path: root/install
Commit message | Author | Age | Files | Lines
* Ticket 1201 - Unable to Download Certificate with Browser | John Dennis | 2011-10-21 | 2 | -15/+102

  Certificates are passed through the IPA XML-RPC and JSON as binary data in DER X509 format. Queries performed against the LDAP server also return binary DER X509 format. In all cases the binary DER data is base-64 encoded.

  PEM is standard text format for certificates. It also uses base64 to encode the binary DER data, but had specific formatting requirements. The base64 data must be wrapped inside PEM delimiters and the base64 data must be line wrapped at 64 characters.

  Most external software which accepts certificates as input will only accept DER or PEM format (e.g. openssl & NSS). Although base64 is closely related to PEM it is not PEM unless the PEM delimiters are present and the base64 data is line wrapped at 64 characters.

  We already convert binary DER certificates which have been passed as base64 in other parts of the IPA code. However this conversion has not been available in the web UI. When the web UI presented certificates it did so by filling a dialog box with a single line of base64 data. A user could not copy this data and use it as input to openssl or NSS for example.

  We resolve this problem by introducing new javascript functions in certificate.js. IPA.cert.pem_cert_format(text) will examine the text input and if it's already in PEM format just return it unmodified, otherwise it will line wrap the base64 data and add the PEM delimiters. Thus it is safe to call on either a previously formatted PEM cert or a binary DER cert encoded as base64. This applies to pem_csr_format() as well for CSR's.

  Because pem_cert_format() is safe to call on either format the web UI will see the use of the flag add_pem_delimiters was eliminated except in the one case where the IPA.cert.download_dialog() was being abused to display PKCS12 binary data (pkcs12 is neither a cert nor a cert request). Because of the abuse of the cert.download_dialog() for pkcs12 it was necessary to retain the flag which in effect said "do not treat the data as PEM".

  Modify the CSR (Certificate Signing Request) dialog box to accept a PEM formatted CSR. Remove the artificial PEM delimiters above and below the dialog box which were used to suggest the input needed to be sans the delimiters. The dialog box continues to accept bare base64 thus allowing either text format.

  Also note this solves the display of certificate data in the UI without touching any existing code in the server or command line, thus it's isolated.
* Fixed: Unable to add external user for RunAs User for Sudo rules | Petr Vobornik | 2011-10-17 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/1987
  There is no way to add root or any external user as a RunAs User for a Sudo Rule.
* Add explicit instructions to ipa-replica-manage for winsync replication | Rob Crittenden | 2011-10-14 | 1 | -2/+29
  https://fedorahosted.org/freeipa/ticket/1946
* Check /etc/hosts file in ipa-server-install | Martin Kosek | 2011-10-13 | 1 | -0/+22
  There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly.
  https://fedorahosted.org/freeipa/ticket/1923
* Hostname used by IPA must be a system hostname | Martin Kosek | 2011-10-13 | 2 | -1/+24
  Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname.
  https://fedorahosted.org/freeipa/ticket/1931
* Check hostname resolution sanity | Martin Kosek | 2011-10-13 | 1 | -1/+1
  Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later.
  https://fedorahosted.org/freeipa/ticket/1923
* Fix dynamic display of UI tabs based on rights | Adam Young | 2011-10-12 | 1 | -2/+2
  Fixes the webui for the case where a user is not admin but has a role. In that case, the UI should show the full administrative tabset, but was instead limited to the selfservice tabset. The problem was rolegroup had been renamed to role but the UI hadn't been updated to reflect this.
  Addresses https://bugzilla.redhat.com/show_bug.cgi?id=745957
  https://fedorahosted.org/freeipa/ticket/1970
* updates: Change default limits on ldap searches | Simo Sorce | 2011-10-12 | 1 | -0/+20
  Fixes:
  https://fedorahosted.org/freeipa/ticket/1867
  https://fedorahosted.org/freeipa/ticket/1888
* Ticket 1718 - Fix Spanish po translation file | John Dennis | 2011-10-11 | 1 | -540/+429

  There were quite errors in es.po, it was difficult or impossible to track down where they came from, Transifex does not have good revision history. I fixed about 20% of the msgstr's in the file that had obvious problems which could be spotted by a non-Spanish speaking person.

  Spurious backslashes and backslash-newlines had been introduced. I tracked this particular problem down to a bug in polib. polib is a Python library which can read/write po/mo files. In Fedora it's packaged as python-polib. polib is used by the Transifex instance to read/write po files. We don't currently use polib in IPA (that will change soon though) but I wrote utilities using polib to help fix the bad po file and analyze what had gone wrong. I discovered that if one simply uses polib to read a po file into memory and they write that po file back out from memory you don't end up with the same contents if there are backslashed escapes in the file. I tracked this down to the escape() and unescape() functions in polib. This caused me to look to see if upstream polib had been fixed. It had. Therefore I think the spurious backslashes were introduced when Transifex was using an older broken version of polib. I filed this Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=744419 to get the fixes into python-polib.

  I manually corrected all the backslash errors.

  I compared all 1329 translations from a known good version of es.po with the current version and generated a new es.po by taking the translation (e.g. msgstr) from the two po files which was obviously correct. In those instances where neither msgstr was obviously correct the deleted the translation entirely.

  I also wrote utilities to validate any "substitution" variables appearing in the text. I discovered a number of instances where the substitution variable had been malformed by the translator such that it was syntactically invalid. This is how we originally discovered problems with the translation, it was throwing Python exceptions. I fixed all those errors.

  I also found approximately 80 translations where the leading whitespace had been altered by the translator. Those also were fixed.

  I cannot verify that the remaining translations are a correct Spanish translation of the original text (in fact a number of them I looked at seemed dubious to me, for example it omitted recognizable keywords). But I do believe that the obvious errors are fixed and we shouldn't be throwing any more Python exceptions because of malformed substitution variables.
* Remove more redundant configuration values from krb5.conf. | Jan Cholasta | 2011-10-11 | 1 | -6/+0
  ticket 1358
* Fix upgrades of selfsign server | Rob Crittenden | 2011-10-11 | 1 | -0/+3
  In checking to see if the dogtag proxy configuration needed to be updated we didn't handle the case where dogtag isn't installed at all.
  https://fedorahosted.org/freeipa/ticket/1951
* Added missing fields to password policy page | Petr Vobornik | 2011-10-10 | 1 | -2/+10
  https://fedorahosted.org/freeipa/ticket/1944
  No editable fields exist for "maxfail", "failinterval" "lockouttime" and "priority" in password policy page.
* Fix DNS permissions and membership in privileges | Rob Crittenden | 2011-10-09 | 5 | -23/+53
  This resolves two issues:
  1. The DNS acis lacked a prefix so weren't tied to permissions
  2. The permissions were added before the privileges so the member values weren't calculated properly
  For updates we need to add in the members and recalculate memberof via a DS task.
  https://fedorahosted.org/freeipa/ticket/1898
* Execute pki proxy setup when server is upgraded if needed | Adam Young | 2011-10-07 | 1 | -2/+21
* Split Web UI initialization to several smaller calls | Petr Vobornik | 2011-10-07 | 1 | -8/+174
  https://fedorahosted.org/freeipa/ticket/1933
  Web UI init method was modified to get initialization data in 3 calls. First call remains the same as before except that the json_metadata command was removed. JSON metadata are requested after successful response of the first batch command. This approach should preserve functionality in IE (where request is missing after authentication). Getting JSON metadata is split to two commands - this should prevent the error in linked ticket. These two commands are parallelly executed by new concurent_command object. Concurrent command waits for all responses then it calls each command's success handler.
* Split Web UI initialization to several smaller calls #2 | Petr Vobornik | 2011-10-07 | 3 | -16692/+17145
  https://fedorahosted.org/freeipa/ticket/1933
  Modified data files for offline testing.
* Fixed links to images in config and migration pages | Petr Vobornik | 2011-10-06 | 17 | -77/+71
  https://fedorahosted.org/freeipa/ticket/1932
  Description of problem: Title is missing while configuring browser for the first time.
  Actual results: There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.
  Expected results: Title "Identity Management" is always present.
  Fixed:
  * modified paths to images
  * fixed padding in ssbrowser.html
  * moved browser icons to ui folder
  * deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)
  whitespaces
* Disables gid field if not posix group in group adder dialog | Petr Vobornik | 2011-10-06 | 2 | -1/+39
  https://fedorahosted.org/freeipa/ticket/1922
  gidNumber is not an allowed attribute for a non-posix group. When adding a non-posix group from the UI, unchecking the "Is this a POSIX group?:" box should disable the "GID:" field.
* Improve ipa-replica-prepare DNS check | Martin Kosek | 2011-10-06 | 4 | -17/+12
  Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error).
  Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type.
  https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowed | Simo Sorce | 2011-10-06 | 3 | -26/+31
  Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interrupted | Martin Kosek | 2011-10-06 | 13 | -9/+44
  When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed.
  https://fedorahosted.org/freeipa/ticket/1916
* - note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials | Nalin Dahyabhai | 2011-10-04 | 1 | -3/+6
* Work around pkisilent bugs. | Jan Cholasta | 2011-10-04 | 1 | -6/+25
  Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
  Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
  ticket 1636
* Add a function for formatting network locations of the form host:port for use in URLs. | Jan Cholasta | 2011-10-05 | 4 | -10/+10
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* list users from nested groups, too | Nalin Dahyabhai | 2011-10-05 | 1 | -1/+1
* Migration: don't assume there is only one naming context, add logging. | Rob Crittenden | 2011-10-04 | 2 | -15/+34
  We can't assume that there will be only one naming context. Look at each one until we find an IPA one.
  Add logging so you can know that a migration attempt fails and why.
  https://fedorahosted.org/freeipa/ticket/1834
  https://fedorahosted.org/freeipa/ticket/1835
* Be more clear about selfsign option | Martin Kosek | 2011-10-04 | 2 | -5/+13
  Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really wants to install it by implementing the following steps:
  - moving the option to the bottom of certificate options section
  - adding a warning to ipa-server-install man page
  - adding a warning to ipa-server-install help
  - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install
  https://fedorahosted.org/freeipa/ticket/1908
* Disable sudo options Delete button if nothing selected. | Endi S. Dewata | 2011-10-03 | 1 | -4/+22
  The Delete button for sudo options in sudo rule details page now will only work if there is at least one row selected.
  Ticket #1896
* I18n clean-up. | Endi S. Dewata | 2011-10-03 | 2 | -2/+4
  The hard-coded 'undo' and 'undo all' labels have been moved into internal.py to allow translation.
  Ticket #1897
* Fixed missing default shell field. | Endi S. Dewata | 2011-09-30 | 1 | -0/+1
  The config default page has been fixed to provide a field for the ipadefaultloginshell attribute.
  Ticket #1895
* Fixed: Some widgets do not have space for validation error message | Petr Vobornik | 2011-09-29 | 4 | -11/+45
  https://fedorahosted.org/freeipa/ticket/1454
  The following widgets should call create_error_link() to create a space to show validation error messages:
  IPA.checkbox_widget
  IPA.checkboxes_widget
  IPA.radio_widget
  IPA.select_widget
  IPA.table_widget
  IPA.attributes_widget
  IPA.rights_widget
  IPA.target_section (it's a widget)
  Solution:
  * added call to checkbox, checkboxes, radio, select, table, attributes widget
  * rights_widget inherits it from checkboxes_widget.
  * target_section IS NOT a widget as it doesn't inherit from widget. It's still a section, which shows different widgets based on its state.
  * table_widget displays error_link between pagination and summary.
  Additional:
  * added padding and unified font-weight for error message
* Disable enroll button if nothing selected. | Endi S. Dewata | 2011-09-29 | 11 | -259/+520
  A new IPA.dialog_button class has been added to encapsulate the buttons in the dialog box so they can be managed more easily. The adder dialog has been modified to disable the enroll button if there is no entries selected.
  Ticket #1856
* Fixed tab and dialog widths. | Endi S. Dewata | 2011-09-29 | 7 | -8/+3
  The width of the 1st level tab has been modified to expand according to the size of the tab label. The width of the adder dialogs have been increased to allow longer button labels.
  Ticket #1825
* Updated color scheme. | Endi S. Dewata | 2011-09-28 | 3 | -0/+0
  The UI background has been replaced with new images from UXD.
  Ticket #1842
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install. | Rob Crittenden | 2011-09-27 | 2 | -7/+9
  ipa-ca-install can only add a dogtag CA to an IPA install.
  ipa-replica-prepare can only be run on the initial master with a selfsign backend.
  https://fedorahosted.org/freeipa/ticket/1756
  https://fedorahosted.org/freeipa/ticket/1757
* Fixed: Enrolment dialog offers to add entity to reflexive association. | Petr Vobornik | 2011-09-27 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/1883
  It's a regression introduced by patch for #1797
  Reproduce:
  * show user group foo
  * click on user groups tab
  * click on enroll button
  Result: User group 'foo' is listed in available list.
  Expected result: User group 'foo' is not listed in available list.
* Fixed duplicate entries in enrollment dialog. | Endi S. Dewata | 2011-09-27 | 2 | -45/+22
  The IPA.association_adder_dialog has been modified not to show search results that are already selected to prevent duplicates.
  Ticket #1859
* Revert "Always require SSL in the Kerberos authorization block." | Martin Kosek | 2011-09-27 | 2 | -3/+2
  This patch broke installation of a new master. Reverting until we develop a better solution.
  This reverts commit 384d4e8f5018aa1f829139572fa29abef375c5a3.
* Fixed add/delete arrows position. | Endi S. Dewata | 2011-09-26 | 1 | -4/+4
  The IPA.adder_dialog has been modified such that it shows the >> arrow first then the << arrow.
  Ticket #1858
* Fix ipa-replica-prepare always warning the user about not using the system hostname. | Jan Cholasta | 2011-09-26 | 1 | -1/+1
  ticket 1717
* Fixed: Column header for attributes table should be full width | Petr Vobornik | 2011-09-26 | 2 | -23/+9
  https://fedorahosted.org/freeipa/ticket/1841
  The column header for the attributes table (IPA.attributes_widget) does not cover the entire width of the table. This problem appears in the adder dialog and details page for permissions, self-service permissions, and delegations.
* Always require SSL in the Kerberos authorization block. | Rob Crittenden | 2011-09-23 | 2 | -2/+3
  This also corrects a slight bug where if add is True then we always re-update the file.
  https://fedorahosted.org/freeipa/ticket/1755
* Fixed problem displaying special characters. | Endi S. Dewata | 2011-09-23 | 8 | -38/+35
  Some jQuery objects in various locations have been modified to use text() to show values obtained from the server (except messages). The text() will automatically encode special characters.
  Ticket #1798
* Fixed problem on combobox with search limit. | Endi S. Dewata | 2011-09-23 | 1 | -12/+7
  The IPA.combobox_widget has been modified such that if the drop-down list doesn't contain the stored value (due to search limit) it will not select anything from the list. The widget has also been modified not to select the value that matches the filter automatically because that might not be the user's intention.
  Ticket #1819
* Removed undo flags from dialog field specs. | Endi S. Dewata | 2011-09-23 | 10 | -96/+51
  Since the undo flag is now automatically set to false in dialogs, it's no longer necessary to specify it in the field specs.
  Ticket #1394
* Modified dialog to use sections. | Endi S. Dewata | 2011-09-23 | 16 | -407/+378
  The IPA.dialog has been modified to store sections instead of fields. If there is no sections specified, it will create a default section.
  The adder dialog for automount map has been modified such that the fields related to indirect map are stored in a section which will only be visible when the map type is set to indirect.
  The adder dialog for host has been modified such that it uses a custom section for hostname and DNS zone and standard section for the other fields.
  Ticket #1394
* Fixed problem enrolling member with the same name. | Endi S. Dewata | 2011-09-22 | 3 | -91/+67
  The IPA.association_adder_dialog has been modified to use an exclusion list to hide entries that are already enrolled. The IPA.adder_dialog has been modified to store the columns directly in the available & selected tables.
  Ticket #1797
* Fixed problem enabling/disabling DNS zone. | Endi S. Dewata | 2011-09-22 | 3 | -31/+142
  The details facet for DNS zone has been modified to use dnszone-enable/disable for idnszoneactive and dnszone-mod for other fields.
  Ticket #1813
* Remove checks for ds-replication plugin | Martin Kosek | 2011-09-22 | 2 | -6/+2
  The replication plugin is no longer shipped as a separate package. Remove the code checking its existence.
  https://fedorahosted.org/freeipa/ticket/1815
* Fixed missing cancel button in unprovisioning dialog. | Endi S. Dewata | 2011-09-21 | 1 | -0/+4
  The host unprovisioning dialog has been modified to provide a cancel button.
  Ticket #1811