| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
The reset password dialog for user has been modified to provide
a field to specify the current password when changing the user's
own password.
Ticket #2065
|
|
|
|
|
|
|
|
|
|
|
|
| |
New option --pkey-only is available for all LDAPSearch based classes
with primary key visible in the output. This option makes LDAPSearch
commands search for primary attribute only.
This may be useful when manipulating large data sets. User can at
first retrieve all primary keys in a relatively small data package
and then run further commands with retrieved primary keys.
https://fedorahosted.org/freeipa/ticket/1262
|
|
|
|
|
|
|
|
|
|
| |
Labels using the word "enroll" (except for host enrollment) have
been modified to use more relevant words.
The IPA.add_dialog has been renamed into IPA.entity_adder_dialog
for clarity.
Ticket #1642
|
|
|
|
|
|
|
| |
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.
Ticket #1444
|
|
|
|
|
|
|
|
|
|
|
| |
Do at least a basic validation of DNS zone manager mail address.
Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.
https://fedorahosted.org/freeipa/ticket/1966
|
|
|
|
|
|
|
|
|
| |
The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.
Ticket #1696, #1973
|
|
|
|
|
|
|
|
|
|
| |
Fixes 3 issues:
- If a topic has all its commands disabled, it should be disabled
- If a command is disabled its help should be disabled
- The show-mappings help was missing a doc string so no help was displayed
https://fedorahosted.org/freeipa/ticket/1998
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1988
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.
This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.
https://fedorahosted.org/freeipa/ticket/1914
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1982
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.
Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.
https://fedorahosted.org/freeipa/ticket/1866
|
|
|
|
| |
ticket 1936
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When users and hosts are included into groups indirectly, make sure that
during HBAC test e fill in all indirect groups properly into an HBAC request.
Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.
This makes possible following requests:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
Request to evaluate:
<user <name foobar groups [hbacusers,ipausers]>
service <name sshd groups []>
targethost <name vm-101.ipa.local groups []>
srchost <name vm-101.ipa.local groups []>
>
Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. TO avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past. To fetch just the objects call it like this:
{"method":"json_metadata","params":[["all",""],{}],"id":0}
And just the methods call it like this:
{"method":"json_metadata","params":[["","all"],{}],"id":0}
Note the difference in the positional parameters.
To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter.
THis is not ideal, but we are constrained by the existing API.
|
|
|
|
|
|
|
|
| |
For every hostgroup a managed netgroup is created (if this is allowed).
Make sure that if a stand-alone netgroup exists, a hostgroup with the
same name cannot be created to prevent collisions.
https://fedorahosted.org/freeipa/ticket/1914
|
|
|
|
|
|
|
| |
The adder dialog has been modified to show a confirmation message
after each successful addition.
Ticket #1786
|
|
|
|
|
|
|
|
|
| |
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1848
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
|
|
|
|
| |
ticket 1627
|
|
|
|
|
|
|
| |
The hard-coded 'undo' and 'undo all' labels have been moved into
internal.py to allow translation.
Ticket #1897
|
|
|
|
|
|
|
|
| |
When group/user is migrated, the attribute used for RDN may be
multivalued. Make sure that we pick the value used in the RDN
which should be the unique one and not just the first one.
https://fedorahosted.org/freeipa/ticket/1892
|
|
|
|
|
|
|
|
|
|
|
|
| |
LDAPCreate reports "search criteria was not specific enough" when LDAP
object created in LDAPCreate shares its container with other LDAP objects
and there is one with the same name and RDN attribute.
Pass objectclass to find_entry_by_attr() function used to retrieve
newly created object for POST_CALLBACK to identify correct LDAP
object.
https://fedorahosted.org/freeipa/ticket/1864
|
|
|
|
|
|
| |
Limit hostnames to letters, digits and - with a maximum length of 255
https://fedorahosted.org/freeipa/ticket/1780
|
|
|
|
|
|
|
|
| |
hbacrule-service-add/remove failures weren't being displayed because
no label was defined.
https://fedorahosted.org/freeipa/ticket/1863
https://fedorahosted.org/freeipa/ticket/1865
|
|
|
|
|
|
|
| |
Fix NotFound error messages in hbacrule commands so that the text is
consistent with the rest of the framework.
https://fedorahosted.org/freeipa/ticket/1861
|
|
|
|
|
|
|
| |
Use same normalization and validation in passwd plugin and add some
tests for invalid principals
https://fedorahosted.org/freeipa/ticket/1778
|
|
|
|
|
|
|
|
|
| |
Fix get_url_list() so that the configured master server is there
just once. This fix lets /usr/bin/ipa try connecting to all IPA
masters just once and not print confusing server list with
dupled master.
https://fedorahosted.org/freeipa/ticket/1817
|
|
|
|
|
|
|
| |
By design these managed netgroups are not supposed to show unless you
specifically want to see them.
https://fedorahosted.org/freeipa/ticket/1738
|
|
|
|
|
|
|
|
|
| |
The validator will still fire, just after the load_files() call. Basically
it will hit the validator twice. The first time it will exit because the
value of csr is a filename. The second time it will run the validator against
the contents of the file.
ticket https://fedorahosted.org/freeipa/ticket/1777
|
|
|
|
|
|
|
| |
The labels for the run-as users and groups tables in sudo rule details
page have been modified to improve the clarity.
Ticket #1752
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1747
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1763
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1763
When external host is specified in HBAC rule, it needs to be added to
the set of source hosts this rule applies to. Add (list of external hosts)
explicitly when converting FreeIPA rules to PyHBAC objects.
|
| |
|
|
|
|
| |
Fixes https://fedorahosted.org/freeipa/ticket/1740
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1741
HBAC rules address PAM services, thus service names should correspond to proper PAM names.
|
|
|
|
|
|
| |
Setting a password invalidates the existing keytab
https://fedorahosted.org/freeipa/ticket/1719
|
|
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
|
|
|
|
|
|
| |
The hard-coded label in IPA.facet has been moved into internal.py to
allow translation.
Ticket #1701
|
|
|
|
|
|
|
|
|
|
|
| |
Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).
A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.
Ticket #1701
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
|
|
|
|
|
|
|
| |
By design these managed netgroups are not supposed to show unless you
specifically want to see them.
https://fedorahosted.org/freeipa/ticket/1738
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1563
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Add sudorule docstring headline
2) Fix naming inconsistency in Sudo plugins help and summaries,
especially capitalization of Sudo objects - Sudo Rule, Sudo
Command and Sudo Command Group
3) Add missing summaries for sudorule-add-option and
sudorule-remove-option. To keep backward compatibility with
older clients, just print the missing summary with
output_for_cli(), don't expand Output.
https://fedorahosted.org/freeipa/ticket/1595
https://fedorahosted.org/freeipa/ticket/1596
|
|
|
|
|
|
|
|
| |
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.
ticket https://fedorahosted.org/freeipa/ticket/1574
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|