summaryrefslogtreecommitdiffstats
path: root/install
Commit message (Collapse)AuthorAgeFilesLines
...
* Added logout buttonPetr Voborník2012-02-287-5/+97
| | | | | | | | | | Logout button was added to Web UI. Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html. logout.html is a simple page with "You have been logged out" text and a link to return back to main page. https://fedorahosted.org/freeipa/ticket/2363
* Don't delete system users that are added during installation.Rob Crittenden2012-02-291-13/+0
| | | | | | | | | We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership. https://fedorahosted.org/freeipa/ticket/2423
* Warn that deleting replica is irreversible, try to detect reconnection.Rob Crittenden2012-02-292-1/+24
| | | | | | | | | | | | | Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126
* Fix nested netgroups in NIS.Rob Crittenden2012-02-292-1/+6
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-291-0/+6
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Added attrs to permission when target is group or filterPetr Voborník2012-02-293-36/+122
| | | | | | | | | | | | Option to set attributes in permission was missing for target 'group' and 'filter'. Attribute_table_widget with type=group is shown for target=group. For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter. Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal. https://fedorahosted.org/freeipa/ticket/2372
* Multiple fields for one attributePetr Voborník2012-02-295-18/+21
| | | | | | | | | | Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur. This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute. Needed for: https://fedorahosted.org/freeipa/ticket/2372
* Fixed selection of single value in comboboxPetr Voborník2012-02-291-9/+15
| | | | | | | | | | | | When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before. This patch adds click handler to option elements. The handler calls select_on_change. When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed. This patch assumes that select event will be processed before click event. https://fedorahosted.org/freeipa/ticket/2070
* Fixed redirection in Add and edit in automember hostgroup.Petr Voborník2012-02-291-0/+14
| | | | | | Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet. https://fedorahosted.org/freeipa/ticket/2422
* Added unsupported_validatorPetr Voborník2012-02-293-5/+29
| | | | | | | | dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'. New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there. https://fedorahosted.org/freeipa/ticket/2351
* Fixed DNS record add handling of 4304 errorPetr Voborník2012-02-293-33/+59
| | | | | | | | Fixed hanling of 4304 error in DNS record add. Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version. https://fedorahosted.org/freeipa/ticket/2349
* Making validators to return true result if emptyPetr Voborník2012-02-292-37/+28
| | | | | | | | All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call. This fixes immediate displaying of error message in multivalued fields containing custom validators. https://fedorahosted.org/freeipa/ticket/2351
* Moved is_empty method from field to IPA objectPetr Voborník2012-02-293-23/+23
| | | | | | is_empty method represents IPA UI standard of evaluating whether value is empty. Therefore is should be placed in IPA object instead of IPA.field to allow reuse in different locations. https://fedorahosted.org/freeipa/ticket/2351
* New UI for DNS global configurationPetr Voborník2012-02-296-9/+106
| | | | | | UI for DNS global configuration was implemented. https://fedorahosted.org/freeipa/ticket/2350
* Fixed displaying of A6 RecordPetr Voborník2012-02-291-2/+2
| | | | | | | | UI was modified to reflect changes in #2309. Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record. https://fedorahosted.org/freeipa/ticket/2367
* DNS UI: added A,AAAA create reverse options to adder dialogPetr Voborník2012-02-291-20/+41
| | | | | | | | To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options. It's UI part of #2009. https://fedorahosted.org/freeipa/ticket/2349
* DNS Zone UI: added new attributesPetr Voborník2012-02-295-95/+227
| | | | | | | | | | | | | | | | | New attributes were added to DNS zone details facet. Attributes: idnsallowquery idnsallowtransfer idnsforwarders idnsforwardpolicy idnsallowsyncptr New network address validator created for idnsallowquery and idnsallowtransfer attributes. Network address validator also added to dnszone adder dialog - from_ip field. https://fedorahosted.org/freeipa/ticket/2351
* New checkboxes option: Mutual exclusivePetr Voborník2012-02-291-0/+10
| | | | | | | | | | Problem: UI doesn't have a control for selecting one or none value from given set of values. Solution: Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked. https://fedorahosted.org/freeipa/ticket/2351
* Static metadata update - new DNS optionsPetr Voborník2012-02-291-113/+694
| | | | Tickets: #2349 #2350 #2351 #2367
* Fix bad merge of not calling memberof task when re-initializing a replicaRob Crittenden2012-02-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2199
* Don't call memberof task when re-initializing a replica.Rob Crittenden2012-02-271-2/+5
| | | | | | | | | | | memberof is not in the EXCLUDE list of nsDS5ReplicatedAttributeListTotal so we have no need of running the task, memberof will come with the data. If that attribute doesn't exist then this agreement was created with an older version of 389-ds, we DO need to initialize memberOf. https://fedorahosted.org/freeipa/ticket/2199
* Implement password based session loginJohn Dennis2012-02-272-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-273-18/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Sanitize UDP checks in conncheckMartin Kosek2012-02-261-20/+38
| | | | | | | | | | | | | | | | | | UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
* Make sure 389-ds is running when adding memcache service in upgrade.Rob Crittenden2012-02-261-0/+4
| | | | | | | Adding the memcache service requires 389-ds to be running because we add an entry to cn=masters. https://fedorahosted.org/freeipa/ticket/2411
* Remove unused kpasswd.keytab and ldappwd files if they exist.Rob Crittenden2012-02-271-0/+14
| | | | | | These were used by ipa_kpasswd and krb5-server-ldap respectivily. https://fedorahosted.org/freeipa/ticket/2397
* Check for duplicate winsync agreement before trying to set one up.Rob Crittenden2012-02-271-13/+15
| | | | | | | | | We currently only support a single winsync agreement so all we need to do is check to see if we have one with the remote host. This also adds some minor exception handling cleanup. https://fedorahosted.org/freeipa/ticket/2130
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-271-42/+63
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
* Global DNS optionsMartin Kosek2012-02-242-0/+4
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-243-2/+82
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-232-1/+5
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* update translation pot fileJohn Dennis2012-02-211-235/+240
|
* pulled new po files from TransifexJohn Dennis2012-02-2123-87604/+86410
|
* Update pot file and list of explicit Python files needing translationJohn Dennis2012-02-212-1339/+2082
|
* Added missing configuration optionsPetr Voborník2012-02-203-0/+22
| | | | | | | | | | Missing options were added to Web UI's IPA Server/Configuration page. * ipaconfigstring * ipaselinuxusermaporder * ipaselinuxusermapdefault https://fedorahosted.org/freeipa/ticket/2285 https://fedorahosted.org/freeipa/ticket/2400
* Fixed problem when attributes_widget was displaying empty optionPetr Voborník2012-02-201-1/+6
| | | | | | Attribute table was modified to skip creation of option for empty value. https://fedorahosted.org/freeipa/ticket/2291
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-202-1/+6
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Ease zonemgr restrictionsMartin Kosek2012-02-204-4/+4
| | | | | | | | | | | | Admin e-mail validator currently requires an email to be in a second-level domain (hostmaster@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed. This patch also fixes default zonemgr value in help texts and man pages. https://fedorahosted.org/freeipa/ticket/2272
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Configure ipa_memcached when a replica is installed.Rob Crittenden2012-02-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2401
* Enable ipa_memcached when upgradingRob Crittenden2012-02-162-0/+13
| | | | | | | | | | Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Remove Apache ccache on upgrade.Rob Crittenden2012-02-151-0/+4
| | | | | | | Make this removal a common function that can be shared between installer and upgrade tool. https://fedorahosted.org/freeipa/ticket/2395
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-151-1/+1
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-153-1/+11
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.confRob Crittenden2012-02-151-1/+63
| | | | | | | | | | | The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service. The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend. https://fedorahosted.org/freeipa/ticket/2341
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
generated by cgit (git 2.34.1) at 2024-09-24 03:43:01 +0000