summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ldap2.py
Commit message (Collapse)AuthorAgeFilesLines
* ipalib, ipaserver: migrate all plugins to Registry-based registrationJan Cholasta2016-05-251-3/+4
| | | | | | | | Do not use the deprecated API.register method. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limitsMartin Babinsky2016-04-131-2/+3
| | | | | | | | | | | When LDAP search fails on exceeded limits, we should raise an specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Upgrade: increase time limit for upgradesMartin Basti2015-12-011-29/+43
| | | | | | | | | | | | | | | | Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix caching in get_ipa_configMartin Basti2015-11-191-1/+1
| | | | | | | | | Different opbject types were compared thus always result of comparation was False and caching does not work. https://fedorahosted.org/freeipa/ticket/5463 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for ↵Gabe2015-09-221-2/+2
| | | | | | | | unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Make ldap2 connection management thread-safe againJan Cholasta2015-09-041-18/+15
| | | | | | | | | | | This fixes the connection code in LDAPClient to not store the LDAP connection in an attribute of the object, which in combination with ldap2's per-thread connections lead to race conditions resulting in connection failures. ldap2 code was updated accordingly. https://fedorahosted.org/freeipa/ticket/5268 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Port from python-krbV to python-gssapiMichael Simacek2015-08-261-28/+32
| | | | | | | | | | | | | | | | | | python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-011-37/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* allow to call ldap2.destroy_connection multiple timesPetr Vobornik2015-05-071-2/+3
| | | | | | A regression fix. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* speed up indirect member processingPetr Vobornik2015-04-271-90/+0
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-161-7/+15
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_passwordJan Cholasta2015-04-161-6/+5
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient bind and unbind methods in ldap2Jan Cholasta2015-04-161-34/+28
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient connection management in ldap2Jan Cholasta2015-04-161-3/+10
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Add connection management to LDAPClientJan Cholasta2015-04-161-1/+4
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix ldap2 shared connectionMartin Basti2015-04-021-1/+1
| | | | | | | | | Since API is not singleton anymore, ldap2 connections should not be shared by default. https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: Use self API instance instead of ipalib.apiJan Cholasta2015-03-051-13/+32
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ldap2 indirect membership processing: Use global limits if greater than ↵Petr Viktorin2014-07-141-6/+29
| | | | | | | | | | | | | | | | per-query ones Calling an ipa *-find command with --sizelimit=1 on an entry with more members would result in a LimitsExceeded error as the search for members was limited to 1 entry. For the memberof searches, only apply the global limit if it's larger than the requested one, so decreasing limits on the individual query only affects the query itself. https://fedorahosted.org/freeipa/ticket/4398 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add /session/token_sync POST supportNathaniel McCallum2014-06-261-4/+10
| | | | | | | | | | | | | | | | | This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ldap2: add otp support to modify_passwordPetr Vobornik2014-06-261-3/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4262 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Remove GetEffectiveRights control when ldap2.get_effective_rights fails.Jan Cholasta2014-06-241-3/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ldap2.has_upg: Raise an error if the UPG definition is not foundPetr Viktorin2014-05-291-13/+17
| | | | | | | | | | | | | | | | | The UPG Definition is always present in IPA; if it can not be read it's usually caused by insufficient privileges. Previously the code assumed the absence of the entry meant that UPG is disabled. With granular read permissions, this would mean that users that can add users but can't read UPG Definition would add users without UPG, and the reason for that would not be very clear. It is better to fail early if the definition can't be read. Raise an error if the UPG Definition is not available. This makes read access to it a prerequisite for adding users. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ldap2.find_entries: Do not modify attrs_list in-placePetr Viktorin2014-05-261-6/+9
| | | | | | | | | | | | | | | dap2.find_entries modified the passed in attrs_list to remove the virtual attributes memberindirect and memberofindirect before passing the list to LDAP. This means that a call like ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes) would permanently remove the virtual attributes from some_framework_object's definition. Create a copy of the list instead. https://fedorahosted.org/freeipa/ticket/4349 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Always use real entry DNs for memberOf in ldap2.Jan Cholasta2014-02-241-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store old entry state in dict rather than LDAPEntry.Jan Cholasta2014-01-101-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Convert remaining backend code to LDAPEntry API.Jan Cholasta2013-12-161-20/+19
|
* Remove unused method get_api of the ldap2 plugin.Jan Cholasta2013-11-271-3/+0
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Refactor indirect membership processing.Jan Cholasta2013-11-271-182/+67
| | | | | | A single LDAP search is now used instead of one search per member. https://fedorahosted.org/freeipa/ticket/3971
* Support searches with paged results control in LDAPClient.Jan Cholasta2013-11-271-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Move IPA specific code from LDAPClient to the ldap2 plugin.Jan Cholasta2013-11-271-0/+204
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Use LDAP modify operation directly to add/remove group members.Jan Cholasta2013-07-111-23/+13
| | | | | | This prevents getting full member list from LDAP and putting it back later. https://fedorahosted.org/freeipa/ticket/3706
* Move ipaldap to ipapythonPetr Viktorin2013-03-131-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
* Remove support for DN normalization from LDAPClient.Jan Cholasta2013-03-011-22/+2
|
* Use full DNs in plugin code.Jan Cholasta2013-03-011-6/+4
|
* Aggregate IPASimpleLDAPObject in LDAPEntry.Jan Cholasta2013-03-011-4/+4
|
* Use the dn attribute of LDAPEntry to set/get DNs of entries.Jan Cholasta2013-03-011-2/+0
| | | | | Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove IPAdmin.unbind_s(), keep unbind()Petr Viktorin2013-03-011-1/+1
| | | | | | | | The unbind and unbind_s functions do the same thing (both are synchronous). In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.sasl_interactive_bind_sPetr Viktorin2013-03-011-2/+2
| | | | | | | Also, rename remaining uses of SASL_AUTH to SASL_GSSAPI to better reflect what it is. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Rename LDAPConnection to LDAPClientPetr Viktorin2013-03-011-3/+3
| | | | | | | It does more than just connecting, so it should have more suitable name. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Turn the LDAPError handler into a context managerPetr Viktorin2013-03-011-13/+4
| | | | | | | This has the advantage that the traceback is left intact if an error other than LDAPError is raised. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move entry add, update, remove, rename to LDAPConnectionPetr Viktorin2013-03-011-142/+2
| | | | | | Also remove _FORCE_REPLACE_ON_UPDATE_ATTRS which was never used. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move entry finding methods to LDAPConnectionPetr Viktorin2013-03-011-292/+7
| | | | | | | | | | | The get_ipa_config method relies on IPA being installed. Leave the implementation in ldap2, and add stub get_ipa_config that simply returns an empty dictionary to LDAPConnection. The get_members method contains an optimization that also relies on the api object. The optimization is disabled in base LDAPConfig. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move filter making methods to LDAPConnectionPetr Viktorin2013-03-011-121/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move DN handling methods to LDAPConnectionPetr Viktorin2013-03-011-36/+2
| | | | | | | | ldap2 has "DN normalization" functionality, which silently adds the base DN to DNs that don't already end with it. This functionality is left in the ldap2 class only. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move schema-related methods to LDAPConnectionPetr Viktorin2013-03-011-44/+5
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Start LDAPConnection, a common base for ldap2 and IPAdminPetr Viktorin2013-03-011-73/+9
| | | | | | The first method to be extracted is handle_errors Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldapPetr Viktorin2013-03-011-538/+5
| | | | | | | The ldap2 plugin should only contain the actual CRUDBackend plugin. Common LDAP classes are moved to ipaldap. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move the decision to force schema updates out of IPASimpleLDAPObjectPetr Viktorin2013-03-011-8/+20
| | | | | | | This decision used the api object, which might not be available in installer code. Move the decision to callers. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove connection-creating code from ShemaCachePetr Viktorin2013-03-011-34/+3
| | | | | | | | | | The connection code depends on the api object. If we want to use the cache in installer code, where the api object is not always available, the dependency must be removed. Luckily, SchemaCache.get_schema is currently always given a connection. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move LDAPEntry to ipaserver.ipaldap and derive Entry from itPetr Viktorin2013-03-011-97/+5
| | | | | | | | | | Legacy Entry methods such as setValue are added to LDAPEntry directly, so that we can use connection classes that return LDAPEntry with code that expects Entries. The Entry and its unique __init__ are still kept for compatibility. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
generated by cgit (git 2.34.1) at 2025-08-29 06:49:21 +0000