Re: [Freeipa-devel] [PATCH] Make pwd-extop aware of new ipaNTHash attribute

2011-12-06 Thread Simo Sorce
On Mon, 2011-12-05 at 11:40 +0200, Alexander Bokovoy wrote:
 On Mon, 28 Nov 2011, Sumit Bose wrote:
  Hi,
  
  in IPAv3 we introduce a new attribute 'ipaNTHash' to store the NT hash.
  Currently the plugin handling the change password extended operation
  only sets and updates 'sambaNTPassword'. This patch adds support for the
  new attribute without removing the support for the old one.
 ACK
  
 One possible enhancement I would make is to get attribute names as 
 constant defines and re-use them across the code.

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Add ipasam samba passdb backend

2011-12-06 Thread Simo Sorce
On Mon, 2011-12-05 at 11:42 +0200, Alexander Bokovoy wrote:
 On Wed, 30 Nov 2011, Martin Kosek wrote:
  On Wed, 2011-11-30 at 10:11 +0100, Sumit Bose wrote:
   On Tue, Nov 29, 2011 at 11:25:41PM +0200, Alexander Bokovoy wrote:
On Tue, 29 Nov 2011, Sumit Bose wrote:
 @@ -199,10 +216,11 @@ class ADTRUSTInstance(service.Service):
  self.admin_conn.addEntry(entry)
  
  entry = ipaldap.Entry(self.smb_dom_dn)
 -entry.setValues(objectclass, [sambaDomain, 
 nsContainer])
 +entry.setValues(objectclass, [self.OBJC_DOMAIN, 
 nsContainer])
  entry.setValues(cn, self.domain_name)
 -entry.setValues(sambaDomainName, self.netbios_name)
 -entry.setValues(sambaSID, self.__gen_sid_string())
 +entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name)
 +entry.setValues(self.ATTR_SID, self.__gen_sid_string())
 +entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
  #TODO: which MAY attributes do we want to set ?
  self.admin_conn.add_s(entry)
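Review bot: the new domain entry is still committed with self.admin_conn.add_s(entry) while the entry a few lines up in the same hunk goes through self.admin_conn.addEntry(entry); switching this last call to addEntry keeps all entry creation on one code path (this is the conversion Alexander asks for below). The '#TODO: which MAY attributes do we want to set ?' comment is also carried along into the new code; either settle it now that self.ATTR_FLAT_NAME, self.ATTR_SID and self.ATTR_GUID are set here, or reference a ticket so the open question is not lost.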
Could you please also convert this one to .addEntry(entry)?
I think it is the last one left...
   
   This is fixed in freeipa-sbose-0012-3-Fix-some-pylint-warnings.patch.
   
   Martin, shall I extract the add_s-addEntry changes into a separate
   patch so they can be reviewed independently of the 6 ipasam patches?
   
   bye,
   Sumit
   
  
  I think it is OK to review (and push) them in the scope of your patch
  0012-3; we don't have to divide them.
 Yes. ACK then.

Pushed all to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA

2011-12-06 Thread Simo Sorce
On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
 On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
  On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
   Simo Sorce wrote:
Hello all,
   
with this set of patches it is possible to allow constrained delegation
of credentials so that a service can impersonate a user when
  
  [..]
  
   In the third patch in ipadb_get_delegation_acl() you can just fall 
   through to the return.
  
  Removed useless check.
  I also noticed I had added the prototype declaration for the new vtable
  function in the 2nd patch instead of the 3rd where it belongs by
  mistake.
  
  So I fixed that too.
  
   I think the content of this e-mail should be added as a README to the 
   source tree.
  
  Ok, I dumped and adapted the email content into a README file and added
  it to the third patch.
  
  I also fixed the patch names as per policy.
  
  Simo.
 
 
 We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
 the 'artificial' test done by kvno.
 
 I pushed a patch to handle part of the problem as a new krb5 package in
 ipa-devel.
 
 Soon we will have a patch for mod_auth_kerb that handles an issue there.
 
 But we still have an unresolved issue when using the adtrust
 functionality and our KDC releases PACs.
 
 The attached patch can be used to deal with that case. As you can see
 this is not intended for production, but can be used until we have a
 better fix on the KDC side.
 
 Simo.

Rebased patch 468 to apply to current master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 1ecdb11ba9a11707278e03fb54cff5693bd626ce Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Sun, 20 Nov 2011 17:04:05 -0500
Subject: [PATCH] ipa-kdb: Delegation ACL schema

---
 install/share/60basev3.ldif |5 +
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 0e4303b1e2b247f751fad3aaeb2b418d3ffa16eb..104cffb2b70d97d4b83b9215234171801cf59b64 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -23,8 +23,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.16 NAME 'ipaNTTrustAuthIncoming' DESC
 attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.20 NAME 'memberPrincipal' DESC 'Principal names member of a groupOfPrincipals group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA-v3')
+attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC 'Principals that can be impersonated' SUP distinguishedName X-ORIGIN 'IPA-v3')
+attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3')
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTSecurityIdentifier $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
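Review bot: the DESC of ipaAllowedTarget reads 'Target principals alowed to get a ticket for' (typo, 'allowed'), and the three new attributeTypes tag X-ORIGIN 'IPA-v3' while every other line in this file, including the two new objectClasses, uses 'IPA v3'; worth aligning before the schema ships, since DESC and X-ORIGIN text is awkward to change once it has replicated. Consider also a DESC on groupOfPrincipals and ipaKrb5DelegationACL stating that membership is by principal name (memberPrincipal) and that ipaAllowToImpersonate and ipaAllowedTarget hold DNs of such groups (both are SUP distinguishedName): the delegation ACL is security-relevant and the schema is the only documentation a directory admin sees for it.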
-- 
1.7.7.1


Re: [Freeipa-devel] [PATCH] 315 Added commands into metadata.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:38 AM, Endi Sukma Dewata wrote:

On 11/18/2011 12:27 PM, Endi Sukma Dewata wrote:

Now the methods metadata seems to be a subset of the commands metadata, so we
probably can change the UI to use the commands metadata and not pull the
methods metadata.


I did this change in the updated patch. It seems to be working fine.


In the JSON API itself the parameters are specified as options, so the
order shouldn't matter to the UI. Is there a way to define the execute()
using unordered keywords? I'm trying to avoid changing the method
signature again in the future.


I replaced takes_args with takes_options, which takes care of the ordering
problem. I verified the old UI way of calling json_metadata still works.


Updated patch attached.


Web UI - ACK.
Server side - seems fine - I would give it an ACK, but I'm not sure if 
I'm the right person for it.



--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 316 Added support for radio buttons in table widget.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:39 AM, Endi Sukma Dewata wrote:

On 11/21/2011 12:18 PM, Endi Sukma Dewata wrote:

The table widget has been modified to support single-valued attribute
using radio buttons needed by some facets in HBAC Test. The widget now
uses 'pagination' flag to determine whether to show the pagination
control. The test data has also been updated.

Ticket #388


Updated patch attached.



ACK
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 317 Fixed entity metadata resolution.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:39 AM, Endi Sukma Dewata wrote:

On 11/21/2011 12:23 PM, Endi Sukma Dewata wrote:

The current code assumes that an entity will always have a corresponding
LDAPObject on the server, so it looks for the metadata in a fixed
location. This assumption doesn't work for HBAC Test since it is a
Command, not an LDAPObject, so the metadata has to be obtained from a
different location. A new method get_default_metadata() has been added
to allow each entity to find the metadata from the correct location.

Ticket #388


Updated patch attached.


ACK

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 318 Refactored facet.load().

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:40 AM, Endi Sukma Dewata wrote:

On 11/21/2011 12:29 PM, Endi Sukma Dewata wrote:

The load() in IPA.facet has been modified to accept the complete
data returned by the server instead of just the result. This is
needed by HBAC Test to access other attributes returned in the
test result.

Ticket #388


Updated patch attached.


ACK


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 319 Added HBAC Test page.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:41 AM, Endi Sukma Dewata wrote:

On 11/21/2011 12:38 PM, Endi Sukma Dewata wrote:

This is the initial implementation of the HBAC Test page. Currently it
can select user, source/target group, service, rules, and execute
the test. Other functionalities to be implemented include the search
filter, external users/hosts, back/next buttons, validation, styling,
and internationalization.

Ticket #388


Updated patch attached.



ACK

In the tables there are 3 boolean columns which are not translated. I'll wait with 
pushing my patch #51 and I'll add them there along with some issues you 
mentioned in that patch's review.


--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 320 Fixed navigation buttons for HBAC Test.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:41 AM, Endi Sukma Dewata wrote:

On 11/21/2011 7:31 PM, Endi Sukma Dewata wrote:

The Back, Next, and New Test buttons in HBAC Test have been fixed
to work properly.

Ticket #388


Updated patch attached.



NACK

CSS issues:

1) 'Collapse all' link in details facet is no longer aligned right.
2) Find button in association adder dialog has wrong size.
3) '' and '' buttons in association adder dialog cannot be clicked - 
in Chrome. In Firefox they work.


Other:
4) get_key_index method is defined twice in jQuery.ordered_map.

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 321 Fixed search filter in HBAC Test.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:42 AM, Endi Sukma Dewata wrote:

On 11/21/2011 7:33 PM, Endi Sukma Dewata wrote:

The search filter in HBAC Test has been fixed to work properly.

Ticket #388


Updated patch attached.



ACK
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 315 Added commands into metadata.

2011-12-06 Thread Rob Crittenden

Petr Vobornik wrote:

On 12/06/2011 06:38 AM, Endi Sukma Dewata wrote:

On 11/18/2011 12:27 PM, Endi Sukma Dewata wrote:

Now the methods metadata seems to be a subset of the commands metadata,
so we
probably can change the UI to use the commands metadata and not pull the
methods metadata.


I did this change in the updated patch. It seems to be working fine.


In the JSON API itself the parameters are specified as options, so the
order shouldn't matter to the UI. Is there a way to define the
execute()
using unordered keywords? I'm trying to avoid changing the method
signature again in the future.


I replaced takes_args with takes_options, which takes care of the ordering
problem. I verified the old UI way of calling json_metadata still works.


Updated patch attached.


Web UI - ACK.
Server side - seems fine - I would give it an ACK, but I'm not sure if
I'm the right person for it.




I think this is too radical a change. We can only bump the minor version 
in this release so while the api can be modified it still needs to be 
backwards compatible.


rob



Re: [Freeipa-devel] [PATCH] 322 Added external fields for HBAC Test.

2011-12-06 Thread Petr Vobornik

On 12/06/2011 06:47 AM, Endi Sukma Dewata wrote:

A text field has been added for specifying external user, host, and
service for HBAC testing.

Ticket #388



1) An exception occurs right after showing HBAC test page - user facet:
hbactest.js:364: if (that.selected_values[0] === '__external__') {
that.selected_values is undefined.

2) An exception occurs when you freshly open UI, go right for hbac test, 
from user facet you skip to run test and click on new test. It's 
because other facets are not created, so when calling reset 
that.external_radio is undefined.


--
Petr Vobornik



[Freeipa-devel] [PATCH] 910 fix memberof for privileges

2011-12-06 Thread Rob Crittenden
Some privileges were being created after the permissions that were 
pointing to them, causing the memberof to not be generated.


This patch reorders things for new installs and creates a PBAC memberof 
task that will correct an upgrade.


rob
From 259710708eda0e31ac3a048884bf678eb4bd0e74 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 6 Dec 2011 14:01:46 -0500
Subject: [PATCH] Reorder privileges so that memberof for permissions is
 generated properly.

The privilege was added after the permission causing the memberof to not
be generated.

Add a new task to regenerate memberof for existing PBAC to fix upgrades.

https://fedorahosted.org/freeipa/ticket/2058
https://fedorahosted.org/freeipa/ticket/2059
https://fedorahosted.org/freeipa/ticket/2060
https://fedorahosted.org/freeipa/ticket/2061
---
 install/updates/40-delegation.update   |   41 +++
 install/updates/55-pbacmemberof.update |   10 +++
 install/updates/Makefile.am|1 +
 3 files changed, 31 insertions(+), 21 deletions(-)
 create mode 100644 install/updates/55-pbacmemberof.update

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a852ba4..cd5b498 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -18,6 +18,12 @@ dn: $SUFFIX
 add:aci: '(targetattr = ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring)(target = ldap:///cn=ipaconfig,cn=etc,$SUFFIX; )(version 3.0 ; acl permission:Write IPA Configuration; allow (write) groupdn = ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX;)'
 
 # Host-Based Access Control
+dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: HBAC Administrator
+default:description: HBAC Administrator
 
 dn: cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
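Review bot: moving the HBAC Administrator privilege ahead of the permissions that list it in default:member only fixes fresh installs; on an existing server the entry is already there, so this default: stanza is skipped and the missing memberof values are left to the new install/updates/55-pbacmemberof.update task that appears in the diffstat but not in this excerpt. Make sure that task sorts after the 40- updates (the 55- prefix suggests it does), is safe to run repeatedly, and is verified on an actually upgraded instance, since that is the case the tickets are about. Minor style: the SUDO and Password Policy stanzas add a blank line before the first permission, while this one relies on the existing blank line; a blank line after '# Host-Based Access Control' would keep the sections uniform.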
@@ -82,13 +88,6 @@ default:objectClass: top
 default:cn: Manage HBAC service group membership
 default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
 
-dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: HBAC Administrator
-default:description: HBAC Administrator
-
 dn: $SUFFIX
 add:aci: '(target = ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Add HBAC rule;allow (add) groupdn = ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)'
 add:aci: '(target = ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Delete HBAC rule;allow (delete) groupdn = ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)'
@@ -102,6 +101,13 @@ add:aci: '(targetattr = member)(target = ldap:///cn=*,cn=hbacservicegroups,cn
 
 # SUDO
 
+dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Sudo Administrator
+default:description: Sudo Administrator
+
 dn: cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -165,13 +171,6 @@ default:objectClass: top
 default:cn: Manage Sudo command group membership
 default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
 
-dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: nestedgroup
-default:objectClass: groupofnames
-default:objectClass: top
-default:cn: Sudo Administrator
-default:description: Sudo Administrator
-
 dn: $SUFFIX
 add:aci: '(target = ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Add Sudo rule;allow (add) groupdn = ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX;)'
 add:aci: '(target = ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Delete Sudo rule;allow (delete) groupdn = ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX;)'
@@ -184,6 +183,13 @@ add:aci: '(target = ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX;)(version 3.0
 add:aci: '(targetattr = member)(target = ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX;)(version 3.0;acl permission:Manage Sudo command group membership;allow (write) groupdn = ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX;)'
 
 # Password Policy
+dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Administrator
+default:description: Password Policy Administrator
+
 dn: 

[Freeipa-devel] Announcing FreeIPA 2.1.4

2011-12-06 Thread Rob Crittenden

The FreeIPA team is proud to announce version 2.1.4.

It can be downloaded from http://www.freeipa.org/Downloads and should 
appear in the Fedora 15 and 16 updates-testing soon (still waiting for 
bodhi to push the builds). A rawhide (F-17) build is also available.


== Highlights in 2.1.4 ==

This is a security release; users are strongly advised to upgrade.

Specifically, it addresses CVE-2011-3636. A Cross-Site Request Forgery 
(CSRF) flaw was found in FreeIPA due to a lack of checking the Referer 
Header in the server (it is not set in the CLI utilities). If a remote 
attacker could trick a user, who was logged into the FreeIPA management 
interface, into visiting a specially-crafted URL, the attacker could 
perform FreeIPA configuration changes with the privileges of the logged 
in user.


Some bugs have been addressed too; the highlights are:

* Certificates in the UI are now displayed in PEM format
* systemd support in Fedora 16
* Change the way the Kerberos random salt is calculated to improve 
interoperability with Windows

* Fix nis netgroups, users and groups were not appearing
* Better handling of Kerberos realm to domain mapping

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
 # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.


There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader locks. This is a timing issue so it is difficult 
to predict. During testing one user experienced this and the upgrade hung. 
To break the hang kill the ns-slapd process for your realm, wait for the 
yum transaction to complete, then restart 389-ds and manually run the 
update process:


 # service dirsrv start
 # ipa-ldap-updater --update

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.


== Detailed Changelog for 2.1.3 ==

Alexander Bokovoy (4):
 * hbactest fails while you have svcgroup in hbacrule
 * Add support for systemd environments and use it to support Fedora 16
 * Spin for connection success also when socket is not (yet) available
 * Quote multiple workers option

Endi S. Dewata (1):
 * Added current password field.

Evgeny Sinelnikov (1):
 * ipa_kpasswd: Update selinux policies for ldap and urandom

John Dennis (1):
 * Unable to Download Certificate with Browser

Martin Kosek (8):
 * Fix client krb5 domain mapping and DNS
 * Fix ipa-managed-entries password option long form
 * Fix ipa-server-install answer cache
 * Fix ipa-replica-conncheck port labels
 * Fix ipa-managed-entries bind procedure
 * Let PublicError accept Gettext objects
 * Enable automember for upgraded servers
 * Make ipa-server-install clean after itself

Ondrej Hamada (1):
 * Client install root privileges check

Rob Crittenden (4):
 * Fix problems in help system
 * Fix nis netgroup config entry so users appear in netgroup triple.
 * Don't allow default objectclass list to be empty.
 * Require an HTTP Referer header in the server. Send one in ipa tools. 
(CVE-2011-3636)


Simo Sorce (1):
 * Modify random salt creation for interoperability
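
A server-side Referer check of the kind this release describes (reject API requests whose Referer is missing or comes from another origin), written as an added example in Python; it is not FreeIPA's own code. The WSGI wrapper, the API paths /ipa/json and /ipa/xml, the host name ipa.example.test and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit


class RefererError(Exception):
    """Raised when a request must be refused by the CSRF check."""


def referer_check(environ, allowed_hosts):
    """Validate the Referer of a WSGI request and return it, or raise RefererError.

    The rules follow the fix the announcement describes: the header must be
    present (the pre-2.1.4 CLI tools never sent one, which is why they stop
    working against a fixed server), it must be an https URL, and its host
    must be this server, so a page served from another origin cannot drive
    the API with the victim's browser session.
    """
    referer = environ.get("HTTP_REFERER")
    if not referer:
        raise RefererError("missing HTTP Referer header")
    parts = urlsplit(referer)
    if parts.scheme != "https":
        raise RefererError("Referer must be https, got %r" % parts.scheme)
    # urlsplit().hostname is lower-cased and excludes any user@ prefix, so
    # 'https://ipa.example.test@evil.example.net/' yields the evil host.
    host = parts.hostname or ""
    if host not in allowed_hosts:  # exact match: no suffix/prefix tricks
        raise RefererError("Referer host %r is not this server" % host)
    return referer


def csrf_middleware(app, allowed_hosts, protected=("/ipa/json", "/ipa/xml")):
    """Wrap a WSGI app so that POSTs to the API paths need a matching Referer.

    The protected paths are an assumption of this example. GET requests for
    the UI itself are left alone so the browser can load the pages that
    will later carry a legitimate Referer.
    """
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("REQUEST_METHOD") == "POST" and path.startswith(protected):
            try:
                referer_check(environ, allowed_hosts)
            except RefererError as exc:
                body = ("Rejected: %s" % exc).encode("utf-8")
                start_response("403 Forbidden",
                               [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
                return [body]
        return app(environ, start_response)
    return wrapped


def _ok_app(environ, start_response):
    """Stand-in for the real API handler (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


SERVER_HOSTS = frozenset({"ipa.example.test"})  # assumed server name


def run_request(method, path, referer=None):
    """Drive the wrapped app with a constructed request; return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    list(csrf_middleware(_ok_app, SERVER_HOSTS)(environ, start_response))
    return seen["status"]


if __name__ == "__main__":
    # Browser UI served by this server: allowed.
    print(run_request("POST", "/ipa/json", "https://ipa.example.test/ipa/ui/"))
    # Old CLI tool that sends no Referer: refused (the compatibility break).
    print(run_request("POST", "/ipa/json"))
    # Lure page on another origin driving the XML-RPC endpoint: refused.
    print(run_request("POST", "/ipa/xml", "https://evil.example.net/lure.html"))
```

The check is deliberately an exact host comparison rather than a prefix or suffix match, so names such as ipa.example.test.evil.net are refused as well.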



[Freeipa-devel] [PATCH] pushed one-liner

2011-12-06 Thread Rob Crittenden
I noticed an extraneous trailing quote on nis.uldif, I pushed the fix as 
a one-liner.


diff --git a/install/share/nis.uldif b/install/share/nis.uldif
index 7567b5a..6ff575f 100644
--- a/install/share/nis.uldif
+++ b/install/share/nis.uldif
@@ -68,5 +68,5 @@ default:nis-map: netgroup
 default:nis-base: cn=ng, cn=alt, $SUFFIX
 default:nis-filter: (objectClass=ipanisNetgroup)
 default:nis-key-format: %{cn}
-default:nis-value-format:%merge( 
,%{memberNisNetgroup},(%link(\%ifeq(\\\hostCategory\\\,\\\all\\\,\\,\\\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\\\)\,\-\,\,\,\%ifeq(\\\userCategory\\\,\\\all\\\,\\,\\\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\\\)\,\-\),%{nisDomainName:-}))'
+default:nis-value-format:%merge( 
,%{memberNisNetgroup},(%link(\%ifeq(\\\hostCategory\\\,\\\all\\\,\\,\\\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\\\)\,\-\,\,\,\%ifeq(\\\userCategory\\\,\\\all\\\,\\,\\\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\\\)\,\-\),%{nisDomainName:-}))

 default:nis-secure: no
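Review bot: the only change is dropping the stray closing ' at the very end of the nis-value-format value, and since the value never had an opening quote the old line handed the NIS map plugin a format string ending in a literal quote, so the fix is right. A value this long and this heavily escaped still deserves a functional check on a running server (for example that netgroup lookups return the expected host and user triples) rather than only confirming that the uldif loads.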
--



Re: [Freeipa-devel] [PATCH] 908 make some fields required

2011-12-06 Thread Rob Crittenden

Rob Crittenden wrote:

Endi Sukma Dewata wrote:

On 11/28/2011 12:09 PM, Rob Crittenden wrote:

Some attributes in the framework were not marked as required even though
they are in the schema. These are typically computed values and I think
the intention was to not prompt for them. This has the side-effect of
them showing as not required in the UI even though they are.

Since they all have default values set they won't be prompted for on the
CLI so there won't be any practical changes.


This patch fixes the problem with required attributes in DNS Zones and
cn, uidNumber, and gidNumber in Users. The UI now shows the required
indicators for these attributes. So this patch is ACKed.

Some problems mentioned in ticket #2015 are still present:

1. Removing the homeDirectory from a user fails because it's required by
posixAccount.

2. Removing the gidNumber from a group fails because it's required by
posixGroup.

3. Removing config attributes listed in the ticket generates internal
error. I think at least the server should return a proper error message.
The required indicator can be hard-coded in the UI if necessary.



I know you acked this already but I went ahead and addressed #1 and #2
and updated the patch.

For #3 I filed a new ticket, https://fedorahosted.org/freeipa/ticket/2159

rob


ACKed by Endi in IRC, pushed to master.

rob



Re: [Freeipa-devel] [PATCH] ipa-client-install with --no-sssd option should check for nss_ldap

2011-12-06 Thread Rob Crittenden

Ondrej Hamada wrote:

On 12/02/2011 04:16 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 11/29/2011 10:33 PM, Rob Crittenden wrote:

Ondrej Hamada wrote:

On 11/11/2011 02:55 PM, Ondrej Hamada wrote:

https://fedorahosted.org/freeipa/ticket/2063

In order to check the presence of nss_ldap when installing a client with
the '--no-sssd' option, code was added into ipa-client-install. The check
is based on the existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Presence of any of these files is considered
success, otherwise failure.




I've rewritten it. Additionally it checks for the existence of nss-pam-ldapd
and makes the results reusable by the configure_{ldap|nslcd}_conf()
functions.

https://fedorahosted.org/freeipa/ticket/2063

In order to check the presence of nss_ldap or nss-pam-ldapd when installing
a client with the '--no-sssd' option, code was added into ipa-client-install.
Checking is based on the existence of nss_ldap configuration files. This
configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally nss_ldap could cooperate with the
pam_ldap module, and hence its presence is checked by looking for the
'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against the
existence of the 'nslcd.conf' file. All this checking is done by the
function nssldap_exists(). Because both main modules are maintained by two
different functions, the function returns a tuple containing a return code
and a dictionary structure: its key is the name of the target function and
its value is a list of existing configuration files. Files to check are
specified inside the nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They accept one more
parameter, which is a list of existing files. They are not checking the
existence of the above mentioned files anymore.


The patch looks good, just a couple of issues.

1. In the nslcd configurator you add ''.join(files). Did you mean
','.join(files)?

2. The commit message lines wrap making it difficult to read. Can you
limit the lines to ~70 chars per line?

3. I think the message printed when neither package is available can
be simplified to:

One of these packages must be installed: nss_ldap or nss-pam-ldapd

It needs a rebase too.

rob

corrected, corrected, changed, rebased



In order to check the presence of nss_ldap or nss-pam-ldapd when
installing a client with the '--no-sssd' option, code was added
into ipa-client-install. Checking is based on the existence
of one of the nss_ldap configuration files. This configuration
could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionally nss_ldap could
cooperate with the pam_ldap module, and hence its presence
is checked by looking for the 'pam_ldap.conf' file. Existence
of nss-pam-ldapd is checked against the existence of the
'nslcd.conf' file. All this checking is done by the function
nssldap_exists(). Because both modules are maintained by
two different functions, the function returns a tuple
containing a return code and a dictionary structure: its
key is the name of the target function and its value is a
list of existing configuration files. Files to check are
specified inside the nssldap_exists() function.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They
accept one more parameter, which is a list of existing files.
They are not checking the existence of the above mentioned
files anymore.

https://fedorahosted.org/freeipa/ticket/2063



Can you add a block header to nssldap_exists()? I think in particular
you need explain that it returns 1 and 0 because that value can
eventually be the return value of the installer itself (normally an
exists would return True/False).

I've changed it to return True/False and added a comment


Seeing a traceback:

# ipa-client-install --no-sssd

[ snip ]

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
LDAP enabled
Kerberos 5 enabled
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1294, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1281, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1211, in install
    (retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm,
cli_domain, cli_server, dnsok, options)
TypeError: configure_ldap_conf() takes exactly 8 arguments (7 given)

rob

corrected



ack, pushed to master



Re: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA 2.1.4

2011-12-06 Thread Simo Sorce
Thanks Rob for all the great work!


I want to add just one warning that may escape users' attention.

Due to the need to address the CSRF attack, our command line tools
(including ipa-client-install) will not work on newer servers until you
upgrade those clients. The reason is that the old tools never sent the
Referer header.

The newer tools should work w/o any issue against an old server.

Unfortunately although CSRF attacks are a concern only when using the
Web UI, we had to break compatibility because a browser could be
subverted to use the xml-rpc interface used by the CLI tools, and we
couldn't leave that hole open even though this means we are breaking
backwards compatibility.

So if you need to have a gradual upgrade you should start from clients
(and install images) before upgrading the server.

Keep in mind though that the flaw will not be fixed until you upgrade
the server. So, although the flaw is not really critical (IMO), you
should not delay upgrades too long in production environments and be
careful on administrative clients where you use admin credentials.

HTH,
Simo.

On Tue, 2011-12-06 at 14:26 -0500, Rob Crittenden wrote:
 The FreeIPA team is proud to announce version 2.1.4.
 
 It can be downloaded from http://www.freeipa.org/Downloads and should 
 appear in the Fedora 15 and 16 updates-testing soon (still waiting for 
 bohdi to push the builds). A rawhide (F-17) build is also available.
 
 == Highlights in 2.1.4 ==
 
 This is a security release, users are strongly advised to upgrade.
 
 Specifically, it addresses CVE-2011-3636. A Cross-Site Request Forgery 
 (CSRF) flaw was found in FreeIPA due to a lack of checking the Referer 
 Header in the server (it is not set in the CLI utilities). If a remote 
 attacker could trick a user, who was logged into the FreeIPA management 
 interface, into visiting a specially-crafted URL, the attacker could 
 perform FreeIPA configuration changes with the privileges of the logged 
 in user.
 
 Some bugs have been addressed too, the highlights are:
 
 * Certificates in the UI are now displayed in PEM format
 * systemd support in Fedora 16
 * Change the way the Kerberos random salt is calculated to improve 
 interoperability with Windows
 * Fix nis netgroups, users and groups were not appearing
 * Better handling of Kerberos realm to domain mapping
 
 == Upgrading ==
 
 === Server ===
 
 To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
   # yum update freeipa-server --enablerepo=updates-testing
 
 This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
 packages (and perhaps some others). A script will be executed in the rpm 
 postinstall phase to update the IPA LDAP server with any required changes.
 
 There is a bug reported against 389-ds, 
 https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
 read-write locks. The NSPR RW lock implementation does not safely allow 
 re-entrant use of reader locks. This is a timing issue so it is difficult 
 to predict. During 
 testing one user experienced this and the upgrade hung. To break the 
 hang kill the ns-slapd process for your realm, wait for the yum 
 transaction to complete, then restart 389-ds and manually run the update 
 process:
 
   # service dirsrv start
   # ipa-ldap-updater --update
 
 === Client ===
 
 The ipa-client-install tool in the ipa-client package is just a 
 configuration tool. There should be no need to re-run this on every 
 client already enrolled.
 
 == Detailed Changelog for 2.1.3 ==
 
 Alexander Bokovoy (4):
   * hbactest fails while you have svcgroup in hbacrule
   * Add support for systemd environments and use it to support Fedora 16
   * Spin for connection success also when socket is not (yet) available
   * Quote multiple workers option
 
 Endi S. Dewata (1):
   * Added current password field.
 
 Evgeny Sinelnikov (1):
   * ipa_kpasswd: Update selinux policies for ldap and urandom
 
 John Dennis (1):
   * Unable to Download Certificate with Browser
 
 Martin Kosek (8):
   * Fix client krb5 domain mapping and DNS
   * Fix ipa-managed-entries password option long form
   * Fix ipa-server-install answer cache
   * Fix ipa-replica-conncheck port labels
   * Fix ipa-managed-entries bind procedure
   * Let PublicError accept Gettext objects
   * Enable automember for upgraded servers
   * Make ipa-server-install clean after itself
 
 Ondrej Hamada (1):
   * Client install root privileges check
 
 Rob Crittenden (4):
   * Fix problems in help system
   * Fix nis netgroup config entry so users appear in netgroup triple.
   * Don't allow default objectclass list to be empty.
   * Require an HTTP Referer header in the server. Send one in ipa tools. 
 (CVE-2011-3636)
 
 Simo Sorce (1):
   * Modify random salt creation for interoperability
 
 ___
 Freeipa-users mailing list
 freeipa-us...@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York
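
The Referer requirement Simo describes above, as an added example that is not FreeIPA's code: a server-side check an RPC endpoint can run before dispatching a request. The server hostname, the helper names and the sample requests are assumptions constructed for the illustration. It also shows why the compatibility break follows from the fix: a request with no Referer at all, which is what the pre-2.1.4 CLI tools sent, has to be rejected the same way as one carrying a foreign origin, otherwise a page that suppresses the header would bypass the check.

```python
from urllib.parse import urlsplit

# Assumed hostname of the IPA server whose RPC endpoint is being protected
# (an assumption for this example, not a value from the page).
SERVER_HOST = "ipa.example.com"


def referer_allowed(headers, server_host=SERVER_HOST):
    """Return True only if the Referer header names this server over HTTPS.

    A browser fills Referer in automatically, so a cross-site page that makes
    an XML-RPC call carries the attacker's origin, or no header at all if the
    page suppresses it.  Absence is therefore a failure: an old CLI that never
    sends Referer is indistinguishable from a stripped one.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    # Compare the parsed scheme and hostname, never a string prefix: a prefix
    # test would accept "https://ipa.example.com.attacker.test/" and the
    # userinfo trick "https://ipa.example.com@attacker.test/".
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname == server_host.lower()


def handle_rpc(headers, body, server_host=SERVER_HOST):
    """Dispatch an RPC body only when the Referer check passes.

    Returns (status, payload).  Dispatching is a placeholder so the function
    stays self-contained; the body is treated as opaque bytes.
    """
    if not referer_allowed(headers, server_host):
        return 403, "Forbidden: missing or foreign Referer"
    return 200, "dispatched %d bytes" % len(body)


# Constructed sample request headers (not captured traffic).
SAMPLE_REQUESTS = {
    "browser_ui": {"Referer": "https://ipa.example.com/ipa/ui/"},
    "old_cli": {},  # pre-2.1.4 ipa tools sent no Referer at all
    "cross_site": {"Referer": "https://attacker.test/csrf.html"},
    "lookalike": {"Referer": "https://ipa.example.com.attacker.test/"},
    "userinfo": {"Referer": "https://ipa.example.com@attacker.test/"},
    "plain_http": {"Referer": "http://ipa.example.com/ipa/ui/"},
}


def classify_samples():
    """Return {sample name: HTTP status} for the constructed requests above."""
    return {name: handle_rpc(hdrs, b"<methodCall/>")[0]
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in classify_samples().items():
        print("%-12s -> %d" % (name, status))
```

Rejecting an absent Referer is what makes the check meaningful, and it is exactly what breaks the older CLI: a tool that wants to keep calling the endpoint must set the header itself, as the 2.1.4 tools do. The check is only as good as the parse, which is why the example compares the parsed hostname rather than the start of the string.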


Re: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA 2.1.4

2011-12-06 Thread JR Aquino
On Dec 6, 2011, at 1:09 PM, Simo Sorce wrote:

 Thanks Rob for all the great work!
 
 
 I want to add just one warning that may escape users attention.
 
 Due to the need to address the CSRF attack, our command line tools
 (including ipa-client-install) will not work on newer servers until you
 upgrade those clients. The reason is that the old tools never sent the
 Referer header.

How do you upgrade your clients if they are RHEL and the Server is Fedora?

 
 The newer tools should work w/o any issue against an old server.
 
 Unfortunately although CSRF attacks are a concern only when using the
 Web UI, we had to break compatibility because a browser could be
 subverted to use the xml-rpc interface used by the CLI tools, and we
 couldn't leave that hole open even though this means we are breaking
 backwards compatibility.
 
 So if you need to have a gradual upgrade you should start from clients
 (and install images) before upgrading the server.
 
 Keep in mind though that the flaw will not be fixed until you upgrade
 the server. So, although the flaw is not really critical (IMO), you
 should not delay upgrades too long in production environments and be
 careful on administrative clients where you use admin credentials.
 
 HTH,
 Simo.



Re: [Freeipa-devel] [PATCH] 315 Added commands into metadata.

2011-12-06 Thread Rob Crittenden

Endi Sukma Dewata wrote:

On 12/6/2011 10:30 AM, Rob Crittenden wrote:

Updated patch attached.


Web UI - ACK.
Server side - seems fine - I would give it an ACK, but I'm not sure if
I'm the right person for it.


I think this is too radical a change. We can only bump the minor version
in this release so while the api can be modified it still needs to be
backwards compatible.


New patch attached. The existing arguments are retained, new options are
added.



ACK on framework changes.

rob



Re: [Freeipa-devel] [PATCH] 316 Added support for radio buttons in table widget.

2011-12-06 Thread Endi Sukma Dewata

On 12/6/2011 8:28 AM, Petr Vobornik wrote:

ACK


Pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 317 Fixed entity metadata resolution.

2011-12-06 Thread Endi Sukma Dewata

On 12/6/2011 8:29 AM, Petr Vobornik wrote:

ACK


Pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 315 Added commands into metadata.

2011-12-06 Thread Endi Sukma Dewata

On 12/6/2011 4:02 PM, Rob Crittenden wrote:

Web UI - ACK.
Server side - seems fine - I would give it an ACK, but I'm not sure if
I'm the right person for it.


I think this is too radical a change. We can only bump the minor version
in this release so while the api can be modified it still needs to be
backwards compatible.


New patch attached. The existing arguments are retained, new options are
added.


ACK on framework changes.


Pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 318 Refactored facet.load().

2011-12-06 Thread Endi Sukma Dewata

On 12/6/2011 8:52 AM, Petr Vobornik wrote:

ACK


Pushed to master.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 319 Added HBAC Test page.

2011-12-06 Thread Endi Sukma Dewata

On 12/6/2011 9:06 AM, Petr Vobornik wrote:

ACK

In tables are 3 boolean columns which are not translated. I'll wait with
pushing my patch #51 and I'll add them there along with some issues you
mentioned in that patch' review.


Thanks. Pushed to master.

--
Endi S. Dewata



[Freeipa-devel] [PATCH] 911 ensure confidential minssf

2011-12-06 Thread Rob Crittenden
Ensure that we always use at least 56 for minssf when communicating with 
389-ds. This will prevent someone from modifying /etc/openldap/ldap.conf 
in a way to put all communication in the clear.


See the ticket for testing information.

rob
From 04303a4227a7da2c0de2a0f0d35fc2e0691c31f3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 6 Dec 2011 17:36:15 -0500
Subject: [PATCH] Require minimum SSF 1, confidentiality. Also ensure minssf <=
 maxssf.

This ensures a correct configuration in case a user has created their
own openldap config file and set SASL_SECPROPS to something bad.

Note that this doesn't modify the 389-ds setting which by default is 0.

https://fedorahosted.org/freeipa/ticket/2021
---
 ipaserver/plugins/ldap2.py |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 4bfc849..95a88e6 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -450,6 +450,15 @@ class ldap2(CrudBackend, Encoder):
 conn = _ldap.initialize(self.ldap_uri)
 if self.ldap_uri.startswith('ldapi://') and ccache:
 conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
+minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
+maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
+# Always connect with at least an SSF of 1, confidentiality
+# This also protects us from a broken ldap.conf
+if minssf = 0:
+minssf = 1
+conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf)
+if maxssf  minssf:
+conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
 if ccache is not None:
 os.environ['KRB5CCNAME'] = ccache
 conn.sasl_interactive_bind_s('', SASL_AUTH)
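Review bot: the floor set on the `minssf = 1` line is not confidentiality. In Cyrus SASL terms an SSF of 1 means integrity protection only; encryption is implied only by values above 1, and the value the cover letter promises is 56. Change the constant to 56 so the comment `# Always connect with at least an SSF of 1, confidentiality` becomes true, and keep it in one named constant so the commit subject, the comment and the code cannot drift apart again. Separately, when `maxssf` is below the new minimum the hunk pins it to exactly `minssf`; if the mechanism then negotiates a layer stronger than that value the bind fails, so when you do have to raise `maxssf` prefer leaving it unlimited rather than raising it only as far as the floor.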
-- 
1.7.6


Re: [Freeipa-devel] [PATCH] 911 ensure confidential minssf

2011-12-06 Thread Rob Crittenden

Rob Crittenden wrote:

Ensure that we always use at least 56 for minssf when communicating with
389-ds. This will prevent someone from modifying /etc/openldap/ldap.conf
in a way to put all communication in the clear.

See the ticket for testing information.

rob


Note that it should be setting minssf to 56 and not 1 here. I hadn't 
committed that change yet, I'll fix before pushing if acked.


rob
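
As an added example (not FreeIPA code) of the check this patch is about, the following reads the client-side `SASL_SECPROPS` line from an ldap.conf text, interprets the SSF numbers, and computes the values a client should force before binding. The ldap.conf content is constructed, the 56 floor follows Rob's follow-up, and the defaults assumed when no `SASL_SECPROPS` line is present (minssf 0, maxssf unlimited) are an assumption for the example. The SSF meanings are the Cyrus SASL convention: 0 is no protection, 1 is integrity only, and larger values are the approximate key strength in bits of the confidentiality layer.

```python
import re

# Matches an uncommented SASL_SECPROPS line; OpenLDAP keywords are case-insensitive.
SECPROPS_LINE = re.compile(r"^\s*SASL_SECPROPS\s+(.+?)\s*$",
                           re.IGNORECASE | re.MULTILINE)

# Floor from the patch discussion: 56, not 1, because SSF 1 is integrity-only.
CONFIDENTIAL_MINSSF = 56


def parse_secprops(ldap_conf_text):
    """Return (minssf, maxssf, flags) from the last SASL_SECPROPS line.

    maxssf None means unlimited.  The defaults used when the line is absent
    (0 and unlimited) are an assumption for this example.
    """
    minssf, maxssf, flags = 0, None, set()
    for match in SECPROPS_LINE.finditer(ldap_conf_text):
        for prop in match.group(1).split(","):
            prop = prop.strip()
            if not prop:
                continue
            key, sep, val = prop.partition("=")
            key = key.strip().lower()
            if sep and key == "minssf":
                minssf = int(val)
            elif sep and key == "maxssf":
                maxssf = int(val)
            elif not sep:
                flags.add(key)
    return minssf, maxssf, flags


def describe_ssf(ssf):
    """Human-readable meaning of an SSF value under the Cyrus SASL convention."""
    if ssf <= 0:
        return "no protection"
    if ssf == 1:
        return "integrity only"
    return "confidentiality (~%d-bit)" % ssf


def enforce_confidential(minssf, maxssf, floor=CONFIDENTIAL_MINSSF):
    """Return the (minssf, maxssf) pair a client should set before binding.

    Raises minssf to the floor.  If an explicit maxssf would then sit below
    the minimum (an empty range, so every bind would fail) it is raised to the
    same value; an unlimited maxssf (None) is left alone.
    """
    new_min = max(minssf, floor)
    new_max = maxssf
    if maxssf is not None and maxssf < new_min:
        new_max = new_min
    return new_min, new_max


def audit(ldap_conf_text):
    """Summarise what the file asks for and what will actually be enforced."""
    minssf, maxssf, _flags = parse_secprops(ldap_conf_text)
    return {
        "configured": (minssf, maxssf),
        "configured_meaning": describe_ssf(minssf),
        "enforced": enforce_confidential(minssf, maxssf),
        "weakened": minssf < CONFIDENTIAL_MINSSF,
    }


# Constructed sample ldap.conf contents (not real hosts or real files).
WEAK_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
URI ldap://ipa.example.com
BASE dc=example,dc=com
SASL_SECPROPS noanonymous,minssf=0,maxssf=0
"""

DEFAULT_LDAP_CONF = """\
URI ldap://ipa.example.com
BASE dc=example,dc=com
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_LDAP_CONF), ("default", DEFAULT_LDAP_CONF)):
        print(label, audit(text))
```

The point the patch makes is that the server setting is not enough: a client whose ldap.conf says `maxssf=0` will happily bind in the clear unless the client code refuses to, so the enforcement belongs in the client code path and not only in the default ldap.conf that the installer writes.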



[Freeipa-devel] Display the value of memberOf ACIs in permission plugin.

2011-12-06 Thread Rob Crittenden

There were two problems:

1. memberof wasn't in the list of things we looked for in the return 
value from aci_show()

2. The value wasn't being translated into a group name.

Use the DN class to retrieve the group name from the memberof URI.

Note that I changed the parsing for targetgroup as well. We now save a 
lookup and avoid potentially returning a NotFound if an aci points to a group 
that no longer exists.


https://fedorahosted.org/freeipa/ticket/2100

rob
From 8fe31617d48e85711be3a242bcd5e4f12e79c7fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 6 Dec 2011 18:15:41 -0500
Subject: [PATCH] Display the value of memberOf ACIs in permission plugin.

There were two problems:

1. memberof wasn't in the list of things we looked for in the return value
   from aci_show()
2. The value wasn't being translated into a group name.

Use the DN class to retrieve the group name from the memberof URI.

Note that I changed the parsing for targetgroup as well. We now save a lookup
and avoid potentially returning a NotFound if an aci points to a group that no
longer exists.

https://fedorahosted.org/freeipa/ticket/2100
---
 ipalib/plugins/aci.py   |   11 +++--
 ipalib/plugins/permission.py|2 +-
 tests/test_xmlrpc/test_permission_plugin.py |   56 +++
 3 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7ace05e..4b85bc9 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -122,6 +122,7 @@ from ipalib import api, crud, errors
 from ipalib import Object, Command
 from ipalib import Flag, Int, Str, StrEnum
 from ipalib.aci import ACI
+from ipalib.dn import DN
 from ipalib import output
 from ipalib import _, ngettext
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -312,8 +313,10 @@ def _aci_to_kw(ldap, a, test=False):
 kw['attrs'] = tuple(kw['attrs'])
 if 'targetfilter' in a.target:
 target = a.target['targetfilter']['expression']
-if target.startswith('(memberOf') or target.startswith('memberOf'):
-kw['memberof'] = unicode(target)
+if target.startswith('(memberOf=') or target.startswith('memberOf='):
+(junk, memberof) = target.split('memberOf=', 1)
+memberof = DN(memberof)
+kw['memberof'] = memberof['cn']
 else:
 kw['filter'] = unicode(target)
 if 'target' in a.target:
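Review bot: the split on the `target.split('memberOf=', 1)` line keeps everything after the attribute name, so for the parenthesised form matched by `target.startswith('(memberOf=')` the closing `)` of the filter stays attached to the last RDN value handed to `DN()`; strip the enclosing parentheses before splitting so the DN is parsed cleanly. The two `startswith` tests are also case-sensitive while LDAP attribute names are not, so a filter written as `(memberof=...)` falls through to the `kw['filter']` branch exactly as it did before the change; compare against `target.lower()`. Finally, `memberof['cn']` raises if the DN in the filter has no cn RDN (anything other than a group DN); catch that and fall back to `kw['filter'] = unicode(target)` rather than failing the whole show.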
@@ -332,8 +335,8 @@ def _aci_to_kw(ldap, a, test=False):
 # targetgroup attr, otherwise we consider it a subtree
 if api.env.container_group in target:
 targetdn = unicode(target.replace('ldap:///',''))
-(dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
-kw['targetgroup'] = entry_attrs['cn'][0]
+target = DN(targetdn)
+kw['targetgroup'] = target['cn']
 else:
 kw['subtree'] = unicode(target)
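Review bot: replacing the `ldap.get_entry(targetdn, ['cn'])` lookup with `DN(targetdn)['cn']` means `targetgroup` now reports the name written in the ACI even when that group has since been deleted, so the NotFound the commit message mentions is traded for silently showing a stale group; that is acceptable for display, but the comment above the `if api.env.container_group in target:` line should say so. `target['cn']` also assumes the DN under the group container carries a cn RDN; for a hand-written ACI that does not, the resulting exception would break `aci_show` for every permission, so guard it and fall back to `kw['subtree'] = unicode(target)`.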
 
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index c48979f..457fe80 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -98,7 +98,7 @@ class permission(LDAPObject):
 'memberindirect', 'ipapermissiontype',
 ]
 aci_attributes = ['group', 'permissions', 'attrs', 'type',
-'filter', 'subtree', 'targetgroup',
+'filter', 'subtree', 'targetgroup', 'memberof',
 ]
 attribute_members = {
 'member': ['privilege'],
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index a116a66..e9017a7 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -438,4 +438,60 @@ class test_permission(Declarative):
 )
 ),
 
+
+dict(
+desc='Create memberof permission %r' % permission1,
+command=(
+'permission_add', [permission1], dict(
+ memberof=u'editors',
+ permissions=u'write',
+)
+),
+expected=dict(
+value=permission1,
+summary=u'Added permission %s' % permission1,
+result=dict(
+dn=lambda x: DN(x) == permission1_dn,
+cn=[permission1],
+objectclass=objectclasses.permission,
+memberof=u'editors',
+permissions=[u'write'],
+),
+),
+),
+
+
+dict(
+desc='Delete %r' % permission1,
+command=('permission_del', [permission1], {}),
+expected=dict(
+result=dict(failed=u''),
+value=permission1,
+summary=u'Deleted permission %s' % permission1,
+)
+),
+
+
+dict(
+desc='Create targetgroup permission 

[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.

2011-12-06 Thread Rob Crittenden

Resending as a [PATCH]

Re: [Freeipa-devel] [PATCH] 56 Add new Param method for marshalling values from complex data types

2011-12-06 Thread Jan Cholasta

On 27.10.2011 14:08, Jan Cholasta wrote:

Add new Param method for marshalling values from complex data types to
primitive data types suitable for transmission over RPC.

This change makes it possible to use complex data types (like
python-netaddr IPAddress) in parameters.

https://fedorahosted.org/freeipa/ticket/2033

This will help implementing IP address parameter types properly in
https://fedorahosted.org/freeipa/ticket/1487 .



Self-NACK, I need to redo this on top of Martin's patch 163.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] Hashbang line in IPA scripts

2011-12-06 Thread Jan Cholasta

On 2.12.2011 17:00, Simo Sorce wrote:

On Fri, 2011-12-02 at 15:50 +0100, Jan Cholasta wrote:

Hi,

We currently use this hashbang line in IPA scripts:

  #! /usr/bin/python -E

IMHO this should be changed to point to the Python 2 binary specifically:

  #! /usr/bin/python2 -E

for the sake of distros which symlink /usr/bin/python to the Python 3
binary by default (Fedora 17?).

Honza


Send a patch, but is python2 guaranteed to be always available (thinking
RHEL for example)?

Simo.



An option is to use distutils (setup.py) on all the scripts, as it 
automatically changes the hashbang line to point to the correct interpreter.


Honza

--
Jan Cholasta
