| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
| |
Notification of success was added to:
* details facet: update
* association facet and association widget: add, delete items
* attribute facet: delete items (notification of add should be handled in entity adder dialog)
* sudo rule: add, remove option
* dnsrecord: add, update, delete
https://fedorahosted.org/freeipa/ticket/2977
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When a permission is edited, and Type switched, the attributes selected for
previous Type are still selected, and update fails, if they are invalid for the
new Type. But it should get deselected or not even listed if Type changes.
Fix:
When Type is changed, attribute list is refreshed and still applicable attributes
are chosen. If Type is reverted back, previously chosen attributes are back as chosen.
If attributes are extended outside Web UI by not listed attr, this attr is listed at
the list end.
Note:
If user makes change in attribute list before type change, this change is forgotten.
https://fedorahosted.org/freeipa/ticket/2617
|
|
|
|
|
|
| |
Search in HBAC test wasn't working because expired flag wasn't set.
https://fedorahosted.org/freeipa/ticket/2931
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current objectclass updates in a form of "replace" update instruction
dependent on exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as object class definition can easily differ as for
example because of unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.
When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.
One objectclass update instruction was changed to do a replace of
an objectclass separately from add update instruction so that we
really only replace what's stored in LDAP.
https://fedorahosted.org/freeipa/ticket/2440
|
|
|
|
|
|
|
|
|
| |
If match_entry == NULL all principals should be iterated.
Additionally this patch adds a check in ipadb_filter_escape() to make
sure that the input is not NULL.
Fixes: https://fedorahosted.org/freeipa/ticket/3011
|
|
|
|
|
|
|
|
|
|
| |
Generalize the fix_replica_memberof update plugin to allow updating more
replication attributes.
Add nsds5ReplicaStripAttrs to replication agreements on update and
replica install.
https://fedorahosted.org/freeipa/ticket/2534
|
|
|
|
|
|
|
|
| |
Password policies in pwpolicy-find are now sorted in the expected
numerical manner. Also tweaks one of the unit tests so that it
tests this behaviour.
https://fedorahosted.org/freeipa/ticket/3039
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Under certain circumstances, replica installation may fail in
"enable GSSAPI for replication" step when it cannot sync LDAP service
principals. There is often not much we can do as Directory Server
may be in an unrecoverable state but we should at least wait longer
before we give up.
A function checking replication status was also fixed to give more
accurate results by properly comparing start/end time of the
replication process and returning an error message to calling
function. This error message is then returned to user if do not
manage to get the LDAP service principals to give him a pointer
to the actual issue.
https://fedorahosted.org/freeipa/ticket/2950
|
|
|
|
|
|
|
| |
Remove the debug argument to synconce_ntp since we always want the logs
to be verbose.
https://fedorahosted.org/freeipa/ticket/3048
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2953
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.
In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.
Use ScriptError instead of NotFoundError in bindinstance install.
https://fedorahosted.org/freeipa/ticket/1953
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.
* Moved the code in del_user to the common subroutine
check_protected_member() and call it from both user_del and
user_disable. Note, unlike user_del user_disable does not have a
'pre' callback therefore the check function is called in
user_disable's execute routine.
* Make check_protected_member() aware of disabled members. It's not
sufficient to check which members of the protected group are
present, one must only consider those members which are enabled.
* Add tests to test_user_plugin.py.
- verify you cannot delete nor disable the last member of the admin
group
- verify when the admin group contains disabled users in addition to
enabled users only the enabled users are considered when
determining if the last admin is about to be disabled or deleted.
* Replace duplicated hardcoded values in the tests with variables or
subroutines, this makes the individual tests a bit more succinct and
easier to copy/modify.
* Update error msg to reflect either deleting or disabling is an error.
https://fedorahosted.org/freeipa/ticket/2979
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The manager LDAP attribute is a dn pointing inside the user
container. When passed on the command it is typically a bare user
uid. The search filter will only succeed if the bare uid is converted
to a full dn because that is what is stored in the value for the
manager attribute.
The search failure is solved by calling _normalize_manager() which
does the conversion to a dn (if not already a dn).
It feels like this type of conversion should be performed in the pre
callback which allows one to modify the filter. But when the pre
callback is invoked it's complex string with the manager attribute
already inserted. This is because the LDAPSearch.execute() method
processes the options dict and constructs a filter component for each
key/value in the options dict prior to invoking the pre callback. If
we wanted to modify the manager value in the filter in the pre
callback we would have to decompose the filter string, perform dn
checking and then reassemble the filter. It's much cleaner to perform
the dn operations on the manager value before it gets embedded into
what otherwise might be a very complex filter. This is the reason why
the normalization is perfored in the execute method as opposed to the
pre callback. Other classes do similar things in their execute methods
as opposed to their callbacks's, selinuxusermap_find is one example.
Patch also introduces new unit test to verify.
https://fedorahosted.org/freeipa/ticket/2264
|
|
|
|
|
|
|
| |
Both commands now produce the same output regarding
the attributelevelrights.
https://fedorahosted.org/freeipa/ticket/2875
|
|
|
|
|
|
|
|
| |
This patch adds option to disable sorting when paging. It allowed to enable paging in password policy with order of items untouched (they are sorted on server side by priority).
Also fixing issue when paging is disabled and command summary = null. It displayed 'null' in facet footer.
https://fedorahosted.org/freeipa/ticket/2677
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User was not notified about success of actions executed from action list, action panel or facet cotrol bar.
This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation).
This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked.
This call is used(directly or indirectly) in:
* search facets: delete, disable, enable actions
* details facets: delete action
* user details facet: reset password action
* host details facet: unprovision, set OTP actions
* service details facet: unprovision action
* host and service details facet: request, revoke, restore certificates actions
* group details facet: change to POSIX/external actions
* dns zone details facet: add/remove permission actions
https://fedorahosted.org/freeipa/ticket/2977
|
|
|
|
|
|
| |
Web UI itself wasn't negatively affected.
https://fedorahosted.org/freeipa/ticket/2897
|
|
|
|
|
|
|
|
| |
Move of click handler in patch for #2834 causes failure of automation tests.
This patch reverts the problematic part. It should not affect function of fix for #2824.
https://fedorahosted.org/freeipa/ticket/3014
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3001
|
|
|
|
| |
Update list of active developers working on IPA.
|
|
|
|
|
|
|
| |
Command ipa host-del with --updatedns now can deal both with hosts
which zones are in FQDN form with or without a trailing dot.
https://fedorahosted.org/freeipa/ticket/2809
|
|
|
|
|
|
|
|
|
|
|
|
| |
Even though managedBy output parameter was only used for failed host
managedBy memberships, it was defined in global baseldap.py
classes. Incorrect label was then being displayed also for DNS zone
per-zone permission attribute with the same name.
Move managedBy output parameter to host plugin. Define proper managedBy
output parameter in DNS plugin to improve clarity of this attribute.
https://fedorahosted.org/freeipa/ticket/2946
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2850 - Ipactl exception not handled well
There were various places in ipactl which intialized IpactlError with
None as the msg. If you called str() on that exception all was well
because ScriptError.__str__() converted a msg with None to the empty
string (IpactlError is subclassed from ScriptError). But a few places
directly access e.msg which will be None if initialized that way. It's
hard to tell from the stack traces but I'm pretty sure it's those
places which use e.msg directly which will cause the problems seen in
the bug report.
I do not believe it is ever correct to initialize an exception message
to None, I don't even understand what that means. On the other hand
initializing to the empty string is sensible and for that matter is
the default for the class.
This patch makes two fixes:
1) The ScriptError initializer will now convert a msg parameter of
None to the empty string.
2) All places that initialized IpactlError's msg parameter to None
removed the None initializer allowing the msg parameter to default
to the empty string.
I don't know how to test the fix for Ticket #2850 because it's not
clear how it got into that state in the first place, but I do believe
initialing the msg value to None is clearly wrong and should fix the
problem.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2805
|
|
|
|
|
|
|
|
|
| |
The credentials of the admin user will be used to obtain Kerberos ticket before
configuring cross-realm trusts support and afterwards, to ensure that the
ticket contains MS-PAC information required to actually add a trust with Active
Directory domain via 'ipa trust-add --type=ad' command.
https://fedorahosted.org/freeipa/ticket/2852
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because the attrs & values in DN's, RDN's and AVA's are comparison case-
insensitive the hash value between two objects which compare as equal but
differ in case must also yield the same hash value. This is critical when
these objects are used as a dict key or in a set because dicts and sets
use the object's __hash__ value in conjunction with the objects __eq__
method to lookup the object.
The defect is the DN, RDN & AVA objects computed their hash from the case-
preserving string representation thus two otherwise equal objects
incorrectly yielded different hash values.
The problem manifests itself when one of these objects is used as a key in
a dict, for example a dn.
dn1 = DN(('cn', 'Bob'))
dn2 = DN(('cn', 'bob'))
dn1 == dn2 --> True
hash(dn1) == hash(dn2) --> False
d = {}
d[dn1] = x
d[dn2] = y
len(d) --> 2
The patch fixes the above by lower casing the string representation of
the object prior to computing it's hash.
The patch also corrects a spelling mistake and a bogus return value in
ldapupdate.py which happened to be discovered while researching this
bug.
|
|
|
|
|
| |
Dependency on samba4-winbind has been added to the package
freeipa-server-trust-ad.
|
|
|
|
|
|
| |
ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute,
Part 2 of https://fedorahosted.org/freeipa/ticket/3016
|
|
|
|
|
|
|
| |
With this change ipasam is able to ask for ipaNTHash generation and if
corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash.
Part 1 of https://fedorahosted.org/freeipa/ticket/3016
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.
ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.
With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.
https://fedorahosted.org/freeipa/ticket/3009
|
|
|
|
|
| |
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
|
|
|
|
|
|
|
|
|
|
|
| |
Range web UI was implemented.
It consist of:
* new menu item - 'ranges' in 'IPA Server' tab
* new search page
* new details page
https://fedorahosted.org/freeipa/ticket/2894
|