0.0.1. However, the Directory Server on
pure IPv6 systems may not be listening on this address. This address
may not even be available.
Rather use the FQDN of the server when connecting to the DS to fix
this issue and make the connection consistent ldapmodify calls which
also use FQDN instead of IP address.
https://fedorahosted.org/freeipa/ticket/3355
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAP updates were sorted by number of RDNs in DN. This, however,
sometimes caused updates to be executed before cn=schema updates.
If the update required an objectClass or attributeType added during
the cn=schema update, the update operation failed.
Fix the sorting so that the cn=schema updates are always run first
and then the other updates sorted by RDN count.
https://fedorahosted.org/freeipa/ticket/3342
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3314
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In summary this patch does:
* Follow the defined rules for cookies when:
- receiving a cookie (process the attributes)
- storing a cookie (store cookie + attributes)
- sending a cookie
+ validate the cookie domain against the request URL
+ validate the cookie path against the request URL
+ validate the cookie expiration
+ if valid then send only the cookie, no attribtues
* Modifies how a request URL is stored during a XMLRPC
request/response sequence.
* Refactors a bit of the request/response logic to allow for making
the decision whether to send a session cookie instead of full
Kerberous auth easier.
* The server now includes expiration information in the session cookie
it sends to the client. The server always had the information
available to prevent using an expired session cookie. Now that
expiration timestamp is returned to the client as well and now the
client will not send an expired session cookie back to the server.
* Adds a new module and unit test for cookies (see below)
Formerly we were always returning the session cookie no matter what
the domain or path was in the URL. We were also sending the cookie
attributes which are for the client only (used to determine if to
return a cookie). The attributes are not meant to be sent to the
server and the previous behavior was a protocol violation. We also
were not checking the cookie expiration.
Cookie library issues:
We need a library to create, parse, manipulate and format cookies both
in a client context and a server context. Core Python has two cookie
libraries, Cookie.py and cookielib.py. Why did we add a new cookie
module instead of using either of these two core Python libaries?
Cookie.py is designed for server side generation but can be used to
parse cookies on the client. It's the library we were using in the
server. However when I tried to use it in the client I discovered it
has some serious bugs. There are 7 defined cookie elements, it fails
to correctly parse 3 of the 7 elements which makes it unusable because
we depend on those elements. Since Cookie.py was designed for server
side cookie processing it's not hard to understand how fails to
correctly parse a cookie because that's a client side need. (Cookie.py
also has an awkward baroque API and is missing some useful
functionality we would have to build on top of it).
cookielib.py is designed for client side. It's fully featured and obeys
all the RFC's. It would be great to use however it's tightly coupled
with another core library, urllib2.py. The http request and response
objects must be urllib2 objects. But we don't use urllib2, rather we use
httplib because xmlrpclib uses httplib. I don't see a reason why a
cookie library should be so tightly coupled to a protocol library, but
it is and that means we can't use it (I tried to just pick some isolated
entrypoints for our use but I kept hitting interaction/dependency problems).
I decided to solve the cookie library problems by writing a minimal
cookie library that does what we need and no more than that. It is a
new module in ipapython shared by both client and server and comes
with a new unit test. The module has plenty of documentation, no need
to repeat it here.
Request URL issues:
We also had problems in rpc.py whereby information from the request
which is needed when we process the response is not available. Most
important was the requesting URL. It turns out that the way the class
and object relationships are structured it's impossible to get this
information. Someone else must have run into the same issue because
there was a routine called reconstruct_url() which attempted to
recreate the request URL from other available
information. Unfortunately reconstruct_url() was not callable from
inside the response handler. So I decided to store the information in
the thread context and when the request is received extract it from
the thread context. It's perhaps not an ideal solution but we do
similar things elsewhere so at least it's consistent. I removed the
reconstruct_url() function because the exact information is now in the
context and trying to apply heuristics to recreate the url is probably
not robust.
Ticket https://fedorahosted.org/freeipa/ticket/3022
|
|
|
|
|
| |
Use our DN objects for generating DNs, instead of relying on
string operations.
|
|
|
|
|
|
|
|
|
| |
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.
PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user from other realm than FreeIPA's tries to use Web UI
(login via forms-based auth or with valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.
Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.
https://fedorahosted.org/freeipa/ticket/3252
|
|
|
|
|
|
|
|
|
|
| |
When using Global Catalog for resolving users and groups, one needs
to authenticate against Active Directory DC using GSSAPI. Obtaining
Kerberos ticket might fail. Make sure the failure message is actually
returned to the user so that decision can be made about the source
of issue.
https://fedorahosted.org/freeipa/ticket/3265
|