| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ticket 2963
|
| |
|
|
|
|
|
|
| |
This check the PAC we receive is consistent.
realm, flat name and domain sid must much our understanding or the trustd
realm and no additional sids beyond the own realm ones must be present.
Ticket #2849
|
| |
|
|
|
| |
This way multiple functions can manipulate the logon info structure until all
operations we want to do on it are done and then fold it back once.
|
| |
|
|
|
|
|
|
|
| |
The function filter_pac was not filtering the pac at all, it was merely
augmenting it with additional data relevant to the IPA server.
Change the name of the function to avoid confusion.
While there I also simplified and cleaed up the code a bit with regard to
variable names and usage.
|
| |
|
|
| |
This list is used to validate data in mspac filtering
|
| |
|
|
|
| |
By keeping it's definition in the mspac file it is easier to modify and make
sure any opertion on it is handled in the same file.
|
| |
|
|
|
|
|
|
|
| |
bind-dyndb-ldap with SOA serial autoincrement was released. Bump
the package version in the spec file. The version is bumped for
F18 only as it was released only to rawhide and we don't want to
break development on F17.
https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A change to ipa-ldap-updater (and thus an RPM update %post scriptlet)
avoiding redundat "IPA is not configured" message in stderr introdocued
in c20d4c71b87365b3b8d9c53418a79f992e68cd00 was reverted in another
patch (b5c1ce88a4a3b35adb3b22bc68fb10b49322641a).
Return the change back to avoid this message during every RPM update
when IPA is not configured. admintool framework was also fixed to
avoid print an empty line when an exception without an error message
is raised.
https://fedorahosted.org/freeipa/ticket/2892
|
| |
|
|
|
|
|
|
| |
Recommened way of setting boolean HTML attributes is by $.prop(boolean) method not $.attr(boolean) because it sets DOM object property not an attribute. Latter works because of jquery's backward compatibility. This patch makes things clearer.
Some info about prop and attr: http://stackoverflow.com/a/5876747
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
|
|
| |
Occurance: select_widget
Update to latest version of jQuery uncovered this issue.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
|
| |
ACI tests were crashing because of misconfigured facet.
Entity link test were crashing because of incorrect jquery selector.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
| |
Buttons in association dialog and action list have different style and behavior than buttons in dialogs. This patch unifies it by using jquery.button widget.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa.css had to be updated to work with updated jquery-ui. This patch removes several duplicate styles.
Following issues were fixed:
* dialogs titles in IE and Opera were black instead of green
* no black line in first navigation level in IE and Opera
* all browsers (FF, IE, Chrome, Opera) have the same style for buttons and headers
* dialogs has borders again (should we remove its shadow?)
Known issues:
* selected tab-1 in Chrome and Opera doesn't overlaps background line as in IE and FF. Not sure how to fix without breaking (there are border overlaps) the latter ones. I think it looks good enough.
* some buttons are missing padding. Will be fixed in next patch.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
| |
Clicks events should be better defined by jquery calls (usually addEventListener) not as elements attributes. Definition as element attribute causes problems after upgrade to jquery 1.7.2. Two occurances were removed.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
|
|
| |
jquery-ui was regenerated to up to date version.
Border radius and IPA custom colors were added to theme so we don't have to override them in ipa.css.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
| |
jquery library wasn't updated for a long time.
https://fedorahosted.org/freeipa/ticket/2817
|
| |
|
|
|
|
|
|
|
|
| |
Following options were added to Web UI
* PAC Type in service
* PAC Type in configuration
Testing metadata for objects and commands were regenerated.
https://fedorahosted.org/freeipa/ticket/2958
|
| |
|
|
|
|
| |
Create a per-service default as well.
https://fedorahosted.org/freeipa/ticket/2184
|
| |
|
|
|
|
|
| |
First select's content is displayed under second comboxes content when select is opened when second combobox is opened
Bonus for:
https://fedorahosted.org/freeipa/ticket/2834
|
| |
|
|
|
|
|
|
|
| |
There's probably a bug regarding z-index stacking in Chrome and IE. It appears when combobox is used in dialog. Combobox's select area had z-index=1010. When first jquery dialogs is open it has z-index=1000. Further dialogs have higher z-index. When dialog's z-index exceeds 1010 option in select control can't be selected. IMO it is a browser bug because select control lies in dialog content's stacking context so it should be functional even with z-index=1.
This patch raises select area's z-index to 9000000 which should prevent the issue for some time. Also it make's combobox's z-index configurable so we can solve combobox stacking (ie in service-add dialog).
Second part of:
https://fedorahosted.org/freeipa/ticket/2834
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When setting up AD trusts support, ipa-adtrust-install utility
needs to be run as:
- root, for performing Samba configuration and using LDAPI/autobind
- kinit-ed IPA admin user, to ensure proper ACIs are granted to
fetch keytab
As result, we can get rid of Directory Manager credentials in ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/2815
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update the pot file to match current source, and pull
translations from Transifex
The commands used to create this commit were:
tx pull -fa # needs an account and transifex client setup
cd install/po
make update-pot
(update LINGUAS to contain all languages with translations, and no empty ones)
make update-po
|
| |
|
|
| |
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
| |
The NT Hash is the same thing as the RC4-HMAC key, so we add a function to
extract it from krb5 keys if they are available to avoid forcing a password
change when configuring trust relationships.
|
| |
|
|
|
| |
Avoid the need to allocate/free a Slapi_Mod and avoid checking for attribute
equvalence after a match (use if/else)
|
| |
|
|
|
|
|
|
| |
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).
One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.
https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
|
| |
|
|
|
|
|
| |
The DNA magic value can be arbitrarily changed by admins so we cannot use a
const value to check. And we relly do not need to check at all. If the DNA
plugin is broken and leaves magic values to reach the post-op stage we have
bigger problems. So just simply get rid of this check.
|
| |
|
|
|
| |
Also move them in the right spot (if ! only client) so that they are required
only when building the server.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The .po files we use for translations have two shortcomings when used in Git:
- They include file locations, which change each time the source is updated.
This results in large, unreadable diffs that don't merge well.
- They include source strings for untranslated messages, wasting space
unnecessarily.
Update the Makefile so that the extraneous information is stripped when the
files are updated or pulled form Transifex, and empty translation files are
removed entirely.
Also, translations are normalized to a common style. This should help diffs
and merges.
The validator requires file location comments to identify the programming
language, and to produce good error reports.
To make this work, merge the comments in before validation.
First patch for: https://fedorahosted.org/freeipa/ticket/2435
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two problems in task naming in LDAP updates:
1. Randomness may be scarce in virtual machines
2. Random number is added to the time value rounded to a second
The second issue leads to values that may repeat themselves as time
only grows and random number is non-negative as well, so
t2+r2 can be equal to t1+t2 generated earlier.
Since task name is a DN, there is no strict requirement to use an integer value.
Instead, we generate an UUID and use its 60-bit time, 14-bit sequential number,
and attribute name.
https://fedorahosted.org/freeipa/ticket/2942
|
| |
|
|
|
|
|
|
|
|
| |
In IE when a window is small (horizontal scrollbar is displayed) click or keyboard input on various parts of UI makes search tables scroll to top. It prevents from selecting items in a table. This issue happens when using absolute positioned element with overflow style. It's a bug in IE.
Two workarounds were added to make UI usable in IE.
Adding position:relative; style to body element fixes the problem in search pages. It doesn't help in association dialogs though.
The bug doesn't occur when some child element has focus. It's possible to set focus to first visible checkbox while scrolling down but user experience is very bad. Better solution seems to scroll back when IE scrolls to top on mousedown. That way mouse click event happens on the target element and it can gain focus and therefore be selected. Some glitches still remains but is usable.
https://fedorahosted.org/freeipa/ticket/2835
|
| |
|
|
|
|
|
|
|
|
| |
It's hard to detect if or which type dialog is displayed becouse not all dialogs have IDs.
On dialog open, it's id or name (if id is not set) is used for containing element id. Many of dialog types were missing id or name so name was added to each dialog type.
In HTML, element's id should be unique. Our framework allows opening two dialogs with the same id. It may lead to state where getElementById method may have unpredicted behaviour. Therefore attribute 'data-name' with dialog's name was added to dialog's containing element. Automation framework can search more reliable by using this attribute instead of id.
https://fedorahosted.org/freeipa/ticket/2853
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, FreeIPA's install/admin scripts are long pieces of code
that aren't very reusable, importable, or testable.
They have been extended over time with features such as logging and
error handling, but since each tool was extended individually, there
is much inconsistency and code duplication.
This patch starts a framework which the admin tools can use, and
converts ipa-ldap-updater to use the framework.
Common tasks the tools do -- option parsing, validation, logging
setup, error handling -- are represented as methods. Individual
tools can extend, override or reuse the defaults as they see fit.
The ipa-ldap-updater has two modes (normal and --upgrade) that
don't share much functionality. They are represented by separate
classes. Option parsing, and selecting which class to run, happens
before they're instantiated.
All code is moved to importable modules to aid future testing. The
only thing that remains in the ipa-ldap-updater script is a two-line
call to the library.
First part of the work for:
https://fedorahosted.org/freeipa/ticket/2652
|
| |
|
|
|
|
|
|
| |
When installing a replica file on the wrong server we warn that this will
likely fail and prompt to Continue. This prompt should default to
False, not True.
https://fedorahosted.org/freeipa/ticket/2325
|
| |
|
|
|
|
|
|
|
|
|
| |
The upgrade script set the "psearch" directive in some circumstances,
but did not remember that it was set, so later, when setting
minimum_connections, it assumed psearch is not set.
Also, the script did not set minimum_connections if the directive wasn't
already there. It should be set in that case.
Related to https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return "Key has been revoked".
Wrap the operations in a try/except so we can ignore keyring failures.
This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.
https://fedorahosted.org/freeipa/ticket/2880
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up agreements we need to be careful in not allowing to
'reconnect' a master that was previously completely deleted as it would
misses entries that are vital for proper functioning. This change in code
fixes 2 problems with the current approach.
1) it removes false positives when we are tryig to reconnect a replica that
was previosuly merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed. so that we cannot 'reconnect' previously unrelated replicas when
one of the 2 has been permanently deleted from the masters tree.
Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
|
| |
|
|
|
|
|
|
| |
This is just a typo, we were checking one side twice and never the other
side. So depending on which side you run the command you'd be able or not
to remove the replication agreement even if it was the last one.
First part of ticket: https://fedorahosted.org/freeipa/ticket/2925
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
| |
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().
https://fedorahosted.org/freeipa/ticket/2929
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN
This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
as the domain we are establishing trust to, and then user name
is taken, together with short domain name taken from a discovered
record from the AD DC
Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.
https://fedorahosted.org/freeipa/ticket/2864
|
| |
|
|
|
|
| |
'reason'
https://fedorahosted.org/freeipa/ticket/2865
|
| |
|
|
|
|
| |
Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was unconfortable to define the filter. This difference was removed.
https://fedorahosted.org/freeipa/ticket/2832
|
| |
|
|
|
|
|
|
| |
Attributes widget is using overflow css rule in tbody element. IE9 doesn't handle it well.
To fix the issue, attributes widget was slightly modified and conditional css stylesheet was added just for fixing IE problems.
https://fedorahosted.org/freeipa/ticket/2822
|
| |
|
|
|
|
|
|
|
| |
There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definion of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which lead to execution error in Internet Explorer. Firefox and Chrome took it.
This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem.
https://fedorahosted.org/freeipa/ticket/2806
and half of: https://fedorahosted.org/freeipa/ticket/2834
|
| |
|
|
|
|
|
|
|
|
| |
RFC 1912 states that no record (besides PTR) is allowed to coexist
with any other record type. When BIND detects this situation, it
refuses to load such records.
Enforce the constrain for dnsrecord-mod and dnsrecord-add commands.
https://fedorahosted.org/freeipa/ticket/2601
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.
Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.
Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.
https://fedorahosted.org/freeipa/ticket/2892
|
