summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add test for backup/delete system users/restorePetr Viktorin2014-09-241-10/+48
| | | | | | Regression test for: https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add basic test for backup & restorePetr Viktorin2014-09-241-0/+110
| | | | | | https://fedorahosted.org/freeipa/ticket/3893 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Set the default attributes for RootDSETomas Babej2014-09-242-0/+10
| | | | | | | | | | | With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr attribute to enumerate the list of attributes that should be returned even if not specified explicitly. Use the behaviour to get the same attributes returned from searches on rootDSE as in 1.3.1. https://fedorahosted.org/freeipa/ticket/4288 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Include the ipa command in client-only buildJan Cholasta2014-09-232-6/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4536 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Include ipaplatform in client-only buildJan Cholasta2014-09-233-3/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4533 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Allow RPM upgrade from ipa-* packagesJan Cholasta2014-09-231-5/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/4532 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix certmonger code causing the ca_renewal_master update plugin to failJan Cholasta2014-09-232-2/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4547 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa_backup: Log where the backup is be storedPetr Viktorin2014-09-231-0/+2
| | | | | | This makes managing multiple backups & logs easier. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* backup,restore: Don't overwrite /etc/{passwd,group}Petr Viktorin2014-09-232-3/+3
| | | | | | | | | | The /etc/passwd and /etc/group files are not saved and restored. The DS user is always created on restore, and the PKI user is created if a CA is being restored. https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa_restore: Split the services listPetr Viktorin2014-09-231-1/+1
| | | | | | | | | | | Make a proper list from the comma-separated string found in the config. The only current use of backup_services is in run: if 'CA' in self.backup_services: Without this change, this picked up the 'CA' from 'MEMCACHE'. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaserver.install: Consolidate system user creationPetr Viktorin2014-09-236-69/+68
| | | | | | | | | | | | | | Sytem users and their groups are always created together. Also, users & groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Dogtag 10.2 to spec.fileMartin Basti2014-09-221-2/+2
| | | | | | Dogtag 10.2 is required due to support a Vault feature Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib: host_del: Extend LDAPDelete's takes_options instead of overridingTomas Babej2014-09-173-6/+4
| | | | | | | | | | | The host-del command did not accept --continue option, since the takes_options was overriden and did not take the options from LDAPDelete. Fix the behaviour. https://fedorahosted.org/freeipa/ticket/4473 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Re-enable uninstall feature for ipa-kra-installAde Lee2014-09-153-9/+10
| | | | | | | | | | | | | The underlying Dogtag issue (Dogtag ticket 1113) has been fixed. We can therefore re-enable the uninstall option for ipa-kra-install. Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds a debug statement to provide status to the user when an uninstall is done. Also, re-added the no_host_dns option which is used when unpacking a replica file. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Allow deleting obsolete permissions; remove operational attribute permissionsPetr Viktorin2014-09-122-22/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/4534 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Auto-add operational atttributes to read permissionsPetr Viktorin2014-09-124-43/+96
| | | | | | | | | | | The attributes entryusn, createtimestamp, and modifytimestamp should be readable whenever thir entry is, i.e. when we allow reading the objectclass. Automatically add them to every read permission that includes objectclass. https://fedorahosted.org/freeipa/ticket/4534 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Update referential integrity config for DS 1.3.3Petr Viktorin2014-09-122-43/+24
| | | | | | | | | | | | | | | | | | | | | | | Hisorically DS provided defaults for the referential integrity plugin in nsslapd-pluginArg*: nsslapd-pluginarg3: member nsslapd-pluginarg4: uniquemember nsslapd-pluginarg5: owner nsslapd-pluginarg6: seeAlso In 389-ds 1.3.3, the multi-valued referint-membership-attr is used instead. The old way still works, but it requires that the values are numbered consecutively, so IPA's defaults that started with 7 were not taken into account. Convert IPA defaults to use referint-membership-attr. https://fedorahosted.org/freeipa/ticket/4537 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Update SSL ciphers configured in 389-ds-baseLudwig Krispenz2014-09-124-8/+12
| | | | | | | | | | use configuration parameters to enable ciphers provided by NSS and not considered weak. This requires 389-ds version 1.3.3.2 or later https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* webui: hide otp fields based on token typePetr Vobornik2014-09-111-3/+8
| | | | | | | | - uses hide empty feature https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: hide non-readable fieldsPetr Vobornik2014-09-113-2/+51
| | | | | | | | | | | | hide widgets if associated field had received attribute level rights without 'r' right. Explicit rights are required to avoid hiding of special widgets which are not associated with any LDAP attribute. https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: hide empty fields and sectionsPetr Vobornik2014-09-112-11/+93
| | | | | | | | | | Hide widgets without a value. Must be explicitly turned on. In widget by `hidden_if_empty` flag. Or globally by `hide_empty_widgets` flag. Global hiding can be individually turned off by `ignore_empty_hiding` flag. https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: widget initializationPetr Vobornik2014-09-111-0/+9
| | | | | | | | | | | | - used `ctor_init` instead of `init` to avoid name collision with existing logic - `ctor_init` is called right after widget instantiation. Basically support better inheritance for the old class system which doesn't have proper contructors https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: better value-change reportingPetr Vobornik2014-09-116-29/+25
| | | | | | | | | - widget save() save method should try to always return value even if read only - report value-change event with actual value to allow processing of the value https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: display fields based on otp token typePetr Vobornik2014-09-111-1/+22
| | | | | | | | - in adder dialog https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add i18n for the rest of QR code stringsPetr Vobornik2014-09-113-8/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add token from user pagePetr Vobornik2014-09-113-3/+60
| | | | | | | | | | Add 'Add OTP Token' action to user action menu. This option is disabled in self-service when viewing other users. https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: better otp token type labelPetr Vobornik2014-09-113-6/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: add measurement unit to otp token time fieldsPetr Vobornik2014-09-111-3/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4402 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Fix typo causing ipa-upgradeconfig to fail.David Kupka2014-09-111-1/+1
| | | | | | | | Replace 'post-certsave-command' by 'cert-postsave-command'. https://fedorahosted.org/freeipa/ticket/4529 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Update qrcode support for newer python-qrcodeNathaniel McCallum2014-09-112-4/+4
| | | | | | | | | This substantially reduces the FreeIPA dependencies and allows QR codes to fit in a standard terminal. https://fedorahosted.org/freeipa/ticket/4430 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* install: create ff krb extension on every install, replica install and upgradePetr Vobornik2014-09-113-19/+2
| | | | | | | | | | We don't want to copy the extension from master to replica because the replica may use newer version of FreeIPA and therefore the extension code might be obsolete. Same reason for upgrades. https://fedorahosted.org/freeipa/ticket/4478 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: append network.negotiate-auth.trusted-urisPetr Vobornik2014-09-111-1/+23
| | | | | | https://fedorahosted.org/freeipa/ticket/4478 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Fix hardcoded lib dir in freeipa.specGabe2014-09-091-3/+3
| | | | | | | | - Migrate hardcoded tmpfiles.d paths to %{_tmpfilesdir} macro in spec file https://fedorahosted.org/freeipa/ticket/4528 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use autobind when updating CA people entries during certificate renewalJan Cholasta2014-09-092-12/+4
| | | | | | | | | Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump selinux-policy in the spec file. https://fedorahosted.org/freeipa/ticket/4005 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove internaldb password from password.confAna Krivokapic2014-09-091-0/+3
| | | | | | | | | Remove internaldb password from password.conf after switching over to client certificate authentication. The password is no longer needed. https://fedorahosted.org/freeipa/ticket/4005 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* webui: notify psw change success only oncePetr Vobornik2014-09-081-2/+0
| | | | | | | | | | | Password change initiated from header menu notified success twice. First one in `dialogs.password.dialog` and second one in a success callback. The second notification was removed. Caused by: https://fedorahosted.org/freeipa/changeset/870db2f677dff01750aeec104c90fce3ca0e54be/ Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: switch associators if default doesn't workPetr Vobornik2014-09-081-0/+10
| | | | | | | | | | Make association auto-magic little bit less stupid. Now it supports adding of new attribute member with add_member and remove_member methods only on one side of the relationship. https://fedorahosted.org/freeipa/ticket/4507 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: do not show login error when switching back from otp sync screenPetr Vobornik2014-09-082-4/+24
| | | | | | | | Errors should reflect only a result of last operation. https://fedorahosted.org/freeipa/ticket/4470 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* webui: adjust behavior of bounce urlPetr Vobornik2014-09-082-2/+46
| | | | | | | | | | | | | | | | | | | | | - bounce url param was renamed from 'redirect' to 'url' - support for 'delay' param added Behavior: - "Continue to next page" link is shown if 'url' is present - page is no longer automatically redirected if 'url' is present - automatic redirect is controlled by 'delay' param - it specifies number of seconds until redirection - info message 'You will be redirected in Xs' is show to notify the user that something will happen. It's useful even if delay is 0 or negative because redirection might be slow. - counter is decremented every second - delay is ignored if parsed as NaN https://fedorahosted.org/freeipa/ticket/4440 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* No longer generate a machine certificate on client installsRob Crittenden2014-09-051-66/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4449 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Backup CS.cfg before modifying itJan Cholasta2014-09-052-0/+22
| | | | | | https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrsPetr Viktorin2014-09-056-10/+32
| | | | | | | | | | | This is a fix for an earlier version, which was committed by mistake as: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 Thanks to Alexander Bokovoy for contributions https://fedorahosted.org/freeipa/ticket/4521
* webui: extract complex pkey on Add and EditPetr Vobornik2014-09-051-3/+4
| | | | | | | | | | DNS zone 'Add and Edit' failed because of new DNS name encoding. This patch makes sure that keys are extracted properly. https://fedorahosted.org/freeipa/ticket/4520 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Allow user to force Kerberos realm during installation.David Kupka2014-09-052-21/+33
| | | | | | | | | User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/4444 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.Jan Cholasta2014-09-056-44/+59
| | | | | | | | | | | | | The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add managed read permissions for compat treePetr Viktorin2014-09-055-0/+49
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Do not restart apache server when not necessary.David Kupka2014-09-051-1/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4352 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Tests: DNS wildcard recordsMartin Basti2014-09-051-1/+46
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4488 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* FIX DNS wildcard records (RFC4592)Martin Basti2014-09-051-0/+22
| | | | | | | | | | Make validation more strict * DS, NS, DNAME owners should not be a wildcard domanin name * zone name should not be a wildcard domain name Ticket: https://fedorahosted.org/freeipa/ticket/4488 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix DNS record rename testMartin Basti2014-09-051-15/+14
| | | | | | | | | | bind-dyndb-ldap's bug caused test failure https://fedorahosted.org/bind-dyndb-ldap/ticket/123 Owners with NS record works with the bug Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Kosek <mkosek@redhat.com>