summaryrefslogtreecommitdiffstats
path: root/install
Commit message (Collapse)AuthorAgeFilesLines
* Typos in FreeIPA messagesOndrej Hamada2012-03-231-2/+2
| | | | | | | Rebased patch sent by Yuri Chornoivan (yurchor@ukr.net). Fixes 'occured' and 'commond' typos in FreeIPA messages. https://fedorahosted.org/freeipa/ticket/2526
* Wait for child process to terminate after receiving SIGINT in ipautil.run.Jan Cholasta2012-03-231-8/+5
| | | | | | | Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in ipa-replica-conncheck. https://fedorahosted.org/freeipa/ticket/2127
* Added mac address to host pagePetr Vobornik2012-03-205-0/+17
| | | | | | Part of support for ether maps. https://fedorahosted.org/freeipa/ticket/2548
* DNS forwarder validatorPetr Vobornik2012-03-202-3/+35
| | | | | | | | DNS forwarder's value can consist of IP address and a port. The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator. https://fedorahosted.org/freeipa/ticket/2490
* Add support of new options in dnsconfigPetr Vobornik2012-03-203-1/+30
| | | | | | | | | | | dnsconfig was extended of new attributes, so reflecting it in UI. New attributes: * idnsForwardPolicy * idnsAllowSyncPTR * idnsZoneRefresh https://fedorahosted.org/freeipa/ticket/2489
* Fixed rpm build warning - extension.js listed twicePetr Vobornik2012-03-195-2/+17
| | | | | | | | | | | | | Building the ipa rpms returns this: warning: File listed twice: /usr/share/ipa/ui/extension.js This is because of a glob: %{_usr}/share/ipa/ui/*.js and then more specifically: %config(noreplace) %{_usr}/share/ipa/ui/extension.js https://fedorahosted.org/freeipa/ticket/2253
* Show_content on refresh successPetr Vobornik2012-03-195-0/+6
| | | | | | If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem. https://fedorahosted.org/freeipa/ticket/2449
* Content is no more overwritten by error messagePetr Vobornik2012-03-196-6/+111
| | | | | | | | | | | | | | | | | When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable. This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again. From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen. Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed. Reproduction: 1) display any nested entity - ie DNS record 2) delete its parent pkey from path - &dnszone-pkey=example.com 3) reload the page with this path https://fedorahosted.org/freeipa/ticket/2449
* Better hbactest validation messagePetr Vobornik2012-03-154-17/+91
| | | | | | | | HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet. When a link is clicked user is redirected to value's facet. https://fedorahosted.org/freeipa/ticket/2182
* Fixed evaluating checkbox dirty statusPetr Vobornik2012-03-154-18/+24
| | | | | | | | | | | | Problem: When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be. Cause: IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false. This patch is fixing the problem. https://fedorahosted.org/freeipa/ticket/2494
* Add subject key identifier to the dogtag server cert profile.Rob Crittenden2012-03-151-0/+13
| | | | | | | | | | This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. https://fedorahosted.org/freeipa/ticket/2446
* Certificate serial number in hex format - ui testing dataPetr Vobornik2012-03-142-0/+2
| | | | | | Updated UI static content to contain value and label for certificate serial_number_hex. https://fedorahosted.org/freeipa/ticket/1991
* Display serial number as HEX (DECIMAL) when showing certificates.Rob Crittenden2012-03-141-0/+8
| | | | https://fedorahosted.org/freeipa/ticket/1991
* Fixed checkbox value in table without pkeyPetr Vobornik2012-03-141-0/+1
| | | | | | When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string). https://fedorahosted.org/freeipa/ticket/2404
* Fixed mask validation in network_validatorPetr Vobornik2012-03-141-7/+5
| | | | | | | | | | Network validator allowed invalid mask format: * leading zeros: 192.168.0.1/0024 * trailing chars: 192.168.0.1/24abcd It was fixed. https://fedorahosted.org/freeipa/ticket/2493
* Fix nsslapd-anonlimitsdn dn in cn=configRob Crittenden2012-03-131-1/+1
| | | | | | | | | The dn value needs to be quoted otherwise it is interpreted to be a multi-value. This will replace whatever value is currently set. https://fedorahosted.org/freeipa/ticket/2452
* Refresh resolvers after DNS installMartin Kosek2012-03-113-8/+13
| | | | | | | | | | | | | | Server framework calls acutil.res_send() to send DNS queries used for various DNS tests. However, once acutil is imported it does not change its list of configured resolvers even when /etc/resolv.conf is changed. This may lead to unexpected resolution issues. We should at least reload httpd when we change /etc/resolv.conf to point to FreeIPA nameserver to force a new import of acutil and thus workaround this bug until it is resolved in authconfig. https://fedorahosted.org/freeipa/ticket/2481
* Add support for sudoOrderRob Crittenden2012-03-013-2/+4
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Removed CSV creation from UIPetr Vobornik2012-03-028-41/+18
| | | | | | Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed. https://fedorahosted.org/freeipa/ticket/2227
* Fix typos in ipa-replica-manage man pageMartin Kosek2012-03-021-3/+3
| | | | | | Based on contribution by Brian Harrington. https://fedorahosted.org/freeipa/ticket/2428
* Improved usability of login dialogPetr Vobornik2012-03-022-6/+45
| | | | | | | | | | | | | | | | | | Usability was imporved in Unauthorized/Login dialog. When the dialog is opened a link which switches to login form is focus so user can do following: 1) press enter (login form is displayed and username field is focused ) 2) type username 3) press tab 4) type password 5) press enter this sequence will execute login request. When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button. https://fedorahosted.org/freeipa/ticket/2450
* Forms based authentication UIPetr Voborník2012-03-0215-160/+516
| | | | | | | | | | | | | | | | | | | | Support for forms based authentication was added to UI. It consist of: 1) new login page Page url is [ipa server]/ipa/ui/login.html Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown. 2) new enhanced error dialog - authorization_dialog. This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires. It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button. login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css. https://fedorahosted.org/freeipa/ticket/2450
* Added logout buttonPetr Voborník2012-02-287-5/+97
| | | | | | | | | | Logout button was added to Web UI. Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html. logout.html is a simple page with "You have been logged out" text and a link to return back to main page. https://fedorahosted.org/freeipa/ticket/2363
* Don't delete system users that are added during installation.Rob Crittenden2012-02-291-13/+0
| | | | | | | | | We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership. https://fedorahosted.org/freeipa/ticket/2423
* Warn that deleting replica is irreversible, try to detect reconnection.Rob Crittenden2012-02-292-1/+24
| | | | | | | | | | | | | Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126
* Fix nested netgroups in NIS.Rob Crittenden2012-02-292-1/+6
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-291-0/+6
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Added attrs to permission when target is group or filterPetr Voborník2012-02-293-36/+122
| | | | | | | | | | | | Option to set attributes in permission was missing for target 'group' and 'filter'. Attribute_table_widget with type=group is shown for target=group. For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter. Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal. https://fedorahosted.org/freeipa/ticket/2372
* Multiple fields for one attributePetr Voborník2012-02-295-18/+21
| | | | | | | | | | Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur. This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute. Needed for: https://fedorahosted.org/freeipa/ticket/2372
* Fixed selection of single value in comboboxPetr Voborník2012-02-291-9/+15
| | | | | | | | | | | | When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before. This patch adds click handler to option elements. The handler calls select_on_change. When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed. This patch assumes that select event will be processed before click event. https://fedorahosted.org/freeipa/ticket/2070
* Fixed redirection in Add and edit in automember hostgroup.Petr Voborník2012-02-291-0/+14
| | | | | | Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet. https://fedorahosted.org/freeipa/ticket/2422
* Added unsupported_validatorPetr Voborník2012-02-293-5/+29
| | | | | | | | dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'. New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there. https://fedorahosted.org/freeipa/ticket/2351
* Fixed DNS record add handling of 4304 errorPetr Voborník2012-02-293-33/+59
| | | | | | | | Fixed hanling of 4304 error in DNS record add. Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version. https://fedorahosted.org/freeipa/ticket/2349
* Making validators to return true result if emptyPetr Voborník2012-02-292-37/+28
| | | | | | | | All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call. This fixes immediate displaying of error message in multivalued fields containing custom validators. https://fedorahosted.org/freeipa/ticket/2351
* Moved is_empty method from field to IPA objectPetr Voborník2012-02-293-23/+23
| | | | | | is_empty method represents IPA UI standard of evaluating whether value is empty. Therefore is should be placed in IPA object instead of IPA.field to allow reuse in different locations. https://fedorahosted.org/freeipa/ticket/2351
* New UI for DNS global configurationPetr Voborník2012-02-296-9/+106
| | | | | | UI for DNS global configuration was implemented. https://fedorahosted.org/freeipa/ticket/2350
* Fixed displaying of A6 RecordPetr Voborník2012-02-291-2/+2
| | | | | | | | UI was modified to reflect changes in #2309. Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record. https://fedorahosted.org/freeipa/ticket/2367
* DNS UI: added A,AAAA create reverse options to adder dialogPetr Voborník2012-02-291-20/+41
| | | | | | | | To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options. It's UI part of #2009. https://fedorahosted.org/freeipa/ticket/2349
* DNS Zone UI: added new attributesPetr Voborník2012-02-295-95/+227
| | | | | | | | | | | | | | | | | New attributes were added to DNS zone details facet. Attributes: idnsallowquery idnsallowtransfer idnsforwarders idnsforwardpolicy idnsallowsyncptr New network address validator created for idnsallowquery and idnsallowtransfer attributes. Network address validator also added to dnszone adder dialog - from_ip field. https://fedorahosted.org/freeipa/ticket/2351
* New checkboxes option: Mutual exclusivePetr Voborník2012-02-291-0/+10
| | | | | | | | | | Problem: UI doesn't have a control for selecting one or none value from given set of values. Solution: Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked. https://fedorahosted.org/freeipa/ticket/2351
* Static metadata update - new DNS optionsPetr Voborník2012-02-291-113/+694
| | | | Tickets: #2349 #2350 #2351 #2367
* Fix bad merge of not calling memberof task when re-initializing a replicaRob Crittenden2012-02-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2199
* Don't call memberof task when re-initializing a replica.Rob Crittenden2012-02-271-2/+5
| | | | | | | | | | | memberof is not in the EXCLUDE list of nsDS5ReplicatedAttributeListTotal so we have no need of running the task, memberof will come with the data. If that attribute doesn't exist then this agreement was created with an older version of 389-ds, we DO need to initialize memberOf. https://fedorahosted.org/freeipa/ticket/2199
* Implement password based session loginJohn Dennis2012-02-272-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-273-18/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Sanitize UDP checks in conncheckMartin Kosek2012-02-261-20/+38
| | | | | | | | | | | | | | | | | | UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
* Make sure 389-ds is running when adding memcache service in upgrade.Rob Crittenden2012-02-261-0/+4
| | | | | | | Adding the memcache service requires 389-ds to be running because we add an entry to cn=masters. https://fedorahosted.org/freeipa/ticket/2411
* Remove unused kpasswd.keytab and ldappwd files if they exist.Rob Crittenden2012-02-271-0/+14
| | | | | | These were used by ipa_kpasswd and krb5-server-ldap respectivily. https://fedorahosted.org/freeipa/ticket/2397
* Check for duplicate winsync agreement before trying to set one up.Rob Crittenden2012-02-271-13/+15
| | | | | | | | | We currently only support a single winsync agreement so all we need to do is check to see if we have one with the remote host. This also adds some minor exception handling cleanup. https://fedorahosted.org/freeipa/ticket/2130
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-271-42/+63
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
generated by cgit (git 2.34.1) at 2024-06-20 17:54:00 +0000