summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Resolve external members from trusted domain via Global Catalog30gatepoAlexander Bokovoy2012-10-312-22/+27
| | | | | | | | | | | | A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
* Use single warning message in idrange module and idrange-addAlexander Bokovoy2012-10-311-22/+15
| | | | Complements fix to https://fedorahosted.org/freeipa/ticket/3116
* Close connection after each request, avoid NSS shutdown problem.Rob Crittenden2012-10-241-5/+24
| | | | | | | The unit tests were failing when executed against an Apache server in F-18 due to dangling references causing NSS shutdown to fail. https://fedorahosted.org/freeipa/ticket/3180
* Fixed incorrect link to browser config after session expirationPetr Vobornik2012-10-241-1/+1
| | | | | | Fixed typo in message placeholder. https://fedorahosted.org/freeipa/ticket/3187
* Fix requesting certificates that contain subject altnames.Rob Crittenden2012-10-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificatePetr Vobornik2012-10-191-1/+1
| | | | | | | | | | | | | | Instructions to generate certificate were simplified. New instructions: 1) Create a certificate database or use an existing one. To create a new database: # certutil -N -d <database path> 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example: # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM' 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below: https://fedorahosted.org/freeipa/ticket/3056
* Warn about DNA plugin configuration when working with local ID rangesAlexander Bokovoy2012-10-171-1/+22
| | | | https://fedorahosted.org/freeipa/ticket/3116
* Use PublicError instructions support for trust-add case when domain is not foundAlexander Bokovoy2012-10-111-7/+8
| | | | https://fedorahosted.org/freeipa/ticket/3167
* Add instructions support to PublicErrorAlexander Bokovoy2012-10-111-9/+12
| | | | | | | | | | | | | | | When long additional text should follow the error message, one can supply instructions parameter to a class derived from PublicError. This will cause following text added to the error message: Additional instructions: <additional text> `instructions' optional parameter could be a list or anything that coerces into unicode(). List entries will be joined with '\n'. https://fedorahosted.org/freeipa/ticket/3167
* Do not show full SSH public keys in command output by default.Jan Cholasta2012-10-111-3/+3
|
* Fix wrong RID for Domain Admins in the examples of trust commandsAlexander Bokovoy2012-10-101-2/+2
|
* Minor fixes for default SMB groupMartin Kosek2012-10-091-1/+1
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trustAlexander Bokovoy2012-10-091-3/+34
| | | | | | | | | | | Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, NotFound exception is raised. Intercept the exception and process it to help diagnose and fix actual problem: - if IPA is managing DNS, suggest to make a forward for the domain's zone - otherwise suggest to setup DNS forwarder at upstream DNS server https://fedorahosted.org/freeipa/ticket/3103
* support multi-line error messages in exceptionsAlexander Bokovoy2012-10-091-3/+9
|
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-041-1/+1
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-031-0/+15
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-021-1/+6
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-032-6/+20
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Improve user addition to default group in user-addTomas Babej2012-10-031-1/+9
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
* Only use service PAC type as an overrideMartin Kosek2012-10-032-11/+30
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Do not produce unindexed search on every DEL commandMartin Kosek2012-10-012-1/+23
| | | | | | | | | | | | Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails.
* Improve StrEnum validation error messageMartin Kosek2012-10-011-5/+10
| | | | | | | | Do not print list of possible values as "%r" but simply as a list of quoted values which should make it easier to read for users. Also add a special case when there is just one allowed value. https://fedorahosted.org/freeipa/ticket/2869
* Fix NS records in installationPetr Viktorin2012-09-271-0/+3
| | | | | | | | Our installation added two final dots to the NS records, so the records were invalid, Bind ignored the entire zone, and name resolution didn't work. Fix this error and add a check for empty DNS labels to the validator
* Validate SELinux users in config-modMartin Kosek2012-09-271-17/+32
| | | | | | | | config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-262-19/+19
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-241-2/+1
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Fix idrange plugin helpMartin Kosek2012-09-201-4/+4
| | | | | range plugin was renamed to idrange. Update plugin help to reflect this change.
* Use default reverse zone consistentlyMartin Kosek2012-09-192-1/+28
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Add verification of the AD trustAlexander Bokovoy2012-09-171-5/+7
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-3/+6
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-171-3/+3
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos.Yuri Chornoivan2012-09-189-16/+16
| | | | https://fedorahosted.org/freeipa/ticket/3089
* Fix addattr internal errorMartin Kosek2012-09-161-1/+11
| | | | | | | | | | | When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429
* JSON serialization of long typePetr Vobornik2012-09-131-1/+1
| | | | | | Numbers of long type were incorrectly serialized to JSON as empty strings when using json_serialize function. It caused problem in serialization of metadata for Web UI. This patch is fixing it. Discovered after "Cast DNS SOA serial maximum boundary to long"
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-131-3/+6
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Make sure selinuxusemap behaves consistently to HBAC ruleTomas Babej2012-09-121-18/+58
| | | | | | | | | Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-061-1/+1
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-064-47/+70
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Trust CLI: mark trust-mod for future useSumit Bose2012-09-071-1/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2968
* Trust CLI: return more details of added trustSumit Bose2012-09-071-0/+11
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2971
* Trust CLI: Return more details when searching trustsSumit Bose2012-09-071-0/+13
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2970
* Do not create trust if murmur hash is not available and base-id not givenSumit Bose2012-09-071-6/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3018
* IDRange CLI: Add documentationSumit Bose2012-09-071-2/+127
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2969
* IDRange CLI: allow to work without argumentsSumit Bose2012-09-071-6/+16
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2999
generated by cgit (git 2.34.1) at 2024-09-20 11:17:50 +0000