Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 08/12/2015 02:20 PM, Jan Cholasta wrote:
> On 12.8.2015 12:22, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.
>>
>> Honza
>
> Fixed broken user_show on preserved user. Updated patch attached.

Pushed to:
master: 391ccabb9f0629b3d172d31cdab9067e4bd4e5dd
ipa-4-2: cd81727d6243de2c613afec6dd0bf9a41c724354

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170. Honza -- Jan Cholasta From 852dd8cd7c518c3c1ae7248cbd39811594e5b6d7 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 12 Aug 2015 11:03:40 +0200 Subject: [PATCH] ULC: Prevent preserved users from being assigned membership https://fedorahosted.org/freeipa/ticket/5170 --- ipalib/plugins/user.py | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 8599392..83354a4 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -342,7 +342,7 @@ class user(baseuser): ), ) -def get_dn(self, *keys, **options): +def get_either_dn(self, *keys, **options): ''' Returns the DN of a user The user can be active (active container) or delete (delete container) @@ -351,7 +351,7 @@ class user(baseuser): ldap = self.backend # Check that this value is a Active user try: -active_dn = super(user, self).get_dn(*keys, **options) +active_dn = self.get_dn(*keys, **options) ldap.get_entry(active_dn, ['dn']) # The Active user exists @@ -402,7 +402,7 @@ class user_add(baseuser_add): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -assert isinstance(dn, DN) +dn = self.obj.get_either_dn(*keys, **options) if not options.get('noprivate', False): try: # The Managed Entries plugin will allow a user to be created @@ -599,7 +599,7 @@ class user_del(baseuser_del): return super(user_del, self).forward(*keys, **options) def pre_callback(self, ldap, dn, *keys, **options): -assert isinstance(dn, DN) +dn = self.obj.get_either_dn(*keys, **options) # For User life Cycle: user-del is a common plugin # command to delete active user (active container) and 
@@ -625,7 +625,7 @@ class user_del(baseuser_del): def execute(self, *keys, **options): -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) # We are going to permanent delete or the user is already in the delete container. delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn) @@ -644,7 +644,7 @@ class user_del(baseuser_del): ldap = self.obj.backend # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9').. -active_dn = self.obj.get_dn(*keys, **options) +active_dn = self.obj.get_either_dn(*keys, **options) superior_dn = DN(self.obj.delete_container_dn, api.env.basedn) delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn) self.log.debug(preserve move %s - %s % (active_dn, delete_dn)) @@ -701,6 +701,7 @@ class user_mod(baseuser_mod): has_output_params = baseuser_mod.has_output_params + user_output_params def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +dn = self.obj.get_either_dn(*keys, **options) self.pre_common_callback(ldap, dn, entry_attrs, **options) validate_nsaccountlock(entry_attrs) return dn @@ -778,6 +779,7 @@ class user_show(baseuser_show): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +dn = self.obj.get_either_dn(*keys, **options) convert_nsaccountlock(entry_attrs) self.post_common_callback(ldap, dn, entry_attrs, **options) self.obj.get_preserved_attribute(entry_attrs, options) @@ -813,7 +815,7 @@ class user_undel(LDAPQuery): ldap = self.obj.backend # First check that the user exists and is a delete one -delete_dn = self.obj.get_dn(*keys, **options) +delete_dn = self.obj.get_either_dn(*keys, **options) if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)): raise errors.ValidationError( name=self.obj.primary_key.cli_name, 
@@ -860,7 +862,7 @@ class user_disable(LDAPQuery): check_protected_member(keys[-1]) -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) ldap.deactivate_entry(dn) return dict( @@ -880,7 +882,7 @@ class user_enable(LDAPQuery): def execute(self, *keys, **options): ldap = self.obj.backend -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) ldap.activate_entry(dn) @@ -904,7 +906,7 @@ class user_unlock(LDAPQuery): msg_summary = _('Unlocked account %(value)s') def execute(self, *keys, **options): -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) entry = self.obj.backend.get_entry( dn,
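Review bot: in the user_show hunk, the new `dn = self.obj.get_either_dn(*keys, **options)` line sits in post_callback, which only runs after the framework has already fetched the entry with the plain get_dn result, and after this patch get_dn resolves the active container only; for a preserved user that fetch fails before post_callback is reached, so the reassignment there never takes effect. Resolve the DN in a pre_callback and return it, the way the user_add, user_del and user_mod hunks in this same patch do, so the retrieve itself uses the delete-container DN when the user is preserved.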
Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 12.8.2015 12:22, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170. Honza Fixed broken user_show on preserved user. Updated patch attached. -- Jan Cholasta From dc4c4f940d97fa62396cb122672b436ee3176230 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 12 Aug 2015 11:03:40 +0200 Subject: [PATCH] ULC: Prevent preserved users from being assigned membership https://fedorahosted.org/freeipa/ticket/5170 --- ipalib/plugins/user.py | 31 ++- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 8599392..4ea770e 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -342,7 +342,7 @@ class user(baseuser): ), ) -def get_dn(self, *keys, **options): +def get_either_dn(self, *keys, **options): ''' Returns the DN of a user The user can be active (active container) or delete (delete container) @@ -351,7 +351,7 @@ class user(baseuser): ldap = self.backend # Check that this value is a Active user try: -active_dn = super(user, self).get_dn(*keys, **options) +active_dn = self.get_dn(*keys, **options) ldap.get_entry(active_dn, ['dn']) # The Active user exists @@ -402,7 +402,7 @@ class user_add(baseuser_add): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -assert isinstance(dn, DN) +dn = self.obj.get_either_dn(*keys, **options) if not options.get('noprivate', False): try: # The Managed Entries plugin will allow a user to be created @@ -599,7 +599,7 @@ class user_del(baseuser_del): return super(user_del, self).forward(*keys, **options) def pre_callback(self, ldap, dn, *keys, **options): -assert isinstance(dn, DN) +dn = self.obj.get_either_dn(*keys, **options) # For User life Cycle: user-del is a common plugin # command to delete active user (active container) and 
@@ -625,7 +625,7 @@ class user_del(baseuser_del): def execute(self, *keys, **options): -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) # We are going to permanent delete or the user is already in the delete container. delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn) @@ -644,7 +644,7 @@ class user_del(baseuser_del): ldap = self.obj.backend # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9').. -active_dn = self.obj.get_dn(*keys, **options) +active_dn = self.obj.get_either_dn(*keys, **options) superior_dn = DN(self.obj.delete_container_dn, api.env.basedn) delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn) self.log.debug(preserve move %s - %s % (active_dn, delete_dn)) @@ -701,6 +701,7 @@ class user_mod(baseuser_mod): has_output_params = baseuser_mod.has_output_params + user_output_params def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): +dn = self.obj.get_either_dn(*keys, **options) self.pre_common_callback(ldap, dn, entry_attrs, **options) validate_nsaccountlock(entry_attrs) return dn @@ -777,6 +778,10 @@ class user_show(baseuser_show): ), ) +def pre_callback(self, ldap, dn, attrs_list, *keys, **options): +dn = self.obj.get_either_dn(*keys, **options) +return dn + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): convert_nsaccountlock(entry_attrs) self.post_common_callback(ldap, dn, entry_attrs, **options) @@ -813,7 +818,7 @@ class user_undel(LDAPQuery): ldap = self.obj.backend # First check that the user exists and is a delete one -delete_dn = self.obj.get_dn(*keys, **options) +delete_dn = self.obj.get_either_dn(*keys, **options) if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)): raise errors.ValidationError( name=self.obj.primary_key.cli_name, 
@@ -860,7 +865,7 @@ class user_disable(LDAPQuery): check_protected_member(keys[-1]) -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) ldap.deactivate_entry(dn) return dict( @@ -880,7 +885,7 @@ class user_enable(LDAPQuery): def execute(self, *keys, **options): ldap = self.obj.backend -dn = self.obj.get_dn(*keys, **options) +dn = self.obj.get_either_dn(*keys, **options) ldap.activate_entry(dn) @@ -904,7 +909,7 @@ class user_unlock(LDAPQuery): msg_summary = _('Unlocked account %(value)s') def execute(self, *keys, **options): -dn =
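Review bot: in the user_add hunk, `dn = self.obj.get_either_dn(*keys, **options)` makes the add resolve against the delete container whenever a preserved entry with the same uid exists, and the get_either_dn hunk does not show (and its docstring does not say) what is returned when neither an active nor a preserved entry exists, which is the normal case for user-add. The docstring should state the no-match return value, since user_add now depends on it, and if a preserved entry of the same name is meant to block the add, an explicit check with a clear error at this point would make that intent visible. Also, dropping `assert isinstance(dn, DN)` in the user_add and user_del pre_callbacks loses a cheap type check; keeping the assert after the reassignment costs nothing.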
Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership
On 12/08/15 12:22, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.
>
> Honza

Works for me, ACK.

-- 
David Kupka
[Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange for me though and I am not sure if this is intended. I assume there may be other issue in updater or python-ldap. -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From 231fe6997dffe5f9045c26a74dc5a2082e07a10d Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 27 Jun 2014 13:04:03 +0200 Subject: [PATCH] Fix objectClass casing in LDIF to prevent schema update error When a new objectclass was defined as objectclass and not objectClass, it made the schema updater skip some objectclasses. https://fedorahosted.org/freeipa/ticket/4405 --- install/share/60basev3.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 6282dc16af108dfa3c392cdbbb5a54bf78915406..7c2599ceff0a60eb3fcb2f68fde3561a6ed41c1c 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -66,4 +66,4 @@ dn: objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' ) -objectclasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v3') +objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v3') -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
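Review bot: the hunk corrects the single `objectclasses:` line in 60basev3.ldif, but the problem the commit message describes, the schema updater skipping a definition whose attribute-type name is spelled in a different case, is left in place; LDAP attribute type names are case-insensitive, so any other lowercase spelling in the shipped LDIF files or in a future update would again be silently skipped during upgrade and leave the schema incomplete. Suggest following this with a case-insensitive comparison in the updater or in python-ldap, wherever the comparison is done, and a test that runs every schema LDIF through the updater so a skipped objectClass fails loudly instead of being discovered after the 3.3.5 to 4.0 upgrade.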
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 05:41 AM, Martin Kosek wrote:
> When a new objectclass was defined as objectclass and not objectClass, it
> made the schema updater skip some objectclasses.
>
> https://fedorahosted.org/freeipa/ticket/4405
> ---
> This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange
> for me though and I am not sure if this is intended. I assume there may be
> other issues in the updater or python-ldap.

ack, although the ldap updater code should be changed - attribute types
should be case insensitive.
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 03:41 PM, Rich Megginson wrote:
> On 06/27/2014 05:41 AM, Martin Kosek wrote:
>> When a new objectclass was defined as objectclass and not objectClass, it
>> made the schema updater skip some objectclasses.
>>
>> https://fedorahosted.org/freeipa/ticket/4405
>> ---
>> This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange
>> for me though and I am not sure if this is intended. I assume there may be
>> other issues in the updater or python-ldap.
>
> ack, although the ldap updater code should be changed - attribute types
> should be case insensitive.

Yup, python-ldap bug: https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Already fixed in master, or whatever CVS has.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 471 Fix objectClass casing in LDIF to prevent schema update error
On 06/27/2014 04:26 PM, Petr Viktorin wrote:
> On 06/27/2014 03:41 PM, Rich Megginson wrote:
>> On 06/27/2014 05:41 AM, Martin Kosek wrote:
>>> When a new objectclass was defined as objectclass and not objectClass, it
>>> made the schema updater skip some objectclasses.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4405
>>> ---
>>> This fixed the 3.3.5 - 4.0 upgrade for me. The root cause is quite strange
>>> for me though and I am not sure if this is intended. I assume there may be
>>> other issues in the updater or python-ldap.
>>
>> ack, although the ldap updater code should be changed - attribute types
>> should be case insensitive.
>
> Yup, python-ldap bug: https://bugzilla.redhat.com/show_bug.cgi?id=1007820
> Already fixed in master, or whatever CVS has.

Good, so it is tracked and will (hopefully) get to Fedora eventually.

Pushed to master as per Rich's ack.

Thanks,
Martin
[Freeipa-devel] [PATCH] 471
Ack
[Freeipa-devel] [PATCH] 471 crypto cleanup
Drop our x509v3 asn.1 parser and use the new capabilities of python-nss.
Include a lot more information when returning a certificate.

I'm including an API change here too. I'm renaming cert-get to cert-show to be more consistent with other plugins. I don't know of any external apps that use cert-get so we should be ok there.

rob

Attachment: freeipa-471-cert.patch (application/mbox)