Commit message | Author | Age | Files | Lines
* Added missing fields to password policy page | Petr Vobornik | 2011-10-10 | 1 | -2/+10
  https://fedorahosted.org/freeipa/ticket/1944
  No editable fields exist for "maxfail", "failinterval" "lockouttime" and "priority" in password policy page.
* Include indirect membership and canonicalize hosts during HBAC rules testing | Alexander Bokovoy | 2011-10-10 | 1 | -7/+23
  When users and hosts are included into groups indirectly, make sure that during HBAC test we fill in all indirect groups properly into an HBAC request. Also, if hosts provided for test are not specified fully, canonicalize them using IPA domain. This makes possible following requests:
    ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
    Request to evaluate:
    <user <name foobar groups [hbacusers,ipausers]>
     service <name sshd groups []>
     targethost <name vm-101.ipa.local groups []>
     srchost <name vm-101.ipa.local groups []>
    >
  Fixes:
  https://fedorahosted.org/freeipa/ticket/1862
  https://fedorahosted.org/freeipa/ticket/1949
* Force kerberos realm to be a string | Alexander Bokovoy | 2011-10-10 | 1 | -1/+1
  Fixes issue with Python linter on Fedora 16 where it assumes for C modules-provided objects that they are of type _Chainmap during static analysis.
* Fix dnszone-add name_from_ip server validation | Martin Kosek | 2011-10-11 | 2 | -1/+56
  Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. Also implement 2 unit cases testing this option
  https://fedorahosted.org/freeipa/ticket/1941
* Fix i18n in config plugin | Martin Kosek | 2011-10-11 | 1 | -2/+2
* Improve default user/group object class validation | Martin Kosek | 2011-10-11 | 2 | -1/+27
  When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following:
  - all object classes are known to LDAP
  - all default user/group attributes are allowed under the new set of default object classes
  https://fedorahosted.org/freeipa/ticket/1893
* Increase number of 'getent passwd attempts' to 10 | Alexander Bokovoy | 2011-10-11 | 1 | -4/+4
  During ipa-client-install SSSD is not always started up properly for some reason, things like "getent passwd admin" do not work. This is particularly true for large setups where admin is included in a large set of groups.
  https://fedorahosted.org/freeipa/ticket/1774
* Fix DNS permissions and membership in privileges | Rob Crittenden | 2011-10-09 | 6 | -25/+67
  This resolves two issues:
  1. The DNS acis lacked a prefix so weren't tied to permissions
  2. The permissions were added before the privileges so the member values weren't calculated properly
  For updates we need to add in the members and recalculate memberof via a DS task.
  https://fedorahosted.org/freeipa/ticket/1898
* Force the upgrade of pki-setup when upgrading the RPMS | Adam Young | 2011-10-09 | 1 | -2/+6
* Execute pki proxy setup when server is upgraded if needed | Adam Young | 2011-10-09 | 1 | -2/+21
* Make mod_nss renegotiation configuration a public function | Adam Young | 2011-10-09 | 1 | -4/+4
* Split Web UI initialization to several smaller calls | Petr Vobornik | 2011-10-09 | 1 | -8/+174
  https://fedorahosted.org/freeipa/ticket/1933
  Web UI init method was modified to get initialization data in 3 calls. First call remains the same as before except that the json_metadata command was removed. JSON metadata are requested after successful response of the first batch command. This approach should preserve functionality in IE (where request is missing after authentication). Getting JSON metadata is split to two commands - this should prevent the error in linked ticket. These two commands are parallelly executed by new concurent_command object. Concurrent command waits for all responses then it calls each command's success handler.
* Split Web UI initialization to several smaller calls #2 | Petr Vobornik | 2011-10-09 | 3 | -16692/+17145
  https://fedorahosted.org/freeipa/ticket/1933
  Modified data files for offline testing.
* split metadata call | Adam Young | 2011-10-09 | 1 | -14/+18
  The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.
  To fetch just the objects call it like this:
    {"method":"json_metadata","params":[["all",""],{}],"id":0}
  And just the methods call it like this:
    {"method":"json_metadata","params":[["","all"],{}],"id":0}
  Note the difference in the positional parameters. To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter. This is not ideal, but we are constrained by the existing API.
* When calculating indirect membership don't test nesting on users and hosts. | Rob Crittenden | 2011-10-06 | 1 | -0/+8
  Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups.
  https://fedorahosted.org/freeipa/ticket/1885
* Make sure ipa-client-install returns correct error code | Martin Kosek | 2011-10-07 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/1937
* Fixed links to images in config and migration pages | Petr Vobornik | 2011-10-06 | 17 | -77/+71
  https://fedorahosted.org/freeipa/ticket/1932
  Description of problem: Title is missing while configuring browser for the first time.
  Actual results: There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.
  Expected results: Title "Identity Management" is always present.
  Fixed:
  * modified paths to images
  * fixed padding in ssbrowser.html
  * moved browser icons to ui folder
  * deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)
  whitespaces
* Prevent collisions of hostgroup and netgroup | Martin Kosek | 2011-10-06 | 1 | -0/+11
  For every hostgroup a managed netgroup is created (if this is allowed). Make sure that if a stand-alone netgroup exists, a hostgroup with the same name cannot be created to prevent collisions.
  https://fedorahosted.org/freeipa/ticket/1914
* Before kinit, try to sync time with the NTP servers of the domain we are joining | Alexander Bokovoy | 2011-10-06 | 3 | -0/+58
  When running ipa-client-install on a system whose clock is not in sync with the master, kinit fails and enrollment is aborted. Manual checking of current time at the master and adjusting on the client-to-be is then needed. The patch tries to fetch SRV records for NTP servers of the domain we aim to join and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself. If that fails, warn that time might be not in sync with KDC.
  https://fedorahosted.org/freeipa/ticket/1773
* ipa-kdb: Fix legacy password hashes generation | Simo Sorce | 2011-10-06 | 2 | -3/+2
  We were not searching for objectclass so the test to see if a user had the posixAccount attribute was failing and the user was not marked as ipa_user. This in turn caused us to not synchronize legacy hashes by not trying to store the userPassword attribute.
  Fixes: https://fedorahosted.org/freeipa/ticket/1820
* Disables gid field if not posix group in group adder dialog | Petr Vobornik | 2011-10-06 | 2 | -1/+39
  https://fedorahosted.org/freeipa/ticket/1922
  gidNumber is not an allowed attribute for a non-posix group. When adding a non-posix group from the UI, unchecking the "Is this a POSIX group?:" box should disable the "GID:" field.
* Improve ipa-replica-prepare DNS check | Martin Kosek | 2011-10-06 | 5 | -30/+40
  Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type.
  https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowed | Simo Sorce | 2011-10-06 | 4 | -32/+48
  Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interrupted | Martin Kosek | 2011-10-06 | 15 | -34/+81
  When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed.
  https://fedorahosted.org/freeipa/ticket/1916
* - note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials | Nalin Dahyabhai | 2011-10-04 | 1 | -3/+6
* Work around pkisilent bugs. | Jan Cholasta | 2011-10-04 | 4 | -25/+58
  Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
  Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
  ticket 1636
* ipa-pwd-extop: allow password change on all connections with SSF>1 | Sumit Bose | 2011-10-05 | 2 | -26/+12
  Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments.
  https://fedorahosted.org/freeipa/ticket/1877
* Added selectable labels for radio buttons. | Endi S. Dewata | 2011-10-05 | 2 | -8/+29
  The radio buttons in association facet and radio widget are now linked to their labels so that they can be selected by clicking the labels.
  Ticket #1782
* Fix 'referenced before assignment' warning | Alexander Bokovoy | 2011-10-05 | 1 | -0/+1
* Added confirmation when adding multiple entries. | Endi S. Dewata | 2011-10-05 | 10 | -19/+57
  The adder dialog has been modified to show a confirmation message after each successful addition.
  Ticket #1786
* Setup and restore ntp configuration on the client side properly | Alexander Bokovoy | 2011-10-05 | 2 | -16/+62
  When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers point to IPA NTP server as well. When restoring the client during ipa-client-install --uninstall, make sure NTP configuration is fully restored and NTP service is disabled if it was disabled before the installation.
  https://fedorahosted.org/freeipa/ticket/1770
* Add a function for formatting network locations of the form host:port for use in URLs. | Jan Cholasta | 2011-10-05 | 15 | -40/+59
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* list users from nested groups, too | Nalin Dahyabhai | 2011-10-05 | 1 | -1/+1
* Configure pam_krb5 on the client only if sssd is not configured | Alexander Bokovoy | 2011-10-04 | 1 | -7/+8
  https://fedorahosted.org/freeipa/ticket/1775
* Migration: don't assume there is only one naming context, add logging. | Rob Crittenden | 2011-10-04 | 2 | -15/+34
  We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why.
  https://fedorahosted.org/freeipa/ticket/1834
  https://fedorahosted.org/freeipa/ticket/1835
* Unroll StrEnum values when displaying help | Alexander Bokovoy | 2011-10-03 | 1 | -1/+4
  https://fedorahosted.org/freeipa/ticket/1848
* Require current password when using passwd to change your own password. | Rob Crittenden | 2011-10-04 | 7 | -8/+59
  Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it.
  https://fedorahosted.org/freeipa/ticket/1808
* Be more clear about selfsign option | Martin Kosek | 2011-10-04 | 2 | -5/+13
  Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really wants to install it by implementing the following steps:
  - moving the option to the bottom of certificate options section
  - adding a warning to ipa-server-install man page
  - adding a warning to ipa-server-install help
  - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install
  https://fedorahosted.org/freeipa/ticket/1908
* Validate name_from_ip parameter of dnszone. | Jan Cholasta | 2011-10-04 | 1 | -1/+22
  ticket 1627
* Disable sudo options Delete button if nothing selected. | Endi S. Dewata | 2011-10-03 | 1 | -4/+22
  The Delete button for sudo options in sudo rule details page now will only work if there is at least one row selected.
  Ticket #1896
* I18n clean-up. | Endi S. Dewata | 2011-10-03 | 3 | -2/+6
  The hard-coded 'undo' and 'undo all' labels have been moved into internal.py to allow translation.
  Ticket #1897
* migrate process cannot handle multivalued pkey attribute | Martin Kosek | 2011-10-03 | 1 | -1/+17
  When group/user is migrated, the attribute used for RDN may be multivalued. Make sure that we pick the value used in the RDN which should be the unique one and not just the first one.
  https://fedorahosted.org/freeipa/ticket/1892
* Fixed missing default shell field. | Endi S. Dewata | 2011-09-30 | 1 | -0/+1
  The config default page has been fixed to provide a field for the ipadefaultloginshell attribute.
  Ticket #1895
* ipa-client assumes a single namingcontext | Martin Kosek | 2011-09-30 | 2 | -18/+51
  When LDAP server contains more than one suffix, the ipa client installation does not detect it as IPA server and fails to install. Fix ipa server discovery so that it correctly searches all naming contexts for the IPA one.
  https://fedorahosted.org/freeipa/ticket/1868
* ipa-client-install: Fix joining when LDAP access is restricted | Simo Sorce | 2011-09-30 | 2 | -22/+43
  Fixes: https://fedorahosted.org/freeipa/ticket/1881
* Fix HBAC tests hostnames | Martin Kosek | 2011-09-30 | 1 | -2/+2
  Make HBAC test hosts compliant with hostname restrictions placed in ticket 1780.
* Fix LDAPCreate search failure | Martin Kosek | 2011-09-30 | 1 | -1/+6
  LDAPCreate reports "search criteria was not specific enough" when LDAP object created in LDAPCreate shares its container with other LDAP objects and there is one with the same name and RDN attribute. Pass objectclass to find_entry_by_attr() function used to retrieve newly created object for POST_CALLBACK to identify correct LDAP object.
  https://fedorahosted.org/freeipa/ticket/1864
* Fixed: Some widgets do not have space for validation error message | Petr Vobornik | 2011-09-29 | 4 | -11/+45
  https://fedorahosted.org/freeipa/ticket/1454
  The following widgets should call create_error_link() to create a space to show validation error messages:
    IPA.checkbox_widget
    IPA.checkboxes_widget
    IPA.radio_widget
    IPA.select_widget
    IPA.table_widget
    IPA.attributes_widget
    IPA.rights_widget
    IPA.target_section (it's a widget)
  Solution:
  * added call to checkbox, checkboxes, radio, select, table, attributes widget
  * rights_widget inherits it from checkboxes_widget.
  * target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
  * table_widget displays error_link between pagination and summary.
  Additional:
  * added padding and unified font-weight for error message
* Disable enroll button if nothing selected. | Endi S. Dewata | 2011-09-29 | 11 | -259/+520
  A new IPA.dialog_button class has been added to encapsulate the buttons in the dialog box so they can be managed more easily. The adder dialog has been modified to disable the enroll button if there are no entries selected.
  Ticket #1856
* Use editable combobox for service type. | Endi S. Dewata | 2011-09-29 | 2 | -32/+44
  The service type field in the service adder dialog has been modified to use an editable combobox.
  Ticket #1633.