summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Configure Anonymous PKINIT on server installkdc-pkinitSimo Sorce2016-12-082-18/+70
| | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix permission-find with sizelimit setStanislav Laznicka2016-12-071-0/+7
| | | | | | | | | | | If permission-find is fired with an argument and sizelimit set a message about truncation will be sent along with the result as the search in post_callback() does general search instead of having its filter properly set. https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Generalize filter generation in LDAPSearchStanislav Laznicka2016-12-071-20/+34
| | | | | | | | | Make it easier to generate search filters properly and in a unified way in any inheriting method https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-request: match names against principal aliasesFraser Tweedale2016-12-061-28/+85
| | | | | | | | | | | | | | | Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com>
* fix missing translation stringshanyin2016-12-061-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* permission-find: fix a sizelimit off-by-one bugStanislav Laznicka2016-12-061-9/+9
| | | | | | | | | permission-find: sizelimit option set to number of permissions -1 could return all permissions anyway https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix permission_find fail on low search size limitStanislav Laznicka2016-12-061-2/+2
| | | | | | | | | | | permission_find() method would have failed if size_limit in config is too small caused by a search in post_callback. This search should also respect the passed sizelimit or the sizelimit from ipa config if no sizelimit is passed. https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make `env` and `plugins` commands local againMartin Babinsky2016-12-021-118/+5
| | | | | | | | | | | | | | During thin client refactoring, LocalOrRemote class implementation of `run` method was overriden by default Command implementation during instantiation of client plugins from schema. This caused these commands to always forward this request to IPA master. This patch restores the original behavior: unless `--server` option was specified, the commands will always print out local config. https://fedorahosted.org/freeipa/ticket/6490 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-291-2/+3
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: remove get_domain_name()Jan Cholasta2016-11-291-2/+1
| | | | | | | | | | | get_domain_name() and related code depends on ipaplatform. Replace all uses of get_domain_name() with api.env.domain and remove get_domain_name() and all of the related code. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* wrap long lineChristian Heimes2016-11-251-1/+2
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix Python 3 bugs discovered by pylintChristian Heimes2016-11-252-2/+2
| | | | | | | | | | | | In Python 3 exception instances no longer have a message attribute. For most exceptions, str(e) or string formatting give the same result. Fix some renamed modules, module members and functions. https://fedorahosted.org/freeipa/ticket/4985 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Break ipaplatform / ipalib import cycle of hellChristian Heimes2016-11-242-2/+2
| | | | | | | | | | | Here is an attempt to break the import cycle of hell between ipaplatform and ipalib. All services now pass an ipalib.api object to services.service(). RedHatServices.__init__() still needs to do a local import because it initializes its wellknown service dict with service instances. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix ipa migrate-ds when it finds a search referenceFlorence Blanc-Renaud2016-11-171-2/+1
| | | | | | | | | | | | | | | | | | | | When ipa migrate-ds finds user entries and a search reference, it complains that the LDAP search did not return any result and does not migrate the entries or the groups. The issue comes from LDAPClient._convert_result which returns an empty result list when the input is a search reference. In turn LDAPClient.find_entries assumes that the empty result list corresponds to a Search Result Done and returns without any entry. The fix examines first the objtype returned by self.conn.result3. If it is a search result done, then the loop can be exited. Otherwise (referral or entry), _convert_result is called and the result (if not empty) is appended to the list of returned entries. https://fedorahosted.org/freeipa/ticket/6358 Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-request: accept CSRs with extraneous dataFraser Tweedale2016-11-111-2/+5
| | | | | | | | | | | | | | | The cert-request command used to accept CSRs that had extra data surrounding the PEM data, e.g. commentary about the contents of the CSR. Recent commits that switch to using python-cryptography for cert and CSR handling broke this. Our acceptance tests use such CSRs, hence the tests are now failing. To avoid the issue, freshly encode the python-cryptography CertificateSigningRequest object as PEM. This avoids re-using the user-supplied data, in case it has extraneous data. Fixes: https://fedorahosted.org/freeipa/ticket/6472 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* x509: use python-cryptography to process certsFraser Tweedale2016-11-102-63/+72
| | | | | | | | | | | | | | | | | Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code. Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions. Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* x509: avoid use of nss.data_to_hexFraser Tweedale2016-11-102-6/+8
| | | | | | | | | | | Avoid use of the nss.data_to_hex function for formatting certificate fingerprints. Add our own helper functions to format the fingerprints as hex (with colons). Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pkcs10: use python-cryptography for CSR processingFraser Tweedale2016-11-101-52/+43
| | | | | | | | | | Update ``ipalib.pkcs10`` module to use python-cryptography for CSR processing instead of NSS. Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* server-del: fix incorrect check for one IPA masterMartin Babinsky2016-11-071-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/6417 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ldap2: modify arguments for create_connectionTomas Krizek2016-11-072-20/+12
| | | | | | | | | | | | | | * Remove unused and obsolete function arguments: * tls_certfile * tls_keyfile * debug_level * Rename tls_cacertfile to cacert (same as name in LDAPClient) * Set cacert to constants.CACERT by default. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: change default bind_dnTomas Krizek2016-11-071-1/+1
| | | | | | | | | Set default bind_dn to cn=directory manager. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldap2: change default time/size limitTomas Krizek2016-11-071-12/+25
| | | | | | | | | | | * Set default time_limit and size_limit in ldap2 to unlimited. * Set time_limit and size_limit to None in backend. This will respect ipaconfig values. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge external_bind into LDAPClientTomas Krizek2016-11-071-4/+1
| | | | | | | | | | | * Rename do_external_bind to external_bind * Remove user_name argument in external_bind() and always set it to effective user name https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trustdomain-del: fix the way how subdomain is searchedAlexander Bokovoy2016-11-011-6/+9
| | | | | | | | | | With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic. Update 'ipa trustdomain-del' command to properly calculate DN to the actual child domain and handle the case when it is missing correctly. Fixes https://fedorahosted.org/freeipa/ticket/6445 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert-show: show validity in default outputFraser Tweedale2016-10-261-2/+2
| | | | | | | | | cert-show no longer shows validity dates without `--all', but this is important information that should be shown by default. Make it so. Fixes: https://fedorahosted.org/freeipa/ticket/6419 Reviewed-By: Martin Basti <mbasti@redhat.com>
* pwpolicy: do not run klist on importJan Cholasta2016-10-241-37/+22
| | | | | | | | | | | | | On pwpolicy module import, "klist -V" is run to determine if the installed krb5 version supports account lockout (>= 1.8). Remove the check, as we require a krb5 version which does support account lockout (1.12). https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* pylint: enable the import-error checkJan Cholasta2016-10-242-4/+4
| | | | | | | | | | Check for import errors with pylint to make sure new python package dependencies are not overlooked. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert: add revocation reason back to cert-find outputJan Cholasta2016-10-131-8/+9
| | | | | | | | | | | | | | | In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were accidentally removed from cert-find output. In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and `revoked` were added back. Add back `revocation_reason` as well. Also, do not include `revoked` with --raw, as it's a virtual attribute. https://fedorahosted.org/freeipa/ticket/6269 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* do not use keys() method when iterating through dictionariesMartin Babinsky2016-10-122-5/+5
| | | | | | | | | pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when building FreeIPA, we have to fix these errors https://fedorahosted.org/freeipa/ticket/6391 Reviewed-By: Martin Basti <mbasti@redhat.com>
* remove trailing newlines form python modulesMartin Babinsky2016-10-1217-18/+0
| | | | | | | | | pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order to build FreeIPA with this version https://fedorahosted.org/freeipa/ticket/6391 Reviewed-By: Martin Basti <mbasti@redhat.com>
* WebUI: fix API Browser menu labelPavel Vomacka2016-10-111-0/+1
| | | | | | | | | The label of API Browser is now in translatable strings and it has uppercase B at the beginnig of second word. https://fedorahosted.org/freeipa/ticket/6384 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS: Improve field descriptions for SRV recordsPetr Spacek2016-10-111-1/+5
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS: Support URI resource record typePetr Spacek2016-10-111-3/+47
| | | | | | https://fedorahosted.org/freeipa/ticket/6344 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add commentary about CA deletion to plugin docFraser Tweedale2016-10-061-8/+13
| | | | | | | | | | | Add commentary to 'ca' plugin documentation to explain what happens when a CA gets deleted - namely, that its signing cert gets revoked and its private key deleted. Also break the docstring up into smaller chunks to aid translation. Fixes: https://fedorahosted.org/freeipa/ticket/6256 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Pylint: remove unused variables in ipaserver packageMartin Basti2016-10-0612-88/+66
| | | | Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable check for unused-variablesMartin Basti2016-09-2712-0/+24
| | | | | | | | | | | | | | | Unused variables may: * make code less readable * create dead code * potentialy hide issues/errors Enabled check should prevent to leave unused variable in code Check is locally disabled for modules that fix is not clear or easy or have too many occurences of unused variables Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove unused variables in the codeMartin Basti2016-09-2710-11/+12
| | | | | | | | | | | This commit removes unused variables or rename variables as "expected to be unused" by using "_" prefix. This covers only cases where fix was easy or only one unused variable was in a module Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* sudorule: add SELinux transition examples to plugin docFraser Tweedale2016-09-231-0/+4
| | | | | | | | | It is not obvious how to add SELinux type and role transitions to a Sudo rule. Update the 'sudorule' plugin documentation with examples of how to do this. Fixes: https://fedorahosted.org/freeipa/ticket/3461 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix cert revocation when removing all certs via host/service-modFraser Tweedale2016-09-232-2/+4
| | | | | | | | | | | When removing all host/service certificates via host/service-mod --certificate=, the removed certificates should be revoked, but they are not. Examine whether the --certificate option was provided to determine whether certs should be revoked, instead of looking for a cert list in the options (which in this case is empty). Fixes: https://fedorahosted.org/freeipa/ticket/6305 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pylint: fix redefine-in-handlerJan Barta2016-09-221-5/+5
| | | | | Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pylint: fix unneeded-notJan Barta2016-09-225-6/+6
| | | | | Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pylint: fix simplifiable-if-statement warningsJan Barta2016-09-221-8/+2
| | | | | | | fix inefficient if statements, enable pylint check Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* WebUI: Change group name from 'normal' to 'Non-POSIX'Pavel Vomacka2016-09-211-1/+1
| | | | | | | | It will correspond with CLI and will be more self-explanatory. https://fedorahosted.org/freeipa/ticket/6334 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add help info about certificate revocation reasonsTomas Krizek2016-09-211-1/+2
| | | | | | | | | | Inform the user where to find additional information about certificate revocation reasons. https://fedorahosted.org/freeipa/ticket/6327 Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Use constant for user and group patternsMartin Basti2016-09-203-5/+11
| | | | | | | | | | User and groups regexp are the same and constant should be used to avoid any future misconfigurations. https://fedorahosted.org/freeipa/ticket/5822 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix regexp patterns in parameters to not enforce lengthMartin Basti2016-09-205-7/+7
| | | | | | | | | | | Regexp should not enforce lenght of string, we have different checks for that. Secondly regexp with length specified produces an incorrect error message. https://fedorahosted.org/freeipa/ticket/5822 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* dns: re-introduce --raw in dnsrecord-delJan Cholasta2016-09-191-0/+4
| | | | | | | | | The flag was removed in commit ff52c25ae299abba8bed653fe324951979a41293 because it is unused. Add it back for compatibility with old clients. https://fedorahosted.org/freeipa/ticket/5644 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa passwd: use correct normalizer for user principalsMartin Babinsky2016-09-141-3/+4
| | | | | | | | | | | Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the handling of user principals supplied to the`ipa passwd` command. This patch restores the original behavior which lowercases the username portion of the principal. https://fedorahosted.org/freeipa/ticket/6329 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trust-fetch-domains: contact forest DCs when fetching trust domain infoMartin Babinsky2016-09-141-3/+11
| | | | | | | | | | | | The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts `com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest root domain is contacted directly through Samba using the credentials of HTTP principal. https://fedorahosted.org/freeipa/ticket/6328 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-request: raise error when request failsFraser Tweedale2016-09-131-0/+4
| | | | | | | | | | | Fix a regression in recent change to request cert via Dogtag REST API. 'ra.request_certificate' was no longer raising CertificateOperationError when the cert request failed. Inspect the request result to determine if the request completed, and raise if it did not. Fixes: https://fedorahosted.org/freeipa/ticket/6309 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 19:41:49 +0000