[Freeipa-devel] [PATCH] Certificate management with self-signed CA
Hi, Please review the attached patch. Thanks! The certificate_status_widget has been modified to check for the environment variable ra_plugin to determine the CA used by IPA server. If self-signed CA is used, some operations will not be available (e.g. checking certificate status, revoking/restoring certificate), so the corresponding interface will be hidden. Other operations such as creating new certificate and viewing certificate are still available. -- Endi S. Dewata From 8ad43d4ffc323316e1f2796396758ddc3c6b9b39 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 1 Dec 2010 21:46:38 -0600 Subject: [PATCH] Certificate management with self-signed CA The certificate_status_widget has been modified to check for the environment variable ra_plugin to determine the CA used by IPA server. If self-signed CA is used, some operations will not be available (e.g. checking certificate status, revoking/restoring certificate), so the corresponding interface will be hidden. Other operations such as creating new certificate and viewing certificate are still available. --- install/static/certificate.js | 69 +--- 1 files changed, 43 insertions(+), 26 deletions(-) diff --git a/install/static/certificate.js b/install/static/certificate.js index 449b8f173d28c652a1d5790a30d808e551e7be84..67f9b1b35ec63d490f4a014e1d29772af917897f 100755 --- a/install/static/certificate.js +++ b/install/static/certificate.js @@ -404,6 +404,10 @@ function certificate_status_widget(spec) { that.get_entity_principal = spec.get_entity_principal; that.get_entity_certificate = spec.get_entity_certificate; +that.is_selfsign = function() { +return IPA.env.ra_plugin == 'selfsign'; +}; + that.create = function(container) { that.widget_create(container); 
@@ -428,11 +432,13 @@ function certificate_status_widget(spec) { 'value': 'Get' }).appendTo(td); -$('', { -'type': 'button', -'name': 'revoke', -'value': 'Revoke' -}).appendTo(td); +if (!that.is_selfsign()) { +$('', { +'type': 'button', +'name': 'revoke', +'value': 'Revoke' +}).appendTo(td); +} $('', { 'type': 'button', @@ -440,27 +446,29 @@ function certificate_status_widget(spec) { 'value': 'View' }).appendTo(td); -tr = $('').appendTo(table); +if (!that.is_selfsign()) { +tr = $('').appendTo(table); -td = $('').appendTo(tr); -$('', { -'class': 'certificate-status-revoked' -}).appendTo(td); +td = $('').appendTo(tr); +$('', { +'class': 'certificate-status-revoked' +}).appendTo(td); -td = $('').appendTo(tr); -td.append('Certificate Revoked:'); +td = $('').appendTo(tr); +td.append('Certificate Revoked:'); -td = $('').appendTo(tr); -td.append($('', { -'name': 'revocation_reason' -})); -td.append(' '); +td = $('').appendTo(tr); +td.append($('', { +'name': 'revocation_reason' +})); +td.append(' '); -$('', { -'type': 'button', -'name': 'restore', -'value': 'Restore' -}).appendTo(td); +$('', { +'type': 'button', +'name': 'restore', +'value': 'Restore' +}).appendTo(td); +} tr = $('').appendTo(table); 
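Review bot: In the `@@ -440` hunk the revoked row, the `revocation_reason` element and the `restore` button are only created inside `if (!that.is_selfsign())`, so `that.revoked`, `that.revocation_reason` and `that.restore_button` will presumably be left undefined in the self-signed case, and any code that touches them without the same guard will throw (the `set_status` hunk adds a guard; other callers are outside this view). Evaluating the predicate once near the top of `that.create`, `var selfsign = that.is_selfsign();`, and branching on the local in both this hunk and `@@ -428` would make the single decision easier to follow and cheaper to audit. A comment on the guarded block, `// revocation UI is unavailable with the self-signed CA; these elements are not created`, would tell the next maintainer why the members may be missing. `that.create` continues past the end of the hunk.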
@@ -567,17 +575,26 @@ function certificate_status_widget(spec) { function set_status(status, revocation_reason) { that.valid.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_VALID); -that.revoked.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_REVOKED); that.missing.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_MISSING); that.get_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden'); -that.revoke_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden'); that.view_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden'); -that.revocation_reason.html(revocation_reason == undefined ? '' : CRL_REASON[revocation_reason]); -that.restore_button.css('visibility', revocation_reason == 6 ? 'visible' : 'hidden'); + +if (!that.is_selfsign()) { +that.revoked.toggleClass('certificate-status-active', status == CERTIFICATE_STATUS_REVOKED); +that.revoke_button.css('visibility', status == CERTIFICATE_STATUS_VALID ? 'visible' : 'hidden'); +that.revocation_reason.html(revocation_reason == undefined ? '' : CRL_REASON[revocation_reason]); +that.restore
[Freeipa-devel] [PATCH] UI for host managedby
Hi, Please review the attached patch. Thanks! A custom facet has been added to manage the host's managedby attribute. The facet defines the add and remove methods, the columns for the association table and enrollment dialog, and the link for the primary key column. -- Endi S. Dewata From 0cd0435af1678a693e405d22b3b5ccd814c526a8 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Wed, 1 Dec 2010 20:25:44 -0600 Subject: [PATCH] UI for host managedby A custom facet has been added to manage the host's managedby attribute. The facet defines the add and remove methods, the columns for the association table and enrollment dialog, and the link for the primary key column. --- install/static/host.js | 66 1 files changed, 66 insertions(+), 0 deletions(-) diff --git a/install/static/host.js b/install/static/host.js index 5cfceba5cc8fbbee8922a05a6f220141bac357bb..4f3a636ebe3169cea87dd59536d822015191b041 100644 --- a/install/static/host.js +++ b/install/static/host.js @@ -58,6 +58,13 @@ function ipa_host() { }); that.add_facet(facet); +facet = ipa_host_managedby_host_facet({ +'name': 'managedby_host', +'label': 'Managed by Hosts', +'other_entity': 'host' +}); +that.add_facet(facet); + that.create_association_facets(); that.entity_init(); 
@@ -412,3 +419,62 @@ function host_certificate_status_widget(spec) { return that; } + +function ipa_host_managedby_host_facet(spec) { + +spec = spec || {}; + +var that = ipa_association_facet(spec); + +that.add_method = 'add_managedby'; +that.delete_method = 'remove_managedby'; + +that.init = function() { + +var column = that.create_column({ +name: 'fqdn', +label: 'Name', +primary_key: true +}); + +column.setup = function(container, record) { +container.empty(); + +var value = record[column.name]; +value = value ? value.toString() : ''; + +$('', { +'href': '#'+value, +'html': value, +'click': function (value) { +return function() { +var state = IPA.tab_state(that.other_entity); +state[that.other_entity + '-facet'] = 'details'; +state[that.other_entity + '-pkey'] = value; +$.bbq.pushState(state); +return false; +} +}(value) +}).appendTo(container); +}; + +that.create_column({name: 'description', label: 'Description'}); + +that.create_adder_column({ +name: 'fqdn', +label: 'Name', +primary_key: true, +width: '100px' +}); + +that.create_adder_column({ +name: 'description', +label: 'Description', +width: '100px' +}); + +that.association_facet_init(); +}; + +return that; +} \ No newline at end of file -- 1.6.6.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
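Review bot: The link that `column.setup` builds for the `fqdn` column passes the record value in as markup, `'html': value`, so whatever the server returns for that field is parsed as HTML rather than shown literally; `'text': value` renders the same string as text and is the safe default for data that is not meant to be markup. The `'href': '#'+value` property uses the same value but as an attribute, so this is the only markup injection point in the hunk. The immediately-invoked wrapper around the click handler is correct but unusual enough to deserve a comment such as `// capture value for the click handler`. The file also ends without a trailing newline after this hunk.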
Re: [Freeipa-devel] [PATCH] Add new version of DNS plugin: complete rework with baseldap + unit tests.
On 11/24/2010 02:28 PM, Pavel Zůna wrote: On 2010-11-24 16:21, Adam Young wrote: On 11/24/2010 03:46 AM, Pavel Zuna wrote: On 11/24/2010 03:26 AM, Adam Young wrote: On 11/23/2010 09:37 AM, Pavel Zuna wrote: Finally managed to rewrite the DNS plugin again. Sorry, it took so long, we had training in the office and I also had a nasty bug in baseldap.py I couldn't find. Anyway, this version has it all: - changes we agreed on meeting, the "resource" abstraction is gone and we now only have zones and records = adding new record automatically updates and existing entry or creates it if it wasn't there and deleting the last record deletes the whole entry - all of it transparent to the user - unit tests - ipa help documentation Fixes tickets: #36 #450 I also closed bug #654412. It has a new patch sequence number, because it depends on another patch with a higher number and didn't want to create forward dependencies. Depends on my patches number: 35 (will repost if needed) 38 (posted a while ago on freeipa-devel) Pavel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel I keep getting an error when doing simple things like install and ipa help: [ayo...@ipa freeipa]$ ./ipa help dns2 ipa: ERROR: AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) Traceback (most recent call last): File "/home/ayoung/devel/freeipa/ipalib/cli.py", line 962, in run api.finalize() File "/home/ayoung/devel/freeipa/ipalib/plugable.py", line 615, in finalize p.instance.finalize() 
File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 724, in finalize self._create_param_namespace('args') File "/home/ayoung/devel/freeipa/ipalib/frontend.py", line 350, in _create_param_namespace sort=False File "/home/ayoung/devel/freeipa/ipalib/base.py", line 407, in __init__ (self.__class__.__name__, name, self.__map[name], member) AttributeError: cannot override NameSpace.idnsname value Str('idnsname', cli_name='name', doc=Gettext('Zone name (FQDN)', domain='ipa', localedir=None), label=Gettext('Zone name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=True) with Str('idnsname', attribute=True, cli_name='name', doc=Gettext('Record name', domain='ipa', localedir=None), label=Gettext('Record name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) ipa: ERROR: an internal error has occurred That's because you need my patch number 35 for it to work... Pavel OK, with that change, the patch applies and works. I've tested: creating a zone Creating an a record Adding an a record entry to an existing entry (calling ipa dnsrecord-add a second time with just a different ip address) Adding an record. Deleting one and multiple records One thing that is a little counter intuitive is that you have to specify which records to delete: just running ipa dnsrecord-del ayoung.test.ipa.redhat.com hiphop doesn't delete all records with the A name of hiphop. I think this is the right behavior, but it should be better documented. Ok, I'm going to add a few lines about it in the docstring (ipa help). Maybe we should have an option to delete all records associated with a resource name. For example when someone is deleting a host from DNS and wants all of its records gone. Have to hold off on pushing it due to F14: python-netaddr Isn't in F14, so we are adding a new python package with this plugin, too. 
Pavel ACK and pushed to master Note that I got an OK on the added dependency on python-netaddr. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Multicolumn enrollment dialog
Hi, Please review the attached patch. Thanks! https://fedorahosted.org/reviewboard/r/112/ The enrollment dialog has been modified to use scrollable tables that support multiple columns to display the search results and selected entries. The columns are specified by calling create_adder_column() on the association facet. By default the tables will use only one column which is to display the primary keys. The following enrollment dialogs have been modified to use multiple columns: - Group's member_user - Service's managedby_host - HBAC Service Group's member_hbacsvc - SUDO Command Group's member_sudocmd The ipa_association_table_widget's add() and remove() have been moved into ipa_association_facet so they can be customized by facet's subclass. The ipa_table's add_row() has been renamed to add_record(). Some old code has been removed from ipa_facet_create_action_panel(). The code was used to generate association links from a single facet. It's no longer needed because now each association has its own facet. The test data has been updated. The IPA.nested_tabs() has been fixed to return the entity itself if IPA.tab_set is not defined. This is needed to pass unit test. -- Endi S. Dewata From ef4210e6c4d93c2d2b6eebec89e030d26d9aa39c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata Date: Wed, 1 Dec 2010 14:51:39 -0600 Subject: [PATCH] Multicolumn enrollment dialog The enrollment dialog has been modified to use scrollable tables that supports multiple columns to display the search results and selected entries. The columns are specified by calling create_adder_column() on the association facet. By default the tables will use only one column which is to display the primary keys. The following enrollment dialogs have been modified to use multiple columns: - Group's member_user - Service's managedby_host - HBAC Service Group's member_hbacsvc - SUDO Command Group's member_sudocmd The ipa_association_table_widget's add() and remove() have been moved into ipa_association_facet so they can be customized by facet's subclass. The ipa_table's add_row() has been renamed to add_record(). Some old code has been removed from ipa_facet_create_action_panel(). The code was used to generate association links from a single facet. It's no longer needed because now each association has its own facet. The test data has been updated. The IPA.nested_tabs() has been fixed to return the entity itself if IPA.tab_set is not defined. This is needed to pass unit test. --- install/static/associate.js| 245 install/static/entity.js | 22 +-- install/static/group.js| 13 ++ install/static/hbac.js |2 +- install/static/hbacsvcgroup.js | 22 +++- install/static/ipa.css |2 +- install/static/rule.js |2 +- install/static/search.js |2 +- install/static/service.js | 13 ++ install/static/sudocmdgroup.js | 22 +++- install/static/test/data/hbacsvc_find.json | 29 +++- install/static/widget.js | 208 12 files changed, 388 insertions(+), 194 deletions(-) diff --git a/install/static/associate.js b/install/static/associate.js index fbd1c63c98bbff0186e9cb17de3148514fb1a02e..a6edf748f7dc9b54292f7b8b469ce624e0ad5f8e 100644 --- a/install/static/associate.js +++ b/install/static/associate.js 
@@ -152,9 +152,13 @@ function ipa_association_adder_dialog(spec) { var pkey_name = IPA.metadata[that.other_entity].primary_key; that.create_column({ name: pkey_name, -primary_key: true +label: IPA.metadata[that.other_entity].label, +primary_key: true, +width: '200px' }); } + +that.adder_dialog_init(); }; that.search = function() { @@ -170,7 +174,7 @@ function ipa_association_adder_dialog(spec) { } var filter = that.get_filter(); -ipa_cmd('find', [filter], {}, on_success, null, that.other_entity); +ipa_cmd('find', [filter], {'all': true}, on_success, null, that.other_entity); }; that.add = function() { @@ -252,13 +256,11 @@ function ipa_association_table_widget(spec) { that.facet = spec.facet; that.other_entity = spec.other_entity; -that.superior_create = that.superior('create'); +that.add = spec.add; +that.remove = spec.remove; that.create = function(container) { -that.member_attribute = ipa_get_member_attribute( -that.entity_name, that.other_entity); - if (!that.columns.length) { var pkey_name = IPA.metadata[that.other_entity].primary_key; @@ -290,7 +292,7 @@ function ipa_association_table_widget(spec) { }; } -that.superior_create(container); +that.table_create(container);
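Review bot: In the `@@ -252` hunk `that.add = spec.add;` and `that.remove = spec.remove;` take both handlers straight from `spec` with no fallback, so an `ipa_association_table_widget` created without them ends up with `add`/`remove` undefined and will throw when the corresponding buttons are used; the facet-provided implementations the cover note refers to are not visible here. Either document the contract at that point, `// spec.add and spec.remove are required; ipa_association_facet supplies them`, or keep a default for each. `ipa_association_table_widget` starts before the hunk, and the `@@ -290` hunk on this line is cut off at the end of the excerpt.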
Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions
On Wed, 01 Dec 2010 16:01:46 -0500 Rob Crittenden wrote: > Simo Sorce wrote: > > On Thu, 18 Nov 2010 23:11:51 -0500 > > Rob Crittenden wrote: > > > >> Re-implement access control using an updated model. > >> > >> The new model is based on permissions, privileges and roles. Most > >> importantly it corrects the reverse membership that caused problems > >> in the previous implementation. You add permission to privileges > >> and privileges to roles, not the other way around (even though it > >> works that way behind the scenes). > >> > >> A permission object is a combination of a simple group and an aci. > >> The linkage between the aci and the permission is the description > >> of the permission. This shows as the name/description of the aci. > >> > >> ldap:///self and groups granting groups (v1-style) are not > >> supported by this model (it will be provided separately). > >> > >> ticket 445 > >> > >> WARNING. The patch is humongous and changes a whole slew of stuff. > >> It patches cleanly against the master right now but it is quite > >> delicate so the sooner this is reviewed (without pushing anything > >> else) the better. > >> > >> The self-tests all pass for me as well as some spot checking. > >> > >> Also note that I currently define a single role and it has no > >> privileges. We will need to fill that in soon. > > > > > > Sorry Rob, but before I can ACK a change of this proportion in the > > Security model I want a wiki page with the model explained clearly > > and in detail. > > > > I am vetoing this patch until we have that. > > > > Note, I am *not* saying the patch is wrong, only that reviewing it > > w/o a reference model is basically impossible and it touches > > sensitive security stuff so I can't just let it pass hoping we got > > everything right. > > > > Simo. > > > > Adam found a bug when installing the DNS server. Updated patch > attached. Ack and pushed to master. 
I noticed a small glitch in the output of ipa role-add-privilege, it doesn't show the privilege just added, just the members. I think this can be addressed separately. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions
On 12/01/2010 05:51 PM, Rob Crittenden wrote: Adam Young wrote: On 12/01/2010 05:07 PM, Adam Young wrote: The attached patch is required on top of the changes, as the admin user no longer has any rolegroup, and thus would see the self service api. It should be pushed with this patch. posted the wrong version. This one checks for presence of the group admins. Ack rob Pushed to master. realized that this can be pushed as is. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 619 more aci target docs
Rob Crittenden wrote: I added some more documentation and examples to the aci plugin on targets. ticket 310 rob NACK Running behind with reviews, sorry. Just a few minor fixes: s/targetted/targeted/ s/"This is primarily meant to be able to allow users to add/remove members of a specific group only."/"This is primarily designed to enable users to add or remove members of a specific group." (I _think_ I understood that ok, and didn't change the meaning. Further, if this target is only designed for this purpose, you don't need "primarily". If it does something else, what is it?) I couldn't grok 100% the "subtree" target description. s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI is allowed to do, and are one or more of:" For consistency's sake, s/lets/allows/ etc. Also see below: allows members of the "addusers" taskgroup lets members of the editors... group? lets members of the admin group You might need to review the examples a bit. cheers -- David O'Brien Red Hat Asia Pacific Pty Ltd +61 7 3514 8189 "He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 624 clear up config-show --all
There were some missing labels in config-show --all, I've added them. I also moved the aci one level higher so it doesn't show (it was confusing). I've made the cert subject base read-only. This isn't something trivially changed. I'm leaving cn without a label, there isn't anything clever to add for it. rob >From 99222f2837a88e65f60e38906ba67d21e8d8b2f1 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 1 Dec 2010 17:48:41 -0500 Subject: [PATCH] Set labels on all attributes in the config object. Make the cert subject base read-only. This is here only so replicated servers know their base. ticket 466 --- install/share/default-aci.ldif |2 +- ipalib/plugins/config.py | 36 +++- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 4239227..d725cd5 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -18,7 +18,7 @@ changetype: modify add: aci aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;) -dn: cn=ipaConfig,cn=etc,$SUFFIX +dn: cn=etc,$SUFFIX changetype: modify add: aci aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index dd1b7be..04ca332 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py 
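Review bot: Changing the ACI's dn from `cn=ipaConfig,cn=etc,$SUFFIX` to `cn=etc,$SUFFIX` widens its scope from one entry to the whole `cn=etc` subtree, so the `(targetfilter = "(objectClass=ipaGuiConfig)")` clause is now the only thing limiting which entries admins can read and write through it; any future entry under `cn=etc` carrying that objectClass would be covered as well. That appears intended (the cover note says the aci was moved up so it no longer shows in `config-show`), but the reason belongs next to the new dn, e.g. `# placed on cn=etc rather than on the config entry so it is not returned by config-show; targetfilter limits it to ipaGuiConfig entries`. The granted rights (read, search, compare, write) are unchanged by this hunk.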
@@ -48,8 +48,19 @@ how many records may be returned on a given search. Server Configuration. --enable-migration=BOOL Enable migration mode - --subject=STR Base for certificate subjects (OU=Test,O=Example) + --pwdexpnotify=INT Password Expiration Notification (days) +The password notification value is stored here so it will be replicated. +It is not currently used to notify user's in advance of an expiring +password. + +Some attributes are read-only, provided for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plugin features: currently defines additional hashes that the + password will generate (there may be other conditions). """ from ipalib import api @@ -129,6 +140,29 @@ class config(LDAPObject): cli_name='subject', label=_('Certificate Subject base'), doc=_('Base for certificate subjects (OU=Test,O=Example)'), +flags=['no_update'], +), +List('ipagroupobjectclasses?', +cli_name='groupobjectclasses', +label=_('Default group objectclasses'), +doc=_('Default group objectclassses (comma-separated list)'), +), +List('ipauserobjectclasses?', +cli_name='userobjectclasses', +label=_('Default user objectclasses'), +doc=_('Default user objectclassses (comma-separated list)'), +), +Int('ipapwdexpadvnotify?', +cli_name='pwdexpnotify', +label=_('Password Expiration Notification'), +doc=_('Password Expiration Notification (days)'), +minvalue=0, +), +Str('ipaconfigstring?', +cli_name='ipaconfigstring', +label=_('Password plugin features'), +doc=_('Extra hashes to generate in password plugin'), +flags=['no_update'], ), ) -- 1.7.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
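Review bot: In the module docstring hunk, `It is not currently used to notify user's in advance of an expiring` should read `notify users in advance`; this text is what `ipa help config` prints, so the stray apostrophe is user-visible.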
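Review bot: The `doc` strings of the two new `List` parameters misspell the word: `doc=_('Default group objectclassses (comma-separated list)'),` and the matching user line should read `objectclasses`; these are translatable strings, so the typo would also land in the message catalog. The `flags=['no_update']` added to the certificate subject base and to `ipaconfigstring` matches the read-only intent stated in the cover note. The `config` class starts before the hunk.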
Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions
Adam Young wrote: On 12/01/2010 05:07 PM, Adam Young wrote: The attached patch is required on top of the changes, as the admin user no longer has any rolegroup, and thus would see the self service api. It should be pushed with this patch. posted the wrong version. THis one checks for presence of the group admins. Ack rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions
On 12/01/2010 05:07 PM, Adam Young wrote: The attached patch is required on top of the changes, as the admin user no longer has any rolegroup, and thus would see the self service api. It should be pushed with this patch. posted the wrong version. THis one checks for presence of the group admins. On 12/01/2010 04:01 PM, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 18 Nov 2010 23:11:51 -0500 Rob Crittenden wrote: Re-implement access control using an updated model. The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). ticket 445 WARNING. The patch is humongous and changes a whole slew of stuff. It patches cleanly against the master right now but it is quite delicate so the sooner this is reviewed (without pushing anything else) the better. The self-tests all pass for me as well as some spot checking. Also note that I currently define a single role and it has no privileges. We will need to fill that in soon. Sorry Rob, but before I can ACK a change of this proportion in the Security model I want a wiki page with the model explained clearly and in detail. I am vetoing this patch until we have that. Note, I am *not* saying the patch is wrong, only that reviewing it w/o a reference model is basically impossible and it touches sensitive security stuff so I can't just let it pass hoping we got everything right. Simo. Adam found a bug when installing the DNS server. Updated patch attached. 
rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From 3be524d64ec63556f49d00860a57509df2b1ad69 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 1 Dec 2010 16:44:44 -0500 Subject: [PATCH] admin determination extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins added check for group admins --- install/static/webui.js | 15 +-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/install/static/webui.js b/install/static/webui.js index f168474e5ab1fd19cf4a11501b2b4131f8878d67..757c39d0e7312b34b70812b3b2ba8311fbcd1bbe 100644 --- a/install/static/webui.js +++ b/install/static/webui.js @@ -92,9 +92,21 @@ IPA.tab_state = function(entity_name){ } } + + /* main (document onready event handler) */ $(function() { +function should_show_all_ui(){ +var whoami = IPA.whoami; + +if (whoami.hasOwnProperty('memberof_group') && +whoami.memberof_group.indexOf('admins') !== -1) return true; + +return whoami.hasOwnProperty('memberof_rolegroup') && +whoami.memberof_rolegroup.length > 0; +} + function init_on_win(data, text_status, xhr) { $(window).bind('hashchange', window_hashchange); @@ -112,8 +124,7 @@ $(function() { var navigation = $('#navigation'); -if (whoami.hasOwnProperty('memberof_rolegroup') && -whoami.memberof_rolegroup.length > 0){ +if (should_show_all_ui()){ IPA.tab_set = admin_tab_set; nav_create(admin_tab_set, navigation, 'tabs'); } else { -- 1.7.2.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
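Review bot: `should_show_all_ui` relies on `whoami.memberof_group.indexOf('admins') !== -1`, which is an exact membership test only when `memberof_group` is an array; if the server can ever return a single string, `indexOf` becomes a substring match and a group such as `nonadmins` would satisfy it — worth either a comment stating the array assumption or an `$.isArray(whoami.memberof_group)` check if that case can occur. The admin-versus-self-service choice made here is presentation only: the server-side ACIs still decide what the user may do, so a wrong guess surfaces failing tabs rather than extra access, which is the right failure mode. The hunk also adds two blank lines above the `/* main */` comment that carry no change.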
Re: [Freeipa-devel] [PATCH] 612 re-implimit permissions
The attached patch is required on top of the changes, as the admin user no longer has any rolegroup, and thus would see the self service api. It should be pushed with this patch. On 12/01/2010 04:01 PM, Rob Crittenden wrote: Simo Sorce wrote: On Thu, 18 Nov 2010 23:11:51 -0500 Rob Crittenden wrote: Re-implement access control using an updated model. The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). ticket 445 WARNING. The patch is humongous and changes a whole slew of stuff. It patches cleanly against the master right now but it is quite delicate so the sooner this is reviewed (without pushing anything else) the better. The self-tests all pass for me as well as some spot checking. Also note that I currently define a single role and it has no privileges. We will need to fill that in soon. Sorry Rob, but before I can ACK a change of this proportion in the Security model I want a wiki page with the model explained clearly and in detail. I am vetoing this patch until we have that. Note, I am *not* saying the patch is wrong, only that reviewing it w/o a reference model is basically impossible and it touches sensitive security stuff so I can't just let it pass hoping we got everything right. Simo. Adam found a bug when installing the DNS server. Updated patch attached. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel 
From a620d92d5b24d43aad12dddbef0932e9d49f0328 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 1 Dec 2010 16:44:44 -0500 Subject: [PATCH] admin determination extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins --- install/static/webui.js | 15 +-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/install/static/webui.js b/install/static/webui.js index f168474e5ab1fd19cf4a11501b2b4131f8878d67..1b9aa7c22a5780334b5cec31ab9162a488c0074c 100644 --- a/install/static/webui.js +++ b/install/static/webui.js @@ -92,9 +92,21 @@ IPA.tab_state = function(entity_name){ } } + + /* main (document onready event handler) */ $(function() { +function should_show_all_ui(){ +var whoami = IPA.whoami; + +if (whoami.hasOwnProperty('memberof_group') && +whoami.memberof_group !== undefined) return true; + +return whoami.hasOwnProperty('memberof_rolegroup') && +whoami.memberof_rolegroup.length > 0; +} + function init_on_win(data, text_status, xhr) { $(window).bind('hashchange', window_hashchange); @@ -112,8 +124,7 @@ $(function() { var navigation = $('#navigation'); -if (whoami.hasOwnProperty('memberof_rolegroup') && -whoami.memberof_rolegroup.length > 0){ +if (should_show_all_ui()){ IPA.tab_set = admin_tab_set; nav_create(admin_tab_set, navigation, 'tabs'); } else { -- 1.7.2.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] admiyo-0105-action-panel-sibling
On 11/30/2010 4:39 PM, Adam Young wrote: A note on this patch: I changed the labels on a couple of the entities for consistency's sake, including: Added 'HBAC' to the label for HBAC services Capitalized SUDO Removed the word Rule from the SUDO label Not sure if these will have any effect on the CLI. I suspect not, and that the QW team isn't writing tests for SUDO yet that makes use of the Label field. ACK and pushed to master. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 621 drop install/tools/README
On Tue, Nov 30, 2010 at 02:02:00PM -0500, Rob Crittenden wrote: > The README in install/tools is really for v1 and contains almost > nothing useful for v2 so I'm proposing to drop it altogether. > > I'm also adding a link to the QuickStart guide on the trac wiki. The > guide itself needs a lot of work but its a start. > > rob Ack ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make the migration plugin more configurable
On Wed, Nov 24, 2010 at 04:54:19PM -0500, Rob Crittenden wrote: > Jakub Hrozek wrote: > >-BEGIN PGP SIGNED MESSAGE- > >Hash: SHA1 > > > >On 11/22/2010 04:21 PM, Jakub Hrozek wrote: > >>On 11/22/2010 04:16 PM, Jakub Hrozek wrote: > >>>The code handles it (I just ran a quick test with --schema=RFC2307bis). > >> > >>>It just iterates through all members of a group -- be it user member of > >>>group member, it's just a DN for the plugin. > >> > >>> Jakub > >> > >>Sorry, I found another bug in the plugin. I'll send a new patch shortly, > >>so please don't waste time reviewing this one. > > > >New patch is attached. It fixes two more bugs of the original plugin - > >determines whether a group member is a user or a nested group by > >checking the DN, not just the RDN attribute name and does not hardcode > >primary keys. > > Will this blow up in convert_members_rfc2307bis() if a member isn't > contained in the users and groups containers? Should there be a > failsafe to skip over things that don't match (along with > appropriate reporting)? It wouldn't blow up but add the original DN into the member attribute which is probably worse. Thanks for catching this. I modified the patch to log all migrated users and groups with info() and skip those that don't match any of the containers while logging these entries with error(). > Or if one of users or groups search bases > isn't provided? > If one of them isn't provided, a default would be used. > It definitely doesn't like this: > # ipa migrate-ds --user-container='' > --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389 > > When passed the right set of options it does seem to do the right thing. > Sorry, but I don't quite understand the "--user-container=''" switch. Does it mean the users are rooted at the Base DN? Can you post the error or relevant log info? Please note that the default objectclass is person. >From 1b0f43c4449bd26ffe6c57a594f3eaf367cda2c4 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Tue, 26 Oct 2010 16:10:42 -0400 Subject: [PATCH] Make the migration plugin more configurable This patch adds new options to the migration plugin: * the option to fine-tune the objectclass of users or groups being imported * the option to select the LDAP schema (RFC2307 or RFC2307bis) Also makes the logic that decides whether an entry is a nested group or user (for RFC2307bis) smarter by looking at the DNS. Does not hardcode primary keys for migrated entries. https://fedorahosted.org/freeipa/ticket/429 --- ipalib/plugins/migration.py | 136 ++- 1 files changed, 108 insertions(+), 28 deletions(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6dc9934..213c0ee 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -26,9 +26,10 @@ Example: Migrate users and groups from DS to IPA import logging import re +import ldap as _ldap from ipalib import api, errors, output -from ipalib import Command, List, Password, Str, Flag +from ipalib import Command, List, Password, Str, Flag, StrEnum from ipalib.cli import to_cli if api.env.in_server and api.env.context in ['lite', 'server']: try: @@ -44,8 +45,10 @@ from ipalib.text import Gettext # FIXME: remove once the other Gettext FIXME is _krb_err_msg = _('Kerberos principal %s already exists. Use \'ipa user-mod\' to set it manually.') _grp_err_msg = _('Failed to add user to the default group. Use \'ipa group-add-member\' to add manually.') +_supported_schemas = (u'RFC2307bis', u'RFC2307') -def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): + +def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): # get default primary group for new users if 'def_group_dn' not in ctx: def_group = config.get('ipadefaultprimarygroup') 
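Review bot: `import ldap as _ldap` is added unconditionally at the top of the module, whereas the existing server-side imports a few lines below are guarded by `if api.env.in_server and api.env.context in ['lite', 'server']:` inside a try block, which suggests this module is also loaded in contexts where python-ldap may not be installed (the CLI client). If that is the case, the new import should sit under the same guard or be performed lazily in the callback that needs `_ldap.dn.str2dn`, e.g. `try: import ldap as _ldap` / `except ImportError: _ldap = None` with a check before use. The second hunk on this line, which adds `**kwargs` to `_pre_migrate_user` and the `_supported_schemas` tuple, raises nothing on its own; the body of `_pre_migrate_user` continues outside the hunk.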
@@ -90,37 +93,80 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): # GROUP MIGRATION CALLBACKS AND VARS -def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx): -def convert_members(member_attr, overwrite=False): +def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): +def convert_members_rfc2307bis(member_attr, search_bases, overwrite=False): """ Convert DNs in member attributes to work in IPA. """ new_members = [] entry_attrs.setdefault(member_attr, []) for m in entry_attrs[member_attr]: -col = m.find(',') -if col == -1: +try: +# what str2dn returns looks like [[('cn', 'foo', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]] +rdn = _ldap.dn.str2dn(m ,flags=_ldap.DN_FORMAT_LDAPV3)[0] +rdnval = rdn[0][1] +except IndexError: +api.log.error('Malformed DN %s has no RDN?' % m) +continue + +if m.lower().endswith(search_bases['