Commit message | Author | Age | Files | Lines
...
* Fix DNS permissions and membership in privileges | Rob Crittenden | 2011-10-09 | 6 | -25/+67
  This resolves two issues:
  1. The DNS acis lacked a prefix so weren't tied to permissions
  2. The permissions were added before the privileges so the member values weren't calculated properly
  For updates we need to add in the members and recalculate memberof via a DS task.
  https://fedorahosted.org/freeipa/ticket/1898
* Force the upgrade of pki-setup when upgrading the RPMS | Adam Young | 2011-10-09 | 1 | -2/+6
* Execute pki proxy setup when server is upgraded if needed | Adam Young | 2011-10-09 | 1 | -2/+21
* Make mod_nss renegotiation configuration a public function | Adam Young | 2011-10-09 | 1 | -4/+4
* Split Web UI initialization to several smaller calls | Petr Vobornik | 2011-10-09 | 1 | -8/+174
  https://fedorahosted.org/freeipa/ticket/1933
  Web UI init method was modified to get initialization data in 3 calls. First call remains the same as before except that the json_metadata command was removed. JSON metadata are requested after successful response of the first batch command. This approach should preserve functionality in IE (where request is missing after authentication). Getting JSON metadata is split to two commands - this should prevent the error in linked ticket. These two commands are parallelly executed by new concurent_command object. Concurrent command waits for all responses then it calls each command's success handler.
* Split Web UI initialization to several smaller calls #2 | Petr Vobornik | 2011-10-09 | 3 | -16692/+17145
  https://fedorahosted.org/freeipa/ticket/1933
  Modified data files for offline testing.
* split metadata call | Adam Young | 2011-10-09 | 1 | -14/+18
  The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.
  To fetch just the objects call it like this:
    {"method":"json_metadata","params":[["all",""],{}],"id":0}
  And just the methods call it like this:
    {"method":"json_metadata","params":[["","all"],{}],"id":0}
  Note the difference in the positional parameters. To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter. This is not ideal, but we are constrained by the existing API.
* When calculating indirect membership don't test nesting on users and hosts. | Rob Crittenden | 2011-10-06 | 1 | -0/+8
  Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups.
  https://fedorahosted.org/freeipa/ticket/1885
* Make sure ipa-client-install returns correct error code | Martin Kosek | 2011-10-07 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/1937
* Fixed links to images in config and migration pages | Petr Vobornik | 2011-10-06 | 17 | -77/+71
  https://fedorahosted.org/freeipa/ticket/1932
  Description of problem: Title is missing while configuring browser for the first time.
  Actual results: There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.
  Expected results: Title "Identity Management" is always present.
  Fixed:
    * modified paths to images
    * fixed padding in ssbrowser.html
    * moved browser icons to ui folder
    * deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)
  whitespaces
* Prevent collisions of hostgroup and netgroup | Martin Kosek | 2011-10-06 | 1 | -0/+11
  For every hostgroup a managed netgroup is created (if this is allowed). Make sure that if a stand-alone netgroup exists, a hostgroup with the same name cannot be created to prevent collisions.
  https://fedorahosted.org/freeipa/ticket/1914
* Before kinit, try to sync time with the NTP servers of the domain we are joining | Alexander Bokovoy | 2011-10-06 | 3 | -0/+58
  When running ipa-client-install on a system whose clock is not in sync with the master, kinit fails and enrollment is aborted. Manual checking of current time at the master and adjusting on the client-to-be is then needed.
  The patch tries to fetch SRV records for NTP servers of the domain we aim to join and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself. If that fails, warn that time might be not in sync with KDC.
  https://fedorahosted.org/freeipa/ticket/1773
* ipa-kdb: Fix legacy password hashes generation | Simo Sorce | 2011-10-06 | 2 | -3/+2
  We were not searching for objectclass so the test to see if a user had the posixAccount attribute was failing and the user was not marked as ipa_user. This in turn caused us to not synchronize legacy hashes by not trying to store the userPassword attribute.
  Fixes: https://fedorahosted.org/freeipa/ticket/1820
* Disables gid field if not posix group in group adder dialog | Petr Vobornik | 2011-10-06 | 2 | -1/+39
  https://fedorahosted.org/freeipa/ticket/1922
  gidNumber is not an allowed attribute for a non-posix group. When adding a non-posix group from the UI, unchecking the "Is this a POSIX group?:" box should disable the "GID:" field.
* Improve ipa-replica-prepare DNS check | Martin Kosek | 2011-10-06 | 5 | -30/+40
  Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error).
  Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type.
  https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowed | Simo Sorce | 2011-10-06 | 4 | -32/+48
  Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interrupted | Martin Kosek | 2011-10-06 | 15 | -34/+81
  When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed.
  https://fedorahosted.org/freeipa/ticket/1916
* - note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials | Nalin Dahyabhai | 2011-10-04 | 1 | -3/+6
* Work around pkisilent bugs. | Jan Cholasta | 2011-10-04 | 4 | -25/+58
  Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
  Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
  ticket 1636
* ipa-pwd-extop: allow password change on all connections with SSF>1 | Sumit Bose | 2011-10-05 | 2 | -26/+12
  Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments.
  https://fedorahosted.org/freeipa/ticket/1877
* Added selectable labels for radio buttons. | Endi S. Dewata | 2011-10-05 | 2 | -8/+29
  The radio buttons in association facet and radio widget are now linked to their labels so that they can be selected by clicking the labels.
  Ticket #1782
* Fix 'referenced before assignment' warning | Alexander Bokovoy | 2011-10-05 | 1 | -0/+1
* Added confirmation when adding multiple entries. | Endi S. Dewata | 2011-10-05 | 10 | -19/+57
  The adder dialog has been modified to show a confirmation message after each successful addition.
  Ticket #1786
* Setup and restore ntp configuration on the client side properly | Alexander Bokovoy | 2011-10-05 | 2 | -16/+62
  When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers point to IPA NTP server as well.
  When restoring the client during ipa-client-install --uninstall, make sure NTP configuration is fully restored and NTP service is disabled if it was disabled before the installation.
  https://fedorahosted.org/freeipa/ticket/1770
* Add a function for formatting network locations of the form host:port for use in URLs. | Jan Cholasta | 2011-10-05 | 15 | -40/+59
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* list users from nested groups, too | Nalin Dahyabhai | 2011-10-05 | 1 | -1/+1
* Configure pam_krb5 on the client only if sssd is not configured | Alexander Bokovoy | 2011-10-04 | 1 | -7/+8
  https://fedorahosted.org/freeipa/ticket/1775
* Migration: don't assume there is only one naming context, add logging. | Rob Crittenden | 2011-10-04 | 2 | -15/+34
  We can't assume that there will be only one naming context. Look at each one until we find an IPA one.
  Add logging so you can know that a migration attempt fails and why.
  https://fedorahosted.org/freeipa/ticket/1834
  https://fedorahosted.org/freeipa/ticket/1835
* Unroll StrEnum values when displaying help | Alexander Bokovoy | 2011-10-03 | 1 | -1/+4
  https://fedorahosted.org/freeipa/ticket/1848
* Require current password when using passwd to change your own password. | Rob Crittenden | 2011-10-04 | 7 | -8/+59
  Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it.
  https://fedorahosted.org/freeipa/ticket/1808
* Be more clear about selfsign option | Martin Kosek | 2011-10-04 | 2 | -5/+13
  Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really wants to install it by implementing the following steps:
  - moving the option to the bottom of certificate options section
  - adding a warning to ipa-server-install man page
  - adding a warning to ipa-server-install help
  - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install
  https://fedorahosted.org/freeipa/ticket/1908
* Validate name_from_ip parameter of dnszone. | Jan Cholasta | 2011-10-04 | 1 | -1/+22
  ticket 1627
* Disable sudo options Delete button if nothing selected. | Endi S. Dewata | 2011-10-03 | 1 | -4/+22
  The Delete button for sudo options in sudo rule details page now will only work if there is at least one row selected.
  Ticket #1896
* I18n clean-up. | Endi S. Dewata | 2011-10-03 | 3 | -2/+6
  The hard-coded 'undo' and 'undo all' labels have been moved into internal.py to allow translation.
  Ticket #1897
* migrate process cannot handle multivalued pkey attribute | Martin Kosek | 2011-10-03 | 1 | -1/+17
  When group/user is migrated, the attribute used for RDN may be multivalued. Make sure that we pick the value used in the RDN which should be the unique one and not just the first one.
  https://fedorahosted.org/freeipa/ticket/1892
* Fixed missing default shell field. | Endi S. Dewata | 2011-09-30 | 1 | -0/+1
  The config default page has been fixed to provide a field for the ipadefaultloginshell attribute.
  Ticket #1895
* ipa-client assumes a single namingcontext | Martin Kosek | 2011-09-30 | 2 | -18/+51
  When LDAP server contains more than one suffix, the ipa client installation does not detect it as IPA server and fails to install. Fix ipa server discovery so that it correctly searches all naming contexts for the IPA one.
  https://fedorahosted.org/freeipa/ticket/1868
* ipa-client-install: Fix joining when LDAP access is restricted | Simo Sorce | 2011-09-30 | 2 | -22/+43
  Fixes: https://fedorahosted.org/freeipa/ticket/1881
* Fix HBAC tests hostnames | Martin Kosek | 2011-09-30 | 1 | -2/+2
  Make HBAC test hosts compliant with hostname restrictions placed in ticket 1780.
* Fix LDAPCreate search failure | Martin Kosek | 2011-09-30 | 1 | -1/+6
  LDAPCreate reports "search criteria was not specific enough" when LDAP object created in LDAPCreate shares its container with other LDAP objects and there is one with the same name and RDN attribute.
  Pass objectclass to find_entry_by_attr() function used to retrieve newly created object for POST_CALLBACK to identify correct LDAP object.
  https://fedorahosted.org/freeipa/ticket/1864
* Fixed: Some widgets do not have space for validation error message | Petr Vobornik | 2011-09-29 | 4 | -11/+45
  https://fedorahosted.org/freeipa/ticket/1454
  The following widgets should call create_error_link() to create a space to show validation error messages:
    IPA.checkbox_widget
    IPA.checkboxes_widget
    IPA.radio_widget
    IPA.select_widget
    IPA.table_widget
    IPA.attributes_widget
    IPA.rights_widget
    IPA.target_section (it's a widget)
  Solution:
    * added call to checkbox, checkboxes, radio, select, table, attributes widget
    * rights_widget inherits it from checkboxes_widget.
    * target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
    * table_widget displays error_link between pagination and summary.
  Additional:
    * added padding and unified font-weight for error message
* Disable enroll button if nothing selected. | Endi S. Dewata | 2011-09-29 | 11 | -259/+520
  A new IPA.dialog_button class has been added to encapsulate the buttons in the dialog box so they can be managed more easily. The adder dialog has been modified to disable the enroll button if there are no entries selected.
  Ticket #1856
* Use editable combobox for service type. | Endi S. Dewata | 2011-09-29 | 2 | -32/+44
  The service type field in the service adder dialog has been modified to use an editable combobox.
  Ticket #1633.
* Fixed tab and dialog widths. | Endi S. Dewata | 2011-09-29 | 7 | -8/+3
  The width of the 1st level tab has been modified to expand according to the size of the tab label. The width of the adder dialogs has been increased to allow longer button labels.
  Ticket #1825
* Updated color scheme. | Endi S. Dewata | 2011-09-28 | 3 | -0/+0
  The UI background has been replaced with new images from UXD.
  Ticket #1842
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install. | Rob Crittenden | 2011-09-27 | 3 | -7/+22
  ipa-ca-install can only add a dogtag CA to an IPA install.
  ipa-replica-prepare can only be run on the initial master with a selfsign backend.
  https://fedorahosted.org/freeipa/ticket/1756
  https://fedorahosted.org/freeipa/ticket/1757
* Fixed: Enrolment dialog offers to add entity to reflexive association. | Petr Vobornik | 2011-09-27 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/1883
  It's a regression introduced by patch for #1797
  Reproduce:
    * show user group foo
    * click on user groups tab
    * click on enroll button
  Result: User group 'foo' is listed in available list.
  Expected result: User group 'foo' is not listed in available list.
* Fixed duplicate entries in enrollment dialog. | Endi S. Dewata | 2011-09-27 | 2 | -45/+22
  The IPA.association_adder_dialog has been modified not to show search results that are already selected to prevent duplicates.
  Ticket #1859
* Add regular expression pattern to host names. | Rob Crittenden | 2011-09-27 | 3 | -10/+13
  Limit hostnames to letters, digits and - with a maximum length of 255
  https://fedorahosted.org/freeipa/ticket/1780
* Include failed service and service groups in hbac rule management | Rob Crittenden | 2011-09-27 | 1 | -0/+3
  hbacrule-service-add/remove failures weren't being displayed because no label was defined.
  https://fedorahosted.org/freeipa/ticket/1863
  https://fedorahosted.org/freeipa/ticket/1865