summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* trust-fetch-domains: contact forest DCs when fetching trust domain infoMartin Babinsky2016-09-141-3/+11
| | | | | | | | | | | | The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts `com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest root domain is contacted directly through Samba using the credentials of HTTP principal. https://fedorahosted.org/freeipa/ticket/6328 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-request: raise error when request failsFraser Tweedale2016-09-131-0/+4
| | | | | | | | | | | Fix a regression in recent change to request cert via Dogtag REST API. 'ra.request_certificate' was no longer raising CertificateOperationError when the cert request failed. Inspect the request result to determine if the request completed, and raise if it did not. Fixes: https://fedorahosted.org/freeipa/ticket/6309 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* netgroup: avoid extraneous LDAP search when retrieving primary key from DNMartin Babinsky2016-09-091-0/+20
| | | | | | | | | | | DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in their leaf RDN depending on their origin. Since 'cn' is the primary key, we can return it in `get_primary_key_from_dn` right away and avoid any extraneous LDAP search. https://fedorahosted.org/freeipa/ticket/5855 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add 'Restore' option to action dropdown menuPavel Vomacka2016-09-081-0/+1
| | | | | | | | Also moving activate_action method several lines up - correcting logical order of methods. https://fedorahosted.org/freeipa/ticket/5818 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Allow multicast addresses in A/AAAA recordsMartin Basti2016-09-071-2/+4
| | | | | | | | | There is no reason (RFC) why we should prevent users to add multicast addresses to A/AAAA records https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow network ip addressesMartin Basti2016-09-071-3/+2
| | | | | | | | | | | | | | Currently cloud environments uses heavily prefix /32 (/128) what makes IPA validators to fail. IPA should not care if IP address is network or not. This commit allows usage of network addresses in: * host plugin * dns plugin * server-installer * client-installer https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
* Make host/service cert revocation aware of lightweight CAsFraser Tweedale2016-09-072-39/+37
| | | | | | | | | | Revocation of host/service certs on host/service deletion or other operations is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. Fixes: https://fedorahosted.org/freeipa/ticket/6221 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-request: raise CertificateOperationError if CA disabledFraser Tweedale2016-09-071-2/+10
| | | | | | | | | | Detect when cert-request returns HTTP 409, which indicates that the target CA is disabled - a valid scenario - and raise CertificateOperationError with a friendly message instead of HTTPRequestError. Fixes: https://fedorahosted.org/freeipa/ticket/6260 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use Dogtag REST API for certificate requestsFraser Tweedale2016-09-071-285/+191
| | | | | | | | | | | | The Dogtag REST API gives better responses statuses than the RPC API and properly reports failure due to disabled CA (status 409). Make 'ra' extend 'RestClient' and refactor the 'request_certificate' method to use Dogtag's REST API. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add HTTPRequestError classFraser Tweedale2016-09-071-1/+2
| | | | | | | | | | | | | | | Currently, HTTP requests that respond with status not in the 2xx range raise RemoteRetrieveError. The exception includes no information about the response status. Add the 'HTTPRequestError' class which extends 'RemoteRequestError' with an attribute for the response status, and update the Dogtag RestClient to raise the new error. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Allow Dogtag RestClient to perform requests without logging inFraser Tweedale2016-09-071-12/+24
| | | | | | | | | | | | | | | | | Currently the Dogtag RestClient '_ssldo' method requires a session cookie unconditionally, however, not all REST methods require a session: some do not require authentication at all, and some will authenticate the agent on the fly. To avoid unnecessary login/logout requests via the context manager, add the 'use_session' keyword argument to '_ssldo'. It defaults to 'True' to preserve existing behaviour (session required) but a caller can set to 'False' to avoid the requirement. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert: fix cert-find --certificate when the cert is not in LDAPJan Cholasta2016-09-071-7/+5
| | | | | | | | | Always return the cert specified in --certificate in cert-find result, even when the cert is not found in LDAP. https://fedorahosted.org/freeipa/ticket/6304 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ca-disable and ca-enable commandsFraser Tweedale2016-09-072-2/+70
| | | | | | | | | | | | | We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dns: prompt for missing record parts in CLIJan Cholasta2016-09-061-0/+15
| | | | | | | | | Fix the code which determines if a record part is required and thus should be prompted not to wrongfully consider all record parts to be optional. https://fedorahosted.org/freeipa/ticket/6203 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Always fetch forest info from root DCs when establishing two-way trustMartin Babinsky2016-09-051-8/+21
| | | | | | | | | | | | | | Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* do not use trusted forest name to construct domain admin principalMartin Babinsky2016-08-311-1/+1
| | | | | | | | | | | | | | When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component. https://fedorahosted.org/freeipa/ticket/6277 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix CA ACL Check on SubjectAltNamesSimo Sorce2016-08-311-4/+8
| | | | | | | | | | The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert: include CA name in cert command outputJan Cholasta2016-08-301-9/+24
| | | | | | | | | | | | Include name of the CA that issued a certificate in cert-request, cert-show and cert-find. This allows the caller to call further commands on the cert without having to call ca-find to find the name of the CA. https://fedorahosted.org/freeipa/ticket/6151 Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert: add missing param values to cert-find outputJan Cholasta2016-08-301-1/+2
| | | | | | | | | Add back `serial_number_hex` and `revoked` param values to cert-find output accidentally removed in commit c718ef058847bb39e78236e8af0ad69ac961bbcf. https://fedorahosted.org/freeipa/ticket/6269 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Raise DuplicatedEnrty error when user exists in delete_containerMartin Basti2016-08-301-2/+13
| | | | | | | | | | | We do not have right to write to users delete_container. In case that user already exists in that container and we tried to add entry, we receive ACIError. This must be checked and DuplicationEntry error must be raised before. https://fedorahosted.org/freeipa/ticket/6199 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Don't ignore --ignore-last-of-role for last CAStanislav Laznicka2016-08-291-3/+4
| | | | | | | | | Use a handler created for the purpose of deciding whether to raise exception or not. https://fedorahosted.org/freeipa/ticket/6259 Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* otptoken, permission: Convert custom type parameters on serverDavid Kupka2016-08-292-0/+4
| | | | | | | | | Force client to send the value of ipatokenotpkey and ipapermlocation as entered by user. https://fedorahosted.org/freeipa/ticket/6247 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert-show: show subject alternative namesFraser Tweedale2016-08-261-3/+126
| | | | | | | | Enhance the cert-show command to return subject alternative name values. Fixes: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: include otherName DER value in GeneralNameInfoFraser Tweedale2016-08-261-1/+1
| | | | | | | | | | We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames. Part of: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: use NSS enums and OIDs to identify SAN typesFraser Tweedale2016-08-261-9/+10
| | | | | | | | | | GeneralName parsing currently relies heavily on strings from NSS. Make the code hopefully less brittle by identifying GeneralName types by NSS enums and, for otherName, the name-type OID also. Part of: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move GeneralName parsing code to ipalib.x509Fraser Tweedale2016-08-261-4/+4
| | | | | | | | | | | GeneralName parsing code is primarily relevant to X.509. An upcoming change will add SAN parsing to the cert-show command, so first move the GeneralName parsing code from ipalib.pkcs10 to ipalib.x509. Part of: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Validate key in otptoken-addTomas Krizek2016-08-241-0/+4
| | | | | | | | | Verify that key is not empty when adding otp token. If it is empty, raise an appropriate error. https://fedorahosted.org/freeipa/ticket/6200 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove Custodia server keys from LDAPChristian Heimes2016-08-241-0/+29
| | | | | | | | | The server-del plugin now removes the Custodia keys for encryption and key signing from LDAP. https://fedorahosted.org/freeipa/ticket/6015 Reviewed-By: Martin Basti <mbasti@redhat.com>
* config-mod: normalize attribute names for --usersearch/--groupsearchPetr Spacek2016-08-221-3/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/6236 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Corrected minor spell check in AD Trust information doc messagesAbhijeet Kasurde2016-08-221-1/+1
| | | | | Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trust: make sure ID range is created for the child domain even if it existsAlexander Bokovoy2016-08-221-3/+7
| | | | | | | | | | | | | | | | | | | | ID ranges for child domains of a forest trust were created incorrectly in FreeIPA 4.4.0 due to refactoring of -- if the domain was already existing, we never attempted to create the ID range for it. At the same time, when domain was missing, we attempted to add ID range and passed both forest root and the child domain names to add_range(). However, add_range() only looks at the first positional argument which was the forest root name. That ID range always exists (it is created before child domains are processed). Modify the code to make sure child domain name is passed as the first positional argument. In addition, the oddjob helper should explicitly set context='server' so that idrange code will be able to see and use ipaserver/dcerpc.py helpers. Resolves: https://fedorahosted.org/freeipa/ticket/5738 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trust: make sure external trust topology is correctly renderedAlexander Bokovoy2016-08-221-11/+17
| | | | | | | | | | | | | | | | | | | | When external trust is established, it is by definition is non-transitive: it is not possible to obtain Kerberos tickets to any service outside the trusted domain. Reflect this reality by only accepting UPN suffixes from the external trust -- since the trusted domain is a part of another forest and UPN suffixes are forest-wide, there could be user accounts in the trusted domain that use forest-wide UPN suffix but it will be impossible to reach the forest root via the externally trusted domain. Also, an argument to netr_DsRGetForestTrustInformation() has to be either forest root domain name or None (NULL). Otherwise we'll get an error as explained in MS-NRPC 3.5.4.7.5. https://fedorahosted.org/freeipa/ticket/6021 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert-revoke: fix permission check bypass (CVE-2016-5404)Fraser Tweedale2016-08-221-28/+32
| | | | | | | | | | | | | | | | | The 'cert_revoke' command checks the 'revoke certificate' permission, however, if an ACIError is raised, it then invokes the 'cert_show' command. The rational was to re-use a "host manages certificate" check that is part of the 'cert_show' command, however, it is sufficient that 'cert_show' executes successfully for 'cert_revoke' to recover from the ACIError continue. Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate and cause various kinds of DoS. Fix the problem by extracting the "host manages certificate" check to its own method and explicitly calling it from 'cert_revoke'. Fixes: https://fedorahosted.org/freeipa/ticket/6232 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix: container owner should be able to add vaultMartin Basti2016-08-181-1/+1
| | | | | | | | | | | | With recent change in DS (CVE fix), ds is not returging DuplicatedEntry error in case that user is not permitted by ACI to write, but ACIError instead. Is safe to ignore ACI error in container, because it will be raised again later if user has no access to container. https://fedorahosted.org/freeipa/ticket/6159 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added new authentication methodTiboris2016-08-171-1/+5
| | | | | | Addressing ticket https://fedorahosted.org/freeipa/ticket/5764 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* service: add flag to allow S4U2SelfAlexander Bokovoy2016-08-171-0/+7
| | | | | | Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add warning about only one existing CA serverPavel Vomacka2016-08-171-0/+2
| | | | | | | | | | It is not safe to have only one CA server in topology. Therefore there is a check and in case that there is only one CA server a warning is shown. The warning is shown after each refreshing of servers facet. https://fedorahosted.org/freeipa/ticket/5828 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* cert: do not crash on invalid data in cert-findJan Cholasta2016-08-171-4/+24
| | | | | | | https://fedorahosted.org/freeipa/ticket/6150 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* cert: speed up cert-findJan Cholasta2016-08-171-182/+216
| | | | | | | | | | | | Use issuer+serial rather than raw DER blob to identify certificates in cert-find's intermediate result. Restructure the code to make it (hopefully) easier to follow. https://fedorahosted.org/freeipa/ticket/6098 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* DNS: allow to add forward zone to already broken sub-domainPetr Spacek2016-08-171-1/+1
| | | | | | | | | | Errors during DNS resolution might indicate that forwarder is the necessary configuration which is missing. Now we disallow adding a forwarder only if the zone is normally resolvable without the forwarder. https://fedorahosted.org/freeipa/ticket/6062 Reviewed-By: Martin Basti <mbasti@redhat.com>
* parameters: move the `confirm` kwarg to ParamJan Cholasta2016-08-101-4/+0
| | | | | | | | | | | | | | | | | | | Whether a parameter is treated like password is determined by the `password` class attribute defined in the Param class. Whether the CLI will asks for confirmation of a password parameter depends on the value of the `confirm` kwarg of the Password class. Move the `confirm` kwarg from the Password class to the Param class, so that it can be used by any Param subclass which has the `password` class attribute set to True. This fixes confirmation of the --key option of otptoken-add, which is a Bytes subclass with `password` set to True. https://fedorahosted.org/freeipa/ticket/6174 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix ipa-caalc-add-service error messageTomas Krizek2016-08-091-1/+1
| | | | | | | | | When service is not found in ipa-caalc-add-service command, return the entire principal name of the service instead of the first character. https://fedorahosted.org/freeipa/ticket/6171 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* caacl: fix regression in rule instantiationFraser Tweedale2016-08-051-6/+11
| | | | | | | | | | | The Principal refactor causes service collections ('memberservice_service' attribute) to return Principal objects where previously it returned strings, but the HBAC machinery used for CA ACL enforcement only handles strings. Update the code to stringify service Principal objects when adding them to HBAC rules. Fixes: https://fedorahosted.org/freeipa/ticket/6146 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Increase default length of auto generated passwordsMartin Basti2016-08-034-8/+16
| | | | | | | | | | | | | | | Installer/IPA generates passwords for warious purpose: * KRA * kerberos master key * NSSDB password * temporary passwords during installation Length of passwords should be increased to 22, ~128bits of entropy, to be safe nowadays. https://fedorahosted.org/freeipa/ticket/6116 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* re-set canonical principal name on migrated usersMartin Babinsky2016-08-011-13/+28
| | | | | | | | | | | The migration procedure has been updated to re-set `krbcanonicalname` attribute on migrated users as well as `krbprincipalname` so that migration from FreeIPA versions supporting principal aliases does not break subsequent authentication of migrated users. https://fedorahosted.org/freeipa/ticket/6101 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* idrange: fix unassigned global variableMartin Basti2016-07-291-0/+3
| | | | | | | | | | Global variable '_dcerpc_bindings_installed' is in some cases used before assigment. This patch ensures that _dcerpc_bindings_installed is always initialized. https://fedorahosted.org/freeipa/ticket/6082 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* baseldap: Fix MidairCollision instantiation during entry modificationMartin Babinsky2016-07-271-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/6097 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* help: Add dnsserver commands to help topic 'dns'David Kupka2016-07-221-0/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/6069 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Host-del: fix behavior of --updatedns and PTR recordsMartin Basti2016-07-221-11/+15
| | | | | | | | | | * target for ptr record must be absolute domain name * zone is detected using DNS system instead of random splitting of hostname https://fedorahosted.org/freeipa/ticket/6060 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* trust-add: handle `--all/--raw` options properlyMartin Babinsky2016-07-211-14/+27
| | | | | | | | | | `trust-add` command did not handle these options correctly often resulting in internal errors or mangled output. This patch implements a behavior which is more in-line with the rest of the API commands. https://fedorahosted.org/freeipa/ticket/6059 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 19:41:06 +0000