summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ldap2.py
Commit message (Collapse)AuthorAgeFilesLines
* py3: remove_entry_from_group: attribute name must be stringMartin Basti2017-02-081-1/+1
| | | | | | | | Do not encode attribute names https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: can_read: attributelevelrights is already stringMartin Basti2017-01-311-1/+1
| | | | | | | | | Remove decode() as it causes error in py3 because the attribute is already string not bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: get_effective_rights: values passed to ldap must be bytesMartin Basti2017-01-311-1/+4
| | | | | | | | Values passed to LDAP must be bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: add_entry_to_group: attribute name must be string not bytesMartin Basti2017-01-241-1/+1
| | | | | | | | | With bytes as attribute name pyldap raises type error https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-291-2/+3
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ldap2: modify arguments for create_connectionTomas Krizek2016-11-071-16/+8
| | | | | | | | | | | | | | * Remove unused and obsolete function arguments: * tls_certfile * tls_keyfile * debug_level * Rename tls_cacertfile to cacert (same as name in LDAPClient) * Set cacert to constants.CACERT by default. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: change default bind_dnTomas Krizek2016-11-071-1/+1
| | | | | | | | | Set default bind_dn to cn=directory manager. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: change default time/size limitTomas Krizek2016-11-071-12/+25
| | | | | | | | | | | * Set default time_limit and size_limit in ldap2 to unlimited. * Set time_limit and size_limit to None in backend. This will respect ipaconfig values. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge external_bind into LDAPClientTomas Krizek2016-11-071-4/+1
| | | | | | | | | | | * Rename do_external_bind to external_bind * Remove user_name argument in external_bind() and always set it to effective user name https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pylint: enable the import-error checkJan Cholasta2016-10-241-1/+1
| | | | | | | | | | Check for import errors with pylint to make sure new python package dependencies are not overlooked. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipalib, ipaserver: migrate all plugins to Registry-based registrationJan Cholasta2016-05-251-3/+4
| | | | | | | | Do not use the deprecated API.register method. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limitsMartin Babinsky2016-04-131-2/+3
| | | | | | | | | | | When LDAP search fails on exceeded limits, we should raise an specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Upgrade: increase time limit for upgradesMartin Basti2015-12-011-29/+43
| | | | | | | | | | | | | | | | Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix caching in get_ipa_configMartin Basti2015-11-191-1/+1
| | | | | | | | | Different opbject types were compared thus always result of comparation was False and caching does not work. https://fedorahosted.org/freeipa/ticket/5463 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for ↵Gabe2015-09-221-2/+2
| | | | | | | | unlimited minvalue https://fedorahosted.org/freeipa/ticket/4023 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Make ldap2 connection management thread-safe againJan Cholasta2015-09-041-18/+15
| | | | | | | | | | | This fixes the connection code in LDAPClient to not store the LDAP connection in an attribute of the object, which in combination with ldap2's per-thread connections lead to race conditions resulting in connection failures. ldap2 code was updated accordingly. https://fedorahosted.org/freeipa/ticket/5268 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Port from python-krbV to python-gssapiMichael Simacek2015-08-261-28/+32
| | | | | | | | | | | | | | | | | | python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-011-37/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* allow to call ldap2.destroy_connection multiple timesPetr Vobornik2015-05-071-2/+3
| | | | | | A regression fix. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* speed up indirect member processingPetr Vobornik2015-04-271-90/+0
| | | | | | | | | | | | | | | the old implementation tried to get all entries which are member of group. That means also user. User can't have any members therefore this costly processing was unnecessary. New implementation reduces the search only to entries which have members. Also page size was removed to avoid paging by small pages(default size: 100) which is very slow for many members. https://fedorahosted.org/freeipa/ticket/4947 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap: Move value encoding from IPASimpleLDAPObject to LDAPClientJan Cholasta2015-04-161-7/+15
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_passwordJan Cholasta2015-04-161-6/+5
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient bind and unbind methods in ldap2Jan Cholasta2015-04-161-34/+28
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Use LDAPClient connection management in ldap2Jan Cholasta2015-04-161-3/+10
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ldap: Add connection management to LDAPClientJan Cholasta2015-04-161-1/+4
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix ldap2 shared connectionMartin Basti2015-04-021-1/+1
| | | | | | | | | Since API is not singleton anymore, ldap2 connections should not be shared by default. https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: Use self API instance instead of ipalib.apiJan Cholasta2015-03-051-13/+32
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ldap2 indirect membership processing: Use global limits if greater than ↵Petr Viktorin2014-07-141-6/+29
| | | | | | | | | | | | | | | | per-query ones Calling an ipa *-find command with --sizelimit=1 on an entry with more members would result in a LimitsExceeded error as the search for members was limited to 1 entry. For the memberof searches, only apply the global limit if it's larger than the requested one, so decreasing limits on the individual query only affects the query itself. https://fedorahosted.org/freeipa/ticket/4398 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add /session/token_sync POST supportNathaniel McCallum2014-06-261-4/+10
| | | | | | | | | | | | | | | | | This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ldap2: add otp support to modify_passwordPetr Vobornik2014-06-261-3/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4262 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Remove GetEffectiveRights control when ldap2.get_effective_rights fails.Jan Cholasta2014-06-241-3/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ldap2.has_upg: Raise an error if the UPG definition is not foundPetr Viktorin2014-05-291-13/+17
| | | | | | | | | | | | | | | | | The UPG Definition is always present in IPA; if it can not be read it's usually caused by insufficient privileges. Previously the code assumed the absence of the entry meant that UPG is disabled. With granular read permissions, this would mean that users that can add users but can't read UPG Definition would add users without UPG, and the reason for that would not be very clear. It is better to fail early if the definition can't be read. Raise an error if the UPG Definition is not available. This makes read access to it a prerequisite for adding users. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ldap2.find_entries: Do not modify attrs_list in-placePetr Viktorin2014-05-261-6/+9
| | | | | | | | | | | | | | | dap2.find_entries modified the passed in attrs_list to remove the virtual attributes memberindirect and memberofindirect before passing the list to LDAP. This means that a call like ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes) would permanently remove the virtual attributes from some_framework_object's definition. Create a copy of the list instead. https://fedorahosted.org/freeipa/ticket/4349 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Always use real entry DNs for memberOf in ldap2.Jan Cholasta2014-02-241-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store old entry state in dict rather than LDAPEntry.Jan Cholasta2014-01-101-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Convert remaining backend code to LDAPEntry API.Jan Cholasta2013-12-161-20/+19
|
* Remove unused method get_api of the ldap2 plugin.Jan Cholasta2013-11-271-3/+0
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Refactor indirect membership processing.Jan Cholasta2013-11-271-182/+67
| | | | | | A single LDAP search is now used instead of one search per member. https://fedorahosted.org/freeipa/ticket/3971
* Support searches with paged results control in LDAPClient.Jan Cholasta2013-11-271-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Move IPA specific code from LDAPClient to the ldap2 plugin.Jan Cholasta2013-11-271-0/+204
| | | | https://fedorahosted.org/freeipa/ticket/3971
* Use LDAP modify operation directly to add/remove group members.Jan Cholasta2013-07-111-23/+13
| | | | | | This prevents getting full member list from LDAP and putting it back later. https://fedorahosted.org/freeipa/ticket/3706
* Move ipaldap to ipapythonPetr Viktorin2013-03-131-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
* Remove support for DN normalization from LDAPClient.Jan Cholasta2013-03-011-22/+2
|
* Use full DNs in plugin code.Jan Cholasta2013-03-011-6/+4
|
* Aggregate IPASimpleLDAPObject in LDAPEntry.Jan Cholasta2013-03-011-4/+4
|
* Use the dn attribute of LDAPEntry to set/get DNs of entries.Jan Cholasta2013-03-011-2/+0
| | | | | Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove IPAdmin.unbind_s(), keep unbind()Petr Viktorin2013-03-011-1/+1
| | | | | | | | The unbind and unbind_s functions do the same thing (both are synchronous). In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.sasl_interactive_bind_sPetr Viktorin2013-03-011-2/+2
| | | | | | | Also, rename remaining uses of SASL_AUTH to SASL_GSSAPI to better reflect what it is. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Rename LDAPConnection to LDAPClientPetr Viktorin2013-03-011-3/+3
| | | | | | | It does more than just connecting, so it should have more suitable name. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Turn the LDAPError handler into a context managerPetr Viktorin2013-03-011-13/+4
| | | | | | | This has the advantage that the traceback is left intact if an error other than LDAPError is raised. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
generated by cgit (git 2.34.1) at 2024-09-24 08:10:59 +0000