Commit message (Collapse)AuthorAgeFilesLines
* Add error condition handling to the SASL bind callback in ipasamadworkAlexander Bokovoy2012-06-271-12/+80
| | | |
* Ensure that winbind service is also started when ipa-adtrust-install is runAlexander Bokovoy2012-06-271-4/+5
* Support requests for DOMAIN$ account for trusted domains in ipasam moduleAlexander Bokovoy2012-06-271-13/+20
| | | |
* Add support for external group membersAlexander Bokovoy2012-06-279-23/+351
| | | | | | | | | When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format.
* Map remote to local groupsSumit Bose2012-06-261-1/+532
* WIP: add range check pluginSumit Bose2012-06-266-0/+489
* Add CLI for ID rangesSumit Bose2012-06-263-0/+179
* Set RID bases for local domain during ipa-adtrust-installSumit Bose2012-06-262-2/+55
* Add objects for initial ID rangeSumit Bose2012-06-264-0/+29
* Extend LDAP schemaSumit Bose2012-06-261-0/+8
| | | | | | | | | | | The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are no neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
* Add sidgen postop and taskSumit Bose2012-06-2612-0/+1390
| | | | | | | | A postop plugin is added to create the SID for new created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes
* Add external domain extop DS pluginSumit Bose2012-06-2612-3/+1220
| | | | | | This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back.
* Add configure check for C Unit-Test framework checkSumit Bose2012-06-261-0/+10
| | | | The framework can be found at
* Trust Web UIPetr Vobornik2012-06-2517-28/+1145
| | | | | | | | | | | | | | | | | | | | | | | | | This patch adds Web UI for trusts. Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet. Adder dialog supports two ways if adding a trust: 1) adding with domain name, admin name and admin password. 2) adding with domain name, shared secret Search page shows only list of realm names which are trusts' cns. Details page is read only. It contains following attributes: * Realm name (cn) * Domain NetBIOS name (ipantflatname) * Domain Security Identifier (ipanttrusteddomainsid) * Trust direction (trustdirection) * Trust type (trusttype) trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code. Fields in details pages are using labels defined in It is temporary solution until including of command.has_output_params will be added to metadata.
* Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad'Alexander Bokovoy2012-06-252-6/+25
* Use correct SID attribute for trusted domainsAlexander Bokovoy2012-06-251-2/+2
| | | | | | We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID. First is used for recording SID of our users/groups, second is to store SID of a remote trusted domain.
* Add logging to ipa-upgradeconfigRob Crittenden2012-06-213-9/+40
| | | | | | | | | Log to the same file as ipa-ldap-updater --upgrade, /var/log/ipaupgrade.log Will output basic stauts information if executed from the command-line.
* Custom Web UI error message for IPA error 911Petr Vobornik2012-06-222-1/+26
| | | | | | | | Error message for IPA error 911 is not very clear for end users. This patch changes the message and adds an advice how to get rid of the error.
* Set network.http.sendRefererHeader to 2 on browser configPetr Vobornik2012-06-221-9/+15
| | | | | | | | | | IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it. Possible values:
* Re-format ipa-adtrust-install final message to be within 80 characters wideAlexander Bokovoy2012-06-221-24/+28
| | | |
* restart dirsrv as part of ipa-adtrust-installAlexander Bokovoy2012-06-221-4/+4
| | | | | | | | | We should restart Directory Server when performing AD trusts configuration to enable new CLDAP plugin and force KDC to notice MS PAC is now available. Previously we only restarted KDC but if dirsrv is restarted, KDC will notice its socket disappeared and will refresh itself
* Added password reset capabilities to unauthorized dialogPetr Vobornik2012-06-213-104/+314
| | | | | | | | Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
* Separate reset password pagePetr Vobornik2012-06-217-3/+251
| | | | | | This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.
* Case sensitive renaming of objectsOndrej Hamada2012-06-202-5/+13
| | | | | | | | When renaming object its case sensitivity is obeyed. This was DS bug. Unit tests were corrected and minimal DS version was updated in spec file.
* Fail on unknown Command optionsPetr Viktorin2012-06-2010-28/+123
| | | | | | | | | | | | | | | | | | When unknown keyword arguments are passed to a Command, raise an error instead of ignoring them. Options used when IPA calls its commands internally are listed in a new Command attribute called internal_options, and allowed. Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use unknown keyword arguments in its own commands and tests, but since that some violations were reintroduced in permission_find and tests. Fix those. Tests included; both a frontend unittest and a XML-RPC test via the ping plugin (which was untested previously).
* Decimal parameter conversion and normalizationMartin Kosek2012-06-172-6/+141
| | | | | | | | | | | | | | | | | Parameter Decimal does not have a sufficient value checks. Some values cause Decimal parameter with a custom precision to crash with an unhandled exception. Improve parameter conversion and normalization operations to handle decimal exceptions more gracefully. Decimal parameter now also has new attributes enabling 2 new validation/normalization methods: * exponential: when False, decimal number is normalized to its non-exponential form * numberclass: a set of allowed decimal number classes (e.g. +Infinity, -Normal, ...) that are enforced for every Decimal parameter value
* Improve autodiscovery loggingPetr Viktorin2012-06-172-65/+150
| | | | | | | | | | | | | | | | | | | | Track the source of discovered values (e.g. from option, interactive, retrieved from DNS), and show it in the log in the configuration overview and on erorrs involving the value. Add additional log messages explaining the autodiscovery process. For domains the discovery tries to get LDAP SRV records from, log reasons explaining why the domain was chosen. Also, prevent the same domain from being searched multiple times. Add names for error codes, and show them in the log. Also, modernize the discovery code a bit: move away from the Java-style accessors, don't needlessly pre-declare variables, make IPADiscovery a new-style class.
* Improve ipa-client-install debug outputPetr Viktorin2012-06-172-199/+279
| | | | | | | | | | | | | | | | | | The client does a fair bit of work when trying to validate the hostnames, do discovery and verify that the server it gets back is an IPA server. The debug logging around this was horrid with very little state information, duplicate log messages or just nothing at all. In many cases errors were printed only to stderr/stdout. This patch makes the logging and output go through the IPA log manager. It sets up logging so that INFO, WARNING, and ERROR messages show up on the console. If -d is given, DEBUG messages are also printed. All messages also go to the log file. The only exception is user input: prompts are only printed to the console, but if the user provides any information it is echoed in a DEBUG-level message.
* Increase LimitRequestFieldSize in Apache config to support a 64KiB PACRob Crittenden2012-06-181-1/+4
| | | |
* Add flag to ipa-client-install to managed order of ipa_server in sssdRob Crittenden2012-06-132-2/+10
| | | | | | | | The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first.
* Store session cookie in ccache for cli usersRob Crittenden2012-06-147-79/+499
| | | | | | | | | Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later.
* Remove trust work unit test failuresMartin Kosek2012-06-143-67/+35
| | | | | | Trust work that was pushed recently requires few changes in unit tests to prevent test failures. This patch also removes repetitive construction of group DN in group unit tests.
* Rework the CallbackInterfacePetr Viktorin2012-06-144-211/+229
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix several problems with the callback interface: - Automatically registered callbacks (i.e. methods named exc_callback, pre_callback etc) were registered on every instantiation. Fix: Do not register callbacks in __init__; instead return the method when asked for it. - The calling code had to distinguish between bound methods and plain functions by checking the 'im_self' attribute. Fix: Always return the "default" callback as an unbound method. Registered callbacks now always take the extra `self` argument, whether they happen to be bound methods or not. Calling code now always needs to pass the `self` argument. - Did not work well with inheritance: due to the fact that Python looks up missing attributes in superclasses, callbacks could get attached to a superclass if it was instantiated early enough. * Fix: Instead of attribute lookup, use a dictionary with class keys. - The interface included the callback types, which are LDAP-specific. Fix: Create generic register_callback and get_callback mehods, move LDAP-specific code to BaseLDAPCommand Update code that calls the callbacks. Add tests. Remove lint exceptions for CallbackInterface. *
* Action panel for service provisioningPetr Vobornik2012-06-131-79/+107
| | | | | | | | Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog. Action for action panel and all required status evaluators for enabling/disabling of that action were also created.
* Action panel for host enrollmentPetr Vobornik2012-06-135-135/+277
| | | | | | Widgets in host enrollment sections were modified. They now serve only for displaying of has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening of these dialogs are items in new action panel in enrollment section.
* Move AD trust support code to freeipa-server-trust-ad subpackageAlexander Bokovoy2012-06-131-5/+14
| | | | | | | | | | | DCERPC code in AD trusts implementation depends on Samba 4 Python bindings. Make this dependency optional for main freeipa-server package by moving the dependency to freeipa-server-trust-ad subpackage. Main interface to AD trusts (ipalib/plugins/ will still stay, as well as LDIF files and updates as they are not causing real dependency.
* Password change capability for form-based authMartin Kosek2012-06-115-3/+277
| | | | | | | | | | | | | | | | | | | | | | IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable change the password via web interface. This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services. The actual password change in the script is processed by LDAP password change command. Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services: X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error} (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
* Only set sebools when necessaryMartin Kosek2012-06-101-15/+46
| | | | | | | | | setsebool -P was run for every package upgrade or server installation even though the sebools were already set to the new value. Only set sebools which are different from current system values. This speeds up ipa-upgradeconfig or package update by 150 seconds.
* Enable psearch on upgradesMartin Kosek2012-06-102-8/+174
| | | | | | | | | | | | | From IPA 3.0, persistent search is a preferred mechanism for new DNS zone detection and is also needed for other features (DNSSEC, SOA serial updates). Enable psearch and make sure connections attribute is right. This step is done just once for a case when user switched the persistent search back to disabled on purpose. ipa-upgradeconfig was updated to accept --debug option in case somebody would want to see debug messages.
* Enable persistent search by defaultMartin Kosek2012-06-107-35/+41
| | | | | | | | | | | From IPA version 3.0, the persistent search is a preferred mechanism to for DNS zone list management. It will be also a requirement for several bind-dyndb-ldap features, like SOA serial automatic updates or DNSSEC. Make this mechanism default in ipa-server-install and ipa-dns-istall.
* Add sysupgrade state fileMartin Kosek2012-06-105-13/+91
| | | | | | | | | | | | | When IPA package is being updated, some of the configuration files are also updated. Sometimes it may be useful to store upgrade meta information for next package upgrades. For example an information that some config file was already updated and we don't want to update it again if user purposedly reverted the change. This patch adds a new StateFile in /var/lib/ipa/sysupgrade which is capable of holding this information. New module was created to provide simple API to access the upgrade state information.
* Fix update plugin orderPetr Viktorin2012-06-101-15/+5
| | | | | | | | | Sort a filtered list in the update plugin ordering method. Unlike the previous algorithm, this always gives a correct order. It should also be faster and more readable.
* Clean keytabs before installing new keys into themPetr Viktorin2012-06-111-0/+15
| | | | | | | | | In ipa-client-install (which is also called from server/replica installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be sure that there aren't any remnants from a previous install of IPA or another KDC altogether.
* Move some krb5 keys related functions from ipa-client to utilSumit Bose2012-06-113-376/+403
* ipasam: remove unused struct elementsSumit Bose2012-06-111-11/+0
* Use exop instead of kadmin.localSumit Bose2012-06-113-28/+81
* Only allow root to run update pluginsPetr Viktorin2012-06-072-16/+17
| | | | | | | | | | | | Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user. This means running ipa-ldap-updater as non-root requires specifying a list of files, and omiting the --upgrade and --plugins options.
* Update of serverconfig ipaconfigstring optionsPetr Vobornik2012-06-061-1/+4
| | | | | | | | | | | | Patch "Add options to reduce writes from KDC" adds two more possible values to config plugins ipaconfigstring configuration options. These are: * KDC:Disable Last Success * KDC:Disable Lockout This patch adds them to Web UI
* Add support for disabling KDC writesSimo Sorce2012-06-065-2/+78
| | | | | | | | | | | Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working.
* Prevent deletion of the last adminPetr Viktorin2012-06-065-3/+150
| | | | | | | | Raise an error when trying to delete the last user in the 'admins' group, or remove the last member from the group, or delete the group itself.