| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certificates are passed through the IPA XML-RPC and JSON as binary
data in DER X509 format. Queries peformed against the LDAP server
also return binary DER X509 format. In all cases the binary DER
data is base-64 encoded.
PEM is standard text format for certificates. It also uses base64 to
encode the binary DER data, but had specific formatting
requirements. The base64 data must be wrapped inside PEM delimiters
and the base64 data must be line wrapped at 64 characters.
Most external software which accepts certificates as input will only
accept DER or PEM format (e.g. openssl & NSS). Although base64 is
closely related to PEM it is not PEM unless the PEM delimters are
present and the base64 data is line wrapped at 64 characters.
We already convert binary DER certificates which have been passed as
base64 in other parts of the IPA code. However this conversion has not
been available in the web UI. When the web UI presented certificates
it did so by filling a dialog box with a single line of base64 data. A
user could not copy this data and use it as input to openssl or NSS
for example.
We resolve this problem by introducing new javascript functions in
certificate.js. IPA.cert.pem_cert_format(text) will examine the text
input and if it's already in PEM format just return it unmodified,
otherwise it will line wrap the base64 data and add the PEM
delimiters. Thus it is safe to call on either a previously formated
PEM cert or a binary DER cert encoded as base64. This applies to
pem_csr_format() as well for CSR's.
Because pem_cert_format() is safe to call on either format the web UI
will see the use of the flag add_pem_delimiters was eliminated except
in the one case where the IPA.cert.download_dialog() was being abused
to display PKCS12 binary data (pkcs12 is neither a cert nor a cert
request). Because of the abuse of the cert.download_dialog() for
pkcs12 it was necessary to retain the flag which in effect said "do
not treat the data as PEM".
Modify the CSR (Certificate Signing Request) dialog box to accept a
PEM formatted CSR. Remove the artifical PEM delimiters above and below
the dialog box which were used to suggest the input needed to be sans
the delimiters. The dialog box continues to accept bare base64 thus
allowing either text format.
Also note this solves the display of certificate data in the UI
without touching anything existing code in the server or command line,
thus it's isolated.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1987
There is no way to add root or any external user as a RunAs User for a Sudo
Rule.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1946
|
|
|
|
|
|
|
|
| |
There may already be a record in /etc/hosts for chosen IP address
which may not be detected under some circumstances. Make sure
that /etc/hosts is checked properly.
https://fedorahosted.org/freeipa/ticket/1923
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.
This step should prevent various services failures which may not
be ready to talk to IPA with non-system hostname.
https://fedorahosted.org/freeipa/ticket/1931
|
|
|
|
|
|
|
|
|
| |
Always check (even with --setup-dns or --no-host-dns) that if the
host name or ip address resolves, it resolves to sane value. Otherwise
report an error. Misconfigured /etc/hosts causing these errors could
harm the installation later.
https://fedorahosted.org/freeipa/ticket/1923
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the webui for the case wherea user is not admin but has a role. In
that case, the UI should show the full administrative tabset, but was
instead limited to the selfservice tabset.
The problem was rolegroup had been renamed to role but the UI hadn't
been updated to reflect this.
Addresses
https://bugzilla.redhat.com/show_bug.cgi?id=745957
https://fedorahosted.org/freeipa/ticket/1970
|
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1867
https://fedorahosted.org/freeipa/ticket/1888
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were quite errors in es.po, it was difficult or impossible to
track down where they came from, Transifex does not have good revision
history.
I fixed about 20% of the msgstr's in the file that had obvious
problems which could be spotted by a non-Spanish speaking person.
Spurious backslashes and backslash-newlines had been introduced. I
tracked this particular problem down to a bug in polib. polib is a
Python library which can read/write po/mo files. In Fedora it's
packaged as python-polib. polib is used by the Transifex instance to
read/write po files. We don't currently use polib in IPA (that will
change soon though) but I wrote utilities using polib to help fix the
bad po file and analyze what had gone wrong. I discovered that if one
simply uses polib to read a po file into memory and they write that po
file back out from memory you don't end up with the same contents if
there are backslashed escapes in the file. I tracked this down to the
escape() and unescape() functions in polib. This caused me to look to
see if upstream polib had been fixed. It had. Therefore I think the
spurious backslashes were introduced when Transifex was using an older
broken version of polib. I filed this Fedora bug
https://bugzilla.redhat.com/show_bug.cgi?id=744419 to get the fixes
into python-polib. I manually corrected all the backslash errors.
I compared all 1329 translations from a known good version of es.po
with the current version and generated a new es.po by taking the
translation (e.g. msgstr) from the two po files which was obviously
correct. In those instances where neither msgstr was obviosuly correct
the deleted the translation entirely.
I also wrote utilities to validate any "substitution" variables
appearing in the text. I discovered a number of instances where the
substitution variable had been malformed by the translator such that
it was syntactically invalid. This is how we originally discovered
problems with the translation, it was throwing Python exceptions. I
fixed all those errors.
I also found approximately 80 translations where the leading
whitespace had been altered by the translator. Those also were fixed.
I cannot verify that the remaining translations are a correct Spanish
translation of the original text (in fact a number of them I looked at
seemed dubious to me, for example it omitted recongnizable
keywords). But I do believe that the obvious errors are fixed and we
shouldn't be throwing any more Python exceptions because of malformed
substitution variables.
|
|
|
|
| |
ticket 1358
|
|
|
|
|
|
|
| |
In checking to see if the dogtag proxy configuration needed to be updated
we didn't handle the case where dogtag isn't installed at all.
https://fedorahosted.org/freeipa/ticket/1951
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1944
No editable fields exist for "maxfail", "failinterval" "lockouttime" and "priority" in password policy page.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1933
Web UI init method was modified to get initialization data in 3 calls.
First call remains the same as before except that the json_metadata command
was removed.
JSON metadata are requested after successful response of the first batch command.
This approach should preserve functionality in IE (where request is missing after
authentication). Getting JSON metadata is split to two commands - this should prevent
the error in linked ticket. These two commands are paralelly executed by new
concurent_command object.
Concurrent command waits for all responses then it calls each command's success
handler.
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1933
Modified data files for offline testing.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1932
Description of problem:
Title is missing while configuring browser for the first time.
Actual results:
There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.
Expected results:
Title "Identity Management" is always present.
Fixed:
* modified paths to images
* fixed padding in ssbrowser.html
* moved browser icons to ui folder
* deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)
whitespaces
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1922
gidNumber is not an allowed attribute for a non-posix group. When adding a non-posix group from the UI, unchecking the "Is this a POSIX group?:" box should disable the "GID:" field.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).
Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.
https://fedorahosted.org/freeipa/ticket/1899
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1900
|
|
|
|
|
|
|
|
|
| |
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
|
|
|
|
| |
options refer to the KDC's credentials
|
|
|
|
|
|
|
|
|
|
|
| |
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)
Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)
ticket 1636
|
|
|
|
|
|
|
|
|
| |
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
https://fedorahosted.org/freeipa/ticket/1834
https://fedorahosted.org/freeipa/ticket/1835
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:
- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
|
|
|
|
|
|
|
| |
The Delete button for sudo options in sudo rule details page now
will only work if there is at least one row selected.
Ticket #1896
|
|
|
|
|
|
|
| |
The hard-coded 'undo' and 'undo all' labels have been moved into
internal.py to allow translation.
Ticket #1897
|
|
|
|
|
|
|
| |
The config default page has been fixed to provide a field for the
ipadefaultloginshell attribute.
Ticket #1895
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1454
The following widgets should call create_error_link() to create a space to show validation error messages:
IPA.checkbox_widget
IPA.checkboxes_widget
IPA.radio_widget
IPA.select_widget
IPA.table_widget
IPA.attributes_widget
IPA.rights_widget
IPA.target_section (it's a widget)
Solution:
* added call to checkbox, checkboxes, radio, select, table, attributes widget
* rights_widget inherits it from checkboxes_widget.
* target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
* table_widget displays error_link between pagination and summary.
Additional:
* added padding and unified font-weight for error message
|
|
|
|
|
|
|
|
|
|
| |
A new IPA.dialog_button class has been added to encapsulate the
buttons in the dialog box so they can be managed more easily.
The adder dialog has been modified to disable the enroll button if
there is no entries selected.
Ticket #1856
|
|
|
|
|
|
|
|
|
|
| |
The width of the 1st level tab has been modified to expand according
to the size of the tab label.
The width of the adder dialogs have been increased to allow longer
button labels.
Ticket #1825
|
|
|
|
|
|
| |
The UI background has been replaced with new images from UXD.
Ticket #1842
|
|
|
|
|
|
|
|
|
|
| |
ipa-ca-install can only add a dogtag CA to an IPA install.
ipa-replica-prepare can only be run on the initial master with a
selfsign backend.
https://fedorahosted.org/freeipa/ticket/1756
https://fedorahosted.org/freeipa/ticket/1757
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1883
It's a regression introduced by patch for #1797
Reproduce:
* show user group foo
* click on user groups tab
* click on enroll button
Result:
User group 'foo' is listed in available list.
Expected result:
User group 'foo' is not listed in available list.
|
|
|
|
|
|
|
| |
The IPA.association_adder_dialog has been modified not to show
search results that are already selected to prevent duplicates.
Ticket #1859
|
|
|
|
|
|
|
| |
This patch broke installation of a new master. Reverting until
we develop a better solution.
This reverts commit 384d4e8f5018aa1f829139572fa29abef375c5a3.
|
|
|
|
|
|
|
| |
The IPA.adder_dialog has been modified such that it shows the >>
arrow first then the << arrow.
Ticket #1858
|
|
|
|
|
|
| |
hostname.
ticket 1717
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1841
The column header for the attributes table (IPA.attributes_widget) does not cover the entire width of the table. This problem appears in the adder dialog and details page for permissions, self-service permissions, and delegations.
|
|
|
|
|
|
|
| |
This also corrects a slight bug where if add is True then we always
re-update the file.
https://fedorahosted.org/freeipa/ticket/1755
|
|
|
|
|
|
|
|
| |
Some jQuery objects in various locations have been modified to use
text() to show values obtained from the server (except messages).
The text() will automatically encode special characters.
Ticket #1798
|
|
|
|
|
|
|
|
|
|
|
| |
The IPA.combobox_widget has been modified such that if the drop-down
list doesn't contain the stored value (due to search limit) it will
not select anything from the list.
The widget has also been modified not to select the value that matches
the filter automatically because that might not be the user's intention.
Ticket #1819
|
|
|
|
|
|
|
| |
Since the undo flag is now automatically set to false in dialogs,
it's no longer necessary to specify it in the field specs.
Ticket #1394
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The IPA.dialog has been modified to store sections instead of fields.
If there is no sections specified, it will create a default section.
The adder dialog for automount map has been modified such that the
fields related to indirect map are stored in a section which will
only be visible when the map type is set to indirect.
The adder dialog for host has been modified such that it uses a
custom section for hostname and DNS zone and standard section for
the other fields.
Ticket #1394
|
|
|
|
|
|
|
|
|
|
| |
The IPA.association_adder_dialog has been modified to use an exclusion
list to hide entries that are already enrolled.
The IPA.adder_dialog has been modified to store the columns directly
in the available & selected tables.
Ticket #1797
|
|
|
|
|
|
|
| |
The details facet for DNS zone has been modified to use dnszone-
enable/disable for idnszoneactive and dnszone-mod for other fields.
Ticket #1813
|
|
|
|
|
|
|
| |
The replication plugin is no longer shipped as a separate package.
Remove the code checking its existence.
https://fedorahosted.org/freeipa/ticket/1815
|
|
|
|
|
|
|
| |
The host unprovisioning dialog has been modified to provide a cancel
button.
Ticket #1811
|