| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
| |
Mutually exclusive checkboxes were unusual. They are not in use anymore. The functionality is removed.
https://fedorahosted.org/freeipa/ticket/2599
|
|
|
|
|
|
|
|
| |
DNS forward policy fields were using mutually exclusive checkboxes. Such behavior is unusual for users.
Checkboxes were changed to radios.
https://fedorahosted.org/freeipa/ticket/2599
|
|
|
|
|
|
|
|
| |
Permission form was missing attrs field for target=subtree. All other target types have it.
It uses multivalued text widget, same as filter, because we can't predict the target type.
https://fedorahosted.org/freeipa/ticket/2592
|
|
|
|
|
|
| |
It could lead to state where attributes from other object type were displayed instead of the correct ones.
https://fedorahosted.org/freeipa/ticket/2590
|
|
|
|
|
|
|
|
| |
This patch is changing netgroup web ui to look more like hbac or sudo rule UI. This change allows to define and display user category, host category and external host.
The core of the change is changing member attributes (user, group, host, hostgroup) to use rule_details_widget instead of separate association facets. In host case it allows to display and add external hosts.
https://fedorahosted.org/freeipa/ticket/2578
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
|
|
|
|
|
|
|
|
|
|
| |
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.
This requires slapi-nis 0.40+
https://fedorahosted.org/freeipa/ticket/2192
|
|
|
|
|
|
|
|
|
|
|
|
| |
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.
This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2603
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When some facet perform action which modifies data, some other facet may become expired.
Example: User modifies group's description. Now group search facet contains old data and has to be refreshed.
Solution:
New event was added to facet: on_update. It should be executed when facet performs action which modifies data ie: details facet update or add entry to dnsrecord.
Then entity policies were introduced. Entity policies are a objects which are stored in entity.policies. They have similar function as facet_policies - performing communications and other functionality between facets. This way facets don't have to contain such logic and thus they aren't dependant on each other.
This patch adds IPA.facet_update_policy, IPA.adder_facet_update_policy, IPA.search_facet_update_policy, IPA.details_facet_update_policy.
IPA.facet_update_policy: On facets_created it bind itself to [current entity].[source facet].[event]. Default event is on_update. When the event is executed it sets expiration flag to [dest entity].[dest facet].
IPA.search_facet_update_policy: IPA.facet_update_policy where source facet = search, dest facet = details, dest entity = current entity. Its a default policy for updatein changes from search facet to details facet. Right now it isn't needed but it will be needed when action lists come to play.
IPA.details_facet_update_policy: same as IPA.search_facet_update_policy just reversed. Very important.
IPA.adder_facet_update_policy: similar functionality, just source of the event is dialog. Default event is added (new event in entity_adder_dialog).
Entity policies should be specified in entity's spec object. If none are specified a default ones are used. Default policies are: IPA.search_facet_update_policy and IPA.details_facet_update_policy.
https://fedorahosted.org/freeipa/ticket/2075
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
For performance reason a facet may cache the data in browser's memory. There should be a flag to indicate whether a facet has expired and should be refreshed. The expired flag could be set by these events:
1) any update operation
2) changing search filter in search facet
3) switching page in a multi-paged search/association facet
4) switching direct/indirect view in association facet
5) facet expiration time
A facet should be able to use these methods to refresh itself:
6) on demand: an expired facet should be refreshed when a user opens it.
7) automatic: an open facet should automatically refresh itself when it expires.
Solution:
This patch solves cases: #2, #3, #5, #6. Case #4 works without any change. Case #1 will be solved later. Case #7 is deffered.
Default expiration timeout was set to 10 minutes.
In this patch are also updated facet.needs_update methods to reflect changes in containing facets.
https://fedorahosted.org/freeipa/ticket/2075
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UDP port checks in ipa-replica-conncheck are too strict. The entire
conncheck fails when UDP ports cannot be verified as open. However,
UDP protocol is unrealiable by its nature and the port can also not
be checked if there is an application already bound to it. This can
happen for example when ipa-replica-conncheck is run as a part of
ipa-ca-install and the replica services are thus already running.
This patch changes the behavior of UDP port checks. The conncheck
script now rather reports a warning that UDP port cannot be verified
but does not fail the entire test.
https://fedorahosted.org/freeipa/ticket/2514
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy. We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.
* add python-polib to BuildRequires
* Remove the logic for creating the test lang from Makefile.in and
replace it with calls to test_i18n.py
* add argument parsing, usage, configuration parameters, etc. to
test_i18n.py to make it easier to use and configurable.
* add function to generate a test po and mo file. It also
writes the files and creates the test directory structure.
* Took the existing validate code and refactored it into validation
function. It used to just pick one string and test it, now it
iterates over all strings and all plural forms.
* Validate anonymous Python format substitutions in pot file
* added support for plural forms.
* Add pot po file validation for variable substitution
* In install/po subdir you can now do:
$ make test
$ make validate-pot
$ make validate-po
* The options for running test_i18n.py are:
$ ./test_i18n.py --help
Usage:
test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]
Options:
-h, --help show this help message and exit
-s, --show-strings show the offending string when an error is detected
--pedantic be aggressive when validating
-v, --verbose be informative
--traceback print the traceback when an exception occurs
Operational Mode:
You must select one these modes to run in
-g, --test-gettext create the test translation file(s) and exercise them
-c, --create-test create the test translation file(s)
-P, --validate-pot validate pot file(s)
-p, --validate-po validate po file(s)
Run Time Parameters:
These may be used to modify the run time defaults
--test-lang=TEST_LANG
test po file uses this as it's basename (default=test)
--lang=LANG lang used for locale, MUST be a valid lang
(default=xh_ZA)
--domain=DOMAIN translation domain used during test (default=ipa)
--locale=LOCALE locale used during test (default=test_locale)
--pot-file=POT_FILE
default pot file, used when validating pot file or
generating test po and mo files (default=ipa.pot)
https://fedorahosted.org/freeipa/ticket/2044
|
|
|
|
|
|
|
|
|
|
|
|
| |
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
|
|
|
|
|
|
|
|
|
|
|
|
| |
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
|
|
|
|
|
|
|
|
| |
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.
https://fedorahosted.org/freeipa/ticket/2542
|
|
|
|
|
|
|
| |
Rebased patch sent by Yuri Chornoivan (yurchor@ukr.net). Fixes 'occured'
and 'commond' typos in FreeIPA messages.
https://fedorahosted.org/freeipa/ticket/2526
|
|
|
|
|
|
|
| |
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.
https://fedorahosted.org/freeipa/ticket/2127
|
|
|
|
|
|
| |
Part of support for ether maps.
https://fedorahosted.org/freeipa/ticket/2548
|
|
|
|
|
|
|
|
| |
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
|
|
|
|
|
|
|
|
|
|
|
| |
dnsconfig was extended of new attributes, so reflecting it in UI.
New attributes:
* idnsForwardPolicy
* idnsAllowSyncPTR
* idnsZoneRefresh
https://fedorahosted.org/freeipa/ticket/2489
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js
This is because of a glob:
%{_usr}/share/ipa/ui/*.js
and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js
https://fedorahosted.org/freeipa/ticket/2253
|
|
|
|
|
|
| |
If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem.
https://fedorahosted.org/freeipa/ticket/2449
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
|
|
|
|
|
|
|
|
| |
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.
Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.
This patch is fixing the problem.
https://fedorahosted.org/freeipa/ticket/2494
|
|
|
|
|
|
|
|
|
|
| |
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
|
|
|
|
|
|
| |
Updated UI static content to contain value and label for certificate serial_number_hex.
https://fedorahosted.org/freeipa/ticket/1991
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
|
|
|
|
|
| |
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
|
|
|
|
|
|
|
|
|
|
| |
Network validator allowed invalid mask format:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd
It was fixed.
https://fedorahosted.org/freeipa/ticket/2493
|
|
|
|
|
|
|
|
|
| |
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
|
|
|
|
|
|
|
|
|
|
| |
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
|
|
|
|
|
|
| |
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
https://fedorahosted.org/freeipa/ticket/2227
|
|
|
|
|
|
| |
Based on contribution by Brian Harrington.
https://fedorahosted.org/freeipa/ticket/2428
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usability was imporved in Unauthorized/Login dialog.
When the dialog is opened a link which switches to login form is focus so user can do following:
1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter
this sequence will execute login request.
When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
https://fedorahosted.org/freeipa/ticket/2450
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
|
|
|
|
|
|
|
|
|
|
| |
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
|
|
|
|
|
|
|
|
|
| |
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using ipa-replica-manage del <replica> is irreversible. You can't
turn around and do a connect to it, all heck will break loose. This is
because we clean up all references to the replica when we delete so if
we connect to it again we'll end up deleting all of its principals.
When a connection is deleted then the agreement is removed on both sides.
What isn't removed is the nsDS5ReplicaBindDN so we can use that to
determine if we previously had a connection.
https://fedorahosted.org/freeipa/ticket/2126
|
|
|
|
|
|
|
|
| |
We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.
https://fedorahosted.org/freeipa/ticket/2359
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
|
|
|
|
|
|
|
|
|
|
|
|
| |
Option to set attributes in permission was missing for target 'group' and 'filter'.
Attribute_table_widget with type=group is shown for target=group.
For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter.
Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal.
https://fedorahosted.org/freeipa/ticket/2372
|
|
|
|
|
|
|
|
|
|
| |
Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur.
This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute.
Needed for:
https://fedorahosted.org/freeipa/ticket/2372
|
|
|
|
|
|
|
|
|
|
|
|
| |
When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before.
This patch adds click handler to option elements. The handler calls select_on_change.
When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed.
This patch assumes that select event will be processed before click event.
https://fedorahosted.org/freeipa/ticket/2070
|
|
|
|
|
|
| |
Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet.
https://fedorahosted.org/freeipa/ticket/2422
|
|
|
|
|
|
|
|
| |
dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'.
New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there.
https://fedorahosted.org/freeipa/ticket/2351
|
|
|
|
|
|
|
|
| |
Fixed hanling of 4304 error in DNS record add.
Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version.
https://fedorahosted.org/freeipa/ticket/2349
|
|
|
|
|
|
|
|
| |
All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call.
This fixes immediate displaying of error message in multivalued fields containing custom validators.
https://fedorahosted.org/freeipa/ticket/2351
|