| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
This new freeform user attribute will allow provisioning systems
to add custom tags for user objects which can be later used for
automember rules or for additional local interpretation.
Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
https://fedorahosted.org/freeipa/ticket/3588
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly
if they use inconsistent capitalization.
This patch works around the bug in IPA schema files.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Note: git's --word-diff option is recommended for viewing these changes
|
|
|
|
|
|
| |
Some schema was only delivered in updates. Add it back as ldif files.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new schema updater only compares textual representations of schema
elements, as formatted by python-ldap.
This works well, but it is too strict for the current schema files in two ways:
- For attribute names in MAY and MUST, the correct letter case must be used
- AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if
they are the same as its supertype's.
When these restrictions are not followed, the updater will always overwrite
the schema element. This is harmless but it fills up the log unnecessarily.
Modify the schema files to conform to these restrictions.
Part of the work for https://fedorahosted.org/freeipa/ticket/3454
Note: git's --word-diff option is recommended for viewing these changes
|
|
|
|
|
|
|
| |
As schema is now handled by the schema updater, these entries
are superfluous.
https://fedorahosted.org/freeipa/ticket/3454
|
| |
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3928
|
|
|
|
|
|
| |
Also fix object_name and object_name_plural for automember rules.
https://fedorahosted.org/freeipa/ticket/2708
|
|
|
|
|
| |
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3368
|
|
|
|
|
|
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4011
|
|
|
|
|
|
|
| |
Remove this ipaConfigString value as LM hash is deprecated and in
fact even insecure.
https://fedorahosted.org/freeipa/ticket/3795
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/3795
|
|
|
|
|
|
| |
- was broken by navigation and application controller refactoring
https://fedorahosted.org/freeipa/ticket/4003
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3975
|
|
|
|
|
|
|
|
|
|
|
| |
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
|
|
|
|
|
|
|
|
|
|
|
|
| |
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
|
|
|
|
|
|
|
|
|
|
|
| |
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd
https://fedorahosted.org/freeipa/ticket/3672
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Installation: https://github.com/senchalabs/jsduck/wiki/Installation Basically it requires ruby and jsduck gem.
Usage:
$ cd install/ui/doc
$ make
Documentation will be generated into: install/ui/build/code_doc directory
|
|
|
|
| |
Part of ongoing Web UI documentation effort. Source code is annotated in a way that it can be processed by documentation generator.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Issue:
* There was no caching policy specified.
* -> Browsers use their own default policy.
* -> After upgrade, some Web UI files might have been actualized some not.
* -> With schema change may result into weird bugs in Web UI
Solution considerations:
1. Detect server version change and hard-reload at runtime
Detection is easy. Problem is the reload. Obvious candidate 'window.location.reload(true)' works in Firefox but not in Chrome because expected behavior when parameter is used is not in standard and therefore Chromium/WebKit authors did not implement it.
2. Application Cache
HTML 5 technology which lets web apps to run offline. Besides weird issues with event handlers which I encountered, this would be an ideal candidate. Simple change of manifest file would lead to reload of all files (requires reload of page to used the new files).
Showstopper was usage with untrusted certificate. If user did not add exception for the cert or its CA and would visit the page for a second time, all AJAX calls would fail.
3. Set Expires to now() for everything
Web UI rarely changes so this is an overkill. Setting it to different value is not a solution either. We can't predict when the upgrade will happen and when new Web UI will be needed.
Solution:
* Implemented a mini loader which loads basic resources. Dojo loader takes action after Dojo is loaded.
* The loader adds a version parameter (?v=__NUM_VERSION__) to all requests.
* Version is defined in the loader. It's set to current in `make version-update`.
* All static pages use this loader to fetch their resources.
* Version is also passed to dojo loader as cache-bust for the same effect.
* Expire header was set to 'access time plus 1 year' for /ui folder. Exceptions are HTML files and loader (set to immediate expiration).
Possible issues:
* Images are cached but not requested with version param.
* Images with version and without are considered different
* -> We would have to attach version to all URIs - in CSS and in JS. But we should avoid changing jQuery UI CSS.
* Proposed solution is to change image name when changing image. Image change is done rarely.
* Version is set by build and therefore updated just on server update. It might cause trouble with different update schedule of plugins.
* No action taken to address this issue yet.
* We might leave it on plugin devs (own .conf in /etc/httpd/conf.d/)
* or set expires to now for all plugins
* running `make version-update` is required in order to use static version of UI for testing
https://fedorahosted.org/freeipa/ticket/3798
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.
This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.
The following steps are undertaken:
* Remove /var/run/samba/krb5cc_samba
* Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
* Remove /var/lib/samba/*.tdb files
Additionally, we make sure winbind service is stopped from within the
stop() method.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
|
| |
In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install,
print a warning that we will break existing samba configuration and ask for
a confirmation in the interactive mode.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
|
|
|
|
| |
Since we are not able to properly restore the Samba server to the
working state after running ipa-adtrust-install, we should not keep
the smb.conf in the fstore.
This patch makes sure that any backed up smb.conf is removed from
the backup and that this file is not backed up anymore.
Part of: https://fedorahosted.org/freeipa/ticket/3479
|
|
|
|
|
|
|
| |
Change re-initialize command to consider memberOf fixup task only
for non-winsync replication agreements.
https://fedorahosted.org/freeipa/ticket/3854
|
|
|
|
|
|
|
|
| |
Deprecate this option and do not offer it in installation tools.
Without this option enabled, advanced DNS features like DNSSEC
would not work.
https://fedorahosted.org/freeipa/ticket/3962
|
|
|
|
|
|
|
| |
Having '%' in DM password causes pkispawn to crash. Do not allow
users to enter it until pkispawn is fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=953488
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This task was added with a DN colliding with privilege update memberOf
task being run later and caused this task to be ineffective and thus
miss some privilege membership, like "SELinux User Map Administrators"
DNS update plugin do not need to run any task at all as privileges
will be updated later in scope of 55-pbacmemberof.update
https://fedorahosted.org/freeipa/ticket/3877
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3897
|
|
|
|
|
|
|
| |
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.
https://fedorahosted.org/freeipa/ticket/3897
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the IPA server is setup with non-matching domain and realm
names, it will not be able to estabilish trust with the Active
Directory.
Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).
Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.
https://fedorahosted.org/freeipa/ticket/3924
|
|
|
|
|
|
| |
Map type radio used old way of defining that its value should not be used in add command. Recent patch related to 'enable' attribute hardened/fixed the behavior of radio widgets so they are disabled in UI as well when enabled==false. Automount did not reflect this change.
https://fedorahosted.org/freeipa/ticket/3954
|
|
|
|
|
|
|
|
| |
Old host entries are missing object class with krbticketflags attribute. Therefore UI does not receive attrlevelrights for it. This OC is added when ipakrbokasdelegate is set.
This patch adds the usual hack for such cases.
https://fedorahosted.org/freeipa/ticket/3940
|
|
|
|
|
|
|
|
|
|
|
| |
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3907
|
|
|
|
|
|
| |
This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
https://fedorahosted.org/freeipa/ticket/3915
|
|
|
|
|
|
|
|
| |
DS is contacted during server uninstallation, in order to obtain information
about replication agreements. If DS is unavailable, warn and continue with
uninstallation.
https://fedorahosted.org/freeipa/ticket/3867
|
| |
|
|
|
|
|
|
|
|
| |
The search had an incorrect scope and therefore it didn't find any RUV.
This issue prevented removing of replica.
https://fedorahosted.org/freeipa/ticket/3876
|
|
|
|
|
|
|
| |
Add a warning when trying to uninstall a replica that has active replication
agreements.
https://fedorahosted.org/freeipa/ticket/3867
|
|
|
|
|
|
|
| |
ipa-restore would fail if DS user did not exist. Check for presence of DS
user and group and create them if needed.
https://fedorahosted.org/freeipa/ticket/3856
|
|
|
|
|
|
| |
Adding a trust creates a range -> range search facet should be marked as expired.
https://fedorahosted.org/freeipa/ticket/3874
|