freeipa.git, branch master FreeIPA project Fix problems in help system 2011-10-20T22:25:27+00:00 Rob Crittenden rcritten@redhat.com 2011-10-18T17:32:36+00:00 f098b213eb3d2e8e5d47689a226f81a0d1b35262 Fixes 3 issues: - If a topic has all its commands disabled, it should be disabled - If a command is disabled its help should be disabled - The show-mappings help was missing a doc string so no help was displayed https://fedorahosted.org/freeipa/ticket/1998 
Fixes 3 issues:

- If a topic has all its commands disabled, it should be disabled
- If a command is disabled its help should be disabled
- The show-mappings help was missing a doc string so no help was displayed

https://fedorahosted.org/freeipa/ticket/1998
Ticket 1201 - Unable to Download Certificate with Browser 2011-10-21T15:29:47+00:00 John Dennis jdennis@redhat.com 2011-10-18T22:19:25+00:00 9a039acb224ab3dd6c739f141233000b50c28e6f Certificates are passed through the IPA XML-RPC and JSON as binary data in DER X509 format. Queries peformed against the LDAP server also return binary DER X509 format. In all cases the binary DER data is base-64 encoded. PEM is standard text format for certificates. It also uses base64 to encode the binary DER data, but had specific formatting requirements. The base64 data must be wrapped inside PEM delimiters and the base64 data must be line wrapped at 64 characters. Most external software which accepts certificates as input will only accept DER or PEM format (e.g. openssl & NSS). Although base64 is closely related to PEM it is not PEM unless the PEM delimters are present and the base64 data is line wrapped at 64 characters. We already convert binary DER certificates which have been passed as base64 in other parts of the IPA code. However this conversion has not been available in the web UI. When the web UI presented certificates it did so by filling a dialog box with a single line of base64 data. A user could not copy this data and use it as input to openssl or NSS for example. We resolve this problem by introducing new javascript functions in certificate.js. IPA.cert.pem_cert_format(text) will examine the text input and if it's already in PEM format just return it unmodified, otherwise it will line wrap the base64 data and add the PEM delimiters. Thus it is safe to call on either a previously formated PEM cert or a binary DER cert encoded as base64. This applies to pem_csr_format() as well for CSR's. Because pem_cert_format() is safe to call on either format the web UI will see the use of the flag add_pem_delimiters was eliminated except in the one case where the IPA.cert.download_dialog() was being abused to display PKCS12 binary data (pkcs12 is neither a cert nor a cert request). Because of the abuse of the cert.download_dialog() for pkcs12 it was necessary to retain the flag which in effect said "do not treat the data as PEM". Modify the CSR (Certificate Signing Request) dialog box to accept a PEM formatted CSR. Remove the artifical PEM delimiters above and below the dialog box which were used to suggest the input needed to be sans the delimiters. The dialog box continues to accept bare base64 thus allowing either text format. Also note this solves the display of certificate data in the UI without touching anything existing code in the server or command line, thus it's isolated. 
Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.

PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.

Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl & NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.

We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.

We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.

Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said "do
not treat the data as PEM".

Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input needed to be sans
the delimiters. The dialog box continues to accept bare base64 thus
allowing either text format.

Also note this solves the display of certificate data in the UI
without touching anything existing code in the server or command line,
thus it's isolated.
hbactest fails while you have svcgroup in hbacrule 2011-10-20T21:23:21+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-10-16T21:23:26+00:00 c9ef39918abc41f0f68c4e6c1b4495fb0a4c976b https://fedorahosted.org/freeipa/ticket/1988 
https://fedorahosted.org/freeipa/ticket/1988
Fix client krb5 domain mapping and DNS 2011-10-21T12:53:12+00:00 Martin Kosek mkosek@redhat.com 2011-10-21T09:18:26+00:00 bb6e720393d9060bfcc0161853b94b0d5f15a2d5 Add Kerberos mapping for clients outside of server domain. Otherwise certmonger had problems issuing the certificate. Also make sure that client DNS records on the server are set before certmonger is started and certificate is requested. Based on Lars Sjostrom patch. https://fedorahosted.org/freeipa/ticket/2006 
Add Kerberos mapping for clients outside of server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and certificate is requested.

Based on Lars Sjostrom patch.

https://fedorahosted.org/freeipa/ticket/2006
Fixing infinite loop in UI navigation unit test. 2011-10-20T15:13:58+00:00 Petr Vobornik pvoborni@redhat.com 2011-10-20T14:37:48+00:00 40f9f52a76907960edc293a84c1af281f674ecad https://fedorahosted.org/freeipa/ticket/1531 It's a fix for regression introduced by previous patch. 
https://fedorahosted.org/freeipa/ticket/1531

It's a fix for regression introduced by previous patch.
Fixed dependency problem in UI test. 2011-10-20T14:17:10+00:00 Endi S. Dewata edewata@redhat.com 2011-10-20T14:12:14+00:00 24cedc41541d140e3a7571499e1944b5beae56e4 






Fixed: Duplicate CSS definitions
2011-10-19T12:44:44+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-11T07:42:35+00:00

1dda03120e5873d231072468c5637c4718656ed3

https://fedorahosted.org/freeipa/ticket/1565

The ipa.css, ipa_error.css and ipa_migration.css contain some duplicate definitions which cause maintenance problems.

Additional changes:
* fixed whitespaces in ipa.css
* unified headings in config pages





https://fedorahosted.org/freeipa/ticket/1565

The ipa.css, ipa_error.css and ipa_migration.css contain some duplicate definitions which cause maintenance problems.

Additional changes:
* fixed whitespaces in ipa.css
* unified headings in config pages







Circular entity dependency
2011-10-18T18:19:06+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-10T11:34:15+00:00

27ea90792fb06e7e62f81c352936232ee10894ff

https://fedorahosted.org/freeipa/ticket/1531

Each entity is created together with its dependent objects (e.g. facets and dialog boxes). This causes a circular dependency problem because some of the objects need to obtain a reference to another entity that has not been created.

Currently this is handled by storing only the other entity name and resolve it when needed (e.g. during rendering stage). In IPA.search_facet this delays the creation of the table widget, making it more difficult to customize.

One solution is to do the object creation in 2 steps:

 * create all entity objects only
 * create the dependent objects in each entity

Implemented solution:
 * all entities are created on application start
 * dependant objects (facets and dialogs) are created at once on their first use in entity.





https://fedorahosted.org/freeipa/ticket/1531

Each entity is created together with its dependent objects (e.g. facets and dialog boxes). This causes a circular dependency problem because some of the objects need to obtain a reference to another entity that has not been created.

Currently this is handled by storing only the other entity name and resolve it when needed (e.g. during rendering stage). In IPA.search_facet this delays the creation of the table widget, making it more difficult to customize.

One solution is to do the object creation in 2 steps:

 * create all entity objects only
 * create the dependent objects in each entity

Implemented solution:
 * all entities are created on application start
 * dependant objects (facets and dialogs) are created at once on their first use in entity.







Fixed: Unable to add external user for RunAs User for Sudo rules
2011-10-17T16:01:16+00:00

Petr Vobornik
pvoborni@redhat.com

2011-10-17T09:48:03+00:00

1e5391422143c17a94008a0703099c5f877e46fd

https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.





https://fedorahosted.org/freeipa/ticket/1987

There is no way to add root or any external user as a RunAs User for a Sudo
Rule.







Improve hostgroup/netgroup collision checks
2011-10-17T15:09:46+00:00

Martin Kosek
mkosek@redhat.com

2011-10-17T12:26:13+00:00

99d938152fbef41f2d48d4088e5ba39bc820e9de

When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.

This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.

https://fedorahosted.org/freeipa/ticket/1914





When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.

This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.

https://fedorahosted.org/freeipa/ticket/1914