Re: [Freeipa-devel] [PATCHES 0024, 0025] Classless support for reverse domains
Hi,

On 31.1.2014 16:06, Martin Basti wrote:
> Reverse domain names in form 0/28.0.10.10.in-addr.arpa. are now allowed.
> Ticket: https://fedorahosted.org/freeipa/ticket/4143
> Patches attached.

I think the validation should be more strict. IPv4 reverse zones should allow slash only in the label for the last octet (i.e. 0/25.1.168.192 is valid, 0.1/25.168.192 is not). IPv6 reverse zones should not allow slash at all.

> +def _cname_hostname_validator(ugettext, value):

Can you name this _bind_cname_hostname_validator, so that it is clear it is related to _bind_hostname_validator?

> +#classless reverse zones can contain slash '/'
> +if not zone_is_reverse(normalized_zone) and (normalized_zone.count('/') > 0):
> +raise errors.ValidationError(name='name',
> +error=_(Only reverse zones can contain '/' in labels))

This should be handled in _domain_name_validator. Validation in pre_callback should be done only when the validation depends on values of multiple parameters, which is not the case here.

> +def _reverse_zone_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):

Rename this to _idnsname_pre_callback and you won't have to call it explicitly in run_precallback_validators.

> +if addr.count('/') > 0:

I think if '/' in addr: would be better.

> -def validate_dns_label(dns_label, allow_underscore=False):
> +def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):

IMO instead of adding a new boolean argument, it would be nicer to replace allow_underscore with an argument (e.g. allowed_chars) which takes a string of extra allowed characters.

Honza

-- 
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158. Honza -- Jan Cholasta From 3b94a8757d8c3f1867cb6e8f8f2bb1d27d6ee5ac Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 6 Feb 2014 12:33:43 +0100 Subject: [PATCH] Remove sourcehostcategory from the default HBAC rule. https://fedorahosted.org/freeipa/ticket/4158 --- install/share/default-hbac.ldif | 1 - ipaserver/install/plugins/Makefile.am| 1 + ipaserver/install/plugins/update_hbac.py | 52 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 ipaserver/install/plugins/update_hbac.py diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif index b7b6ba2..52fd30e 100644 --- a/install/share/default-hbac.ldif +++ b/install/share/default-hbac.ldif @@ -7,7 +7,6 @@ cn: allow_all accessruletype: allow usercategory: all hostcategory: all -sourcehostcategory: all servicecategory: all ipaenabledflag: TRUE description: Allow all users to access any host from any host diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 624e826..66895aa 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -11,6 +11,7 @@ app_PYTHON = \ update_services.py \ update_anonymous_aci.py \ update_pacs.py \ + update_hbac.py \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/update_hbac.py b/ipaserver/install/plugins/update_hbac.py new file mode 100644 index 000..3632c21 --- /dev/null +++ b/ipaserver/install/plugins/update_hbac.py 
@@ -0,0 +1,52 @@ +# Authors: +# Jan Cholasta jchol...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + +from ipaserver.install.plugins.baseupdate import PostUpdate +from ipalib import errors +from ipalib.plugable import Registry +from ipapython.dn import DN + +register = Registry() + +@register() +class update_default_hbac(PostUpdate): + +Remove sourcehostcategory from the default HBAC rule. + + +def execute(self, **options): +ldap = self.obj.backend + +base_dn = DN(self.api.env.container_hbac, self.api.env.basedn) +filter = (cn=allow_all) +try: +entries = ldap.get_entries(base_dn=base_dn, filter=filter, + attrs_list=[]) +except errors.NotFound: +return (False, False, []) + +dn = entries[0].dn +update = { +dn: { +'dn': dn, +'updates': ['remove:sourcehostcategory: all'], +}, +} + +return (False, True, [update]) -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
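Review bot: in update_hbac.py's execute(), the search with `filter = (cn=allow_all)` under the HBAC container takes `entries[0].dn` without checking how many entries came back, so a second rule with the same cn would silently get the wrong entry updated; narrow the filter to the HBAC rule objectclass and handle `len(entries) != 1` explicitly instead of assuming one match. Also, `attrs_list=[]` means the plugin cannot tell whether sourcehostcategory is still present, so the `remove:sourcehostcategory: all` update is emitted on every upgrade run; fetching the attribute and returning `(False, False, [])` when it is already gone keeps the plugin idempotent. Minor: `filter` shadows the Python builtin.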
Re: [Freeipa-devel] [PATCH] 531-541 OTP UI
On 5.2.2014 20:59, Nathaniel McCallum wrote:
> The Add Token dialog asks the user to specify a unique id. This unique id should be generated instead. See how I did this in the CLI. It should work in this case too.
>
> Nathaniel

Fixed.

I have not added proper handling of the `optional_create` flag in the Web UI, because it might affect details pages in an unwanted manner. Because of that, the otptoken dialog's `ipatokenuniqueid` field now uses the `required=false` override.

> On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
>> On 13.1.2014 17:09, Petr Vobornik wrote:
>>> Hi,
>>> these patches implement the OTP Web UI. The last 5 patches are the OTP UI. The first 6 patches are a little refactoring/bug fixes needed for them.
>>>
>>> A general password dialog is introduced to avoid another implementation.
>>>
>>> The self-service UI is implemented to be very simple. ATM the user can choose only the token name. The admin interface allows entering all values.
>>>
>>> It's based on the RCUE work - we need to push RCUE first. Thanks Nathaniel for the review of the last font package. It will speed things up.
>>>
>>> Known bugs:
>>> - there is a clash in ids of checkboxes preventing editing of subsequently displayed ones with the same name. Will be fixed in a separate patch.
>>> - bugs caused by bugs in the API (adding/removal of own tokens in self-service, inability to enter key on token creation - https://fedorahosted.org/freeipa/ticket/4099)
>>> - datetime format (widget+validator) will be implemented in a separate patch
>>> - no support for not yet reviewed CLI patches (HOTP..)
>>>
>>> Cgit: http://fedorapeople.org/cgit/pvoborni/public_git/freeipa.git/log/?h=otp
>>>
>>> https://fedorahosted.org/freeipa/ticket/3369
>>
>> Patches were rebased because of a minor conflict with the trusted domains patch.

-- 
Petr Vobornik

From 8203291e9d3382a6fd5240a827080f013db76541 Mon Sep 17 00:00:00 2001 
From: Petr Vobornik pvobo...@redhat.com Date: Thu, 12 Sep 2013 15:29:01 +0200 Subject: [PATCH] UI for OTP tokens https://fedorahosted.org/freeipa/ticket/3369 --- install/ui/doc/categories.json | 1 + install/ui/src/freeipa/app.js | 1 + install/ui/src/freeipa/navigation/menu_spec.js | 10 +- install/ui/src/freeipa/otptoken.js | 300 + install/ui/src/freeipa/search.js | 18 +- install/ui/test/data/ipa_init.json | 5 + ipalib/plugins/internal.py | 9 +- 7 files changed, 333 insertions(+), 11 deletions(-) create mode 100644 install/ui/src/freeipa/otptoken.js diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json index 9f04c4b28bd889947926faa990653e023b8954b0..02487e542c64eb1ab3dac76f497c186f41fe489b 100644 --- a/install/ui/doc/categories.json +++ b/install/ui/doc/categories.json @@ -218,6 +218,7 @@ name: Plugins, classes: [ aci, +otptoken, user ] } diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 2fbe0775c4dd58ed4a741a222323de82b7eb92f7..05bef374f4b25f4f052d9f107291c5b7a0914bbc 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -41,6 +41,7 @@ define([ './host', './idrange', './netgroup', +'./otptoken', './policy', './realmdomains', './rule', diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 9d4c5eff9b6c2b5a64a2f83f73fcec87aef7443d..e531a9f6d4446b1d395b6bb6dfd011877ac61530 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -56,7 +56,8 @@ var nav = {}; ] }, { entity: 'cert', label: '@i18n:tabs.cert' }, -{ entity: 'realmdomains' } +{ entity: 'realmdomains' }, +{ entity: 'otptoken' } ] }, {name: 'policy', label: '@i18n:tabs.policy', children: [ 
@@ -148,10 +149,13 @@ nav.self_service = { { name: 'identity', label: '@i18n:tabs.identity', -children: [{entity: 'user'}] +children: [ +{ entity: 'user' }, +{ entity: 'otptoken' } +] } ] }; return nav; -}); \ No newline at end of file +}); diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js new file mode 100644 index ..6e6bb34d257f3b71f5744fc208630ff9bf366999 --- /dev/null +++ b/install/ui/src/freeipa/otptoken.js @@ -0,0 +1,300 @@ +/* Authors: + *Petr Vobornik pvobo...@redhat.com + * + * Copyright (C) 2013 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at
Re: [Freeipa-devel] [PATCH] 531-541 OTP UI
The sent patch was exactly the same as 537-1. Correct patch attached.

On 6.2.2014 13:36, Petr Vobornik wrote:
> On 5.2.2014 20:59, Nathaniel McCallum wrote:
>> The Add Token dialog asks the user to specify a unique id. This unique id should be generated instead. See how I did this in the CLI. It should work in this case too.
>>
>> Nathaniel
>
> Fixed.
>
> I have not added proper handling of the `optional_create` flag in the Web UI, because it might affect details pages in an unwanted manner. Because of that, the otptoken dialog's `ipatokenuniqueid` field now uses the `required=false` override.
>
>> On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
>>> On 13.1.2014 17:09, Petr Vobornik wrote:
>>>> Hi,
>>>> these patches implement the OTP Web UI. The last 5 patches are the OTP UI. The first 6 patches are a little refactoring/bug fixes needed for them.
>>>>
>>>> A general password dialog is introduced to avoid another implementation.
>>>>
>>>> The self-service UI is implemented to be very simple. ATM the user can choose only the token name. The admin interface allows entering all values.
>>>>
>>>> It's based on the RCUE work - we need to push RCUE first. Thanks Nathaniel for the review of the last font package. It will speed things up.
>>>>
>>>> Known bugs:
>>>> - there is a clash in ids of checkboxes preventing editing of subsequently displayed ones with the same name. Will be fixed in a separate patch.
>>>> - bugs caused by bugs in the API (adding/removal of own tokens in self-service, inability to enter key on token creation - https://fedorahosted.org/freeipa/ticket/4099)
>>>> - datetime format (widget+validator) will be implemented in a separate patch
>>>> - no support for not yet reviewed CLI patches (HOTP..)
>>>>
>>>> Cgit: http://fedorapeople.org/cgit/pvoborni/public_git/freeipa.git/log/?h=otp
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3369
>>>
>>> Patches were rebased because of a minor conflict with the trusted domains patch.

-- 
Petr Vobornik

From d5374e3a8cae167f45e972a4576ac0cb05b54edf Mon Sep 17 00:00:00 2001 
From: Petr Vobornik pvobo...@redhat.com Date: Thu, 12 Sep 2013 15:29:01 +0200 Subject: [PATCH] UI for OTP tokens https://fedorahosted.org/freeipa/ticket/3369 --- install/ui/doc/categories.json | 1 + install/ui/src/freeipa/app.js | 1 + install/ui/src/freeipa/navigation/menu_spec.js | 10 +- install/ui/src/freeipa/otptoken.js | 306 + install/ui/src/freeipa/search.js | 18 +- install/ui/test/data/ipa_init.json | 5 + ipalib/plugins/internal.py | 9 +- 7 files changed, 339 insertions(+), 11 deletions(-) create mode 100644 install/ui/src/freeipa/otptoken.js diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json index 9f04c4b28bd889947926faa990653e023b8954b0..02487e542c64eb1ab3dac76f497c186f41fe489b 100644 --- a/install/ui/doc/categories.json +++ b/install/ui/doc/categories.json @@ -218,6 +218,7 @@ name: Plugins, classes: [ aci, +otptoken, user ] } diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 2fbe0775c4dd58ed4a741a222323de82b7eb92f7..05bef374f4b25f4f052d9f107291c5b7a0914bbc 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -41,6 +41,7 @@ define([ './host', './idrange', './netgroup', +'./otptoken', './policy', './realmdomains', './rule', diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 9d4c5eff9b6c2b5a64a2f83f73fcec87aef7443d..e531a9f6d4446b1d395b6bb6dfd011877ac61530 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -56,7 +56,8 @@ var nav = {}; ] }, { entity: 'cert', label: '@i18n:tabs.cert' }, -{ entity: 'realmdomains' } +{ entity: 'realmdomains' }, +{ entity: 'otptoken' } ] }, {name: 'policy', label: '@i18n:tabs.policy', children: [ 
@@ -148,10 +149,13 @@ nav.self_service = { { name: 'identity', label: '@i18n:tabs.identity', -children: [{entity: 'user'}] +children: [ +{ entity: 'user' }, +{ entity: 'otptoken' } +] } ] }; return nav; -}); \ No newline at end of file +}); diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js new file mode 100644 index ..9a3ce66156a4bb5de2ca48aea16adc2a8668d8ae --- /dev/null +++ b/install/ui/src/freeipa/otptoken.js @@ -0,0 +1,306 @@ +/* Authors: + *Petr Vobornik pvobo...@redhat.com + * + * Copyright (C) 2013 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General
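Review bot: otptoken.js is cut off right after its license header on this page, so the 306-line new entity (and the search.js, ipa_init.json and internal.py changes listed in the diffstat) cannot be reviewed from this message; the only reviewable hunks wire `otptoken` into categories.json, app.js and menu_spec.js. On menu_spec.js: the same `{ entity: 'otptoken' }` is added both after `realmdomains` in the section before `policy` (first hunk) and under the self-service `identity` children (second hunk). Since the cover letter says the self-service variant lets a user choose only the token name while admins can enter all values, please confirm the entity spec hides the admin-only fields in self-service mode rather than relying on server-side ACIs alone to reject them.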
Re: [Freeipa-devel] [PATCH] 531-541 OTP UI
On 5.2.2014 18:54, Alexander Bokovoy wrote:
> On Wed, 05 Feb 2014, Nathaniel McCallum wrote:
>> On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
>>> from ipaserver.dcerpc import DomainValidator
>>
>> Patch 541 is NACK because ipaserver.dcerpc only exists in freeipa-server-trust-ad.
>
> I agree. Instead of modifying highly specialized code in ipaserver.dcerpc, you can extend the general purpose kinit code in ipapython/ipautil.py or add a separate one there to handle the FAST part.

I've implemented a new version of patch 541 which doesn't use the dcerpc module (attached). This new version might be incorrect as well.

The new form based login works as follows:
- calls kinit with the HTTP keytab to get an armor ccache
- calls kinit with the user credentials and the armor_ccache
- calls kdestroy to clean up the armor_ccache

It was inspired by existing code in dcerpc.py and rpcserver.py.

The question is whether we should avoid calling sub-processes and rather use the krbV lib as in ipapython.ipautil.kinit_hostprincipal. Rob mentioned that subprocess calls within Apache are quite expensive.

-- 
Petr Vobornik

From ab506a6312515b2f668fda22484c129d6556f8f4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 9 Jan 2014 14:54:30 +0100
Subject: [PATCH] Support OTP in form based auth

OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.

https://fedorahosted.org/freeipa/ticket/3369
---
 ipaserver/rpcserver.py | 38 --
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index a58c853553daba322be40f15f243082feacf2edd..c05740ded0ecfd3ccc51f33f8e8bfdd80ebf06bc 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -42,12 +42,14 @@ from ipalib.rpc import (xml_dumps, xml_loads, from ipalib.util import parse_time_duration, normalize_name from ipapython.dn import DN from ipaserver.plugins.ldap2 import ldap2 -from ipalib.session import (session_mgr, AuthManager, get_ipa_ccache_name, +from ipalib.session import ( +session_mgr, AuthManager, get_ipa_ccache_name, load_ccache_data, bind_ipa_ccache, release_ipa_ccache, fmt_time, -default_max_session_duration) +default_max_session_duration, krbccache_dir, krbccache_prefix) from ipalib.backend import Backend from ipalib.krb_utils import ( -KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name) +KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name, +krb5_format_service_principal_name) from ipapython import ipautil from ipapython.version import VERSION from ipalib.text import _ 
@@ -973,15 +975,39 @@ class login_password(Backend, KerberosSession, HTTP_Status): return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response) def kinit(self, user, realm, password, ccache_name): +# get http service ccache as an armor for FAST to enable OTP authentication +armor_principal = krb5_format_service_principal_name( +'HTTP', self.api.env.host, realm) +keytab = '/etc/httpd/conf/ipa.keytab' +armor_name = %sA_%s % (krbccache_prefix, user) +armor_path = os.path.join(krbccache_dir, armor_name) + +self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s', + armor_principal, keytab, armor_path) + +(stdout, stderr, returncode) = ipautil.run( +['/usr/bin/kinit', '-kt', keytab, armor_principal], +env={'KRB5CCNAME': armor_path}, raiseonerr=False) + +if returncode != 0: +raise CCacheError() + # Format the user as a kerberos principal principal = krb5_format_principal_name(user, realm) -(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal], - env={'KRB5CCNAME':ccache_name}, - stdin=password, raiseonerr=False) +(stdout, stderr, returncode) = ipautil.run( +['/usr/bin/kinit', principal, '-T', armor_path], +env={'KRB5CCNAME': ccache_name}, stdin=password, raiseonerr=False) + self.debug('kinit: principal=%s returncode=%s, stderr=%s', principal, returncode, stderr) +self.debug('Cleanup the armor ccache') +ipautil.run( +['/usr/bin/kdestroy', '-A', '-c', armor_path], +env={'KRB5CCNAME': armor_path}, +raiseonerr=False) + if returncode != 0: raise InvalidSessionPassword(principal=principal, message=unicode(stderr)) -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
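Review bot: in the kinit() hunk the armor ccache path is built from the submitted user name (`armor_name = %sA_%s % (krbccache_prefix, user)` joined onto `krbccache_dir`) before that name has been validated or turned into a principal, so the file that kinit writes with the HTTP keytab's credentials lands wherever the form value steers it, and two concurrent logins for the same user share one armor file and `kdestroy -A` each other's ticket. Use a per-request unique name (a tempfile) rather than the user name, and move the kdestroy into a `finally:` so the armor ccache is also removed when `ipautil.run` raises rather than returning non-zero. The first hunk adds `krbccache_dir` and `krbccache_prefix` to the imports but no `import os`, which `os.path.join` needs; confirm it is already imported in rpcserver.py. Minor: `keytab = '/etc/httpd/conf/ipa.keytab'` is hardcoded in the method rather than taken from the existing path constants.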
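The armor-then-FAST kinit sequence Petr describes above, as an added example that is not part of the patch or of FreeIPA: it keeps the three kinit/kinit/kdestroy steps but gives each login a private temporary armor ccache and cleans it up in a `finally` block. The names `login_with_fast`, `LoginError` and `RecordingRunner` are invented here, the realm and user in the test are constructed, and the `run` argument is a hook so the flow can be exercised without a KDC.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not FreeIPA's code: the three-step form login described in
# the thread (kinit with the HTTP keytab to get an armor ccache, FAST kinit
# of the user with that armor, kdestroy of the armor), restructured so that
# every login gets a private, unguessable armor ccache that is removed even
# when a step fails. The run argument exists so the flow can be exercised
# without a KDC; in production it is subprocess.run.

KINIT = '/usr/bin/kinit'
KDESTROY = '/usr/bin/kdestroy'


class LoginError(Exception):
    pass


def login_with_fast(user, realm, password, ccache_name, host, keytab,
                    run=subprocess.run):
    """Acquire a ticket for user@realm into ccache_name over a FAST channel
    armored with the HTTP service's ticket. Returns the user principal."""
    # The user name becomes part of a principal and of a command line; reject
    # anything that could change its structure instead of escaping it.
    if not user or any(c in user for c in '/@\\\x00') or user.startswith('-'):
        raise LoginError('invalid user name')
    armor_principal = 'HTTP/%s@%s' % (host, realm)
    user_principal = '%s@%s' % (user, realm)
    # A fresh mode-0700 directory per login instead of a path derived from
    # the user name: concurrent logins of one user cannot clobber each
    # other's armor, and a crafted name cannot steer the path elsewhere.
    workdir = tempfile.mkdtemp(prefix='ipa-fast-')
    armor_path = os.path.join(workdir, 'armor')
    try:
        res = run([KINIT, '-kt', keytab, armor_principal],
                  env={'KRB5CCNAME': armor_path}, capture_output=True)
        if res.returncode != 0:
            raise LoginError('armor kinit failed: %r' % res.stderr)
        res = run([KINIT, '-T', armor_path, user_principal],
                  env={'KRB5CCNAME': ccache_name},
                  input=(password + '\n').encode(), capture_output=True)
        if res.returncode != 0:
            # stderr carries the KDC's reason (bad password, expired OTP),
            # never the password itself, so it is safe to surface.
            raise LoginError('kinit failed: %r' % res.stderr)
    finally:
        # Cleanup runs on every path, including exceptions raised by run().
        run([KDESTROY, '-A', '-c', armor_path],
            env={'KRB5CCNAME': armor_path}, capture_output=True)
        shutil.rmtree(workdir, ignore_errors=True)
    return user_principal


class RecordingRunner:
    """Stand-in for subprocess.run: records commands, optionally fails one."""

    def __init__(self, fail_step=None):
        self.calls = []
        self.fail_step = fail_step
        self.armor_dirs = set()

    def __call__(self, cmd, **kwargs):
        env = dict(kwargs.get('env', {}))
        self.calls.append((list(cmd), env))
        if cmd[0] == KINIT and '-kt' in cmd:
            self.armor_dirs.add(os.path.dirname(env['KRB5CCNAME']))
        rc = 1 if len(self.calls) == self.fail_step else 0
        return subprocess.CompletedProcess(cmd, rc, b'', b'constructed stderr')

    def armor_dirs_left(self):
        """Armor ccache directories seen so far that still exist on disk."""
        return [d for d in self.armor_dirs if os.path.isdir(d)]
```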
[Freeipa-devel] Web services in freeIPA
Hi,

I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.

Thanks
Alexandre Santos
Re: [Freeipa-devel] Web services in freeIPA
On 6.2.2014 15:22, Alexandre Santos wrote:
> Hi,
>
> I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.
>
> Thanks
> Alexandre Santos

The URL you saw is most likely for the XML RPC API. You can check:

https://hostname/ipa/xml - XML RPC API
https://hostname/ipa/json - JSON RPC API
https://hostname/ipa/session/xml - XML RPC API with session support
https://hostname/ipa/session/json - JSON RPC API with session support
https://hostname/ipa/ui - Web UI
https://hostname/ipa/config/unauthorized.html - some config and error pages

We don't have docs for the APIs yet.

-- 
Petr Vobornik
Re: [Freeipa-devel] Web services in freeIPA
Thanks, I think I have what I need.

Best regards

On 06 Feb 2014, at 14:33, Petr Vobornik pvobo...@redhat.com wrote:
> On 6.2.2014 15:22, Alexandre Santos wrote:
>> Hi,
>>
>> I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.
>>
>> Thanks
>> Alexandre Santos
>
> The URL you saw is most likely for the XML RPC API. You can check:
>
> https://hostname/ipa/xml - XML RPC API
> https://hostname/ipa/json - JSON RPC API
> https://hostname/ipa/session/xml - XML RPC API with session support
> https://hostname/ipa/session/json - JSON RPC API with session support
> https://hostname/ipa/ui - Web UI
> https://hostname/ipa/config/unauthorized.html - some config and error pages
>
> We don't have docs for the APIs yet.
>
> -- 
> Petr Vobornik
Re: [Freeipa-devel] [PATCHES 0024, 0025] Classless support for reverse domains
On Thu, 2014-02-06 at 10:59 +0100, Jan Cholasta wrote:
> Hi,
>
> On 31.1.2014 16:06, Martin Basti wrote:
>> Reverse domain names in form 0/28.0.10.10.in-addr.arpa. are now allowed.
>> Ticket: https://fedorahosted.org/freeipa/ticket/4143
>> Patches attached.

I added Petr2 to CC, to inspect RFC issues with allowing '/' in IPv6.

> I think the validation should be more strict. IPv4 reverse zones should allow slash only in the label for the last octet (i.e. 0/25.1.168.192 is valid, 0.1/25.168.192 is not). IPv6 reverse zones should not allow slash at all.

I haven't found anything about IPv6, RFCs don't forbid it.

1.0/25.1.168.192.in-addr.arpa. is also valid, it could be used for CNAME records.

The slashes in domain names are referenced as the best practice in the RFC, there are no strict rules.

>> +def _cname_hostname_validator(ugettext, value):
>
> Can you name this _bind_cname_hostname_validator, so that it is clear it is related to _bind_hostname_validator?

I will rename it.

>> +#classless reverse zones can contain slash '/'
>> +if not zone_is_reverse(normalized_zone) and (normalized_zone.count('/') > 0):
>> +raise errors.ValidationError(name='name',
>> +error=_(Only reverse zones can contain '/' in labels))
>
> This should be handled in _domain_name_validator. Validation in pre_callback should be done only when the validation depends on values of multiple parameters, which is not the case here.

I will move it.

>> +def _reverse_zone_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
>
> Rename this to _idnsname_pre_callback and you won't have to call it explicitly in run_precallback_validators.

I will rename it.

>> +if addr.count('/') > 0:
>
> I think if '/' in addr: would be better.

I will change it.

>> -def validate_dns_label(dns_label, allow_underscore=False):
>> +def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):
>
> IMO instead of adding a new boolean argument, it would be nicer to replace allow_underscore with an argument (e.g. allowed_chars) which takes a string of extra allowed characters.

But I have to handle not only the allowed chars, but the position of the chars in the label string too.

> Honza

-- 
Martin^2 Basti
Re: [Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
On 02/06/2014 01:16 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158.
>
> Honza

Adding a whole new update plugin for this little change seems like overengineering to me. Why does a simple

remove: sourcehostcategory: all

not work?

Also, I would be OK with even just not adding it in new installations only. It is a benign attribute which also may not be deprecated in older version (and replicated) replicas.

Martin
Re: [Freeipa-devel] Web services in freeIPA
Are there any examples that can guide me?

Thanks
Alexandre Santos

On 06 Feb 2014, at 14:33, Petr Vobornik pvobo...@redhat.com wrote:
> On 6.2.2014 15:22, Alexandre Santos wrote:
>> Hi,
>>
>> I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.
>>
>> Thanks
>> Alexandre Santos
>
> The URL you saw is most likely for the XML RPC API. You can check:
>
> https://hostname/ipa/xml - XML RPC API
> https://hostname/ipa/json - JSON RPC API
> https://hostname/ipa/session/xml - XML RPC API with session support
> https://hostname/ipa/session/json - JSON RPC API with session support
> https://hostname/ipa/ui - Web UI
> https://hostname/ipa/config/unauthorized.html - some config and error pages
>
> We don't have docs for the APIs yet.
>
> -- 
> Petr Vobornik
Re: [Freeipa-devel] Web services in freeIPA
As Petr said, we do not have proper documentation for using RPC for controlling IPA. But I think you can start with looking at [1] to see the template and try running our commands with -vv, which will show you how we call the API:

$ ipa -vv user-show admin

Martin

[1] http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

On 02/06/2014 04:04 PM, Alexandre Santos wrote:
> Are there any examples that can guide me?
>
> Thanks
> Alexandre Santos
>
> On 06 Feb 2014, at 14:33, Petr Vobornik pvobo...@redhat.com wrote:
>> On 6.2.2014 15:22, Alexandre Santos wrote:
>>> Hi,
>>>
>>> I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.
>>>
>>> Thanks
>>> Alexandre Santos
>>
>> The URL you saw is most likely for the XML RPC API. You can check:
>>
>> https://hostname/ipa/xml - XML RPC API
>> https://hostname/ipa/json - JSON RPC API
>> https://hostname/ipa/session/xml - XML RPC API with session support
>> https://hostname/ipa/session/json - JSON RPC API with session support
>> https://hostname/ipa/ui - Web UI
>> https://hostname/ipa/config/unauthorized.html - some config and error pages
>>
>> We don't have docs for the APIs yet.
>>
>> -- 
>> Petr Vobornik
Re: [Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
On 6.2.2014 16:04, Martin Kosek wrote:
> On 02/06/2014 01:16 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158.
>>
>> Honza
>
> Adding a whole new update plugin for this little change seems like overengineering to me. Why does a simple
>
> remove: sourcehostcategory: all
>
> not work?

Because there is no simple dn: ... to put above it, since it uses an auto-generated ipaUniqueId.

> Also, I would be OK with even just not adding it in new installations only. It is a benign attribute which also may not be deprecated in older version (and replicated) replicas.

If it is not removed, it will still be shown in hbacrule commands' output. Is it OK to remove sourcehostcategory from hbacrule.default_attributes? I'm not sure why it was left there when source hosts were deprecated.

> Martin

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
On 02/06/2014 04:21 PM, Jan Cholasta wrote:
> On 6.2.2014 16:04, Martin Kosek wrote:
>> On 02/06/2014 01:16 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158.
>>>
>>> Honza
>>
>> Adding a whole new update plugin for this little change seems like overengineering to me. Why does a simple
>>
>> remove: sourcehostcategory: all
>>
>> not work?
>
> Because there is no simple dn: ... to put above it, since it uses an auto-generated ipaUniqueId.

Ah, I see.

>> Also, I would be OK with even just not adding it in new installations only. It is a benign attribute which also may not be deprecated in older version (and replicated) replicas.
>
> If it is not removed, it will still be shown in hbacrule commands' output. Is it OK to remove sourcehostcategory from hbacrule.default_attributes? I'm not sure why it was left there when source hosts were deprecated.

Makes sense. I think removing it from the default LDIF + from default_attributes will do the trick.

Martin
Re: [Freeipa-devel] [PATCHES 0024, 0025] Classless support for reverse domains
On 6.2.2014 15:57, Martin Basti wrote:
> On Thu, 2014-02-06 at 10:59 +0100, Jan Cholasta wrote:
>> Hi,
>>
>> On 31.1.2014 16:06, Martin Basti wrote:
>>> Reverse domain names in form 0/28.0.10.10.in-addr.arpa. are now allowed.
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4143
>>> Patches attached.
>
> I added Petr2 to CC, to inspect RFC issues with allowing '/' in IPv6.
>
>> I think the validation should be more strict. IPv4 reverse zones should allow slash only in the label for the last octet (i.e. 0/25.1.168.192 is valid, 0.1/25.168.192 is not). IPv6 reverse zones should not allow slash at all.
>
> I haven't found anything about IPv6, RFCs don't forbid it.

AFAIK the RFCs do not forbid anything, but we do validation anyway, so we might as well do it right, otherwise there is no point in doing it.

> 1.0/25.1.168.192.in-addr.arpa. is also valid, it could be used for CNAME records.

Yes, obviously. It's 1.0.1/25.168.192.in-addr.arpa. I'm concerned about.

> The slashes in domain names are referenced as the best practice in the RFC, there are no strict rules.
>
>>> +def _cname_hostname_validator(ugettext, value):
>>
>> Can you name this _bind_cname_hostname_validator, so that it is clear it is related to _bind_hostname_validator?
>
> I will rename it.
>
>>> +#classless reverse zones can contain slash '/'
>>> +if not zone_is_reverse(normalized_zone) and (normalized_zone.count('/') > 0):
>>> +raise errors.ValidationError(name='name',
>>> +error=_(Only reverse zones can contain '/' in labels))
>>
>> This should be handled in _domain_name_validator. Validation in pre_callback should be done only when the validation depends on values of multiple parameters, which is not the case here.
>
> I will move it.
>
>>> +def _reverse_zone_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
>>
>> Rename this to _idnsname_pre_callback and you won't have to call it explicitly in run_precallback_validators.
>
> I will rename it.
>
>>> +if addr.count('/') > 0:
>>
>> I think if '/' in addr: would be better.
>
> I will change it.
>
>>> -def validate_dns_label(dns_label, allow_underscore=False):
>>> +def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):
>>
>> IMO instead of adding a new boolean argument, it would be nicer to replace allow_underscore with an argument (e.g. allowed_chars) which takes a string of extra allowed characters.
>
> But I have to handle not only the allowed chars, but the position of the chars in the label string too.

Why? Is there a RFC that forbids it?

My point is, adding a new argument for each extra character is bad, there should be a better way of doing that.

-- 
Jan Cholasta
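A validator implementing the stricter rule discussed in this thread (a slash only in the label for the last octet of an IPv4 reverse name, none in ip6.arpa or forward zones, and an `allowed_chars` string in place of one boolean per extra character), written as an added example rather than FreeIPA's own code; `validate_zone_name`, `validate_dns_label` and the helper names are assumptions, and the prefix-length range 25 to 32 is the RFC 2317 sub-/24 convention rather than anything the patch states.

```python
import re

# Added example, not FreeIPA's code: a zone-name validator implementing the
# stricter rule from this thread. A '/' (classless, RFC 2317 style delegation
# such as 0/25.1.168.192.in-addr.arpa.) is accepted only in the label that
# stands for the last octet of an IPv4 reverse name, never in ip6.arpa names
# and never in forward zones. validate_dns_label takes an allowed_chars
# string instead of one boolean per extra character.

IN_ADDR_SUFFIX = '.in-addr.arpa.'
IP6_SUFFIX = '.ip6.arpa.'

# Classless label: <octet>/<prefix length>, e.g. 0/25 or 128/26.
_CLASSLESS_RE = re.compile(r'^([0-9]{1,3})/([0-9]{1,2})$')


def normalize_zone(zone):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    zone = zone.strip().lower()
    return zone if zone.endswith('.') else zone + '.'


def validate_dns_label(label, allowed_chars=''):
    """Check one RFC 1123 label: letters, digits, inner hyphens, max 63.

    allowed_chars lists extra characters accepted anywhere in the label
    (allow_underscore=True becomes allowed_chars='_'). Returns an error
    message, or None when the label is acceptable.
    """
    if not label:
        return 'empty label'
    if len(label) > 63:
        return 'label %r is longer than 63 characters' % label
    extra = re.escape(allowed_chars)
    pattern = r'^[a-z0-9%s]([a-z0-9%s-]*[a-z0-9%s])?$' % (extra, extra, extra)
    if not re.match(pattern, label, re.IGNORECASE):
        return 'label %r contains characters that are not allowed' % label
    return None


def _validate_classless_label(label):
    """Check an '<octet>/<prefix>' label of a classless IPv4 reverse name."""
    m = _CLASSLESS_RE.match(label)
    if not m:
        return 'classless label %r must look like <octet>/<prefix>' % label
    octet, prefix = int(m.group(1)), int(m.group(2))
    if octet > 255:
        return 'octet %d in %r is out of range' % (octet, label)
    if not 25 <= prefix <= 32:
        # RFC 2317 delegations split a /24; anything shorter is classful.
        return 'prefix /%d in %r is not a sub-/24 delegation' % (prefix, label)
    return None


def _validate_in_addr_labels(labels):
    """labels: the parts left of in-addr.arpa in written order (host part
    first), so reversing them yields address order."""
    for pos, label in enumerate(reversed(labels)):
        if '/' in label:
            if pos != 3:
                return ("'/' is only allowed in the label for the last "
                        "octet, not in %r" % label)
            err = _validate_classless_label(label)
        elif pos < 4:
            ok = re.fullmatch(r'[0-9]{1,3}', label) and int(label) <= 255
            err = None if ok else 'octet label %r is not a number 0-255' % label
        else:
            # Labels left of the four octets name hosts inside the zone.
            err = validate_dns_label(label)
        if err:
            return err
    return None


def validate_zone_name(zone):
    """Return None for an acceptable zone or record name, else an error."""
    zone = normalize_zone(zone)
    if zone.endswith(IP6_SUFFIX):
        for label in zone[:-len(IP6_SUFFIX)].split('.'):
            if '/' in label:
                return "'/' is not allowed in ip6.arpa names"
            if not re.match(r'^[0-9a-f]$', label):
                return 'ip6.arpa label %r is not a single hex digit' % label
        return None
    if zone.endswith(IN_ADDR_SUFFIX):
        return _validate_in_addr_labels(zone[:-len(IN_ADDR_SUFFIX)].split('.'))
    # Forward zone: the check from the patch, then per-label validation.
    if '/' in zone:
        return "only reverse zones can contain '/' in labels"
    for label in zone.rstrip('.').split('.'):
        err = validate_dns_label(label)
        if err:
            return err
    return None
```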
Re: [Freeipa-devel] Web services in freeIPA
On 02/06/2014 10:12 AM, Martin Kosek wrote:
> As Petr said, we do not have proper documentation for using RPC for controlling IPA. But I think you can start with looking at [1] to see the template and try running our commands with -vv, which will show you how we call the API:
>
> $ ipa -vv user-show admin

Are we still suggesting using the XML interface? I thought we were planning to prefer JSON rather than XML, has something changed here?

> Martin
>
> [1] http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>
> On 02/06/2014 04:04 PM, Alexandre Santos wrote:
>> Are there any examples that can guide me?
>>
>> Thanks
>> Alexandre Santos
>>
>> On 06 Feb 2014, at 14:33, Petr Vobornik pvobo...@redhat.com wrote:
>>> On 6.2.2014 15:22, Alexandre Santos wrote:
>>>> Hi,
>>>>
>>>> I'm starting in freeIPA and I would like to know what web apps are available for use, like create user, delete user and so on. I've seen that when I use the command "ipa -vv user-add" a URL for the app is given. I would like to know if there is any information about that.
>>>>
>>>> Thanks
>>>> Alexandre Santos
>>>
>>> The URL you saw is most likely for the XML RPC API. You can check:
>>>
>>> https://hostname/ipa/xml - XML RPC API
>>> https://hostname/ipa/json - JSON RPC API
>>> https://hostname/ipa/session/xml - XML RPC API with session support
>>> https://hostname/ipa/session/json - JSON RPC API with session support
>>> https://hostname/ipa/ui - Web UI
>>> https://hostname/ipa/config/unauthorized.html - some config and error pages
>>>
>>> We don't have docs for the APIs yet.
>>>
>>> -- 
>>> Petr Vobornik

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
On 6.2.2014 16:20, Martin Kosek wrote: On 02/06/2014 04:21 PM, Jan Cholasta wrote: On 6.2.2014 16:04, Martin Kosek wrote: On 02/06/2014 01:16 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158. Honza Adding a whole new update plugin for this little change seems as a overengineering for me. Why does a simple remove: sourcehostcategory: all not work? Because there is no simple dn: ... to put above it, since it uses auto-generated ipaUniqueId. Ah, I see. Also, I would be OK with even just not adding it in new installation only. It is a benign attribute which also may not be deprecated in older version (and replicated) replicas. If it is not removed, it will still be shown in hbacrule commands' output. Is it OK to remove sourcehostcategory from hbacrule.default_attributes? I'm not sure why it was left there when source hosts were deprecated. Makes sense. I think removing it from default LDIF + from default_attributes will do the trick. Martin Updated patch attached. -- Jan Cholasta From d56b3f8e63bae9db3d13df49d42a4f35a50e67b6 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 6 Feb 2014 12:33:43 +0100 Subject: [PATCH] Remove sourcehostcategory from the default HBAC rule. https://fedorahosted.org/freeipa/ticket/4158 --- install/share/default-hbac.ldif | 1 - ipalib/plugins/hbacrule.py | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif index b7b6ba2..52fd30e 100644 --- a/install/share/default-hbac.ldif +++ b/install/share/default-hbac.ldif @@ -7,7 +7,6 @@ cn: allow_all accessruletype: allow usercategory: all hostcategory: all -sourcehostcategory: all servicecategory: all ipaenabledflag: TRUE description: Allow all users to access any host from any host diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index 0f0fef0..99758b2 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py 
@@ -118,7 +118,7 @@ class hbacrule(LDAPObject): default_attributes = [ 'cn', 'ipaenabledflag', 'description', 'usercategory', 'hostcategory', -'sourcehostcategory', 'servicecategory', 'ipaenabledflag', +'servicecategory', 'ipaenabledflag', 'memberuser', 'sourcehost', 'memberhost', 'memberservice', 'memberhostgroup', 'externalhost', ] -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
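Review bot: the description in the default-hbac.ldif hunk still reads "Allow all users to access any host from any host"; with sourcehostcategory removed and source hosts deprecated, the trailing "from any host" describes a condition the rule no longer expresses, so consider shortening it to "Allow all users to access any host". In the hbacrule.py hunk, default_attributes keeps 'ipaenabledflag' twice (once near the top of the list and again right after 'servicecategory') and still lists the deprecated 'sourcehost'; dropping the duplicate is a safe cleanup, and it is worth asking whether the reasoning that removes 'sourcehostcategory' from command output applies to 'sourcehost' as well. As discussed in the thread, removing the attribute from the LDIF only affects new installations; existing replicas keep sourcehostcategory: all in the entry, which is harmless once the attribute is no longer in default_attributes.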
Re: [Freeipa-devel] [PATCH] 239 Remove sourcehostcategory from the default HBAC rule
On 02/06/2014 04:46 PM, Jan Cholasta wrote: On 6.2.2014 16:20, Martin Kosek wrote: On 02/06/2014 04:21 PM, Jan Cholasta wrote: On 6.2.2014 16:04, Martin Kosek wrote: On 02/06/2014 01:16 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4158. Honza Adding a whole new update plugin for this little change seems like overengineering to me. Why does a simple remove: sourcehostcategory: all not work? Because there is no simple dn: ... to put above it, since it uses an auto-generated ipaUniqueId. Ah, I see. Also, I would be OK with even just not adding it in new installations only. It is a benign attribute which also may not be deprecated in older-version (and replicated) replicas. If it is not removed, it will still be shown in hbacrule commands' output. Is it OK to remove sourcehostcategory from hbacrule.default_attributes? I'm not sure why it was left there when source hosts were deprecated. Makes sense. I think removing it from the default LDIF + from default_attributes will do the trick. Martin Updated patch attached. ACK. Pushed to master, ipa-3-3. Martin
[Freeipa-devel] [PATCH 0035] ipa-kdb: validate that an OTP user has tokens
This patch is independent of any of my other patches and can be merged out of order. Nathaniel From b0ffd3ca5ce905d2df1b7c7f8a8ee82a9e9af4a7 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 6 Feb 2014 10:56:46 -0500 Subject: [PATCH] ipa-kdb: validate that an OTP user has tokens This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 --- daemons/ipa-kdb/ipa_kdb.c| 10 ++- daemons/ipa-kdb/ipa_kdb.h| 6 +- daemons/ipa-kdb/ipa_kdb_principals.c | 144 ++- 3 files changed, 135 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index c807bbcfa14285db96f78fc4f7b0cdd04da445b7..0f3996cdfa35374c005bc1ed174dea0816a27747 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -186,13 +186,13 @@ static const struct { { } }; -void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le, - enum ipadb_user_auth *userauth) +void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, + enum ipadb_user_auth *userauth) { struct berval **vals; int i, j; -*userauth = IPADB_USER_AUTH_EMPTY; +*userauth = IPADB_USER_AUTH_NONE; vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); if (!vals) return; @@ -205,6 +205,8 @@ void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le, } } } + +ldap_value_free_len(vals); } int ipadb_get_global_configs(struct ipadb_context *ipactx) 
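Review bot: the ldap_value_free_len(vals) added at the end of ipadb_parse_user_auth fixes a leak the old ipadb_get_user_auth had on every call that found a non-empty ipaUserAuthType; that is worth a sentence in the commit message, which currently only talks about the token check. The renames from IPADB_USER_AUTH_EMPTY to IPADB_USER_AUTH_NONE and from ipadb_get_user_auth to ipadb_parse_user_auth have to reach every caller; the hunks shown update ipadb_get_global_configs and the header, so please confirm with a grep over daemons/ipa-kdb that no other use of the old names remains.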
@@ -239,7 +241,7 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx) } /* Check for permitted authentication types. */ -ipadb_get_user_auth(ipactx-lcontext, res, ipactx-user_auth); +ipadb_parse_user_auth(ipactx-lcontext, res, ipactx-user_auth); vals = ldap_get_values_len(ipactx-lcontext, first, ipaConfigString); diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 5ad256b0ecaa74a53ba0d1465462a58e7f138603..6c036e3b6403a3b5fde544dc49c9d7efbaa6ca9b 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -80,7 +80,7 @@ struct ipadb_mspac; enum ipadb_user_auth { - IPADB_USER_AUTH_EMPTY= 0, + IPADB_USER_AUTH_NONE = 0, IPADB_USER_AUTH_DISABLED = 1 0, IPADB_USER_AUTH_PASSWORD = 1 1, IPADB_USER_AUTH_RADIUS = 1 2, @@ -275,5 +275,5 @@ void ipadb_audit_as_req(krb5_context kcontext, krb5_error_code error_code); /* AUTH METHODS */ -void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le, - enum ipadb_user_auth *user_auth); +void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, + enum ipadb_user_auth *user_auth); diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index a52095225eead84ba586ee7cd14510feb39b9d3b..8a8d67bb13dd1fd0dedef9dab0296b1c12d58281 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -66,6 +66,7 @@ static char *std_principal_attrs[] = { passwordHistory, IPA_KRB_AUTHZ_DATA_ATTR, IPA_USER_AUTH_TYPE, +ipatokenRadiusConfigLink, objectClass, NULL 
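Review bot: ipatokenRadiusConfigLink is added to std_principal_attrs in the ipa_kdb_principals.c hunk, but nothing in the part of this patch visible here reads that attribute from the principal entry. If it is consumed by a later patch in the series, say so in the commit message or move the addition there; otherwise it is one more attribute fetched on every principal lookup for no benefit. The enum change in ipa_kdb.h only renames the zero value and keeps the existing bit assignments, so any code comparing against the other flags is unaffected.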
@@ -224,6 +225,122 @@ static int ipadb_ldap_attr_to_key_data(LDAP *lcontext, LDAPMessage *le, return ret; } +static void ipadb_validate_otp(struct ipadb_context *ipactx, + LDAPMessage *lentry, + enum ipadb_user_auth *ua) +{ +static const char *attrs[] = { dn, NULL }; +static const char *dttmpl = %Y%m%d%H%M%SZ; +static const char *ftmpl = ( +(objectClass=ipaToken)(ipatokenOwner=%s) +(|(ipatokenNotBefore=%s)(!(ipatokenNotBefore=*))) +(|(ipatokenNotAfter=%s)(!(ipatokenNotAfter=*))) +(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*))) +); +krb5_error_code kerr = 0; +LDAPMessage *res = NULL; +char datetime[16] = {}; +char *filter = NULL; +struct tm tm = {}; +char *dn = NULL; +time_t now = 0; +int count = 0; + +if (!(*ua IPADB_USER_AUTH_OTP)) +return; + +/* Get the current time. */ +if (time(now) == (time_t) -1) +return; +if (gmtime_r(now, tm) == NULL) +return; + +/* Make the current time string. */ +if (strftime(datetime, sizeof(datetime), dttmpl, tm) == 0) +return; + +/* Make the filter. */ +dn = ldap_get_dn(ipactx-lcontext, lentry); +if (dn == NULL) +return; +count = asprintf(filter, ftmpl, dn, datetime, datetime); +ldap_memfree(dn); +if (count 0) +
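Review bot: in ipadb_validate_otp the owner DN returned by ldap_get_dn() is substituted into the search filter by asprintf without any escaping. The DN of a user entry embeds the uid, and a uid containing filter metacharacters such as '*', '(', ')' or '\' would change the meaning of the (ipatokenOwner=%s) assertion; escape the value per RFC 4515 before building the filter (OpenLDAP provides ldap_bv2escaped_filter_value() for this, or a small helper that rewrites those characters as \2a, \28, \29 and \5c). Two smaller points: every early return leaves *ua unchanged, so a clock or search failure keeps IPADB_USER_AUTH_OTP set and a token-less user is refused rather than silently downgraded to password, which is the safe direction but deserves a krb5_klog_syslog() message so the failure is visible in the KDC log; and requesting "dn" in attrs works, but "1.1" is the conventional way to ask for no attributes when only the entry count matters.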
Re: [Freeipa-devel] [PATCHES 0024, 0025] Classless support for reverse domains
On Thu, 2014-02-06 at 16:37 +0100, Jan Cholasta wrote: On 6.2.2014 15:57, Martin Basti wrote: On Thu, 2014-02-06 at 10:59 +0100, Jan Cholasta wrote: Hi, On 31.1.2014 16:06, Martin Basti wrote: Reverse domain names in form 0/28.0.10.10.in-addr.arpa. are now allowed. Ticket: https://fedorahosted.org/freeipa/ticket/4143 Patches attached. I added Petr2 to CC, to inspect RFC issues with allowing '/' in IPv6. I think the validation should be more strict. IPv4 reverse zones should allow slash only in the label for the last octet (i.e. 0/25.1.168.192 is valid, 0.1/25.168.192 is not). IPv6 reverse zones should not allow slash at all. I haven't found anything about IPv6, the RFCs don't forbid it. AFAIK the RFCs do not forbid anything, but we do validation anyway, so we might as well do it right, otherwise there is no point in doing it. OK, I will leave only IPv4 there. 1.0/25.1.168.192.in-addr.arpa. is also valid, it could be used for CNAME records. Yes, obviously. It's 1.0.1/25.168.192.in-addr.arpa. I'm concerned about. http://tools.ietf.org/html/rfc6672#section-6.2 This can give very strange positions of / in an FQDN. Optionally, I could permit only 1 slash in a domain name, but I have to inspect first if a user can do something useful with a subnet of a subnet in DNS, like 1.0/25.128/25.168.192.in-addr.arpa The slashes in domain names are referenced as the best practice in the RFC, there are no strict rules. +def _cname_hostname_validator(ugettext, value): Can you name this _bind_cname_hostname_validator, so that it is clear it is related to _bind_hostname_validator? I will rename it +#classless reverse zones can contain slash '/' +if not zone_is_reverse(normalized_zone) and (normalized_zone.count('/') > 0): +raise errors.ValidationError(name='name', +error=_("Only reverse zones can contain '/' in labels")) This should be handled in _domain_name_validator. Validation in pre_callback should be done only when the validation depends on values of multiple parameters, which is not this case.
I will move it +def _reverse_zone_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): Rename this to _idnsname_pre_callback and you won't have to call it explicitly in run_precallback_validators. I will rename it +if addr.count('/') > 0: I think if '/' in addr: would be better. I will change it -def validate_dns_label(dns_label, allow_underscore=False): +def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False): IMO instead of adding a new boolean argument, it would be nicer to replace allow_underscore with an argument (e.g. allowed_chars) which takes a string of extra allowed characters. But I have to handle not only allowed chars, but the position of the chars in the label string too. Why? Is there an RFC that forbids it? My point is, adding a new argument for each extra character is bad, there should be a better way of doing that. I agree, but for example: _ should be at the start (it is not required to be at the start in IPA), / and - in the middle. -- Martin^2 Basti
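A stricter validator along the lines Jan describes above (a slash only in the label for the last IPv4 octet, at most one slash per name, none at all under ip6.arpa, and record names such as 1.0/25.1.168.192.in-addr.arpa. inside a classless zone still accepted), as an added example. This is not FreeIPA's validate_dns_label or any code from the patches in this thread; the /25 to /32 prefix range and the network-alignment check (rejecting 64/25 because 64 is not the first address of a /25) are assumptions of the example, not rules stated in the discussion.

```python
import re

# One decimal octet 0..255, no leading zeros.
_OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
OCTET_RE = re.compile("^%s$" % _OCTET)
# RFC 2317 style classless label "<network>/<prefix>". The /25..32 range is an
# assumption of this example: RFC 2317 targets delegations smaller than /24.
CLASSLESS_RE = re.compile("^%s/(2[5-9]|3[0-2])$" % _OCTET)
NIBBLE_RE = re.compile("^[0-9a-f]$")


def validate_reverse_name(name):
    """Return None if name is an acceptable reverse zone or record name,
    otherwise a string explaining the rejection. Case and a trailing dot
    are ignored."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "not a reverse zone name"
    if labels[-2:] == ["in-addr", "arpa"]:
        return _check_ipv4(labels[:-2])
    if labels[-2:] == ["ip6", "arpa"]:
        return _check_ipv6(labels[:-2])
    return "not a reverse zone name"


def _check_ipv4(labels):
    # Walk from the most significant octet (192 in 192.168.1.0) outward.
    rev = labels[::-1]
    slashed = [i for i, label in enumerate(rev) if "/" in label]
    if len(slashed) > 1:
        return "only one label may contain '/'"
    # Position 3 is the label for the last octet: 0/25.1.168.192 is fine,
    # 0.1/25.168.192 and 1.0.1/25.168.192 are not.
    if slashed and slashed[0] != 3:
        return "'/' is only allowed in the label for the last octet"
    # A classless zone name has four labels; a record inside it (1.0/25.1.168.192) five.
    if len(rev) > (5 if slashed else 4):
        return "too many labels for an IPv4 reverse name"
    for i, label in enumerate(rev):
        if i == 3 and "/" in label:
            m = CLASSLESS_RE.match(label)
            if not m:
                return "malformed classless label %r" % label
            network, prefix = int(m.group(1)), int(m.group(2))
            # Extra check beyond the thread: the network octet must be the
            # first address of a /prefix block (0/25 and 128/25, not 64/25).
            if network % (1 << (32 - prefix)):
                return "%d is not aligned to a /%d boundary" % (network, prefix)
        elif not OCTET_RE.match(label):
            return "label %r is not an octet" % label
    return None


def _check_ipv6(labels):
    # ip6.arpa names are nibble labels only; classless '/' labels are never allowed.
    if len(labels) > 32:
        return "too many labels for an IPv6 reverse name"
    for label in labels:
        if not NIBBLE_RE.match(label):
            return "label %r is not a hex nibble" % label
    return None


if __name__ == "__main__":
    for candidate in ("0/25.1.168.192.in-addr.arpa.", "1.0/25.1.168.192.in-addr.arpa.",
                      "0.1/25.168.192.in-addr.arpa.", "1.0.1/25.168.192.in-addr.arpa.",
                      "1.0/25.128/25.168.192.in-addr.arpa.", "0/25.8.b.d.0.1.0.0.2.ip6.arpa."):
        print("%-40s %s" % (candidate, validate_reverse_name(candidate) or "ok"))
```

The position check is what makes the rule strict: instead of asking "does the name contain a slash anywhere", it asks whether the only slash sits in the one label where RFC 2317 puts it, which also rules out the subnet-of-subnet form Martin mentions.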
Re: [Freeipa-devel] Web services in freeIPA
On 02/06/2014 04:29 PM, Dmitri Pal wrote: On 02/06/2014 10:12 AM, Martin Kosek wrote: As Petr said, we do not have proper documentation for using RPC for controlling IPA. But I think you can start with looking at [1] to see the template and try running our commands with -vv which will show you how we call the API: $ ipa -vv user-show admin Are we still suggesting using the XML interface? I thought we were planning to prefer JSON rather than XML, something changed here? No, we prefer JSON. In the currently developed FreeIPA version (3.4) we have already switched to it by default [1]. So if the command above is run in this version, it will show the actual JSON-RPC query sent to the server. If run on an older FreeIPA client, it will still use XML-RPC. Martin [1] https://fedorahosted.org/freeipa/ticket/3299
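What the -vv output reflects on the wire, as an added example that is not part of this thread or of FreeIPA's own client code: how a JSON-RPC request to https://hostname/ipa/session/json is shaped (CLI command user-show becomes method user_show, params is a two-element list of positional arguments and an options dict carrying the API version), the headers the server expects (the Referer must be under https://hostname/ipa, which FreeIPA checks as a CSRF defence on the cookie-authenticated session endpoint), and how a result or error object is unpacked. The API version string, the hostname and both sample responses are constructed for the example; authentication (Kerberos negotiate or the session cookie) is out of scope here.

```python
import json

# Assumed for this example: the real client sends the API version it was built against.
API_VERSION = "2.156"


def cli_to_rpc_method(command):
    """Map a CLI command name to its RPC method name: 'user-show' -> 'user_show'."""
    return command.replace("-", "_")


def build_request(method, args=(), options=None, req_id=0, version=API_VERSION):
    """Build the JSON-RPC body FreeIPA expects: params is a two-element list,
    positional arguments first, then the options dict (which carries 'version')."""
    opts = dict(options or {})
    opts.setdefault("version", version)
    return {"method": method, "params": [list(args), opts], "id": req_id}


def request_headers(server):
    """Headers for https://<server>/ipa/session/json. The Referer must be under
    https://<server>/ipa or the server answers with a RefererError (CSRF check);
    authentication (Kerberos negotiate or the session cookie) is separate."""
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": "https://%s/ipa" % server,
    }


class IPAError(Exception):
    """Server-side error carried in the 'error' member of the response."""

    def __init__(self, code, name, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.code, self.name, self.message = code, name, message


def parse_response(body, expected_id):
    """Unpack a JSON-RPC response: reject a mismatched id, raise IPAError when
    the 'error' member is set, otherwise return the 'result' payload."""
    resp = json.loads(body)
    if resp.get("id") != expected_id:
        raise ValueError("response id %r does not match request id %r"
                         % (resp.get("id"), expected_id))
    err = resp.get("error")
    if err is not None:
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return resp["result"]


# Constructed sample responses in the shape the server returns (not captured from a real server).
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["admin"], "memberof_group": ["admins"],
                          "homedirectory": ["/home/admin"]},
               "value": "admin", "summary": None},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM", "version": API_VERSION,
})
SAMPLE_ERR = json.dumps({
    "result": None,
    "error": {"code": 4001, "message": "nobody: user not found", "name": "NotFound"},
    "id": 1, "principal": "admin@EXAMPLE.COM", "version": API_VERSION,
})

if __name__ == "__main__":
    req = build_request(cli_to_rpc_method("user-show"), ["admin"], {"all": True})
    print(json.dumps(req))
    print(request_headers("ipa.example.com"))
    print(parse_response(SAMPLE_OK, 0)["result"]["uid"])
    try:
        parse_response(SAMPLE_ERR, 1)
    except IPAError as e:
        print("server error:", e)
```

Comparing the printed request with what ipa -vv user-show admin logs on a 3.4 client is the quickest way to confirm the shape; the id check matters when several requests share one session, since the server echoes the id it was given.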
Re: [Freeipa-devel] Second batch of ipatests fixes and improvements
On Thu, 2014-02-06 at 07:06 +0100, Tomas Babej wrote: Hi, the attached patches fix the following tickets https://fedorahosted.org/freeipa/ticket/4134 https://fedorahosted.org/freeipa/ticket/4132 and some additional errors as well. Comments in the commit messages.
0146: ACK
0147: ACK
0148: ACK
0149: ACK
0150: ACK
Nathaniel
Re: [Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens
On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote: This patch is independent from my patches 0028-0031 and can be merged in any order. This patch has a bug, but I can't figure it out. We need to set nsslapd-access-userattr-strict on cn=config to off. However, during the rpm installation, I get this error: DEBUG Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Deleting attributes is not allowed', 'desc': 'Server is unwilling to perform'} ERROR Update failed: Server is unwilling to perform: Deleting attributes is not allowed I'm not sure what is causing this. Does anyone have any suggestions? Attached is a new revision of this patch. It uses the new SELFDN support present in 389-ds-base 1.3.2.11 that was a result of the previous review of this patch. It currently depends on the HOTP patch (0033-2). However, if we wish to merge this first, this could be easily rebased. From a235d3949d81d4ddde31e386b4a7fa47df4240a2 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 6 Feb 2014 11:27:29 -0500 Subject: [PATCH] Update ACIs to permit users to add/delete their own tokens --- freeipa.spec.in| 6 +++--- install/share/default-aci.ldif | 1 + install/updates/40-otp.update | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 628efbfe0a2601557d6e8847798332bf34bc9a79..16378e1313503c2367174304cb7e07a6aee4decd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -21,7 +21,7 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel = 1.3.2.10 +BuildRequires: 389-ds-base-devel = 1.3.2.11 BuildRequires: svrcore-devel BuildRequires: policycoreutils = %{POLICYCOREUTILSVER} BuildRequires: systemd-units 
@@ -97,7 +97,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base = 1.3.2.10 +Requires: 389-ds-base = 1.3.2.11 Requires: openldap-clients 2.4.35-4 %if 0%{?fedora} == 18 Requires: nss = 3.14.3-2 @@ -153,7 +153,7 @@ Requires: zip Requires: policycoreutils = %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger = 0.65 -Requires(pre): 389-ds-base = 1.3.2.10 +Requires(pre): 389-ds-base = 1.3.2.11 Requires: fontawesome-fonts Requires: open-sans-fonts diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 76dd93f4ef2ca5ff6974e6c7ce53f5b7149e55d9..b1c2cbc109dc910cc38c4219a094ffac02a12a57 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif 
@@ -104,3 +104,4 @@ aci: (targetfilter = (objectClass=ipaToken))(targetattrs = objectclass || ipa aci: (targetfilter = (objectClass=ipaToken))(targetattrs = ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial)(version 3.0; acl Users can write basic token info; allow (write) userattr = ipatokenOwner#USERDN;) aci: (targetfilter = (objectClass=ipatokenTOTP))(targetattrs = ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep)(version 3.0; acl Users can add TOTP token secrets; allow (write, search) userattr = ipatokenOwner#USERDN;) aci: (targetfilter = (objectClass=ipatokenHOTP))(targetattrs = ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter)(version 3.0; acl Users can add HOTP token secrets; allow (write, search) userattr = ipatokenOwner#USERDN;) +aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create and delete tokens; allow (add, delete) userattr = ipatokenOwner#SELFDN;) diff --git a/install/updates/40-otp.update b/install/updates/40-otp.update index 750d0f8b3134fb4a81f4d35a1743b8c48113a88f..4384c7351f9a7e3eab18aa38b584c7dabcee7cf5 100644 --- a/install/updates/40-otp.update +++ b/install/updates/40-otp.update 
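Review bot: the new ACI grants add and delete on ipatokenuniqueid=*,cn=otp,$SUFFIX when ipatokenOwner matches SELFDN, but the "Users can write basic token info" ACI on the line above already grants the owner write access to ipatokenOwner itself. Put together, a user can add a token whose secret they know and then rewrite ipatokenOwner to another user's DN, planting a token on that account; with the separate ipa-kdb patch 0035 on this list, under which a user with the OTP auth type but no tokens still logs in by password, that also lets one user force OTP onto another who never enrolled. Consider removing ipatokenOwner from the writable attribute list of that ACI, or otherwise making sure an existing token's owner cannot be changed by the owner. Also, this is the only ACI in the file that uses a target with a $SUFFIX placeholder, while the others rely on targetfilter alone; make sure the installer substitutes $SUFFIX in default-aci.ldif the same way it does for the update file.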
@@ -8,6 +8,7 @@ add: aci:'(targetfilter = (objectClass=ipaToken))(targetattrs = objectclass | add: aci:'(targetfilter = (objectClass=ipaToken))(targetattrs = ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial)(version 3.0; acl Users can write basic token info; allow (write) userattr = ipatokenOwner#USERDN;)' add: aci:'(targetfilter = (objectClass=ipatokenTOTP))(targetattrs = ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep)(version 3.0; acl Users can add TOTP token secrets; allow (write, search) userattr = ipatokenOwner#USERDN;)' add: aci:'(targetfilter = (objectClass=ipatokenHOTP))(targetattrs = ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter)(version
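Review bot: the 40-otp.update hunk is cut off here, but the add: aci: line it introduces must be byte-for-byte the same as the one added to default-aci.ldif (including the $SUFFIX target and the attribute order), because the updater adds a value that is not already present and any whitespace or ordering difference leaves upgraded servers with two near-identical ACIs on the suffix entry where a fresh install has one. While here, confirm that nothing in this update file still depends on the nsslapd-access-userattr-strict change from the earlier revision mentioned in the thread, since the SELFDN approach replaces it.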
[Freeipa-devel] Third batch of ipatests fixes
Hello, this is the third and final batch. Please note that patch 148 has been already ACKed by Nathaniel :) (by mistake, so please look it over again) Details in the commit messages. Tomas From aa4808ec50b22ff7e412599c0da2b691a978bc7d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 5 Feb 2014 02:30:14 +0100 Subject: [PATCH] ipatests: Add test cases for subdomain users on legacy clients Adds test cases for: * getent subdomain user on legacy client * getent subdomain group on legacy client * getent id subdomain user on legacy client * ssh into legacy client with subdomain user * ssh into legacy client with disabled subdomain user --- ipatests/test_integration/test_legacy_clients.py | 122 +-- 1 file changed, 113 insertions(+), 9 deletions(-) diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py index b4fd13175154ffeb7c7ca102d8cf64862053e763..06c34f3ce5e0bf5103374eba363bff07aa067d8c 100644 --- a/ipatests/test_integration/test_legacy_clients.py +++ b/ipatests/test_integration/test_legacy_clients.py @@ -48,6 +48,8 @@ class BaseTestLegacyClient(object): testuser_uid_regex = None testuser_gid_regex = None +subdomain_testuser_uid_regex = None +subdomain_testuser_gid_regex = None @classmethod def setup_class(cls): @@ -55,6 +57,15 @@ class BaseTestLegacyClient(object): cls.ad = cls.ad_domains[0].ads[0] cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0]) + +# Determine whether the subdomain AD is available +try: +child_ad = cls.host_by_role(cls.optional_extra_roles[0]) +cls.ad_subdomain = '.'.join( + child_ad.external_hostname.split('.')[1:]) +except LookupError: +cls.ad_subdomain = None + tasks.apply_common_fixes(cls.legacy_client) for f in cls.backup_files: 
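Review bot: the try/except in setup_class derives cls.ad_subdomain from child_ad.external_hostname by dropping the first label, which assumes the subdomain DC's hostname is exactly one label below its domain name; a DC named dc1.site.child.ad.test would yield the wrong domain. Prefer a domain attribute on the host object if the framework exposes one (the parent AD is already accessed as self.ad.domain.name in the tests below), or document the naming assumption in a comment. The except catches only LookupError, so confirm that is what host_by_role raises for a missing optional role; anything else would abort the whole class instead of skipping the subdomain tests.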
@@ -114,21 +125,21 @@ class BaseTestLegacyClient(object): testuser = 'testuser@%s' % self.ad.domain.name result = self.legacy_client.run_command(['getent', 'passwd', testuser]) -testuser_stdout = testuser@%s:*:%s:%s:\ - Test User:/home/testuser:/bin/sh\ - % (self.ad.domain.name, - self.testuser_uid_regex, - self.testuser_gid_regex) +testuser_regex = testuser@%s:*:%s:%s:\ + Test User:/home/testuser:/bin/sh\ + % (re.escape(self.ad.domain.name), +self.testuser_uid_regex, +self.testuser_gid_regex) -assert testuser_stdout in result.stdout_text +assert re.search(testuser_regex, result.stdout_text) def test_getent_ad_group(self): self.clear_sssd_caches() testgroup = 'testgroup@%s' % self.ad.domain.name result = self.legacy_client.run_command(['getent', 'group', testgroup]) -testgroup_stdout = %s:\*:%s: % (testgroup, self.testuser_gid_regex) -assert re.search(testgroup_stdout, result.stdout_text) +testgroup_regex = %s:\*:%s: % (testgroup, self.testuser_gid_regex) +assert re.search(testgroup_regex, result.stdout_text) def test_id_ad_user(self): self.clear_sssd_caches() 
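Review bot: testuser_regex in test_getent_ad_user is now used with re.search, but the '*' in testuser@%s:*:%s:%s: is not escaped, while the group regex right below writes it as :\*:. Unescaped, :* means "zero or more colons", so the pattern does not match the literal :*: password field in getent passwd output unless the uid regex happens to accept '*'. Write it as :\*: like the group test, or build the fixed parts with re.escape() as is already done for self.ad.domain.name in the same hunk.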
@@ -217,6 +228,92 @@ class BaseTestLegacyClient(object): assert result.returncode != 0 +def test_getent_subdomain_ad_user(self): +if not self.ad_subdomain: +raise nose.SkipTest('AD for the subdomain is not available.') + +self.clear_sssd_caches() +testuser = 'subdomaintestuser@%s' % self.ad_subdomain +result = self.legacy_client.run_command(['getent', 'passwd', testuser]) + +testuser_regex = subdomaintestuser@%s:*:%s:%s:\ + Subdomain Test User:/home/subdomaintestuser:/bin/sh\ + % (re.escape(self.ad_subdomain), +self.subdomain_testuser_uid_regex, +self.subdomain_testuser_gid_regex) + +assert re.search(testuser_regex, result.stdout_text) + +def test_getent_subdomain_ad_group(self): +if not self.ad_subdomain: +raise nose.SkipTest('AD for the subdomain is not available.') + +self.clear_sssd_caches() +testgroup = 'subdomaintestgroup@%s' % self.ad_subdomain +result = self.legacy_client.run_command(['getent', 'group', testgroup]) + +testgroup_stdout = %s:\*:%s: % (testgroup, self.testuser_gid_regex) +assert re.search(testgroup_stdout, result.stdout_text) + +def test_id_subdomain_ad_user(self): +if not self.ad_subdomain: +raise nose.SkipTest('AD for the subdomain is not available.') + +self.clear_sssd_caches() +testuser = 'subdomaintestuser@%s' % self.ad_subdomain +testgroup =
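Review bot: test_getent_subdomain_ad_group builds testgroup_stdout from self.testuser_gid_regex, but the subdomain tests introduced here define and should use self.subdomain_testuser_gid_regex (as test_getent_subdomain_ad_user does two tests above); with the parent-domain gid regex the subdomain group test checks the wrong id range. The same unescaped :*: as in test_getent_ad_user appears in the subdomain passwd regex and needs the same :\*: fix. Each new test also repeats the same three-line SkipTest guard; a small helper that raises nose.SkipTest when self.ad_subdomain is unset would keep them readable.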