summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/trust.py
Commit message (Collapse)AuthorAgeFilesLines
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-031-1725/+0
| | | | | | | | | | Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: split off client-side plugin code into ipaclientJan Cholasta2016-06-031-24/+0
| | | | | | | | | | | Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: use relative imports for cross-plugin importsJan Cholasta2016-05-251-2/+2
| | | | | | | | | This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: remove the unused `csv` argument of ParamJan Cholasta2016-05-251-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* frontend: re-raise remote RequirementError using CLI name in CLIJan Cholasta2016-05-251-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Pylint: import max one module per lineMartin Basti2016-03-221-1/+2
| | | | | Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Fix broken trust warningsMartin Basti2016-03-161-1/+3
| | | | | | | | Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all. https://fedorahosted.org/freeipa/ticket/5737 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Warn user if trust is brokenMartin Basti2016-02-231-0/+41
| | | | | | | | | | Detect missing ipaNTSecurityIdentifier and print message for a user, that the trust is broken as result of trust-show and trust-find commands. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Tomas Babej <tbabej@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: use ipaNTTrustPartner attribute to detect trust entriesMartin Basti2016-02-231-2/+5
| | | | | | | | | | | | | | Trust entries were found by presence of ipaNTSecurityIdentifier attribute. Unfortunately this attribute might not be there due the bug. As replacement for this, attribute ipaNTTrustPartner can be used. Note: other non trust entries located in cn=trusts subtree can be cross-realm principals. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Tomas Babej <tbabej@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use explicit truncating divisionPetr Viktorin2016-01-201-1/+1
| | | | | | | | | | In Python 3, the truncating division operator, //, is needed to get C-style "int division". https://fedorahosted.org/freeipa/ticket/5623 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-2/+13
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trustdomain: Perform validation of the trust domain firstTomas Babej2015-10-261-1/+6
| | | | | | | | | | Makes sure that the first check that is performed when trustdomain-del command is run is that the actual trusted domain exists. This is done to prevent a subseqent error which might be misleading. https://fedorahosted.org/freeipa/ticket/5389 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Make trust_show.get_dn raise properly formatted NotFoundTomas Babej2015-10-261-8/+24
| | | | | | | | | | | | | The trust_show command does not raise a properly formatted NotFound error if the trust is not found, only a generic EmptyResult error is raised. This patch makes the trust_show tell us what actually could not be found. https://fedorahosted.org/freeipa/ticket/5389 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+5
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Replace uses of map()Petr Viktorin2015-09-011-3/+3
| | | | | | | | | | In Python 2, map() returns a list; in Python 3 it returns an iterator. Replace all uses by list comprehensions, generators, or for loops, as required. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: format Kerberos principal properly when fetching trust topologyAlexander Bokovoy2015-08-241-1/+6
| | | | | | | | | | | | | | | | | | For bidirectional trust if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask formatting 'creds' object in Kerberos style. For one-way trust we'll be fetching trust topology as TDO object, authenticating with pre-created Kerberos credentials cache, so in all cases we do use Kerberos authentication to talk to Active Directory domain controllers over cross-forest trust link. Part of trust refactoring series. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Fixes: https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: Detect missing Samba instanceTomas Babej2015-08-171-20/+79
| | | | | | | | | | | | | | | | | | | | | In the event of invocation of trust related commands, IPA server needs to contact local Samba instance. This is not possible on servers that merely act as AD trust agents, since they do not have Samba instance running. Properly detect the absence of the Samba instance and output user-friendly message which includes list of servers that are capable of running the command, if such exist. List of commands affected: * ipa trust-add * ipa trust-fetch-domains * all of the trustdomain commands available via CLI https://fedorahosted.org/freeipa/ticket/5165 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect domain clash with IPA domain when adding a AD trustTomas Babej2015-08-171-0/+8
| | | | | | | | | | | | | | | | | | When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges is the same - it's always DOMAIN.NAME_id_range. When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID. Detect such domain collisions early and bail out with an appropriate error message. https://fedorahosted.org/freeipa/ticket/4549 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-4/+4
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix incorrect type comparison in trust-fetch-domainsTomas Babej2015-08-061-1/+1
| | | | | | | | Value needs to be unpacked from the list and converted before comparison. https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-1/+1
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Check for AD root domain among our trusted domainsTomas Babej2015-07-171-1/+20
| | | | | | | | | | | | | Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to esablishing the trust. This prevents creation of a failing setup, as trusts would not work properly in this case. https://fedorahosted.org/freeipa/ticket/4799 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix minor typosYuri Chornoivan2015-07-171-1/+1
| | | | | | | | | | | | | <ame> -> <name> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-addAlexander Bokovoy2015-07-081-14/+51
| | | | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-081-34/+107
| | | | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-081-1/+8
| | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-081-1/+2
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.David Kupka2015-01-131-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4787 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa trust-add command should be interactiveGabe2014-08-251-1/+25
| | | | | | | | | - Make ipa trust-add command interactive for realm_admin and realm_passwd - Fix 'Active directory' typo to 'Active Directory' https://fedorahosted.org/freeipa/ticket/3034 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Validate missing trust secret properlyTomas Babej2014-07-141-4/+6
| | | | | | | | | Detect the situation if the user passes empty trust secret and error out properly. https://fedorahosted.org/freeipa/ticket/4266 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+11
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update all remaining plugins to the new Registry APINathaniel McCallum2014-06-111-21/+24
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Make trust objects available to regular usersMartin Kosek2014-04-281-11/+19
| | | | | | | | With global read ACI removed, some of the trust and trustdomain attributes are not available. Make trust plugin resilient to these missing attributes and let it return the available information. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add managed read permissions to trustPetr Viktorin2014-04-281-0/+15
| | | | | | | | A single permission is added to cover trust, trustconfig, and trustdomain. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrsPetr Viktorin2014-04-281-4/+3
| | | | | | | | | These attributes contain secrets for the trusts and should not be returned by default. Also, search_display_attributes is modified to better match default_attributes Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Allow primary keys to use different type than unicode.Jan Cholasta2014-04-181-14/+16
| | | | | | | | | | Also return list of primary keys instead of a single unicode CSV value from LDAPDelete-based commands. This introduces a new capability 'primary_key_types' for backward compatibility with old clients. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trust: do not fetch subdomains in case shared secret was used to set up the ↵Alexander Bokovoy2014-03-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | trust Until incoming trust is validated from AD side, we cannot run any operations against AD using the trust. Also, Samba currently does not suport verifying trust against the other party (returns WERR_NOT_SUPPORTED). This needs to be added to the documentation: When using 'ipa trust-add ad.domain --trust-secret', one has to manually validate incoming trust using forest trust properties in AD Domains and Trusts tool. Once incoming trust is validated at AD side, use IPA command 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. From this point on the trust should be usable. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert remaining frontend code to LDAPEntry API.Jan Cholasta2014-01-241-6/+4
|
* Hide trust-resolve commandMartin Kosek2014-01-201-0/+1
| | | | | | | | | | | | We do not need to expose a public FreeIPA specific interface to resolve SIDs to names. The interface is only used internally to resolve SIDs when external group members are listed. Additionally, the command interface is not prepared for regular user and can give rather confusing results. Hide it from CLI. The API itself is still accessible and compatible with older clients. https://fedorahosted.org/freeipa/ticket/4113
* trustdomain-find: report status of the (sub)domainAlexander Bokovoy2014-01-151-1/+17
| | | | | | | | | | Show status of each enumerated domain trustdomain-find shows list of domains associated with the trust. Each domain except the trust forest root can be enabled or disabled with the help of trustdomain-enable and trustdomain-disable commands. https://fedorahosted.org/freeipa/ticket/4096
* trust-fetch-domains: create ranges for new child domainsAlexander Bokovoy2014-01-151-121/+135
| | | | | | | | | | | | When trust is added, we do create ranges for discovered child domains. However, this functionality was not available through 'trust-fetch-domains' command. Additionally, make sure non-existing trust will report proper error in trust-fetch-domains. https://fedorahosted.org/freeipa/ticket/4111 https://fedorahosted.org/freeipa/ticket/4104
* trust: fix get_dn() to distinguish creating and re-adding trustsAlexander Bokovoy2013-12-111-2/+2
| | | | | | | | | | | Latest support for subdomains introduced regression that masked difference between newly added trust and re-added one. Additionally, in case no new subdomains were found, the code was returning None instead of an empty list which later could confuse trustdomain-find command. https://fedorahosted.org/freeipa/ticket/4067
* subdomains: Use AD admin credentials when trust is being establishedAlexander Bokovoy2013-11-291-3/+10
| | | | | | | | | | | | | | | | | | | | When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
* trusts: Do not pass base-id to the subdomain rangesTomas Babej2013-11-221-0/+5
| | | | | | | | | | | | | | | For trusted domains base id is calculated using a murmur3 hash of the domain Security Identifier (SID). During trust-add we create ranges for forest root domain and other forest domains. Since --base-id explicitly overrides generated base id for forest root domain, its value should not be passed to other forest domains' ranges -- their base ids must be calculated based on their SIDs. In case base id change for non-root forest domains is required, it can be done manually through idrange-mod command after the trust is established. https://fedorahosted.org/freeipa/ticket/4041
* trusts: Fix typo in error message for realm-domain mismatchTomas Babej2013-10-251-2/+2
|
* trusts: combine filters with AND to make sure only the intended domain matchesJakub Hrozek2013-10-241-1/+2
|
* Get the created range type in case of re-establishing trustTomas Babej2013-10-211-0/+2
| | | | | | | This is a regression fix introduced by commit id: 285ed59889590ddd0d6ca2e2a030b28527941cbf Fixes internal error in case of re-establishing the trust.
generated by cgit (git 2.34.1) at 2025-09-26 13:10:36 +0000