path: root/ipaserver/plugins
* Fix CA ACL Check on SubjectAltNames (Simo Sorce, 2016-08-31; 1 file changed, -4/+8)
  The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert: include CA name in cert command output (Jan Cholasta, 2016-08-30; 1 file changed, -9/+24)
  Include name of the CA that issued a certificate in cert-request, cert-show and cert-find. This allows the caller to call further commands on the cert without having to call ca-find to find the name of the CA.
  https://fedorahosted.org/freeipa/ticket/6151
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert: add missing param values to cert-find output (Jan Cholasta, 2016-08-30; 1 file changed, -1/+2)
  Add back `serial_number_hex` and `revoked` param values to cert-find output accidentally removed in commit c718ef058847bb39e78236e8af0ad69ac961bbcf.
  https://fedorahosted.org/freeipa/ticket/6269
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Raise DuplicatedEntry error when user exists in delete_container (Martin Basti, 2016-08-30; 1 file changed, -2/+13)
  We do not have the right to write to the users' delete_container. In case the user already exists in that container and we try to add the entry, we receive ACIError. This must be checked and a DuplicatedEntry error must be raised before.
  https://fedorahosted.org/freeipa/ticket/6199
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Don't ignore --ignore-last-of-role for last CA (Stanislav Laznicka, 2016-08-29; 1 file changed, -3/+4)
  Use a handler created for the purpose of deciding whether to raise an exception or not.
  https://fedorahosted.org/freeipa/ticket/6259
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* otptoken, permission: Convert custom type parameters on server (David Kupka, 2016-08-29; 2 files changed, -0/+4)
  Force client to send the value of ipatokenotpkey and ipapermlocation as entered by user.
  https://fedorahosted.org/freeipa/ticket/6247
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-show: show subject alternative names (Fraser Tweedale, 2016-08-26; 1 file changed, -3/+126)
  Enhance the cert-show command to return subject alternative name values.
  Fixes: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: include otherName DER value in GeneralNameInfo (Fraser Tweedale, 2016-08-26; 1 file changed, -1/+1)
  We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: use NSS enums and OIDs to identify SAN types (Fraser Tweedale, 2016-08-26; 1 file changed, -9/+10)
  GeneralName parsing currently relies heavily on strings from NSS. Make the code hopefully less brittle by identifying GeneralName types by NSS enums and, for otherName, the name-type OID also.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move GeneralName parsing code to ipalib.x509 (Fraser Tweedale, 2016-08-26; 1 file changed, -4/+4)
  GeneralName parsing code is primarily relevant to X.509. An upcoming change will add SAN parsing to the cert-show command, so first move the GeneralName parsing code from ipalib.pkcs10 to ipalib.x509.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Validate key in otptoken-add (Tomas Krizek, 2016-08-24; 1 file changed, -0/+4)
  Verify that the key is not empty when adding an OTP token. If it is empty, raise an appropriate error.
  https://fedorahosted.org/freeipa/ticket/6200
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove Custodia server keys from LDAP (Christian Heimes, 2016-08-24; 1 file changed, -0/+29)
  The server-del plugin now removes the Custodia keys for encryption and key signing from LDAP.
  https://fedorahosted.org/freeipa/ticket/6015
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* config-mod: normalize attribute names for --usersearch/--groupsearch (Petr Spacek, 2016-08-22; 1 file changed, -3/+7)
  https://fedorahosted.org/freeipa/ticket/6236
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Corrected minor spell check in AD Trust information doc messages (Abhijeet Kasurde, 2016-08-22; 1 file changed, -1/+1)
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trust: make sure ID range is created for the child domain even if it exists (Alexander Bokovoy, 2016-08-22; 1 file changed, -3/+7)
  ID ranges for child domains of a forest trust were created incorrectly in FreeIPA 4.4.0 due to refactoring of -- if the domain was already existing, we never attempted to create the ID range for it.

  At the same time, when the domain was missing, we attempted to add an ID range and passed both forest root and the child domain names to add_range(). However, add_range() only looks at the first positional argument, which was the forest root name. That ID range always exists (it is created before child domains are processed).

  Modify the code to make sure the child domain name is passed as the first positional argument. In addition, the oddjob helper should explicitly set context='server' so that idrange code will be able to see and use ipaserver/dcerpc.py helpers.

  Resolves: https://fedorahosted.org/freeipa/ticket/5738
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trust: make sure external trust topology is correctly rendered (Alexander Bokovoy, 2016-08-22; 1 file changed, -11/+17)
  When an external trust is established, it is by definition non-transitive: it is not possible to obtain Kerberos tickets to any service outside the trusted domain. Reflect this reality by only accepting UPN suffixes from the external trust -- since the trusted domain is a part of another forest and UPN suffixes are forest-wide, there could be user accounts in the trusted domain that use a forest-wide UPN suffix, but it will be impossible to reach the forest root via the externally trusted domain.

  Also, an argument to netr_DsRGetForestTrustInformation() has to be either the forest root domain name or None (NULL). Otherwise we'll get an error as explained in MS-NRPC 3.5.4.7.5.

  https://fedorahosted.org/freeipa/ticket/6021
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert-revoke: fix permission check bypass (CVE-2016-5404) (Fraser Tweedale, 2016-08-22; 1 file changed, -28/+32)
  The 'cert_revoke' command checks the 'revoke certificate' permission; however, if an ACIError is raised, it then invokes the 'cert_show' command. The rationale was to re-use a "host manages certificate" check that is part of the 'cert_show' command; however, it is sufficient that 'cert_show' executes successfully for 'cert_revoke' to recover from the ACIError and continue. Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate and cause various kinds of DoS.

  Fix the problem by extracting the "host manages certificate" check to its own method and explicitly calling it from 'cert_revoke'.

  Fixes: https://fedorahosted.org/freeipa/ticket/6232
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix: container owner should be able to add vault (Martin Basti, 2016-08-18; 1 file changed, -1/+1)
  With a recent change in DS (CVE fix), DS is not returning a DuplicatedEntry error in case the user is not permitted by ACI to write, but ACIError instead. It is safe to ignore the ACI error in the container, because it will be raised again later if the user has no access to the container.
  https://fedorahosted.org/freeipa/ticket/6159
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added new authentication method (Tiboris, 2016-08-17; 1 file changed, -1/+5)
  Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* service: add flag to allow S4U2Self (Alexander Bokovoy, 2016-08-17; 1 file changed, -0/+7)
  Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add warning about only one existing CA server (Pavel Vomacka, 2016-08-17; 1 file changed, -0/+2)
  It is not safe to have only one CA server in the topology. Therefore there is a check, and in case there is only one CA server a warning is shown. The warning is shown after each refresh of the servers facet.
  https://fedorahosted.org/freeipa/ticket/5828
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* cert: do not crash on invalid data in cert-find (Jan Cholasta, 2016-08-17; 1 file changed, -4/+24)
  https://fedorahosted.org/freeipa/ticket/6150
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* cert: speed up cert-find (Jan Cholasta, 2016-08-17; 1 file changed, -182/+216)
  Use issuer+serial rather than raw DER blob to identify certificates in cert-find's intermediate result. Restructure the code to make it (hopefully) easier to follow.
  https://fedorahosted.org/freeipa/ticket/6098
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* DNS: allow to add forward zone to already broken sub-domain (Petr Spacek, 2016-08-17; 1 file changed, -1/+1)
  Errors during DNS resolution might indicate that a forwarder is the necessary configuration which is missing. Now we disallow adding a forwarder only if the zone is normally resolvable without the forwarder.
  https://fedorahosted.org/freeipa/ticket/6062
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* parameters: move the `confirm` kwarg to Param (Jan Cholasta, 2016-08-10; 1 file changed, -4/+0)
  Whether a parameter is treated like a password is determined by the `password` class attribute defined in the Param class. Whether the CLI will ask for confirmation of a password parameter depends on the value of the `confirm` kwarg of the Password class.

  Move the `confirm` kwarg from the Password class to the Param class, so that it can be used by any Param subclass which has the `password` class attribute set to True.

  This fixes confirmation of the --key option of otptoken-add, which is a Bytes subclass with `password` set to True.

  https://fedorahosted.org/freeipa/ticket/6174
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix ipa-caalc-add-service error message (Tomas Krizek, 2016-08-09; 1 file changed, -1/+1)
  When the service is not found in the ipa-caalc-add-service command, return the entire principal name of the service instead of the first character.
  https://fedorahosted.org/freeipa/ticket/6171
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* caacl: fix regression in rule instantiation (Fraser Tweedale, 2016-08-05; 1 file changed, -6/+11)
  The Principal refactor causes service collections ('memberservice_service' attribute) to return Principal objects where previously it returned strings, but the HBAC machinery used for CA ACL enforcement only handles strings. Update the code to stringify service Principal objects when adding them to HBAC rules.
  Fixes: https://fedorahosted.org/freeipa/ticket/6146
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Increase default length of auto generated passwords (Martin Basti, 2016-08-03; 4 files changed, -8/+16)
  Installer/IPA generates passwords for various purposes:
  * KRA
  * kerberos master key
  * NSSDB password
  * temporary passwords during installation

  The length of passwords should be increased to 22 (~128 bits of entropy) to be safe nowadays.

  https://fedorahosted.org/freeipa/ticket/6116
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* re-set canonical principal name on migrated users (Martin Babinsky, 2016-08-01; 1 file changed, -13/+28)
  The migration procedure has been updated to re-set the `krbcanonicalname` attribute on migrated users as well as `krbprincipalname`, so that migration from FreeIPA versions supporting principal aliases does not break subsequent authentication of migrated users.
  https://fedorahosted.org/freeipa/ticket/6101
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* idrange: fix unassigned global variable (Martin Basti, 2016-07-29; 1 file changed, -0/+3)
  Global variable '_dcerpc_bindings_installed' is in some cases used before assignment. This patch ensures that _dcerpc_bindings_installed is always initialized.
  https://fedorahosted.org/freeipa/ticket/6082
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Fix MidairCollision instantiation during entry modification (Martin Babinsky, 2016-07-27; 1 file changed, -2/+2)
  https://fedorahosted.org/freeipa/ticket/6097
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* help: Add dnsserver commands to help topic 'dns' (David Kupka, 2016-07-22; 1 file changed, -0/+7)
  https://fedorahosted.org/freeipa/ticket/6069
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Host-del: fix behavior of --updatedns and PTR records (Martin Basti, 2016-07-22; 1 file changed, -11/+15)
  * the target for a PTR record must be an absolute domain name
  * the zone is detected using the DNS system instead of random splitting of the hostname

  https://fedorahosted.org/freeipa/ticket/6060
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* trust-add: handle `--all/--raw` options properly (Martin Babinsky, 2016-07-21; 1 file changed, -14/+27)
  The `trust-add` command did not handle these options correctly, often resulting in internal errors or mangled output. This patch implements a behavior which is more in line with the rest of the API commands.
  https://fedorahosted.org/freeipa/ticket/6059
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* prevent search for RADIUS proxy servers by secret (Martin Babinsky, 2016-07-21; 1 file changed, -0/+8)
  radiusproxy-find should not allow search by proxy secret even for privileged users, so we should hide it from the CLI.
  https://fedorahosted.org/freeipa/ticket/6078
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* expose `--secret` option in radiusproxy-* commands (Martin Babinsky, 2016-07-21; 1 file changed, -1/+0)
  Option `--secret` was hidden from the radiusproxy CLI, preventing setting a secret on an existing server or searching by secret. Since the thin client implementation, it was also not recognized by the interactive prompt code in the CLI frontend since it never got there.
  https://fedorahosted.org/freeipa/ticket/6078
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* allow 'value' output param in commands without primary key (Martin Babinsky, 2016-07-20; 2 files changed, -0/+5)
  The `PrimaryKey` output param works only for API objects that have primary keys; otherwise it expects None (nothing is associated with this param). Since the validation of command output was tightened during the thin client effort, some commands not honoring this contract began to fail output validation.

  A custom output was implemented for them to restore their functionality. It should however be considered as a fix for broken commands and not used further.

  https://fedorahosted.org/freeipa/ticket/6037
  https://fedorahosted.org/freeipa/ticket/6061
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Show full error message for selinuxusermap-add-hostgroup (Florence Blanc-Renaud, 2016-07-20; 1 file changed, -38/+15)
  While investigating the issue for selinuxusermap-add-hostgroup, we discovered that other commands were missing output. A first patch fixes most of the issues: freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch

  This patch fixes the servicedelegation CLI, where servicedelegation.takes_params was missing ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and memberprincipal.

  https://fedorahosted.org/freeipa/ticket/6026
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Fix subtopic -> topic mapping (David Kupka, 2016-07-15; 1 file changed, -1/+2)
  https://fedorahosted.org/freeipa/ticket/6069
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Preserve user principal aliases during rename operation (Martin Babinsky, 2016-07-15; 1 file changed, -0/+46)
  When a MODRDN is performed on the user entry, the MODRDN plugin resets both krbPrincipalName and krbCanonicalName to the value constructed from uid. In doing so, however, any principal aliases added to the krbPrincipalName are wiped clean.

  In this patch old aliases are fetched before the MODRDN operation takes place and inserted back after it is performed. This also preserves previous user logins which can be used further for authentication as aliases.

  https://fedorahosted.org/freeipa/ticket/6028
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* host-find: do not show SSH key by default (Martin Basti, 2016-07-13; 1 file changed, -1/+0)
  Only the function 'remove_sshpubkey_from_output_list_post' should be used in postcallbacks of *-find, otherwise only one entry will be cleaned up.
  https://fedorahosted.org/freeipa/ticket/6043
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* caacl: expand plugin documentation (Fraser Tweedale, 2016-07-13; 1 file changed, -6/+28)
  Expand the 'caacl' plugin documentation to explain some common confusions, including the fact that CA ACLs apply to the target subject principal (not necessarily the principal requesting the cert), and the fact that a CA-less CA ACL implies the 'ipa' CA.
  Fixes: https://fedorahosted.org/freeipa/ticket/6002
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix incorrect check for principal type when evaluating CA ACLs (Martin Babinsky, 2016-07-01; 1 file changed, -1/+3)
  This error prevented hosts from requesting certificates for themselves.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow unexpiring passwords (David Kupka, 2016-07-01; 1 file changed, -1/+1)
  Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in the user entry when the password should never expire.
  https://fedorahosted.org/freeipa/ticket/2795
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Add --cn option to cert-status (Fraser Tweedale, 2016-07-01; 1 file changed, -8/+8)
  Add the 'cacn' option to the cert-status command. Right now there is nothing we need to (or can) do with it, but we add it anyway for future use.
  Fixes: https://fedorahosted.org/freeipa/ticket/5999
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add widgets for kerberos aliases (Pavel Vomacka, 2016-07-01; 1 file changed, -0/+6)
  Create own custom_command_multivalued_widget for kerberos aliases.
  https://fedorahosted.org/freeipa/ticket/5927
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Unify display of principal names/aliases across entities (Martin Babinsky, 2016-07-01; 3 files changed, -6/+11)
  Since now users, hosts, and services all support assigning multiple principal aliases to them, the display of kerberos principal names should be consistent across all these objects. Principal aliases and canonical names will now be displayed in all add, mod, show, and find operations.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Provide API for management of host, service, and user principal aliases (Martin Babinsky, 2016-07-01; 4 files changed, -31/+136)
  New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases.

  'add' commands will check the following:
  * the correct principal type is supplied as an alias
  * the principals have correct realm and the realm/alternative suffix (e.g. e-mail) do not overlap with those of trusted AD domains

  If the entry does not have a canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers.

  'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry.

  See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

  https://fedorahosted.org/freeipa/ticket/1365
  https://fedorahosted.org/freeipa/ticket/3961
  https://fedorahosted.org/freeipa/ticket/5413
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make framework consider krbcanonicalname as service primary key (Martin Babinsky, 2016-07-01; 1 file changed, -4/+80)
  The framework does not allow a single param to appear as both positional argument and option in a single command, or to represent two different positional arguments for that matter. Since principal aliases shall go to the krbprincipalname attribute, the framework has to be tricked to believe krbcanonicalname is the service's primary key. The entry DN stored in LDAP remains the same.
  https://fedorahosted.org/freeipa/ticket/1365
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow for commands that use positional parameters to add/remove attributes (Martin Babinsky, 2016-07-01; 5 files changed, -31/+80)
  Commands that modify a single multivalued attribute of an entry should use positional parameters to specify both the primary key and the values to add/remove. Named options are redundant in this case.

  The `--certificate` option of `*-add/remove-cert` commands was turned mandatory to avoid EmptyModlist when it is omitted.

  https://fedorahosted.org/freeipa/ticket/3961
  https://fedorahosted.org/freeipa/ticket/5413
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>