Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 08/12/2015 02:20 PM, Jan Cholasta wrote: On 12.8.2015 12:22, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170. Honza Fixed broken user_show on preserved user. Updated patch attached. Pushed to: master: 391ccabb9f0629b3d172d31cdab9067e4bd4e5dd ipa-4-2: cd81727d6243de2c613afec6dd0bf9a41c724354 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
Hi,
the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.
Honza
--
Jan Cholasta
From 852dd8cd7c518c3c1ae7248cbd39811594e5b6d7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 12 Aug 2015 11:03:40 +0200
Subject: [PATCH] ULC: Prevent preserved users from being assigned membership
https://fedorahosted.org/freeipa/ticket/5170
---
ipalib/plugins/user.py | 28 +++-
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 8599392..83354a4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -342,7 +342,7 @@ class user(baseuser):
),
)
-def get_dn(self, *keys, **options):
+def get_either_dn(self, *keys, **options):
'''
Returns the DN of a user
The user can be active (active container) or delete (delete container)
@@ -351,7 +351,7 @@ class user(baseuser):
ldap = self.backend
# Check that this value is a Active user
try:
-active_dn = super(user, self).get_dn(*keys, **options)
+active_dn = self.get_dn(*keys, **options)
ldap.get_entry(active_dn, ['dn'])
# The Active user exists
@@ -402,7 +402,7 @@ class user_add(baseuser_add):
)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
if not options.get('noprivate', False):
try:
# The Managed Entries plugin will allow a user to be created
@@ -599,7 +599,7 @@ class user_del(baseuser_del):
return super(user_del, self).forward(*keys, **options)
def pre_callback(self, ldap, dn, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
# For User life Cycle: user-del is a common plugin
# command to delete active user (active container) and
@@ -625,7 +625,7 @@ class user_del(baseuser_del):
def execute(self, *keys, **options):
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
@@ -644,7 +644,7 @@ class user_del(baseuser_del):
ldap = self.obj.backend
# need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
-active_dn = self.obj.get_dn(*keys, **options)
+active_dn = self.obj.get_either_dn(*keys, **options)
superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
self.log.debug(preserve move %s - %s % (active_dn, delete_dn))
@@ -701,6 +701,7 @@ class user_mod(baseuser_mod):
has_output_params = baseuser_mod.has_output_params + user_output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
self.pre_common_callback(ldap, dn, entry_attrs, **options)
validate_nsaccountlock(entry_attrs)
return dn
@@ -778,6 +779,7 @@ class user_show(baseuser_show):
)
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
convert_nsaccountlock(entry_attrs)
self.post_common_callback(ldap, dn, entry_attrs, **options)
self.obj.get_preserved_attribute(entry_attrs, options)
@@ -813,7 +815,7 @@ class user_undel(LDAPQuery):
ldap = self.obj.backend
# First check that the user exists and is a delete one
-delete_dn = self.obj.get_dn(*keys, **options)
+delete_dn = self.obj.get_either_dn(*keys, **options)
if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)):
raise errors.ValidationError(
name=self.obj.primary_key.cli_name,
@@ -860,7 +862,7 @@ class user_disable(LDAPQuery):
check_protected_member(keys[-1])
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
ldap.deactivate_entry(dn)
return dict(
@@ -880,7 +882,7 @@ class user_enable(LDAPQuery):
def execute(self, *keys, **options):
ldap = self.obj.backend
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
ldap.activate_entry(dn)
@@ -904,7 +906,7 @@ class user_unlock(LDAPQuery):
msg_summary = _('Unlocked account %(value)s')
def execute(self, *keys, **options):
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
entry = self.obj.backend.get_entry(
dn,
Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 12.8.2015 12:22, Jan Cholasta wrote:
Hi,
the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.
Honza
Fixed broken user_show on preserved user. Updated patch attached.
--
Jan Cholasta
From dc4c4f940d97fa62396cb122672b436ee3176230 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 12 Aug 2015 11:03:40 +0200
Subject: [PATCH] ULC: Prevent preserved users from being assigned membership
https://fedorahosted.org/freeipa/ticket/5170
---
ipalib/plugins/user.py | 31 ++-
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 8599392..4ea770e 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -342,7 +342,7 @@ class user(baseuser):
),
)
-def get_dn(self, *keys, **options):
+def get_either_dn(self, *keys, **options):
'''
Returns the DN of a user
The user can be active (active container) or delete (delete container)
@@ -351,7 +351,7 @@ class user(baseuser):
ldap = self.backend
# Check that this value is a Active user
try:
-active_dn = super(user, self).get_dn(*keys, **options)
+active_dn = self.get_dn(*keys, **options)
ldap.get_entry(active_dn, ['dn'])
# The Active user exists
@@ -402,7 +402,7 @@ class user_add(baseuser_add):
)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
if not options.get('noprivate', False):
try:
# The Managed Entries plugin will allow a user to be created
@@ -599,7 +599,7 @@ class user_del(baseuser_del):
return super(user_del, self).forward(*keys, **options)
def pre_callback(self, ldap, dn, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
# For User life Cycle: user-del is a common plugin
# command to delete active user (active container) and
@@ -625,7 +625,7 @@ class user_del(baseuser_del):
def execute(self, *keys, **options):
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
# We are going to permanent delete or the user is already in the delete container.
delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
@@ -644,7 +644,7 @@ class user_del(baseuser_del):
ldap = self.obj.backend
# need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
-active_dn = self.obj.get_dn(*keys, **options)
+active_dn = self.obj.get_either_dn(*keys, **options)
superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
self.log.debug(preserve move %s - %s % (active_dn, delete_dn))
@@ -701,6 +701,7 @@ class user_mod(baseuser_mod):
has_output_params = baseuser_mod.has_output_params + user_output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
self.pre_common_callback(ldap, dn, entry_attrs, **options)
validate_nsaccountlock(entry_attrs)
return dn
@@ -777,6 +778,10 @@ class user_show(baseuser_show):
),
)
+def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
+return dn
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.post_common_callback(ldap, dn, entry_attrs, **options)
@@ -813,7 +818,7 @@ class user_undel(LDAPQuery):
ldap = self.obj.backend
# First check that the user exists and is a delete one
-delete_dn = self.obj.get_dn(*keys, **options)
+delete_dn = self.obj.get_either_dn(*keys, **options)
if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)):
raise errors.ValidationError(
name=self.obj.primary_key.cli_name,
@@ -860,7 +865,7 @@ class user_disable(LDAPQuery):
check_protected_member(keys[-1])
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
ldap.deactivate_entry(dn)
return dict(
@@ -880,7 +885,7 @@ class user_enable(LDAPQuery):
def execute(self, *keys, **options):
ldap = self.obj.backend
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
ldap.activate_entry(dn)
@@ -904,7 +909,7 @@ class user_unlock(LDAPQuery):
msg_summary = _('Unlocked account %(value)s')
def execute(self, *keys, **options):
-dn =
Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 12/08/15 12:22, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170. Honza Works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange for me though and I am not sure if this is intended. I assume there may be other issue in updater or python-ldap. -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From 231fe6997dffe5f9045c26a74dc5a2082e07a10d Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 27 Jun 2014 13:04:03 +0200 Subject: [PATCH] Fix objectClass casing in LDIF to prevent schema update error When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- install/share/60basev3.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 6282dc16af108dfa3c392cdbbb5a54bf78915406..7c2599ceff0a60eb3fcb2f68fde3561a6ed41c1c 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -66,4 +66,4 @@ dn: objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' ) -objectclasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v3') +objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v3') -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 05:41 AM, Martin Kosek wrote: When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange for me though and I am not sure if this is intended. I assume there may be other issue in updater or python-ldap. ack, although the ldap updater code should be changed - attribute types should be case insensitive. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 03:41 PM, Rich Megginson wrote: On 06/27/2014 05:41 AM, Martin Kosek wrote: When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange for me though and I am not sure if this is intended. I assume there may be other issue in updater or python-ldap. ack, although the ldap updater code should be changed - attribute types should be case insensitive. Yup, python-ldap bug: https://bugzilla.redhat.com/show_bug.cgi?id=1007820 Already fixed in master, or whatever CVS has. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 04:26 PM, Petr Viktorin wrote: On 06/27/2014 03:41 PM, Rich Megginson wrote: On 06/27/2014 05:41 AM, Martin Kosek wrote: When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange for me though and I am not sure if this is intended. I assume there may be other issue in updater or python-ldap. ack, although the ldap updater code should be changed - attribute types should be case insensitive. Yup, python-ldap bug: https://bugzilla.redhat.com/show_bug.cgi?id=1007820 Already fixed in master, or whatever CVS has. Good, so it is tracked and will (hopefully) get to Fedora eventually. Pushed to master as per Rich's ack. Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 471
Ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 471 crypto cleanup
Drop our x509v3 asn.1 parser and use the new capabilities of python-nss. Include a lot more information when returning a certificate. I'm including an API change here too. I'm renaming cert-get to cert-show to be more consistent with other plugins. I don't know of any external apps that use cert-get so we should be ok there. rob freeipa-471-cert.patch Description: application/mbox ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
