| Commit message (Collapse) | Author | Age | Files | Lines |

This patch adds a build of kerberosauth.xpi (FF Kerberos authentication extension).
Currently the build is done in the install phase of the FreeIPA server. This is to allow signing of the extension with the signing certificate. The signing might not be necessary because the only outcome is that during extension installation FF doesn't show that the maker is not verified. It shows the text: 'Object signing cert'. This might be a bug in httpinstance.py:262 (db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)). The value is in place of the hostname parameter.
If the extension is not signed, it can be created in the rpm build phase, which should make upgrades easier. The current implementation doesn't handle upgrades yet.
In order to keep the extension and config pages independent of a realm, a krb.js.template file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in the install phase which holds FreeIPA's realm and domain information. This information can then be used by config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094

Makefiles for new FF kerberos authentication extension
https://fedorahosted.org/freeipa/ticket/3094

The extension should replace the signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. The extension is bootstrapped, which means it can be used without a browser restart on Firefox 4 and later.
How it works:
The extension listens on each page's document element for the event 'kerberos-auth-config', which should be raised on a custom data element. Communication data is transferred through the data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'.
The 'can_configure' method serves for detecting whether the extension is installed. The 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. The result of a method is stored in the data element's 'answer' attribute. When the 'configure' method is used, the extension asks the user whether he wants to configure the browser; this should prevent silent configuration by malicious pages.
Possible enhancements:
* add UI for manual edit
* more configurations, i.e. for gss_lib, sspi (good with UI or with an enhanced config page)
* introspection of the client (read ipa client install config and such)
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages

Additionally this patch removes a comment which makes no sense at this
place anymore.
Fixes https://fedorahosted.org/freeipa/ticket/3023

Fixes https://fedorahosted.org/freeipa/ticket/3038

Fixes https://fedorahosted.org/freeipa/ticket/2972

Fixes https://fedorahosted.org/freeipa/ticket/2967

An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.
Add both indexes to new and updated IPA installs.
https://fedorahosted.org/freeipa/ticket/3020
https://fedorahosted.org/freeipa/ticket/3025

When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zones are created. However, the reverse zone was always
created with the default zonemgr even when a custom zonemgr was passed
to the installer, as this functionality was missing in the function
creating the reverse zone.
Consolidate the functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with a custom zonemgr (when entered by the user).
https://fedorahosted.org/freeipa/ticket/2790

Forward and reverse resolution of the newly created replica is already
checked via get_host_name (which calls verify_fqdn).
Add the same check for the existing master.
Additionally, if DNS is installed on the remote host, check forward
and reverse resolution of both replicas using that DNS only
(ignoring /etc/hosts). These checks give only warnings and, in interactive
installs, a "Continue?" prompt.
https://fedorahosted.org/freeipa/ticket/2845

https://fedorahosted.org/freeipa/ticket/2515

When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While the netaddr
library's default ones (32b for IPv4 and 128b for IPv6) are not very sensible,
we should use the defaults already applied in installers. That is 24b for
IPv4 and 64b for IPv6.
A test case has been added to cover the new default.
https://fedorahosted.org/freeipa/ticket/2461
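
As an added illustration of the default described above (example code written for this page, not FreeIPA's own implementation, which uses the netaddr library), the following uses Python's standard ipaddress module to apply the 24-bit and 64-bit defaults and derive the reverse zone name. The function names and the sample addresses are made up for the example.

```python
import ipaddress

# Defaults applied when the address carries no explicit prefix length. These
# are the installer defaults named in the commit message (24 bits for IPv4,
# 64 bits for IPv6); netaddr on its own would assume /32 and /128.
DEFAULT_PREFIX_LEN = {4: 24, 6: 64}

# Reverse zones are delegated per octet (IPv4) or per nibble (IPv6).
_BITS_PER_LABEL = {4: 8, 6: 4}
_ARPA_SUFFIX = {4: "in-addr.arpa.", 6: "ip6.arpa."}


def network_from_address(address):
    """Turn '10.2.3.4', '10.2.3.4/16' or '2001:db8::5' into an ip_network.

    Without a prefix length the family default is applied; host bits are
    masked off (strict=False) because only the network part matters here.
    """
    if "/" in address:
        return ipaddress.ip_network(address, strict=False)
    ip = ipaddress.ip_address(address)
    return ipaddress.ip_network(f"{ip}/{DEFAULT_PREFIX_LEN[ip.version]}", strict=False)


def reverse_zone_name(address):
    """Return the reverse zone name (with trailing dot) for an address or network."""
    net = network_from_address(address)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        # exploded form gives 32 hex digits; each digit is one nibble label
        labels = list(net.network_address.exploded.replace(":", ""))
    # A prefix that is not a whole number of labels is rounded down, so the
    # zone covers the larger enclosing block (e.g. /20 -> two octets).
    keep = net.prefixlen // _BITS_PER_LABEL[net.version]
    if keep == 0:
        raise ValueError(f"{address}: prefix too short for a reverse zone")
    return ".".join(reversed(labels[:keep])) + "." + _ARPA_SUFFIX[net.version]


if __name__ == "__main__":
    # Constructed sample inputs, one per family, with and without a prefix.
    for sample in ("10.2.3.4", "10.2.3.4/16", "2001:db8:1:2::5"):
        print(f"{sample:>20} -> {reverse_zone_name(sample)}")
```

Addresses given with an explicit prefix are honoured as-is; only bare addresses get the default, which is the case the commit is about.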

There was an error in the number validation check. If the boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases.
https://fedorahosted.org/freeipa/ticket/3066

Web UI notification of 'Add verification step after trust creation'
https://fedorahosted.org/freeipa/ticket/2763

Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846

Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch changes the ipa install code to integrate these changes.
https://fedorahosted.org/freeipa/ticket/2846

https://fedorahosted.org/freeipa/ticket/3089

If you have a replication topology like A <-> B <-> C and you try
to delete server B, that will leave A and C orphaned. It may also
prevent re-installation of a new master on B because the cn=masters
entry for it probably still exists on at least one of the other masters.
Check on each master that it connects to, to ensure that it isn't the
last link, and fail if it is. If any of the masters are not up then
warn that this could be a bad thing but let the user continue if
they want.
Add a new option to the del command, --cleanup, which runs the
replica_cleanup() routine to completely clean up references to a master.
https://fedorahosted.org/freeipa/ticket/2797
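
The last-link check described above, as an added example that is not FreeIPA's code: the topology is modelled as a symmetric map of replication agreements (the hostnames and the A <-> B <-> C layout are constructed), and plan_deletion reports whether removing a master would split the remaining masters into disconnected groups, plus a warning for every master that could not be contacted. The function and key names are assumptions made for this illustration.

```python
from collections import deque

# Constructed sample topology: each master maps to the masters it has
# replication agreements with. IPA agreements are bidirectional, so the
# mapping is kept symmetric. This is the A <-> B <-> C case from the message.
SAMPLE_TOPOLOGY = {
    "a.example.test": {"b.example.test"},
    "b.example.test": {"a.example.test", "c.example.test"},
    "c.example.test": {"b.example.test"},
}


def _components(topology, nodes):
    """Connected components of the sub-graph induced by 'nodes' (BFS)."""
    unseen = set(nodes)
    components = []
    while unseen:
        start = unseen.pop()
        component = {start}
        queue = deque([start])
        while queue:
            current = queue.popleft()
            for peer in topology.get(current, ()):
                if peer in unseen:          # only follow links to remaining masters
                    unseen.discard(peer)
                    component.add(peer)
                    queue.append(peer)
        components.append(component)
    return components


def plan_deletion(topology, victim, unreachable=frozenset()):
    """Decide whether 'victim' may be removed from the topology.

    Returns a dict with:
      'safe'     - True when the remaining masters still form one group
      'orphaned' - the groups that would be cut off from each other
      'warnings' - remaining masters that could not be contacted; their
                   agreements are unverified, so the caller should warn
                   rather than refuse, as the commit message describes.
    """
    if victim not in topology:
        raise ValueError(f"{victim} is not a known master")
    remaining = set(topology) - {victim}
    components = _components(topology, remaining)
    return {
        "safe": len(components) <= 1,
        "orphaned": sorted(sorted(c) for c in components) if len(components) > 1 else [],
        "warnings": sorted(set(unreachable) & remaining),
    }


if __name__ == "__main__":
    for master in sorted(SAMPLE_TOPOLOGY):
        plan = plan_deletion(SAMPLE_TOPOLOGY, master, unreachable={"c.example.test"})
        verdict = "ok" if plan["safe"] else f"would orphan {plan['orphaned']}"
        print(f"delete {master}: {verdict}; unverified: {plan['warnings']}")
```

In a real run the map would be built from each reachable master's agreement entries; a master that cannot be read contributes no edges of its own, which is exactly why the result for it can only be a warning.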

This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv
list-ruv can be used to list the update vectors the master has
configured
clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.
https://fedorahosted.org/freeipa/ticket/2303

Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked object is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
The Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as the RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866

Attribute types of attributes designed to hold DN values are not
supposed to hold their own ORDERING or SUBSTR matching rules (which were
not even correct in this case).
Update these attributes to only define an EQUALITY rule just like
other DN attribute types in IPA.
https://fedorahosted.org/freeipa/ticket/2866

Generated by running `make update-pot` in install/po

configuration.
If both --no-ssh and --no-sshd are specified, do not configure the SSH service
in SSSD.
ticket 3070

Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.
https://fedorahosted.org/freeipa/ticket/3045

Facets which perform an AJAX call after update refresh (clear dirty state) after calling the callback of the dirty dialog. It might lead to multiple openings of the dirty dialog.
Assuming that calling the dirty dialog's callback can be evaluated as "dirty state is gone", we can call reset in the callback to prevent the issue. There will be an incorrect state in the facet for a moment. It will be fixed soon on execution of the callback of the refresh AJAX call. It is not an issue because it will happen in the background. The user will be looking at a different facet.
https://fedorahosted.org/freeipa/ticket/2667

The format of ipasshpubkey in users and hosts changed from BYTES to STR. The Web UI no longer gets the value as a base64 encoded string in an object.
The label was changed to reflect that the key doesn't have to be a plain base64 encoded blob.
https://fedorahosted.org/freeipa/ticket/2989

The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.
The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.
Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.
https://fedorahosted.org/freeipa/ticket/3006

This patch changes the confirmation of actions according to ticket #3035; see the ticket description.
It does the following changes:
* Confirmation of the update action was removed.
* Action lists reset to the first action (which is usually a NOP: '-- select action --') on change of the displayed entry.
* A new confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has a different style than other dialogs in the Web UI. The new one has the same design and doesn't block background operations.
https://fedorahosted.org/freeipa/ticket/3035

This will sync down the POSIX attributes from AD so we need to be careful
to not mess with them when they are already set. This includes
uidNumber, gidNumber, homeDirectory, loginShell and gecos.
http://port389.org/wiki/WinSync_Posix
http://port389.org/wiki/Windows_Sync_Plugin_API#Version_3_API_functions
https://fedorahosted.org/freeipa/ticket/3007

Loopback address, "localhost" and "localnets" ACIs are no longer
an issue for bind-dyndb-ldap. Allow them in our Web UI validators as well.

While deleting an entry, the UI now resets a facet if there are unsaved changes. It prevents the pop-up of various error dialogs when the UI tries to redirect to the search page after a successful delete.
https://fedorahosted.org/freeipa/ticket/3047

Testing metadata needs to be updated because of fix in json serialization.
https://fedorahosted.org/freeipa/ticket/3052

The metadata validator didn't have a check for decimal values. It was added.
https://fedorahosted.org/freeipa/ticket/3052

Notification of success was added to:
* details facet: update
* association facet and association widget: add, delete items
* attribute facet: delete items (notification of add should be handled in entity adder dialog)
* sudo rule: add, remove option
* dnsrecord: add, update, delete
https://fedorahosted.org/freeipa/ticket/2977

Problem:
When a permission is edited, and Type switched, the attributes selected for
the previous Type are still selected, and the update fails if they are invalid for the
new Type. But they should get deselected or not even listed if Type changes.
Fix:
When Type is changed, the attribute list is refreshed and still-applicable attributes
are chosen. If Type is reverted back, previously chosen attributes are back as chosen.
If attributes are extended outside the Web UI by a not-listed attr, this attr is listed at
the end of the list.
Note:
If the user makes a change in the attribute list before the type change, this change is forgotten.
https://fedorahosted.org/freeipa/ticket/2617

Search in HBAC test wasn't working because the expired flag wasn't set.
https://fedorahosted.org/freeipa/ticket/2931

Current objectclass updates in the form of a "replace" update instruction
depend on an exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as the object class definition can easily differ, for
example because of an unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.
When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.
One objectclass update instruction was changed to do a replace of
an objectclass separately from the add update instruction so that we
really only replace what's stored in LDAP.
https://fedorahosted.org/freeipa/ticket/2440
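
An added example of the normalization step, written for this page rather than taken from FreeIPA (which uses python-ldap's schema model; this is a small stand-alone parser of the RFC 4512 objectclass description syntax instead). The OID, names and attribute lists below are constructed. DESC and every X-* extension are deliberately ignored, so two definitions that differ only in X-ORIGIN compare equal, while find_stored_definition still returns the exact text held in LDAP, which is what a replace instruction has to name.

```python
import re

# Token classes: parentheses, the '$' list separator, quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

# Keywords whose values take part in the comparison, and their normalized key.
_LIST_KEYS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}
_KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")

# Constructed definitions (OID and attribute names are made up for the example).
STORED_IN_LDAP = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleObject' DESC 'Constructed example' "
                  "SUP top AUXILIARY MUST ( cn $ uid ) MAY ( manager $ secretary ) "
                  "X-ORIGIN 'user defined' )")
UPDATE_INSTRUCTION = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleobject' SUP top AUXILIARY "
                      "MUST ( uid $ cn ) MAY ( secretary $ manager ) X-ORIGIN 'IPA v2' )")
NEW_DEFINITION = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleObject' SUP top AUXILIARY "
                  "MUST ( cn $ uid ) MAY ( manager $ secretary $ mail ) X-ORIGIN 'IPA v2' )")


def _read_value(tokens, i):
    """Read a single word/qdstring, or a parenthesised '$'-separated list."""
    if tokens[i] == "(":
        values, i = [], i + 1
        while tokens[i] != ")":
            if tokens[i] != "$":
                values.append(tokens[i])
            i += 1
        return values, i + 1
    return [tokens[i]], i + 1


def parse_objectclass(text):
    """Parse an objectclass description into a dict safe to compare with ==.

    Names, SUP, MUST and MAY become lower-cased sets (order and case carry no
    meaning); DESC and X-* extensions are dropped; kind defaults to STRUCTURAL.
    """
    tokens = _TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("objectclass description must be parenthesised")
    oc = {"oid": tokens[1], "names": frozenset(), "sup": frozenset(),
          "kind": "STRUCTURAL", "must": frozenset(), "may": frozenset(),
          "obsolete": False}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i].upper()
        i += 1
        if key in _LIST_KEYS:
            values, i = _read_value(tokens, i)
            oc[_LIST_KEYS[key]] = frozenset(v.strip("'").lower() for v in values)
        elif key in _KINDS:
            oc["kind"] = key
        elif key == "OBSOLETE":
            oc["obsolete"] = True
        elif key == "DESC" or key.startswith("X-"):
            _, i = _read_value(tokens, i)      # informational only; not compared
        else:
            raise ValueError(f"unexpected token {key!r} in objectclass description")
    return oc


def same_objectclass(a, b):
    """True when two textual definitions describe the same objectclass."""
    return parse_objectclass(a) == parse_objectclass(b)


def find_stored_definition(stored, wanted):
    """Return the entry of 'stored' equivalent to 'wanted', or None.

    The returned string is the value as LDAP holds it, so a replace of that
    exact value succeeds even though the update file spells it differently.
    """
    target = parse_objectclass(wanted)
    for definition in stored:
        if parse_objectclass(definition) == target:
            return definition
    return None


if __name__ == "__main__":
    print("matches stored:", same_objectclass(STORED_IN_LDAP, UPDATE_INSTRUCTION))
    print("matches new:   ", same_objectclass(STORED_IN_LDAP, NEW_DEFINITION))
```

The comparison is on the parsed structure, not the string, so whitespace, attribute order and the X-ORIGIN tag that broke the old exact-match replace no longer matter; a real difference (the extra MAY attribute in NEW_DEFINITION) is still detected.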

This patch adds an option to disable sorting when paging. It allows enabling paging in the password policy with the order of items untouched (they are sorted on the server side by priority).
Also fixes an issue when paging is disabled and command summary = null. It displayed 'null' in the facet footer.
https://fedorahosted.org/freeipa/ticket/2677

The user was not notified about the success of actions executed from the action list, action panel or facet control bar.
This patch adds an IPA.notify_success(message) call. It creates a yellow notification area with the supplied message in the Web UI header in the middle of the green area (empty space of the first level navigation).
This area is displayed for 3s and then fades out (800ms). It also fades out when clicked.
This call is used (directly or indirectly) in:
* search facets: delete, disable, enable actions
* details facets: delete action
* user details facet: reset password action
* host details facet: unprovision, set OTP actions
* service details facet: unprovision action
* host and service details facet: request, revoke, restore certificates actions
* group details facet: change to POSIX/external actions
* dns zone details facet: add/remove permission actions
https://fedorahosted.org/freeipa/ticket/2977

Web UI itself wasn't negatively affected.
https://fedorahosted.org/freeipa/ticket/2897

The move of the click handler in the patch for #2834 causes failure of automation tests.
This patch reverts the problematic part. It should not affect the function of the fix for #2824.
https://fedorahosted.org/freeipa/ticket/3014

Ticket #2850 - Ipactl exception not handled well
There were various places in ipactl which initialized IpactlError with
None as the msg. If you called str() on that exception all was well
because ScriptError.__str__() converted a msg of None to the empty
string (IpactlError is subclassed from ScriptError). But a few places
directly access e.msg which will be None if initialized that way. It's
hard to tell from the stack traces but I'm pretty sure it's those
places which use e.msg directly which will cause the problems seen in
the bug report.
I do not believe it is ever correct to initialize an exception message
to None; I don't even understand what that means. On the other hand
initializing to the empty string is sensible and for that matter is
the default for the class.
This patch makes two fixes:
1) The ScriptError initializer will now convert a msg parameter of
None to the empty string.
2) All places that initialized IpactlError's msg parameter to None
removed the None initializer, allowing the msg parameter to default
to the empty string.
I don't know how to test the fix for Ticket #2850 because it's not
clear how it got into that state in the first place, but I do believe
initializing the msg value to None is clearly wrong and should fix the
problem.

The credentials of the admin user will be used to obtain Kerberos ticket before
configuring cross-realm trusts support and afterwards, to ensure that the
ticket contains MS-PAC information required to actually add a trust with Active
Directory domain via 'ipa trust-add --type=ad' command.
https://fedorahosted.org/freeipa/ticket/2852

An ACI was lacking to allow actually writing MagicRegen into the ipaNTHash attribute.
Part 2 of https://fedorahosted.org/freeipa/ticket/3016

The range web UI was implemented.
It consists of:
* new menu item - 'ranges' in 'IPA Server' tab
* new search page
* new details page
https://fedorahosted.org/freeipa/ticket/2894

ipa-server-install with an external CA could not be run in
unattended mode as the DM password was required to decipher the answer
cache.
https://fedorahosted.org/freeipa/ticket/2793

It is illegal to have more than one CN attribute in a certificate
subject. The subject command line arg is actually inserting a DN
between a leading RDN with a CN attribute and a suffix. The final
subject must have only one CN attribute; therefore the subject command line
arg must not contain CN. The patch modifies the subject validation to
prohibit CN. It also improves the error messages to clearly indicate
which command line parameter caused the failure and why.
While fixing the above it was discovered that the logic used for subject
validation with an external CA was flawed. DN objects were not being
used when they should be (certificate subject and issuer fields are DN
syntax). That code was also fixed so that the comparisons between
subjects and issuers were performed with DN objects. While fixing this
it was noted the object type relationship between IPA DN objects and
x509 DN objects was awkward; ticket 3003 was opened to address this.
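
As an added example (not the installer's own code), a minimal DN parser that applies the rule above: the subject base given on the command line must not carry a CN, the final subject is built by prepending the CN as its own RDN, and two DNs are compared RDN by RDN rather than as raw strings. The function names, the escaping helper, the --subject option name used in the message and the sample DNs are assumptions made for this illustration; multi-valued RDNs and hex-encoded values are not handled.

```python
# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = ',+"\\<>;'


def _split_unescaped(text, sep):
    """Split on 'sep' while honouring backslash escapes (a '\\,' stays inside)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(text):
    """Parse 'CN=x,O=y' into [('cn', 'x'), ('o', 'y')]; types are lower-cased."""
    rdns = []
    for rdn in _split_unescaped(text, ","):
        if not rdn.strip():
            raise ValueError(f"empty RDN in {text!r}")
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"RDN {rdn!r} is not of the form attr=value")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_subject_base(subject_base, option="--subject"):
    """Return an error message if the base carries a CN, else None.

    The installer adds the CN itself, so a CN in the base would yield a
    subject with two CN attributes, which is not a valid certificate subject.
    """
    for attr, value in parse_dn(subject_base):
        if attr == "cn":
            return f"{option} must not contain a CN attribute (found CN={value})"
    return None


def _escape(value):
    """Escape an attribute value so it can be embedded in a DN string."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if value[-1:] == " ":
        out = out[:-1] + "\\ "
    return out


def build_subject(cn, subject_base):
    """Prepend CN as the leading RDN of a validated subject base."""
    error = check_subject_base(subject_base)
    if error:
        raise ValueError(error)
    return f"CN={_escape(cn)},{subject_base}"


def dn_equal(a, b):
    """Compare DNs structurally: attribute types and values case-insensitively."""
    norm = lambda dn: [(t, v.lower()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


if __name__ == "__main__":
    # Constructed inputs: a valid base and one that smuggles in a CN.
    for base in ("O=EXAMPLE.TEST", "CN=Certificate Authority,O=EXAMPLE.TEST"):
        print(f"{base!r}: {check_subject_base(base) or 'ok'}")
    print(build_subject("Example, Inc.", "O=EXAMPLE.TEST"))
```

Comparing issuer and subject with dn_equal rather than string equality is what avoids the false mismatch the commit describes when the external CA returns the same DN with different case or spacing.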