path: root/install
Commit message | Author | Age | Files | Lines
* Replace use of attr with prop for booleans | Petr Vobornik | 2012-08-02 | 5 | -41/+33
  Recommended way of setting boolean HTML attributes is by $.prop(boolean) method not $.attr(boolean) because it sets DOM object property not an attribute. Latter works because of jquery's backward compatibility. This patch makes things clearer.
  Some info about prop and attr: http://stackoverflow.com/a/5876747
  https://fedorahosted.org/freeipa/ticket/2817
* Fixed incorrect use of jQuery.attr for setting disabled attribute | Petr Vobornik | 2012-08-02 | 1 | -4/+2
  Occurrence: select_widget
  Update to latest version of jQuery uncovered this issue.
  https://fedorahosted.org/freeipa/ticket/2817
* Web UI tests fix | Petr Vobornik | 2012-08-02 | 2 | -3/+4
  ACI tests were crashing because of misconfigured facet. Entity link tests were crashing because of incorrect jquery selector.
  https://fedorahosted.org/freeipa/ticket/2817
* Unified buttons | Petr Vobornik | 2012-08-02 | 2 | -12/+28
  Buttons in association dialog and action list have different style and behavior than buttons in dialogs. This patch unifies it by using jquery.button widget.
  https://fedorahosted.org/freeipa/ticket/2817
* Removal of unnecessary overrides of jquery-ui styles | Petr Vobornik | 2012-08-02 | 1 | -69/+14
  ipa.css had to be updated to work with updated jquery-ui. This patch removes several duplicate styles.
  Following issues were fixed:
    * dialogs titles in IE and Opera were black instead of green
    * no black line in first navigation level in IE and Opera
    * all browsers (FF, IE, Chrome, Opera) have the same style for buttons and headers
    * dialogs have borders again (should we remove its shadow?)
  Known issues:
    * selected tab-1 in Chrome and Opera doesn't overlap background line as in IE and FF. Not sure how to fix without breaking (there are border overlaps) the latter ones. I think it looks good enough.
    * some buttons are missing padding. Will be fixed in next patch.
  https://fedorahosted.org/freeipa/ticket/2817
* Fix for incorrect event handler definition | Petr Vobornik | 2012-08-02 | 1 | -2/+2
  Click events should be better defined by jquery calls (usually addEventListener) not as elements attributes. Definition as element attribute causes problems after upgrade to jquery 1.7.2. Two occurrences were removed.
  https://fedorahosted.org/freeipa/ticket/2817
* Update to jquery-ui-1.8.21.custom | Petr Vobornik | 2012-08-02 | 9 | -829/+184
  jquery-ui was regenerated to up to date version. Border radius and IPA custom colors were added to theme so we don't have to override them in ipa.css.
  https://fedorahosted.org/freeipa/ticket/2817
* Update to jquery.1.7.2.min | Petr Vobornik | 2012-08-02 | 1 | -8374/+4
  jquery library wasn't updated for a long time.
  https://fedorahosted.org/freeipa/ticket/2817
* PAC Type options for services in Web UI | Petr Vobornik | 2012-08-02 | 5 | -5/+839
  Following options were added to Web UI
    * PAC Type in service
    * PAC Type in configuration
  Testing metadata for objects and commands were regenerated.
  https://fedorahosted.org/freeipa/ticket/2958
* Add per-service option to store the types of PAC it supports | Rob Crittenden | 2012-08-01 | 5 | -1/+16
  Create a per-service default as well.
  https://fedorahosted.org/freeipa/ticket/2184
* Fixed: combobox stacking in service adder dialog | Petr Vobornik | 2012-08-01 | 1 | -2/+4
  First select's content is displayed under second combobox's content when select is opened when second combobox is opened
  Bonus for: https://fedorahosted.org/freeipa/ticket/2834
* Fixed: Unable to select option in combobox in IE and Chrome | Petr Vobornik | 2012-08-01 | 2 | -7/+8
  There's probably a bug regarding z-index stacking in Chrome and IE. It appears when combobox is used in dialog. Combobox's select area had z-index=1010. When first jquery dialog is open it has z-index=1000. Further dialogs have higher z-index. When dialog's z-index exceeds 1010 option in select control can't be selected. IMO it is a browser bug because select control lies in dialog content's stacking context so it should be functional even with z-index=1.
  This patch raises select area's z-index to 9000000 which should prevent the issue for some time. Also it makes combobox's z-index configurable so we can solve combobox stacking (ie in service-add dialog).
  Second part of: https://fedorahosted.org/freeipa/ticket/2834
* Ensure ipa-adtrust-install is run with Kerberos ticket for admin user | Alexander Bokovoy | 2012-07-31 | 2 | -23/+28
  When setting up AD trusts support, ipa-adtrust-install utility needs to be run as:
    - root, for performing Samba configuration and using LDAPI/autobind
    - kinit-ed IPA admin user, to ensure proper ACIs are granted to fetch keytab
  As result, we can get rid of Directory Manager credentials in ipa-adtrust-install
  https://fedorahosted.org/freeipa/ticket/2815
* Update translations | Petr Viktorin | 2012-07-31 | 27 | -173658/+11180
  Update the pot file to match current source, and pull translations from Transifex
  The commands used to create this commit were:
    tx pull -fa  # needs an account and transifex client setup
    cd install/po
    make update-pot
    (update LINGUAS to contain all languages with translations, and no empty ones)
    make update-po
* Use certmonger to renew CA subsystem certificates | Rob Crittenden | 2012-07-30 | 19 | -13/+466
  Certificate renewal can be done only on one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the de facto certificate renewal master.
  A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place.
  The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available.
  The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates.
  On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is conceivable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this.
  https://fedorahosted.org/freeipa/ticket/2803
* Arrange stripping .po files | Petr Viktorin | 2012-07-24 | 3 | -4/+39
  The .po files we use for translations have two shortcomings when used in Git:
    - They include file locations, which change each time the source is updated. This results in large, unreadable diffs that don't merge well.
    - They include source strings for untranslated messages, wasting space unnecessarily.
  Update the Makefile so that the extraneous information is stripped when the files are updated or pulled from Transifex, and empty translation files are removed entirely. Also, translations are normalized to a common style. This should help diffs and merges.
  The validator requires file location comments to identify the programming language, and to produce good error reports. To make this work, merge the comments in before validation.
  First patch for: https://fedorahosted.org/freeipa/ticket/2435
* Fix autoscroll to top in tables in IE | Petr Vobornik | 2012-07-25 | 2 | -0/+13
  In IE when a window is small (horizontal scrollbar is displayed) click or keyboard input on various parts of UI makes search tables scroll to top. It prevents from selecting items in a table. This issue happens when using absolute positioned element with overflow style. It's a bug in IE.
  Two workarounds were added to make UI usable in IE. Adding position:relative; style to body element fixes the problem in search pages. It doesn't help in association dialogs though. The bug doesn't occur when some child element has focus. It's possible to set focus to first visible checkbox while scrolling down but user experience is very bad. Better solution seems to scroll back when IE scrolls to top on mousedown. That way mouse click event happens on the target element and it can gain focus and therefore be selected. Some glitches still remain but it is usable.
  https://fedorahosted.org/freeipa/ticket/2835
* IDs and names for dialogs | Petr Vobornik | 2012-07-25 | 6 | -11/+33
  It's hard to detect if or which type dialog is displayed because not all dialogs have IDs.
  On dialog open, its id or name (if id is not set) is used for containing element id. Many of dialog types were missing id or name so name was added to each dialog type.
  In HTML, element's id should be unique. Our framework allows opening two dialogs with the same id. It may lead to state where getElementById method may have unpredicted behaviour. Therefore attribute 'data-name' with dialog's name was added to dialog's containing element. Automation framework can search more reliably by using this attribute instead of id.
  https://fedorahosted.org/freeipa/ticket/2853
* Framework for admin/install tools, with ipa-ldap-updater | Petr Viktorin | 2012-07-22 | 1 | -158/+2
  Currently, FreeIPA's install/admin scripts are long pieces of code that aren't very reusable, importable, or testable. They have been extended over time with features such as logging and error handling, but since each tool was extended individually, there is much inconsistency and code duplication. This patch starts a framework which the admin tools can use, and converts ipa-ldap-updater to use the framework.
  Common tasks the tools do -- option parsing, validation, logging setup, error handling -- are represented as methods. Individual tools can extend, override or reuse the defaults as they see fit.
  The ipa-ldap-updater has two modes (normal and --upgrade) that don't share much functionality. They are represented by separate classes. Option parsing, and selecting which class to run, happens before they're instantiated.
  All code is moved to importable modules to aid future testing. The only thing that remains in the ipa-ldap-updater script is a two-line call to the library.
  First part of the work for: https://fedorahosted.org/freeipa/ticket/2652
* Default to no when trying to install a replica on wrong server. | Rob Crittenden | 2012-07-19 | 1 | -1/+1
  When installing a replica file on the wrong server we warn that this will likely fail and prompt to Continue. This prompt should default to False, not True.
  https://fedorahosted.org/freeipa/ticket/2325
* Fix updating minimum_connections in ipa-upgradeconfig | Petr Viktorin | 2012-07-18 | 1 | -18/+19
  The upgrade script set the "psearch" directive in some circumstances, but did not remember that it was set, so later, when setting minimum_connections, it assumed psearch is not set.
  Also, the script did not set minimum_connections if the directive wasn't already there. It should be set in that case.
  Related to https://fedorahosted.org/freeipa/ticket/2554
* Fix detection of deleted masters | Simo Sorce | 2012-07-17 | 1 | -9/+15
  When setting up agreements we need to be careful in not allowing to 'reconnect' a master that was previously completely deleted as it would miss entries that are vital for proper functioning. This change in code fixes 2 problems with the current approach.
    1) it removes false positives when we are trying to reconnect a replica that was previously merely disconnected but was still part of the domain and just replicating via a different topology and not a direct link
    2) adds checks for entries that are deleted when an actual removal is performed. so that we cannot 'reconnect' previously unrelated replicas when one of the 2 has been permanently deleted from the masters tree.
  Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
* Fix safety checks to prevent orphaning replicas | Simo Sorce | 2012-07-17 | 1 | -1/+1
  This is just a typo, we were checking one side twice and never the other side. So depending on which side you run the command you'd be able or not to remove the replication agreement even if it was the last one.
  First part of ticket: https://fedorahosted.org/freeipa/ticket/2925
* Bigger textarea for permission type=subtree | Petr Vobornik | 2012-07-18 | 2 | -2/+8
  Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was uncomfortable to define the filter. This difference was removed.
  https://fedorahosted.org/freeipa/ticket/2832
* Fixed display of attributes_widget in IE9 | Petr Vobornik | 2012-07-17 | 5 | -5/+44
  Attributes widget is using overflow css rule in tbody element. IE9 doesn't handle it well.
  To fix the issue, attributes widget was slightly modified and conditional css stylesheet was added just for fixing IE problems.
  https://fedorahosted.org/freeipa/ticket/2822
* Differentiation of widget type and text_widget input type | Petr Vobornik | 2012-07-17 | 1 | -3/+3
  There was a clash of 'type' attribute in widget's spec. Usually 'type' is used for telling a builder which field and widget to build. Text widget used this attribute also for definition of html input type. It was problematic for some special widgets, which defined own field and used text_widget, like service_type or dnszone_name. In those and possibly other cases it used widget type for specifying input type which led to execution error in Internet Explorer. Firefox and Chrome took it.
  This patch is changing text_widget's 'type' to 'input_type' which removes the collision and hence fixes the problem.
  https://fedorahosted.org/freeipa/ticket/2806
  and half of: https://fedorahosted.org/freeipa/ticket/2834
* Print ipa-ldap-updater errors during RPM upgrade | Martin Kosek | 2012-07-13 | 1 | -4/+12
  ipa-ldap-updater does a lot of essential LDAP changes and if it fails, user may be surprised after the upgrade why things do not work.
  Modify ipa-ldap-updater to print ERROR logging messages by default and modify RPM upgrade scriptlet to show these errors to user. Console error messages are now formatted in a more user-friendly way.
  Information message stating that IPA is not configured and i.e. there is nothing to be updated is not printed to stderr so that it does not pop up for every freeipa-server package update when IPA is not configured.
  https://fedorahosted.org/freeipa/ticket/2892
* Enable SOA serial autoincrement | Martin Kosek | 2012-07-13 | 6 | -10/+91
  SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is "serial_autoincrement".
  From now on, idnsSOAserial attribute also has to be put to replication agreement exclude list as serial will be incremented on each DNS server separately and won't be shared. Exclude list has to be updated both for new replication agreements and the current ones.
  Minimum number of connections for bind-dyndb-ldap has been raised to 4 connections, the setting will be updated during package upgrade.
  https://fedorahosted.org/freeipa/ticket/2554
* Improve address family handling in sockets | Martin Kosek | 2012-07-13 | 1 | -6/+6
  Many functions use low-level socket interface for connection or various checks. However, most of the time we don't respect automatic address family detection but rather try to force our values. This may cause either redundant connection tries when an address family is disabled on system tries or even crashes when socket exceptions are not properly caught.
  Instead of forcing address families to socket, rather use getaddrinfo interface to automatically retrieve a list of all relevant address families and other connection settings when connecting to remote/local machine or binding to a local port. Now, we will also fill correctly all connection parameters like flowinfo and scopeid for IPv6 connections which will for example prevent issues with scoped IPv6 addresses.
  bind_port_responder function was changed to at first try to bind to IPv6 wildcard address before IPv4 as IPv6 socket is able to accept both IPv4 and IPv6 connections (unlike IPv4 socket).
  nsslib connection was refactored to use nss.io.AddrInfo class to get all the available connections. Socket is now not created by default in NSSConnection class initializer, but rather when the actual connection is being made, because we do not know an address family where connection is successful.
  https://fedorahosted.org/freeipa/ticket/2913
  https://fedorahosted.org/freeipa/ticket/2695
* Fix ipa-managed-entries man page typo | Martin Kosek | 2012-07-12 | 1 | -2/+1
  Extra new line in .TH section of the man page caused invalid wrapping.
* Add automount map/key update permissions | Martin Kosek | 2012-07-10 | 2 | -2/+41
  Add missing permissions that can be used to delegate write access to existing automount maps or keys.
  Since automount key RDN has been changed in the past from "automountkey" to "description" and there can be LDAP entries with both RDNs, structure of relevant ACI needs to be changed to different scheme. Now, it rather targets a DN of parent automount map object and uses targetfilter to limit the target to automount key objects only.
  https://fedorahosted.org/freeipa/ticket/2687
* Add and remove dns per-domain permission in Web UI | Petr Vobornik | 2012-07-11 | 5 | -11/+283
  This patch adds support for new per-domain permissions to Web UI.
  User with assigned permission (through role, privilege) can edit DNS zone. These permissions can be added/removed by ipa dnszone-{add/remove}permission $dnszone command.
  For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existence of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.
  Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which have retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.
  New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.
  https://fedorahosted.org/freeipa/ticket/2851
* Fix wrong option name in ipa-managed-entries man page | Petr Viktorin | 2012-07-11 | 1 | -1/+1
  The page said `-y` but the actual option is `-p`.
* Indirect roles in WebUI | David Spångberg | 2012-07-11 | 1 | -0/+3
  Add a check in the WebUI to use the admin navigation if a user is an indirect member of a role.
* Web UI: kerberos ticket policy measurement units | Petr Vobornik | 2012-07-10 | 2 | -4/+12
  Added measurement units for kerberos ticket policy.
  https://fedorahosted.org/freeipa/ticket/2444
* Password policy measurement units. | Petr Vobornik | 2012-07-10 | 5 | -9/+40
  When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.
  This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).
  Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.
  This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.
  https://fedorahosted.org/freeipa/ticket/2437
* Display loginas information only after login | Petr Vobornik | 2012-07-10 | 4 | -5/+16
  Message 'Logged in as: user@FREEIPA.ORG' was displayed before user was logged in. It was wrong.
  Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more user@FREEIPA.ORG :) .
  https://fedorahosted.org/freeipa/ticket/2882
* Moved configuration to last position in navigation | Petr Vobornik | 2012-07-06 | 1 | -2/+2
  Configuration was the last navigation item in IPA server tab. Trusts changed it. It was wrong because configuration is like 'other settings' and so it should be last.
  This patch moves configuration navigation item to the last position again.
  https://fedorahosted.org/freeipa/ticket/2900
* ipasam: improve SASL bind callback | Alexander Bokovoy | 2012-07-06 | 1 | -1/+0
  SASL bind callback due to refactoring was referencing local variable which didn't exist all the time. Fix that by including a copy of service principals into ipasam long term private struct.
  Rework ccache handling to avoid re-initing every time callback is called
* Centralize timeout for waiting for servers to start. | Rob Crittenden | 2012-07-02 | 1 | -12/+16
  All service start/restart currently go through ipapython/platform so move the "wait for service to start" code there as well.
  A dictionary of known services and ports to wait on is defined in base.py. This is referenced by the platforms by instance name to determine what to wait for. For the case of dirsrv if we get that as a plain name (no specific instance) it is assumed to be the main IPA service.
  https://fedorahosted.org/freeipa/ticket/2375
  https://fedorahosted.org/freeipa/ticket/2610
* Create default range entry after upgrade | Martin Kosek | 2012-07-02 | 2 | -3/+21
  Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines.
  Default range LDIF entry for new install was fixed so that new installation does not crash.
  https://fedorahosted.org/freeipa/ticket/2891
* Fix compatibility with Fedora 18. | Rob Crittenden | 2012-07-02 | 2 | -5/+23
  We need a Requires on openssl, the mod_rewrite syntax has changed so we can dump some unused configuration and we need a newer version of mod_auth_kerb to pick up the new location of delegated ccache.
  https://fedorahosted.org/freeipa/ticket/2839
* Set RID bases for local domain during ipa-adtrust-install | Sumit Bose | 2012-06-29 | 1 | -1/+9
* Add objects for initial ID range | Sumit Bose | 2012-06-29 | 3 | -0/+28
* Extend LDAP schema | Sumit Bose | 2012-06-29 | 1 | -0/+8
  The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are neither users nor groups.
  The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
* Continuation of removing of not supported command options from Web UI | Petr Vobornik | 2012-06-29 | 3 | -4/+2
  This patch removes following non-existing command options:
    * all,rights in host_disable
    * record_type in dns_record_add
    * all,rights in various xxx_remove_xxx commands used in rule_association_table_field (removing association)
  https://fedorahosted.org/freeipa/ticket/2878
* Refactored association facet to use facet buttons with actions | Petr Vobornik | 2012-06-29 | 2 | -45/+119
  Association facet was refactored to use new concept of control buttons. It is the last facet type which doesn't use this concept. It fixes regression introduced by previous refactoring of table facet (delete button was never enabled).
  https://fedorahosted.org/freeipa/ticket/2876
* Web UI password is going to expire in n days notification | Petr Vobornik | 2012-06-29 | 7 | -45/+215
  This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configured days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
  Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
  https://fedorahosted.org/freeipa/ticket/2625
* Per-domain DNS record permissions | Martin Kosek | 2012-06-28 | 4 | -3/+22
  IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone.
  Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations:
    1) Members cannot delete the zone
    2) Members cannot edit managedBy attribute
  Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions.
  Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs have to be added to DNS zones themselves.
  2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute:
    * dnszone-add-permission: Add per-zone permission
    * dnszone-remove-permission: Remove per-zone permission
  https://fedorahosted.org/freeipa/ticket/2511
* Defer adding ipa-cifs-delegation-targets until the Updates phase. | Rob Crittenden | 2012-06-27 | 1 | -3/+5
  It was likely that this would fail being in an LDIF so let an update file add this potentially conflicting entry instead.
  https://fedorahosted.org/freeipa/ticket/2837