summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Ensure network configuration file has proper permissionsgssapi-delegateAlexander Bokovoy2011-08-101-0/+10
| | | | | | | | | | As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not re-set, system may have no networking enabled after reboot. https://fedorahosted.org/freeipa/ticket/1606
* Fixed DNS zone adder dialog.Endi S. Dewata2011-08-102-38/+187
| | | | | | | The DNS zone adder dialog has been modified to use radio buttons to select whether to enter a zone name or a reverse zone IP network. Ticket #1575
* Fixed host adder dialog.Endi S. Dewata2011-08-102-17/+155
| | | | | | | | | | | | | | | | The host adder dialog has been modified to show separate fields for hostname and DNS zone. The hostname is a text field and the DNS zone is an editable drop-down list. The fields will have the following behavior: - If the user types a dot into the hostname field, the cursor will automatically move into the DNS zone field. - If the user pastes an FQDN into the hostname field, the value will automatically be split into hostname and DNS zone. - If the user selects a value from the drop-down list, it will only change the DNS zone, not the hostname. Ticket #1457
* Fixed error after login on IEEndi S. Dewata2011-08-092-14/+63
| | | | | | | | | | | The IE does not resend the request body during negotiation, so after after a successful authentication the server could not find the JSON request to parse. The Web UI has been modified to detect this error and resend the initialization request. Ticket #1540
* Ask for reverse DNS zone information in attended install right after asking ↵Jan Cholasta2011-08-092-34/+33
| | | | | | for DNS forwarders, so that DNS configuration is done in one place. ticket 1522
* Fix idnsUpdatePolicy for reverse zone recordMartin Kosek2011-08-091-1/+2
| | | | | | | Make sure that idnsUpdatePolicy for reverse zone does not contain double trailing "dot" after server installation. https://fedorahosted.org/freeipa/ticket/1591
* Redirection after changing browser configurationPetr Vobornik2011-08-083-14/+40
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1502 Added redirection link. CSS styling of configuration page. Some CSS cleaning.
* Fixed facet group labels.Endi S. Dewata2011-08-087-35/+35
| | | | | | | | The facet group labels have been modified according to UXD spec. Some facet groups will have more descriptive labels. Some others will not have any labels because the facet tab is self-explanatory. Ticket #1423, #1561
* Fixed 3rd level tab style.Endi S. Dewata2011-08-081-19/+40
| | | | The 3rd level tab style has been adjusted according to UXD input.
* Improve dnszone-add error messageMartin Kosek2011-08-081-1/+7
| | | | | | | Check that NS address passed in dnszone-add is a domain name and not an IP address. Make this clear also the parameter help. https://fedorahosted.org/freeipa/ticket/1567
* Fixed adding host without DNS reverse zonePetr Vobornik2011-08-056-67/+163
| | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1481 Shows status dialog instead of error dialog (error 4304 is treated like success). Refactored error dialog. Added generic message dialog (IPA.message_dialog) Modified core tests to work with dialog.
* Linked entries in HBAC/sudo details page.Endi S. Dewata2011-08-044-34/+14
| | | | | | | The association tables in HBAC/sudo details page have been modified to link the entries to the appropriate details page. Ticket #1535
* Re-arrange CA configuration code to reduce the number of restarts.Rob Crittenden2011-08-035-44/+18
| | | | | | | | Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one. https://fedorahosted.org/freeipa/ticket/1555
* Improve error message in ipactlMartin Kosek2011-08-041-1/+22
| | | | | | | | | | | | If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured master so that the hostname setting in IPA configuration can be easily fixed. https://fedorahosted.org/freeipa/ticket/1558
* Resizable adder dialog box.Endi S. Dewata2011-08-023-63/+137
| | | | | | | | | The tables in the adder dialog have been modified to expand according to the size of the dialog. This patch also fixes the problem with row height on IE. Ticket #1542
* Fixed misaligned search icon.Endi S. Dewata2011-08-021-1/+2
| | | | | | | The magnifier icon for the search field has been fixed to display properly in all browsers. Ticket #1541
* Fixed missing icons.Endi S. Dewata2011-08-022-48/+64
| | | | | | | The Makefile.am and the spec file have been fixed to include all icons in the install/ui folder. Ticket #1559
* Hide continue option from automountkey-delMartin Kosek2011-08-022-1/+9
| | | | | | | This option makes no sense for automount keys. This should be removed in future versions. https://fedorahosted.org/freeipa/ticket/1529
* Fixed certificate buttons.Endi S. Dewata2011-08-023-11/+5
| | | | | | | The certificate buttons including Get, View, Revoke, Restore for hosts and services have been fixed to use the correct entity name. Ticket #1556
* Don't set the password expiration to the current timeSimo Sorce2011-07-311-11/+14
| | | | This fixes a regression in the previous patch in ticket #1526.
* Make proper LDAP configuration reporting for ipa-client-installAlexander Bokovoy2011-07-281-18/+29
| | | | Ticket https://fedorahosted.org/freeipa/ticket/1369
* use other_entity for adder columnsAdam Young2011-07-292-2/+6
| | | | | delay creation of the table until the columns have been set https://fedorahosted.org/freeipa/ticket/1544
* Modify /etc/sysconfig/network on a client when IPA manages hostnameAlexander Bokovoy2011-07-292-5/+62
| | | | https://fedorahosted.org/freeipa/ticket/1368
* Fix date order in changelog.Rob Crittenden2011-07-281-1/+1
|
* Deprecated managing users and runas user/group in sudorule add/modRob Crittenden2011-07-292-15/+27
| | | | | | | | We have helpers to manage these values so they shouldn't be available via add/mod. There is no logic behind them to do the right thing. https://fedorahosted.org/freeipa/ticket/1307 https://fedorahosted.org/freeipa/ticket/1320
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-285-1/+554
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Clean up existing DN object usageJohn Dennis2011-07-295-24/+19
|
* Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profileRob Crittenden2011-07-291-2/+6
| | | | | | | The caIPAserviceCert.cfg was updated to set the client cert flag on server certs we issue. https://fedorahosted.org/freeipa/ticket/1434
* When setting a host password don't set krbPasswordExpiration.Rob Crittenden2011-07-291-8/+12
| | | | | | | This can cause problems if a host is enrolled, unenrolled and a password set. The password will be marked as expired like all new passwords are. https://fedorahosted.org/freeipa/ticket/1526
* Added association facets for HBAC and sudo.Endi S. Dewata2011-07-282-80/+94
| | | | | | | The HBAC service, HBAC service group, sudo command and sudo command group have been modified to show the associations as facets. Ticket #1536
* Fixed missing memberof definition in HBAC service.Endi S. Dewata2011-07-281-1/+4
| | | | | | | The HBAC service class has been modified to define the memberof relationship with HBAC service group. Ticket #1546
* Fixed problem unprovisioning service.Endi S. Dewata2011-07-281-1/+1
| | | | | | | The IPA.service_provisioning_status_widget has been modified to execute the disable command with the right entity name. Ticket #1543
* Fix message in test case for checking minimum valuesRob Crittenden2011-07-281-1/+1
|
* dns section header i18n.Adam Young2011-07-283-3/+7
| | | | https://fedorahosted.org/freeipa/ticket/1493
* Fixed missing section header in sudo command group.Endi S. Dewata2011-07-281-1/+1
| | | | | | | The sudo command group details page has been fixed to use the correct label name. Ticket #1537.
* removing setters setup and initAdam Young2011-07-2829-1878/+1191
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change widget and widget unit tests to hold on to entity, not entity name. Replacing entity_name with entity.name in most places. The one exception is columns for table_widget. Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies. cleanup entity assignment. removed template and layout, merged setup into create adder dialogs adjust height for external removed init from widget, isection, association, facet, host and service Make unit tests use factory. fix functional tests to click find link correctly. tweak to activation test, but still broken. moved initialization code to the end use --all for hbacrule find, so the type shows up now fixed dns exception code and exception handling for get_entity replace metadata look up with value from entity. fixed author lines removed duplicate columns in managed by facets. tweak to nav fix in order to initialize tab. more defensive code update metadata for true false one line init for entity_name in widget move init code to end of constructor functions moved constants to start of function for adder_dialog external fields for dialogs initialized at dialog creation sudo sections: move add fields and columns to widget definition. The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function. decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables return false at the end of click handler removed blank labels in sudo command section fix radio buttons for sudo category fixed table side for adder dialogs with external fields comments for future direction with add_columns https://fedorahosted.org/freeipa/ticket/1451 https://fedorahosted.org/freeipa/ticket/1462 https://fedorahosted.org/freeipa/ticket/1493 https://fedorahosted.org/freeipa/ticket/1497 https://fedorahosted.org/freeipa/ticket/1532 https://fedorahosted.org/freeipa/ticket/1534
* Make AVA, RDN & DN comparison case insensitive. No need for lowercase ↵John Dennis2011-07-272-140/+211
| | | | | | | | | | | | | | | | | | | | | | | | | | normalization. Replace deepcopy with constructor (i.e. type call) Can now "clone" with configuration changes by passing object of the same type to it's constructor, e.g. dn1 = DN(('cn', 'foo')) dn2 = DN(dn1) dn2 = DN(dn1, first_key_match=False) Remove pairwise grouping for RDN's. Had previously removed it for DN's, left it in for RDN's because it seemed to make sense because of the way RDN's work but consistency is a higher goal. Add keyword constructor parameters to pass configuration options. Make first_key_match a configuration keyword. Updated documentation. Updated unit test. FWIW, I noticed the unittest is now running 2x faster, not sure why, removal of deepcopy? Anyway, hard to argue with performance doubling.
* Fix invalid issuer in unit testsMartin Kosek2011-07-274-8/+14
| | | | | | | Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
* Fixed hard-coded label in Find button.Endi S. Dewata2011-07-281-1/+1
| | | | | The IPA.adder_dialog has been modified to use translated label for the Find button.
* Fixed hard-coded labels in sudo rules.Endi S. Dewata2011-07-281-6/+10
| | | | | | | The sudo rule interface has been modified to remove unused labels and use translated dialog box title. Ticket #1518
* Fixed problem setting host OTP.Endi S. Dewata2011-07-281-10/+14
| | | | | | | | The handler for host 'Set OTP' button has been modified to obtain the primary key from the entity and return false to stop the normal event processing. Ticket #1511
* Don't leave dangling map if adding an indirect map failsRob Crittenden2011-07-272-5/+21
| | | | | | | | When using the add_indirect helper we create a new map and then add a key for it all in one step. If adding the key fails for any reason be sure to remove the map we added. https://fedorahosted.org/freeipa/ticket/1520
* Fix external CA install.Jan Cholasta2011-07-261-25/+34
| | | | ticket 1523
* Fix automountkey commands summaryMartin Kosek2011-07-271-4/+12
| | | | | | | | | | | The summary value was set to primary key. However, the primary key may contain also an info option as a workaround for multiple direct maps problem. This patch sets the result 'value' and thus summary text to expected and consistent value. https://fedorahosted.org/freeipa/ticket/1524
* Fixed problem bookmarking Policy/IPA Server tabsEndi S. Dewata2011-07-261-9/+31
| | | | | | | | | When opening a bookmark, each tab level will be updated separately from top to bottom according to the URL state. The navigation code has been modified to recognize when an ancestor tab is being updated and not change the URL state. Ticket #1521
* Revert use of 'can be at least' to 'must be at least' in minvalue validatorRob Crittenden2011-07-261-1/+1
| | | | BZ https://bugzilla.redhat.com/show_bug.cgi?id=723969
* fixed empty dns record updatePetr Vobornik2011-07-253-2/+43
| | | | | | | https://fedorahosted.org/freeipa/ticket/1477 Redirection after updating empty DNS Record (which is deleted). Added hook to details facet for post update operation.
* Make sure that hostname specified by user is not an IP address.Jan Cholasta2011-07-253-1/+10
| | | | ticket 1375
* New icons for entitlement buttonsEndi S. Dewata2011-07-255-4/+19
| | | | | | | The entitlement facets have been modified to use the new icons provided by Kyle Baker. Ticket #1425
* Add an arch-specific Requires on cyrus-sasl-gssapiRob Crittenden2011-07-241-2/+5
| | | | | | | | If you had a 64-bit system and installed a 32-bit version of IPA then ipa-getkeytab probably wouldn't work because yum wouldn't know to pull in the 32-bit version of cyrus-sasl-gssapi. https://fedorahosted.org/freeipa/ticket/1499