| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/617
|
|
|
|
| |
Fixes the delegation add dialog
|
|
|
|
|
|
|
|
|
|
|
|
| |
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
|
|
|
|
| |
the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done
|
|
|
|
| |
don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implements the role, privilege, permission, delegation and selfservice entities ui.
Targetgroup has been added to the object types.
The groups lists need to be filter. The filter is currently hidden, with a
hyperlink that reads 'filter' to unhide it. Each keystroke in this filter
performs an AJAX request to the server.
There are bugs on the server side that block some of the functionality from
completing
Creating a Permission requires one of 4 target types. The add dialog in this
version assumes the user will want to create a filter type. They can change
this on the edit page.
Most search results come back with the values as arrays, but ACIs seem not to.
Search and details both required special code to handle non-arrays.
The unit tests now make use of the 'module' aspect of QUnit. This means that
future unit test will also need to specify the module. The advantage is that
multiple tests can share a common setup and teardown.
Bugs that need to be fixed before this works 100% are
https://fedorahosted.org/freeipa/ticket/634
https://fedorahosted.org/freeipa/ticket/633
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
|
|
|
| |
ticket 502
|
|
|
|
|
| |
There is no need for these to be done as updates, just add these entries
to the bootstrapping.
|
|
|
|
|
|
|
|
|
|
| |
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
|
|
|
|
|
|
|
| |
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
|
|
|
|
| |
Was origially KInit but the command is kinit
|
|
|
|
| |
Change the link in the error message to the one that will actually fix the problem
|
| |
|
|
|
|
| |
ticket 599
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The user details facet has been modified such that when the account
is activated/deactivated the page will be reloaded.
Some methods in the framework have been changed:
- The ipa_widget.clear() has been removed because it can be replaced
by existing reset().
- The ipa_widget.set_values() has been renamed into update().
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/543
|
|
|
|
|
|
|
| |
If the ticket is expired or otherwise unusable it should fall back to the DM
password. It was prompted for correctly but wasn't being passed on.
ticket 549
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/613
|
|
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|
|
|
|
|
|
|
| |
Make the cert subject base read-only. This is here only so replicated servers
know their base.
ticket 466
|
|
|
|
|
|
|
|
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
|
|
|
|
|
|
|
|
|
|
|
| |
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
|
|
|
|
|
| |
This is so that master and replica creation can perform different operations as
they need slightly diffeent settings to be applied.
|
|
|
|
|
|
| |
replaced expand contract +- with icons
removed background for action buttons and gave them their own class
Major css cleanup
|
|
|
|
|
|
|
|
|
| |
The '+' and '-' signs before the section headers in details facet
are now enclosed in square brackets. The section content is now
hidden/shown using slideToggle().
The ipa_details_create() and ipa_details_setup() have been moved
into ipa_details_facet.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SUDO rule details facet has been updated to support the latest UI
spec. The facet consists of 5 sections: general, users, hosts, commands,
and run-as.
The general section contains the SUDO rule description and status. If
the status is changed, the sudorule-enable/disable will be invoked.
The other sections contain radio buttons for the association category
and tables for the members. When a member is added or removed, the
category will be adjusted appropriately. If the category is changed to
'all', 'allow', or 'deny', all members will be removed.
The last section is currently not working because backend support is
not yet available.
The adder dialog boxes for users, groups, and hosts has been modified
to accept external identities. The layout for the base adder dialog
was updated. The base dialog class was updated to support templates.
The SUDO dialog boxes were implemented using templates. New CSS
classes were added to ipa.css.
The HBAC rule details facet has been updated as well.
|
|
|
|
|
|
|
| |
Also move down some dsinstance related operation close to other dsinstance
operations.
Fixes: https://fedorahosted.org/freeipa/ticket/595
|
| |
|
|
|
|
| |
URL was always ipa/json. This means nothing to the end user.
|
|
|
|
|
|
| |
Also add fixes for ipa-replica-install as that had issues too.
Fixes: https://fedorahosted.org/freeipa/ticket/527
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The entity.default_facet has been removed, instead the first facet
registered to the entity will be considered as the default facet.
So, the 'setup' parameter has been removed from tab definitions
because it's no longer necessary. The ipa_details_only_setup() has
been removed as well.
An 'entity' parameter has been added to tab definitions to specify
which entity corresponds to a tab item. The tab label has been
changed to use entity label if available.
Some hard-coded labels have been removed. The unit tests have been
updated.
|
|
|
|
| |
ticket 496
|
|
|
|
| |
more general, so that we don't have to hard code for SUDO and HBAC, and now to support ACI
|
|
|
|
|
|
|
| |
Instead of allocating a completely random start between 1M and 2G and a range
of 1M values, give 10000 possible 200k ranges. They all start at a 200k
boundary so they generate more readable IDs, at least until there arent't too
many users/replicas involved.
|
|
|
|
|
|
|
|
|
|
| |
The ipa_add_dialog has been fixed to initialize the fields which
will get the labels from metadata. Hard-coded labels have been
removed from field declarations.
The superior() method has been removed because it doesn't work with
multi-level inheritance. Superclass method for now is called using
<class name>_<method> (e.g. widget_init).
|
|
|
|
|
| |
The association facet for SUDO Command Groups has been removed and
replaced with an association table in the details page.
|
|
|
|
|
|
|
|
|
|
| |
The ipa_column has been modified to get the label from metadata
during initialization. The ipa_table_widget has been modified to
initialize the columns. Hard-coded labels have been removed from
column declarations.
The ipa_adder_dialog has been modified to execute a search at the
end of setup.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The association facet for HBAC Service Groups has been removed
and replaced with an association table in the details page.
The ipa_association_table_widget has been modified to support
multiple columns in the table itself and in the adder dialog.
The ipa_association_adder_dialog and ipa_association_facet have
been refactored.
The ipa_sudorule_association_widget and ipa_rule_association_widget
has been removed because their functionalities have been merged into
ipa_association_table_widget.
|
|
|
|
|
|
|
|
|
|
|
| |
Updated the user,group,host, hostgroup, netgroup, service, and all policy
entities to use the newer framework functions, in order to
replaced the old array style definitions which did not support i18n.
update a few of the newer framerwork functions to get the lables from the
meta data.
Fixed the unit tests which were expecting a details facet for users,
no longer automatically created
|
|
|
|
|
|
|
| |
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The create_association_facets() has been modified such that it
does not generate duplicate links. This is done by assigning the
proper labels and hiding non-assignable associations.
Each association will get a label based on the attribute used:
- memberof: Membership in <entity name>
- member.*: <entity name> Members
- managedby: Managed by <entity name>
The following associations will be hidden:
- memberindirect
- enrolledby
The internal.py was modified to return localized labels.
The test data has been updated.
|
|
|
|
|
| |
The interface for access time has been removed from HBAC details
page. The code has been commented out, but not removed.
|