Sysaccounts#104
Open
abbra wants to merge 55 commits into
Open
Conversation
Reviewer's Guide by SourceryThis pull request introduces the concept of system accounts, which are LDAP accounts for applications to query the LDAP database. It also adds API commands to manage these accounts, including add, delete, find, show, enable, and disable. No diagrams generated as the changes look simple and do not need a visual representation. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey @abbra - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- The ACI configuration allows modification of the
userpasswordattribute, which could be a security risk if not properly controlled. (link)
Overall Comments:
- Consider adding tests to verify the behavior of the new sysaccount commands.
- Ensure that the new sysaccount commands are properly integrated into the IPA CLI.
Here's what I looked at during the review
- 🟡 General issues: 3 issues found
- 🔴 Security: 1 blocking issue
- 🟢 Testing: all looks good
- 🟡 Complexity: 1 issue found
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| 'account', 'simplesecurityobject' | ||
| ] | ||
| possible_objectclasses = ['ipaallowedoperations', 'nsmemberof'] | ||
| permission_filter_objectclasses = ['simplesecuretyobject'] |
There was a problem hiding this comment.
suggestion (typo): Typo in the permission_filter_objectclasses value.
The value 'simplesecuretyobject' appears to be a typo. It should likely be 'simplesecurityobject' to match the object_class defined and the intended LDAP schema.
Suggested change
| permission_filter_objectclasses = ['simplesecuretyobject'] | |
| permission_filter_objectclasses = ['simplesecurityobject'] |
Comment on lines
+160
to
+164
| def populate_krbcanonicalname(self, entry_attrs, options): | ||
| if options.get('raw', False): | ||
| return | ||
| entry_attrs.setdefault( | ||
| 'krbcanonicalname', entry_attrs['krbprincipalname']) |
There was a problem hiding this comment.
suggestion (bug_risk): Potential risk for KeyError in populate_krbcanonicalname.
If 'krbprincipalname' might be absent in entry_attrs, using entry_attrs.get('krbprincipalname', '') could help avoid an unexpected KeyError when calling setdefault.
Suggested change
| def populate_krbcanonicalname(self, entry_attrs, options): | |
| if options.get('raw', False): | |
| return | |
| entry_attrs.setdefault( | |
| 'krbcanonicalname', entry_attrs['krbprincipalname']) | |
| def populate_krbcanonicalname(self, entry_attrs, options): | |
| if options.get('raw', False): | |
| return | |
| entry_attrs.setdefault( | |
| 'krbcanonicalname', entry_attrs.get('krbprincipalname', '')) |
| dn: dc=ipa,dc=example | ||
| aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) | ||
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetfilter = "(objectclass=simplesecuretyobject)")(version 3.0;acl "permission:System: Add System Accounts";allow (add) groupdn = "ldap:///cn=System: Add System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) |
There was a problem hiding this comment.
issue (typo): Typo: "simplesecuretyobject" should be "simplesecurityobject".
Suggested implementation:
aci: (targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Add System Accounts";allow (add) groupdn = "ldap:///cn=System: Add System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Modify System Accounts";allow (write) groupdn = "ldap:///cn=System: Modify System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "createtimestamp || entryusn || memberof || modifytimestamp || objectclass || uid")(targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Read System Accounts";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Remove System Accounts";allow (delete) groupdn = "ldap:///cn=System: Remove System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
Owner
Author
|
@sourcery-ai review |
There was a problem hiding this comment.
Hey @abbra - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- The ACI contains the
userpasswordattribute, which is a secret. (link)
Overall Comments:
- Consider adding a test case that attempts to delete one of the required system accounts to ensure the appropriate error is raised.
- The sysaccount object class list seems incomplete - are 'ipaobject' and 'top' missing?
Here's what I looked at during the review
- 🟡 General issues: 1 issue found
- 🔴 Security: 1 blocking issue
- 🟢 Testing: all looks good
- 🟡 Complexity: 1 issue found
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
|
||
| self.obj.get_password_attributes(ldap, dn, entry_attrs) | ||
| ldap.deactivate_entry(dn) | ||
| if entry_attrs['has_keytab']: |
There was a problem hiding this comment.
suggestion (bug_risk): Safeguard access to 'has_keytab'.
To avoid potential KeyErrors, consider using entry_attrs.get('has_keytab', False) in case the attribute is missing in some entries.
Suggested change
| if entry_attrs['has_keytab']: | |
| if entry_attrs.get('has_keytab', False): |
| true_rdn, key, parent_dn | ||
| ) | ||
|
|
||
| def get_primary_key_from_dn(self, dn): |
There was a problem hiding this comment.
issue (complexity): Consider refactoring get_primary_key_from_dn and extracting the inline sort_key function in sysaccount_find to reduce nesting and improve clarity, without altering functionality or introducing new logic.
Consider simplifying some nested blocks to reduce cognitive overhead. For example, refactor `get_primary_key_from_dn` by extracting a helper function:
# Before
def get_primary_key_from_dn(self, dn):
assert isinstance(dn, DN)
try:
entry_attrs = self.backend.get_entry(dn, [self.primary_key.name])
try:
return entry_attrs[self.primary_key.name][0]
except (KeyError, IndexError):
return ''
except errors.NotFound:
pass
try:
return dn['krbprincipalname']
except KeyError:
return str(dn)
# After
def _get_entry_primary_key(self, dn):
try:
entry_attrs = self.backend.get_entry(dn, [self.primary_key.name])
return entry_attrs.get(self.primary_key.name, [None])[0]
except errors.NotFound:
return None
def get_primary_key_from_dn(self, dn):
assert isinstance(dn, DN)
primary = self._get_entry_primary_key(dn)
if primary:
return primary
return dn.get('krbprincipalname', str(dn))Similarly, for the inline sort_key function in sysaccount_find, extract it to improve clarity:
# Before inside post_callback:
def sort_key(x):
if 'krbcanonicalname' in x:
return x['krbcanonicalname'][0]
else:
return x['krbprincipalname'][0]
entries.sort(key=sort_key)
# After extracting:
def _extract_sort_key(entry):
# Prefer krbcanonicalname; fallback to krbprincipalname; default to empty string.
attr = entry.get('krbcanonicalname') or entry.get('krbprincipalname') or ['']
return attr[0]
# then in post_callback:
entries.sort(key=_extract_sort_key)These changes keep functionality intact while reducing nesting and duplication.
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Add System Accounts";allow (add) groupdn = "ldap:///cn=System: Add System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) | ||
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetattr = "userpassword")(targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Modify System Accounts";allow (write) groupdn = "ldap:///cn=System: Modify System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) |
There was a problem hiding this comment.
🚨 issue (security): The ACI contains the userpassword attribute, which is a secret.
| from ipalib import output | ||
| from ipapython.dn import DN | ||
|
|
||
| __doc__ = _(""" |
There was a problem hiding this comment.
issue (code-quality): Don't assign to builtin variable \_\_doc\_\_ (avoid-builtin-shadow)
Explanation
Python has a number ofbuiltin variables: functions and constants thatform a part of the language, such as
list, getattr, and type(See https://docs.python.org/3/library/functions.html).
It is valid, in the language, to re-bind such variables:
list = [1, 2, 3]However, this is considered poor practice.
- It will confuse other developers.
- It will confuse syntax highlighters and linters.
- It means you can no longer use that builtin for its original purpose.
How can you solve this?
Rename the variable something more specific, such as integers.
In a pinch, my_list and similar names are colloquially-recognized
placeholders.
Owner
Author
|
@sourcery-ai review |
There was a problem hiding this comment.
Hey @abbra - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- The ACI contains the
userpasswordattribute, which is a secret. (link)
Overall Comments:
- Consider adding a comment to explain why the jitter window is being adjusted for anonymous PKINIT requests.
- The new sysaccount plugin introduces a lot of code - can you extract some common functionality into a shared module?
Here's what I looked at during the review
- 🟡 General issues: 1 issue found
- 🔴 Security: 1 blocking issue
- 🟢 Testing: all looks good
- 🟡 Complexity: 1 issue found
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Comment on lines
+283
to
+288
| ldap.deactivate_entry(dn) | ||
| if entry_attrs['has_keytab']: | ||
| ldap.remove_principal_key(dn) | ||
| done_work = True | ||
|
|
||
| if not done_work: |
There was a problem hiding this comment.
issue (bug_risk): Revisit the disable logic when keytab is absent.
In sysaccount_disable, deactivating the entry is performed regardless, but done_work is only set if a keytab removal happens. As a result, an account without a keytab may be deactivated yet still trigger an AlreadyInactive error. Please verify if this behavior is intended or if the logic should also treat a deactivated entry without keytab removal as successfully disabled.
| true_rdn, key, parent_dn | ||
| ) | ||
|
|
||
| def get_primary_key_from_dn(self, dn): |
There was a problem hiding this comment.
issue (complexity): Consider extracting helper methods to simplify nested error handling and improve code maintainability by flattening the control flow and separating concerns, for example, in get_primary_key_from_dn and sysaccount_find.post_callback methods, which will improve readability and maintainability without altering the functionality.
Consider extracting helper methods to simplify the nested error‐handling in methods like get_primary_key_from_dn. For example, you could extract the attribute extraction logic into its own helper function and then use early returns. This keeps responsibilities separate and flattens the control flow. One approach:
def _get_attr_value(self, entry_attrs, attr):
"""Return first value of attribute or None if missing."""
try:
return entry_attrs[attr][0]
except (KeyError, IndexError):
return None
def get_primary_key_from_dn(self, dn):
"""Refactored: tries fetching primary key from LDAP entry then falls back."""
try:
entry_attrs = self.backend.get_entry(dn, [self.primary_key.name])
primary = self._get_attr_value(entry_attrs, self.primary_key.name)
if primary is not None:
return primary
except errors.NotFound:
pass
# Fallback to krbprincipalname or DN string representation
return dn.get('krbprincipalname', str(dn))Similarly, if other methods (like sysaccount_find.post_callback) mix sorting, error handling, and formatting logic, consider extracting the sort key logic:
def _sort_key(self, entry):
return entry.get('krbcanonicalname', entry.get('krbprincipalname'))[0]
def post_callback(self, ldap, entries, truncated, *args, **options):
entries.sort(key=self._sort_key)
if options.get('pkey_only', False):
return truncated
for entry_attrs in entries:
# Process each entry using a dedicated helper if needed.
self._finalize_entry(ldap, entry_attrs)
return truncatedThis separates concerns and flattens nested structures, improving maintainability while keeping functionality intact.
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Add System Accounts";allow (add) groupdn = "ldap:///cn=System: Add System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) | ||
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetattr = "userpassword")(targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Modify System Accounts";allow (write) groupdn = "ldap:///cn=System: Modify System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) |
There was a problem hiding this comment.
🚨 issue (security): The ACI contains the userpassword attribute, which is a secret.
| from ipalib import output | ||
| from ipapython.dn import DN | ||
|
|
||
| __doc__ = _(""" |
There was a problem hiding this comment.
issue (code-quality): Don't assign to builtin variable \_\_doc\_\_ (avoid-builtin-shadow)
Explanation
Python has a number ofbuiltin variables: functions and constants thatform a part of the language, such as
list, getattr, and type(See https://docs.python.org/3/library/functions.html).
It is valid, in the language, to re-bind such variables:
list = [1, 2, 3]However, this is considered poor practice.
- It will confuse other developers.
- It will confuse syntax highlighters and linters.
- It means you can no longer use that builtin for its original purpose.
How can you solve this?
Rename the variable something more specific, such as integers.
In a pinch, my_list and similar names are colloquially-recognized
placeholders.
Owner
Author
|
@sourcery-ai review |
There was a problem hiding this comment.
Hey @abbra - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- The ACI contains the attribute
userpassword, which is often used to store passwords. Please ensure that this is intentional and that appropriate security measures are in place. (link)
Overall Comments:
- The sysaccount object should have a description to explain its purpose.
- Consider adding a test suite to verify the functionality of the new sysaccount API.
Here's what I looked at during the review
- 🟢 General issues: all looks good
- 🔴 Security: 1 blocking issue
- 🟢 Testing: all looks good
- 🟡 Complexity: 1 issue found
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| attribute. If the attribute is not found, assume old-style entry which | ||
| should have only single value of krbprincipalname and return it. | ||
|
|
||
| Otherwise return input DN. |
There was a problem hiding this comment.
issue (complexity): Consider refactoring duplicated code into helper functions to improve readability and maintainability, such as extracting the try/except block in get_primary_key_from_dn and the sorting logic in sysaccount_find into separate functions .
Consider extracting common patterns into helper functions/modules to reduce duplication and nesting. For example, you can refactor the nested try/except logic from get_primary_key_from_dn into a dedicated function. You can also extract the inline sorting function from the post_callback method into a standalone helper.
Example for refactoring get_primary_key_from_dn:
def resolve_primary_key(backend, primary_key, dn):
try:
entry_attrs = backend.get_entry(dn, [primary_key.name])
return entry_attrs.get(primary_key.name, [''])[0]
except (errors.NotFound, KeyError, IndexError):
pass
return dn.get('krbprincipalname', str(dn))Then update your method as:
def get_primary_key_from_dn(self, dn):
assert isinstance(dn, DN)
return resolve_primary_key(self.backend, self.primary_key, dn)Example for refactoring the inline sort key in sysaccount_find:
def sort_by_canonical_or_principal(entry):
if 'krbcanonicalname' in entry:
return entry['krbcanonicalname'][0]
return entry['krbprincipalname'][0]
# In the post_callback:
entries.sort(key=sort_by_canonical_or_principal)By isolating repeated logic, you improve readability and maintainability while keeping the existing functionality unchanged.
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Add System Accounts";allow (add) groupdn = "ldap:///cn=System: Add System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) | ||
| dn: cn=sysaccounts,cn=etc,dc=ipa,dc=example | ||
| aci: (targetattr = "userpassword")(targetfilter = "(objectclass=simplesecurityobject)")(version 3.0;acl "permission:System: Modify System Accounts";allow (write) groupdn = "ldap:///cn=System: Modify System Accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) |
There was a problem hiding this comment.
🚨 issue (security): The ACI contains the attribute userpassword, which is often used to store passwords. Please ensure that this is intentional and that appropriate security measures are in place.
| from ipalib import output | ||
| from ipapython.dn import DN | ||
|
|
||
| __doc__ = _(""" |
There was a problem hiding this comment.
issue (code-quality): Don't assign to builtin variable \_\_doc\_\_ (avoid-builtin-shadow)
Explanation
Python has a number ofbuiltin variables: functions and constants thatform a part of the language, such as
list, getattr, and type(See https://docs.python.org/3/library/functions.html).
It is valid, in the language, to re-bind such variables:
list = [1, 2, 3]However, this is considered poor practice.
- It will confuse other developers.
- It will confuse syntax highlighters and linters.
- It means you can no longer use that builtin for its original purpose.
How can you solve this?
Rename the variable something more specific, such as integers.
In a pinch, my_list and similar names are colloquially-recognized
placeholders.
abbra
force-pushed
the
sysaccounts
branch
2 times, most recently
from
8189074 to
a504d83
Compare
abbra
force-pushed
the
sysaccounts
branch
2 times, most recently
from
8fab406 to
51b4bea
Compare
… contains slash characters Fixes: https://pagure.io/freeipa/issue/8924 Signed-off-by: Sam Morris <sam@robots.org.uk> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
abbra
force-pushed
the
sysaccounts
branch
14 times, most recently
from
fee6397 to
4b1d23a
Compare
We already have libpwquality plumbed in. The ask here was to support the quality credits as well. There are four credits: digits, uppers, lowers and others These either count complexity towards satisfying the minimum length or set the minimum number of a type allowed. If any of the four credits is configured then it will cause the password policy plugin to go through the libpwquality. Reminder that libpwquality sets its own min password length floor that should be overridden already. If min_classes is set as well then that is still enforced. Fixes: https://pagure.io/freeipa/issue/9835 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: David Hanina <dhanina@redhat.com>
- Tests to cover both root domain and subdomain users: - Test that adding AD users/groups without the external group to HBAC rules fails. - Test HBAC rule denies SSH access for AD users. - Test HBAC rule allows SSH access for AD users in external group. - Test HBAC rule denies sudo access for AD users when rule doesn't include them. - Test HBAC rule allows sudo access for AD users in external group. Related : https://pagure.io/freeipa/issue/9845 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
abbra
force-pushed
the
sysaccounts
branch
2 times, most recently
from
a81a43c to
fb65681
Compare
…icy without certs and including --no-dnssec-validation 2. Relaxed policy with external CA and including --no-dnssec-validation Automated with Cursor+Claude Related: https://issues.redhat.com/browse/IDM-2894 Signed-off-by: PRANAV THUBE <pthube@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Antonio Torres <antorres@redhat.com>
This repalces the straight string parsing from IPAv3.0.0. It should be much more robust and result in a valid configuration file when complete. aug.save() will assure that as it will raise an error otherwise. This will handle the following cases: * db_library = ipadb.so : do nothing * db_library is missing, set to ipadb.so * db_library is something else, replace wih ipadb.so Fixes: https://pagure.io/freeipa/issue/9862 Related: https://pagure.io/freeipa/issue/5913 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
It's required to install git for copr, so we can fetch the webui submodule. Updates webui to use clean-install, updates dependencies and replaces SWC with Babel for build due to being architecture agnostic. Signed-off-by: David Hanina <dhanina@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9744 Signed-off-by: Aleksandr Sharov <asharov@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: David Hanina <dhanina@redhat.com>
abbra
force-pushed
the
sysaccounts
branch
2 times, most recently
from
d60634e to
f37a69f
Compare
Fedora 42 now ships PKI 11.7.0-5 and certmonger 0.79.21-1. Update the vagrant image to 0.0.9 in order to pull the new versions. Related: IDM-3437 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This reverts commit db188b9. PKI 11.7.0-3 in fedora 42 fixes the issue with subca cert issuance. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The error message returned by ipa ca-show has changed with PKI 11.7. Adapt the test to succeed with old and new versions. Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test moves the date in the future, performs checks and in the teardown method uninstalls and moves the date back to the current time. It often fails in the teardown part because certmonger is in the process of renewing the expired certificates. Apply the same strategy as other tests fiddling with the date: stop certmonger and remove the tracking requests before uninstallation. Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test is unstable because of PKI ticket 4677 Mark as xfail for now. Related: dogtagpki/pki#4677 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to generate the private key for a a LWCA (subca) on an HSM the name of the subca needs to be the HSM token name : name_of_subca, e.g. ipa_token:test. This works fine now without any code changes but it requires that admins always remember to include the prefix which is unlikely (everyone makes mistakes). So do it for them if an HSM is present and a token is not provided. We only support one token at a time in IPA so for now this is sufficient. One can also mix-and-match including the token and not. For example you can run: $ ipa ca-add test --subject cn=test $ ipa ca-show ipa_token:test It shouldn't be an issue if a lwca name contains a colon. Fixes: https://pagure.io/freeipa/issue/9865 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
There seem to be a difference between API notes in different files: some contain CRLF, some LF only, and also some empty lines are present while they should not be there. Normalize the remaining API docs. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: David Hanina <dhanina@redhat.com>
Collation should be the same for API files or we will end up with differences between development environments. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: David Hanina <dhanina@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: David Hanina <dhanina@redhat.com>
This reverts commit b94848c. Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The Modrdn plugin doesn't check whether the operation it processes is replicated. This results in duplicate operations on each replica, for example, when deleting a saved user. To fix this behavior, a check was added to the Modrdn plugin that the operation is not replicated. Fixes: https://pagure.io/freeipa/issue/9867 Signed-off-by: vectinx <vectinx@yandex.ru> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fedora 43 is now available, switch azure CI to this version. Fixes: IDM-3231 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
The command launching autogen.sh ends with \ and on fedora 43 this causes a build failure checking build system type... Invalid configuration '\': machine '\-unknown' not recognized configure: error: /bin/sh ./config.sub \ failed Remove the trailing \ Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Instead of using chromium from the distribution, use the browser provided with Pupeteer and disbale the sandbox Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Add new attribute, SysAcctManagersDNs, to store list of DNs allowed to reset user passwords without forcing the users to change them afterwards. This list will differ from the use of PassSyncManagersDNs by the fact that password policy checks will still apply to those password changes. Fixes: https://pagure.io/freeipa/issue/9842 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Introduce support for LDAP-based system accounts by adding a dedicated
sysaccount plugin with full CLI commands, extending role membership to
include system accounts, and providing warnings for passsync
configuration updates across servers, along with corresponding
documentation and tests.
New Features:
Implement system accounts LDAP object with CLI commands for add,
delete, modify, find, show, enable, and disable.
Enhancements:
Extend role and baseldap plugins to support sysaccount membership
and manage passsync managers with a ServerSysacctMgrUpdateRequired
warning.
Documentation:
Add a design document for system accounts and regenerate API docs
for sysaccount commands and role membership.
Tests:
Update existing role and service plugin tests to cover sysaccount
membership.
Fixes: https://pagure.io/freeipa/issue/9842
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
The integration test was created with the help of claude.ai by providing the following prompt: >> given the design document in doc/designs/sysaccounts.md, write an >> integration test for sysaccounts module Fixes: https://pagure.io/freeipa/issue/9842 Assisted-by: Claude <noreply@anthropic.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by Sourcery
This pull request introduces the concept of system accounts, which are LDAP accounts for applications that do not support Kerberos authentication. It also includes API commands to manage these accounts.
New Features: