freeipa.git/ipaserver/plugins, branch WIP Unnamed repository; edit this file 'description' to name the repository. Raise proper exception when LDAP limits are exceeded 2012-04-17T03:23:57+00:00 Martin Kosek mkosek@redhat.com 2012-04-17T07:56:04+00:00 a663e83cb2717ac4cf831261c93c1582f562a07f ldap2 plugin returns NotFound error for find_entries/get_entry queries when the server did not manage to return an entry due to time limits. This may be confusing for user when the entry he searches actually exists. This patch fixes the behavior in ldap2 plugin to 1) Return even a zero search results + truncated bool set in ldap2.find_entries 2) Raise LimitsExceeded in ldap2.get_entry and ldap2.find_entry_by_attr instead of NotFound error This changed several assumptions about ldap2.find_entries results. Several calls accross IPA code base had to be amended. https://fedorahosted.org/freeipa/ticket/2606 
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
Change parameters to use only default_from for dynamic default values. 2012-03-28T12:04:31+00:00 Jan Cholasta jcholast@redhat.com 2012-03-15T08:32:37+00:00 a2299070c86ae049fb5702a72567a820fe6eaa28 Replace all occurences of create_default with equivalent default_from and remove create_default from the framework. This is needed for proper parameter validation, as there is no way to tell which parameters to validate prior to calling create_default, because create_default does not provide information about which parameters are used for generating the default value. 
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
Fix LDAP effective rights control with python-ldap 2.4.x 2012-03-22T04:54:57+00:00 Martin Kosek mkosek@redhat.com 2012-03-21T08:50:33+00:00 2d460003b9ec18d1dea52b745fc534090d82daab The new version of python-ldap changed the way it created LDAPv3 extended controls. The API used in 2.4.x can no longer be used because it does not send the bind DN with effective rights control and LDAP server thus rejects it. This patch implements the new API in a backward compatible way so that it works both with python-ldap versions 2.3.x and 2.4.x. https://fedorahosted.org/freeipa/ticket/2565 
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with effective rights
control and LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
Search allowed attributes in superior objectclasses 2012-03-22T16:13:39+00:00 Ondrej Hamada ohamada@redhat.com 2012-03-21T12:30:42+00:00 a58cbb985ec007c0ef83010b32408efb2f4784d2 get_allowed_attributes function was improved to look for allowed attributes also in the superior objectclasses of specified objectclass. This fixes the regression caused by patch for ticket #2293. Test-case for unit-test was also created. https://fedorahosted.org/freeipa/ticket/2293 
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
Display serial number as HEX (DECIMAL) when showing certificates. 2012-03-14T08:40:35+00:00 Rob Crittenden rcritten@redhat.com 2012-03-06T20:53:07+00:00 d4a80dbe52158f204e78afea742fc3322bbc65e5 https://fedorahosted.org/freeipa/ticket/1991 
https://fedorahosted.org/freeipa/ticket/1991
Allow removing sudo commands with special characters from command groups 2012-03-12T15:02:29+00:00 Petr Viktorin pviktori@redhat.com 2012-03-02T17:42:27+00:00 1dc11a01d7e2a8e561b3a79aa97bf0939cd3fd25 Previously the commands were compared as serialized strings. Differences in serializations meant commands with special characters weren't found in the checked list. Use the DN class to compare DNs correctly. https://fedorahosted.org/freeipa/ticket/2483 
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
Implement password based session login 2012-02-27T10:57:43+00:00 John Dennis jdennis@redhat.com 2012-02-25T18:39:19+00:00 ee780df13c99a5465cd6df965772260c297a5eb2 * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095 
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
Tweak the session auth to reflect developer consensus. 2012-02-27T10:54:29+00:00 John Dennis jdennis@redhat.com 2012-02-15T15:26:42+00:00 9753fd423059e8d5725ead9a90a7cf1b9e0b9b85 * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362 
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
Catch public exceptions when creating the LDAP context in WSGI. 2012-02-24T15:53:24+00:00 Rob Crittenden rcritten@redhat.com 2012-02-23T22:25:53+00:00 b241e828a9b47a6c706a3ac8378fd6e57b8202fb Made specifically for the case where S4U2Proxy delegation fails. https://fedorahosted.org/freeipa/ticket/2414 
Made specifically for the case where S4U2Proxy delegation fails.

https://fedorahosted.org/freeipa/ticket/2414
Global DNS options 2012-02-24T08:40:40+00:00 Martin Kosek mkosek@redhat.com 2012-02-10T11:54:49+00:00 2cf58937615c28527d1c78f883dad8726331c6df Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216 
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216