| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch for ticket 3964 changed the installer so that it does not
always wait for CA if the proxy is not configured. However,
it was found out that it may freeze an installation when
a step subsequent after CA restart call the CA and receives no
reply.
Change the wait so that it always waits for CA to start up. If
HTTP proxy is already configured, it should wait on port 443.
If not, it should wait on local PKI port 8443.
https://fedorahosted.org/freeipa/ticket/3973
|
| |
|
|
|
|
|
|
|
|
|
| |
When trying to create a new ordered test case by inheriting
from already defined test case, by overriding few of its methods,
the execution order of the tests is as follows:
- first all non-overriden test methods from the parent test class
- then all overriden tests methods
This patch makes sure that methods are executed in the logical order,
that is, the order defined in the parent class.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Installation: https://github.com/senchalabs/jsduck/wiki/Installation Basically it requires ruby and jsduck gem.
Usage:
$ cd install/ui/doc
$ make
Documentation will be generated into: install/ui/build/code_doc directory
|
| |
|
|
| |
Part of ongoing Web UI documentation effort. Source code is annotated in a way that it can be processed by documentation generator.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Issue:
* There was no caching policy specified.
* -> Browsers use their own default policy.
* -> After upgrade, some Web UI files might have been actualized some not.
* -> With schema change may result into weird bugs in Web UI
Solution considerations:
1. Detect server version change and hard-reload at runtime
Detection is easy. Problem is the reload. Obvious candidate 'window.location.reload(true)' works in Firefox but not in Chrome because expected behavior when parameter is used is not in standard and therefore Chromium/WebKit authors did not implement it.
2. Application Cache
HTML 5 technology which lets web apps to run offline. Besides weird issues with event handlers which I encountered, this would be an ideal candidate. Simple change of manifest file would lead to reload of all files (requires reload of page to used the new files).
Showstopper was usage with untrusted certificate. If user did not add exception for the cert or its CA and would visit the page for a second time, all AJAX calls would fail.
3. Set Expires to now() for everything
Web UI rarely changes so this is an overkill. Setting it to different value is not a solution either. We can't predict when the upgrade will happen and when new Web UI will be needed.
Solution:
* Implemented a mini loader which loads basic resources. Dojo loader takes action after Dojo is loaded.
* The loader adds a version parameter (?v=__NUM_VERSION__) to all requests.
* Version is defined in the loader. It's set to current in `make version-update`.
* All static pages use this loader to fetch their resources.
* Version is also passed to dojo loader as cache-bust for the same effect.
* Expire header was set to 'access time plus 1 year' for /ui folder. Exceptions are HTML files and loader (set to immediate expiration).
Possible issues:
* Images are cached but not requested with version param.
* Images with version and without are considered different
* -> We would have to attach version to all URIs - in CSS and in JS. But we should avoid changing jQuery UI CSS.
* Proposed solution is to change image name when changing image. Image change is done rarely.
* Version is set by build and therefore updated just on server update. It might cause trouble with different update schedule of plugins.
* No action taken to address this issue yet.
* We might leave it on plugin devs (own .conf in /etc/httpd/conf.d/)
* or set expires to now for all plugins
* running `make version-update` is required in order to use static version of UI for testing
https://fedorahosted.org/freeipa/ticket/3798
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3944
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Majority of the attributes set in the setup method can be set in the
__init__ method where they are actually defined (and set to None).
This is true for attributes that hold constant values and for
attributes that have their values derived from api.env dictionary.
Creates a new __setup_default_attributes method, that is called
from within __init__ and setup (in case the passed values for
hostname or domain do not correspond to that what is set in api.env,
doing otherwise could cause unexpected behaviour).
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.
This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
| |
|
|
|
|
|
|
| |
In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install,
print a warning that we will break existing samba configuration and ask for
a confirmation in the interactive mode.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
| |
|
|
|
|
|
|
|
|
|
| |
Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.
This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
| |
|
|
|
|
| |
For the AD trusts where the ID range for the root level domain is of
ipa-ad-trust-posix type, do not create a separate ranges for the
subdomains, since POSIX attributes provide global mapping.
|
| |
|
|
|
|
|
| |
Change re-initialize command to consider memberOf fixup task only
for non-winsync replication agreements.
https://fedorahosted.org/freeipa/ticket/3854
|
| |
|
|
|
|
|
|
| |
The installers used custom self.realm_name instead of standard
self.realm defined in Service class. It caused crashes in some cases
when Service class methods expected the self.realm to be filled.
https://fedorahosted.org/freeipa/ticket/3854
|
| |
|
|
|
|
|
|
| |
Proxy configuration was not detected correctly. Both
ipa-pki-proxy.conf and ipa.conf need to be in place and httpd
restarted to be able to check it's status.
https://fedorahosted.org/freeipa/ticket/3964
|
| |
|
|
|
|
|
|
| |
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
|
| |
|
|
|
| |
The StrEnum and Int tests are restructured to allow sharing the tests.
Individual *Enum tests are separated into methods.
|
| | |
|
| |
|
|
|
| |
Int already needed to take both int and long. This makes the functionality
available for all Param classes.
|
| | |
|
| |
|
|
| |
Options should be Param subclasses.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
|
| | |
|
| |
|
|
|
|
|
| |
Having '%' in DM password causes pkispawn to crash. Do not allow
users to enter it until pkispawn is fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=953488
|
| |
|
|
|
| |
Previously NSPRError was given arguments in the wrong order.
Fix this by naming the arguments.
|
| |
|
|
|
|
| |
This helps forward compatibility: the anon ACI is scheduled for removal.
https://fedorahosted.org/freeipa/ticket/3956
|
| |
|
|
|
|
|
|
|
| |
With old servers, it is possible that xmlclient.connect() succeeds
but commands fail with a Kerberos error.
Verify that commands succeed by sending a ping after connecting.
Follow-up to: https://fedorahosted.org/freeipa/ticket/3931
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To make sure the installation works with older servers,
use XML-RPC directly, with a version set explicitly so the request
is not rejected.
RPC was chosen over ldapmodify, because going through the API allows
the server to process the request properly, or even cleanly reject
it if there are incompatible changes in future versions.
https://fedorahosted.org/freeipa/ticket/3931
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This task was added with a DN colliding with privilege update memberOf
task being run later and caused this task to be ineffective and thus
miss some privilege membership, like "SELinux User Map Administrators"
DNS update plugin do not need to run any task at all as privileges
will be updated later in scope of 55-pbacmemberof.update
https://fedorahosted.org/freeipa/ticket/3877
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3897
|
| |
|
|
|
|
|
| |
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.
https://fedorahosted.org/freeipa/ticket/3897
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.
Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.
We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.
Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When client principal requests for a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.
In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.
Part of https://fedorahosted.org/freeipa/ticket/3909
|
| |
|
|
|
|
| |
We don't store trust type, attributes, and direction for subdomains
of the existing trust. Since trust is always forest level, these parameters
can be added as defaults when they are missing.
|
| | |
|
| |
|
|
|
|
|
|
| |
Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.
Remove support for authenticating as trust account because it should not
really be used other than within Samba.
|
| |
|
|
|
| |
When reporting argument errors, show also a context -- what is processed,
what is the name of the command.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add IPA CLI to manage trust domains.
ipa trust-fetch-domains <trust> -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust> -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
By default all discovered trust domains are allowed to access IPA resources
IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
part of https://fedorahosted.org/freeipa/ticket/3909
|
| |
|
|
|
|
|
|
| |
Use realmdomains information to prepopulate forest trust info. As result,
all additional domains should now be enabled from the beginning, unless they
really conflict with existing DNS domains on AD side.
https://fedorahosted.org/freeipa/ticket/3919
|
| |
|
|
|
|
| |
If an exception is expected, but another one is raised, the CLITestContext
raised a generic AssertionError.
Pass through the original exception instead
|
| | |
|
