| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.
Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.
https://fedorahosted.org/freeipa/ticket/2440
|
|
|
|
|
|
|
|
|
|
|
| |
When ADD command is being executed and a single-value object attribute
is being set with both option and addattr IPA ends up in an internal
error.
Make better value sanitizing job in this case and let IPA throw
a user-friendly error. Unit test exercising this situation is added.
https://fedorahosted.org/freeipa/ticket/2429
|
| |
|
|
|
|
| |
Generated by running `make update-pot` in install/po
|
|
|
|
|
|
| |
Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it.
Discovered after "Cast DNS SOA serial maximum boundary to long"
|
|
|
|
|
|
|
|
|
| |
configuration.
If both --no-ssh and --no-sshd are specified, do not configure the SSH service
in SSSD.
ticket 3070
|
|
|
|
| |
ticket 3069
|
|
|
|
| |
This fixes an oversight in the earlier patch
|
|
|
|
|
|
|
| |
Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.
https://fedorahosted.org/freeipa/ticket/3045
|
|
|
|
|
|
|
|
|
| |
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983
|
|
|
|
|
| |
The fix to ticket #2982 removed a kinit call when the client was installed
as part of a master. Re-add the kinit call in this case.
|
|
|
|
|
|
|
|
| |
Facets which performs AJAX call after update refresh (clear dirty state) after calling callback of dirty dialog. It might lead to multiple openings of dirty dialog.
Assuming that calling dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execute of callback of the refresh AJAX call. It is not an issue because it will happen in background. User will be looking on different facet.
https://fedorahosted.org/freeipa/ticket/2667
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When clients install, they use kinit to obtain a TGT, which uses DNS to find
the KDC to connect to. It might happen that the newly created principal
has not replicated to selected KDC yet, making kinit fail and aborting the
install.
The client sets a temporary krb5 config file while installing via $KRB5_CONFIG.
Modify this file so that the kerberos library only uses the specific server
we're installing under, and call kinit while it's still in place.
Clean up the configure_krb5_conf function to remove unused arguments. For
clarity, use keyword arguments when calling it.
https://fedorahosted.org/freeipa/ticket/2982
|
|
|
|
|
|
|
|
| |
Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object.
Label was changed to reflect that the key don't have to be plain base64 encoded blob.
https://fedorahosted.org/freeipa/ticket/2989
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Public keys in the old format (raw RFC 4253 blob) are automatically
converted to OpenSSH-style public keys. OpenSSH-style public keys are now
stored in LDAP.
Changed sshpubkeyfp to be an output parameter, as that is what it actually
is.
Allow parameter normalizers to be used on values of any type, not just
unicode, so that public key blobs (which are str) can be normalized to
OpenSSH-style public keys.
ticket 2932, 2935
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.
The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.
Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.
https://fedorahosted.org/freeipa/ticket/3006
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2968
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/2971
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/2970
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3018
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/2969
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/2999
|
| |
|
|
|
|
|
|
| |
This will fix i386 builds where the SOA serial value written
in API.txt was already of a long type while on x86_64 it was still
of an int type.
|
|
|
|
|
| |
localhost and localnets ACIs are now allowed. Update the respective
unit test.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2810
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
range_mod and range_del command could easily create objects with
ID which is suddenly out of specified range. This could cause issues
in trust scenarios where range objects are used for computation of
remote IDs.
Add validator for both commands to check if there is any object with
ID in the range which would become out-of-range as a pre_callback.
Also add unit tests testing this new validator.
https://fedorahosted.org/freeipa/ticket/2919
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is changing confirmation of actions according to ticket #3035, see the ticket description.
It does following changes:
* Confirmation of update action was removed.
* Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry.
* New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations.
https://fedorahosted.org/freeipa/ticket/3035
|
|
|
|
|
|
|
| |
If the DB is bigger than nsslapd-cachememsize then a warning will be
logged by 389-ds-base.
https://fedorahosted.org/freeipa/ticket/2739
|
|
|
|
|
|
|
| |
Set correct boundaries for DNS SOA serial parameters (see RFC 1035,
2181).
https://fedorahosted.org/freeipa/ticket/2568
|
|
|
|
|
|
|
|
|
|
|
|
| |
Numeric parameters in ipalib were limited by XMLRPC boundaries for
integer (2^31-1) which is too low for some LDAP attributes like DNS
SOA serial field.
Transfer numbers which are not in XMLRPC boundary as a string and not
as a number to workaround this limitation. Int parameter had to be
updated to also accept Python's long type as valid int type.
https://fedorahosted.org/freeipa/ticket/2568
|
|
|
|
|
|
|
|
|
|
|
| |
This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.
http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions
https://fedorahosted.org/freeipa/ticket/3007
|
|
|
|
|
| |
Loopback address, "localhost" and "localnets" ACIs are no longer
an issue for bind-dyndb-ldap. Allow them in our Web UI validators as well.
|
|
|
|
|
| |
Loopback address, "localhost" and "localnets" ACIs are no longer
an issue for bind-dyndb-ldap. Allow them in our validators.
|
|
|
|
|
|
| |
While deleting an entry it now resets a facet if there are unsaved changes. It prevents pop up of various error dialogs when UI tries to redirect to search page after successful delete.
https://fedorahosted.org/freeipa/ticket/3047
|
|
|
|
|
|
| |
Testing metadata needs to be updated because of fix in json serialization.
https://fedorahosted.org/freeipa/ticket/3052
|
|
|
|
|
|
| |
Medatadata validator didn't have check for decimal values. It was added.
https://fedorahosted.org/freeipa/ticket/3052
|
|
|
|
|
|
|
|
| |
There were following problems:
1. DNs and Decimals weren't properly serialized. Serialization output was object with empty __base64__ attribute. It was fixed by converting them to string.
2. numberical values equal to 0 were excluded from metadata. It broke many of minvalue checks in Web UI. Now excluding only None and False values as initally intended.
https://fedorahosted.org/freeipa/ticket/3052
|
|
|
|
|
|
|
|
|
|
|
| |
Notification of success was added to:
* details facet: update
* association facet and association widget: add, delete items
* attribute facet: delete items (notification of add should be handled in entity adder dialog)
* sudo rule: add, remove option
* dnsrecord: add, update, delete
https://fedorahosted.org/freeipa/ticket/2977
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When a permission is edited, and Type switched, the attributes selected for
previous Type are still selected, and update fails, if they are invalid for the
new Type. But it should get deselected or not even listed if Type changes.
Fix:
When Type is changed, attribute list is refreshed and still applicable attributes
are chosen. If Type is reverted back, previously chosen attributes are back as chosen.
If attributes are extended outside Web UI by not listed attr, this attr is listed at
the list end.
Note:
If user makes change in attribute list before type change, this change is forgotten.
https://fedorahosted.org/freeipa/ticket/2617
|
|
|
|
|
|
| |
Search in HBAC test wasn't working because expired flag wasn't set.
https://fedorahosted.org/freeipa/ticket/2931
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|