| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
As network configuration file is created as temporary file, it has stricter permissions than
we need for the target system configuration file. Ensure permissions are properly reset before
installing file.
If permissions are not re-set, system may have no networking enabled after reboot.
https://fedorahosted.org/freeipa/ticket/1606
|
|
|
|
|
|
|
| |
The DNS zone adder dialog has been modified to use radio buttons to
select whether to enter a zone name or a reverse zone IP network.
Ticket #1575
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The host adder dialog has been modified to show separate fields for
hostname and DNS zone. The hostname is a text field and the DNS zone
is an editable drop-down list. The fields will have the following
behavior:
- If the user types a dot into the hostname field, the cursor will
automatically move into the DNS zone field.
- If the user pastes an FQDN into the hostname field, the value will
automatically be split into hostname and DNS zone.
- If the user selects a value from the drop-down list, it will only
change the DNS zone, not the hostname.
Ticket #1457
|
|
|
|
|
|
|
|
|
|
|
| |
The IE does not resend the request body during negotiation, so after
after a successful authentication the server could not find the JSON
request to parse.
The Web UI has been modified to detect this error and resend the
initialization request.
Ticket #1540
|
|
|
|
|
|
| |
for DNS forwarders, so that DNS configuration is done in one place.
ticket 1522
|
|
|
|
|
|
|
| |
Make sure that idnsUpdatePolicy for reverse zone does not contain
double trailing "dot" after server installation.
https://fedorahosted.org/freeipa/ticket/1591
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1502
Added redirection link.
CSS styling of configuration page.
Some CSS cleaning.
|
|
|
|
|
|
|
|
| |
The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.
Ticket #1423, #1561
|
|
|
|
| |
The 3rd level tab style has been adjusted according to UXD input.
|
|
|
|
|
|
|
| |
Check that NS address passed in dnszone-add is a domain name and
not an IP address. Make this clear also the parameter help.
https://fedorahosted.org/freeipa/ticket/1567
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1481
Shows status dialog instead of error dialog (error 4304 is treated like success).
Refactored error dialog.
Added generic message dialog (IPA.message_dialog)
Modified core tests to work with dialog.
|
|
|
|
|
|
|
| |
The association tables in HBAC/sudo details page have been modified
to link the entries to the appropriate details page.
Ticket #1535
|
|
|
|
|
|
|
|
| |
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a hostname configured in /etc/ipa/default.conf is changed and
is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
ipactl gives an unintelligible error.
This patch improves the error message and also offers a list of
configured master so that the hostname setting in IPA configuration
can be easily fixed.
https://fedorahosted.org/freeipa/ticket/1558
|
|
|
|
|
|
|
|
|
| |
The tables in the adder dialog have been modified to expand
according to the size of the dialog.
This patch also fixes the problem with row height on IE.
Ticket #1542
|
|
|
|
|
|
|
| |
The magnifier icon for the search field has been fixed to display
properly in all browsers.
Ticket #1541
|
|
|
|
|
|
|
| |
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.
Ticket #1559
|
|
|
|
|
|
|
| |
This option makes no sense for automount keys. This should be
removed in future versions.
https://fedorahosted.org/freeipa/ticket/1529
|
|
|
|
|
|
|
| |
The certificate buttons including Get, View, Revoke, Restore for hosts
and services have been fixed to use the correct entity name.
Ticket #1556
|
|
|
|
| |
This fixes a regression in the previous patch in ticket #1526.
|
|
|
|
| |
Ticket https://fedorahosted.org/freeipa/ticket/1369
|
|
|
|
|
| |
delay creation of the table until the columns have been set
https://fedorahosted.org/freeipa/ticket/1544
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1368
|
| |
|
|
|
|
|
|
|
|
| |
We have helpers to manage these values so they shouldn't be available
via add/mod. There is no logic behind them to do the right thing.
https://fedorahosted.org/freeipa/ticket/1307
https://fedorahosted.org/freeipa/ticket/1320
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
|
| |
|
|
|
|
|
|
|
| |
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.
https://fedorahosted.org/freeipa/ticket/1434
|
|
|
|
|
|
|
| |
This can cause problems if a host is enrolled, unenrolled and a password
set. The password will be marked as expired like all new passwords are.
https://fedorahosted.org/freeipa/ticket/1526
|
|
|
|
|
|
|
| |
The HBAC service, HBAC service group, sudo command and sudo command
group have been modified to show the associations as facets.
Ticket #1536
|
|
|
|
|
|
|
| |
The HBAC service class has been modified to define the memberof
relationship with HBAC service group.
Ticket #1546
|
|
|
|
|
|
|
| |
The IPA.service_provisioning_status_widget has been modified to
execute the disable command with the right entity name.
Ticket #1543
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1493
|
|
|
|
|
|
|
| |
The sudo command group details page has been fixed to use the
correct label name.
Ticket #1537.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change widget and widget unit tests to hold on to entity, not entity name.
Replacing entity_name with entity.name in most places.
The one exception is columns for table_widget.
Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.
cleanup entity assignment.
removed template and layout,
merged setup into create
adder dialogs adjust height for external
removed init from widget, isection, association, facet, host and service
Make unit tests use factory.
fix functional tests to click find link correctly.
tweak to activation test, but still broken.
moved initialization code to the end
use --all for hbacrule find, so the type shows up now
fixed dns exception code and exception handling for get_entity
replace metadata look up with value from entity.
fixed author lines
removed duplicate columns in managed by facets.
tweak to nav fix in order to initialize tab.
more defensive code
update metadata for true false
one line init for entity_name in widget
move init code to end of constructor functions
moved constants to start of function for adder_dialog
external fields for dialogs initialized at dialog creation
sudo sections: move add fields and columns to widget definition.
The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.
decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables
return false at the end of click handler
removed blank labels in sudo command section
fix radio buttons for sudo category
fixed table side for adder dialogs with external fields
comments for future direction with add_columns
https://fedorahosted.org/freeipa/ticket/1451
https://fedorahosted.org/freeipa/ticket/1462
https://fedorahosted.org/freeipa/ticket/1493
https://fedorahosted.org/freeipa/ticket/1497
https://fedorahosted.org/freeipa/ticket/1532
https://fedorahosted.org/freeipa/ticket/1534
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
normalization.
Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)
Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.
Add keyword constructor parameters to pass configuration options.
Make first_key_match a configuration keyword.
Updated documentation.
Updated unit test.
FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.
|
|
|
|
|
|
|
| |
Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).
https://fedorahosted.org/freeipa/ticket/1527
|
|
|
|
|
| |
The IPA.adder_dialog has been modified to use translated label for
the Find button.
|
|
|
|
|
|
|
| |
The sudo rule interface has been modified to remove unused labels
and use translated dialog box title.
Ticket #1518
|
|
|
|
|
|
|
|
| |
The handler for host 'Set OTP' button has been modified to obtain
the primary key from the entity and return false to stop the normal
event processing.
Ticket #1511
|
|
|
|
|
|
|
|
| |
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.
https://fedorahosted.org/freeipa/ticket/1520
|
|
|
|
| |
ticket 1523
|
|
|
|
|
|
|
|
|
|
|
| |
The summary value was set to primary key. However, the primary key
may contain also an info option as a workaround for multiple direct
maps problem.
This patch sets the result 'value' and thus summary text to
expected and consistent value.
https://fedorahosted.org/freeipa/ticket/1524
|
|
|
|
|
|
|
|
|
| |
When opening a bookmark, each tab level will be updated separately
from top to bottom according to the URL state. The navigation code
has been modified to recognize when an ancestor tab is being updated
and not change the URL state.
Ticket #1521
|
|
|
|
| |
BZ https://bugzilla.redhat.com/show_bug.cgi?id=723969
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1477
Redirection after updating empty DNS Record (which is deleted).
Added hook to details facet for post update operation.
|
|
|
|
| |
ticket 1375
|
|
|
|
|
|
|
| |
The entitlement facets have been modified to use the new icons
provided by Kyle Baker.
Ticket #1425
|
|
|
|
|
|
|
|
| |
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.
https://fedorahosted.org/freeipa/ticket/1499
|