summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Become IPA v3 beta 1 (3.0.0.pre1)beta_1-3-0-0Rob Crittenden2012-07-011-3/+3
|
* Use DN objects instead of strings in adtrustinstanceSumit Bose2012-07-011-16/+25
|
* Create default range entry after upgradeMartin Kosek2012-07-023-3/+95
| | | | | | | | | | Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891
* Fix compatibility with Fedora 18.Rob Crittenden2012-07-023-5/+36
| | | | | | | | We need a Requires on openssl, the mod_rewrite syntax has changed so we can dump some unused configuration and we need a newer version of mod_auth_kerb to pick up the new location of delegated ccache. https://fedorahosted.org/freeipa/ticket/2839
* Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}Petr Viktorin2012-07-025-15/+19
| | | | | | | | | | | Make permission commands not pass options that the underlying ACI commands do not understand. Update tests. Remove some extraneous imports of the `copy` module. https://fedorahosted.org/freeipa/ticket/2885
* Add missing option to range_add in API.txtRob Crittenden2012-06-301-2/+4
| | | | Fix build
* Add range check preop pluginSumit Bose2012-06-297-0/+510
| | | | | | | To make sure that ID ranges do not overlap this plugin checks new additions and changes for conflicts with existing ranges. https://fedorahosted.org/freeipa/ticket/2185
* Add CLI for ID rangesSumit Bose2012-06-294-1/+273
| | | | https://fedorahosted.org/freeipa/ticket/2185
* Set RID bases for local domain during ipa-adtrust-installSumit Bose2012-06-292-2/+96
|
* Add objects for initial ID rangeSumit Bose2012-06-294-0/+29
|
* Extend LDAP schemaSumit Bose2012-06-291-0/+8
| | | | | | | | | | | The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are no neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
* Use lower case names in LDAP to meet freeIPA conventionSumit Bose2012-06-291-11/+11
|
* Continuation of removing of not supported command options from Web UIPetr Vobornik2012-06-293-4/+2
| | | | | | | | | This patch removes following non-existing command options: * all,rights in host_disable * record_type in dns_record_add * all,rights in various xxx_remove_xxx commands used in rule_association_table_field (removing association) https://fedorahosted.org/freeipa/ticket/2878
* Refactored associatin facet to use facet buttons with actionsPetr Vobornik2012-06-292-45/+119
| | | | | | | Association facet was refactored to use new concept of control buttons. It is the last facet type which don't use this concept. It fixes regression introduced by previous refactoring of table facet (delete button was never enabled). https://fedorahosted.org/freeipa/ticket/2876
* Web UI password is going to expire in n days notificationPetr Vobornik2012-06-298-45/+217
| | | | | | | | This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...'). Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link). https://fedorahosted.org/freeipa/ticket/2625
* Add support for external group membersAlexander Bokovoy2012-06-2811-29/+358
| | | | | | | | | When using ipaExternalGroup/ipaExternalMember attributes it is possible to add group members which don't exist in IPA database. This is primarily is required for AD trusts support and therefore validation is accepting only secure identifier (SID) format. https://fedorahosted.org/freeipa/ticket/2664
* Per-domain DNS record permissionsMartin Kosek2012-06-2811-24/+278
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511
* Add missing libsss_idmap Requires on freeipa-server-trust-adMartin Kosek2012-06-281-0/+1
|
* Add external domain extop DS pluginSumit Bose2012-06-2812-7/+1225
| | | | | | This extop can be used by clients of the IPA domain, e.g. sssd, to retrieve data from trusted external domains. It can be used e.g. to map Windows SIDs to user or groups names and back.
* Add configure check for C Unit-Test framework checkSumit Bose2012-06-281-0/+10
| | | | The framework can be found at http://check.sourceforge.net.
* Filter groups in the PACSumit Bose2012-06-281-1/+452
| | | | | | If one or more of the external groups given in the PAC can be found in the ipaExternalGroup objects and these objects are members of local groups, the SIDs of the local groups are added to the PAC.
* Add sidgen postop and taskSumit Bose2012-06-2812-0/+1390
| | | | | | | | A postop plugin is added to create the SID for new created users and groups. A directory server task allows to set the SID for existing users and groups. Fixes https://fedorahosted.org/freeipa/ticket/2825
* Add error condition handling to the SASL bind callback in ipasamAlexander Bokovoy2012-06-281-12/+80
| | | | https://fedorahosted.org/freeipa/ticket/2877
* Support requests for DOMAIN$ account for trusted domains in ipasam moduleAlexander Bokovoy2012-06-281-13/+20
| | | | https://fedorahosted.org/freeipa/ticket/2870
* Defer adding ipa-cifs-delegation-targets until the Updates phase.Rob Crittenden2012-06-271-3/+5
| | | | | | | It was likely that this would fail being in an LDIF so let an update file add this potentially conflicting entry instead. https://fedorahosted.org/freeipa/ticket/2837
* Change random passwords behaviourOndrej Hamada2012-06-272-6/+80
| | | | | | | | | | | | | | Improved options checking so that host-mod operation is not changing password for enrolled host when '--random' option is used. Unit tests added. https://fedorahosted.org/freeipa/ticket/2799 Updated set of characters that is used for generating random passwords for ipa hosts. All characters that might need escaping were removed. https://fedorahosted.org/freeipa/ticket/2800
* Action panel for certificatesPetr Vobornik2012-06-273-427/+452
| | | | | | | | This is a continuation of effor which transforms status widgets with buttons executing actions to separate status widget and action panels. This patch strips certificate status widget of its buttons and separates the actions to their own objects. Appropriate modifications are taken in host and service details facets. New certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On facet load event new certificate facet policy loads a certificate from result. Unfortunately results don't contain revocation reason so it also executes additional cert-show command to get the revocation reason. Policy store the certifacete to facet. It raises the certifacet_loaded event to notify certificate evaluator and status widget. Status widget updates its state. Certificate evaluater updates state and actions get disabled or enabled. https://fedorahosted.org/freeipa/ticket/2250
* Remove ipaNTHash from global allow ACIMartin Kosek2012-06-262-4/+9
| | | | | | | | ipaNTHash contains security sensitive information, it should be hidden just like other password attributes. As a part of preparation for ticket #2511, the ACI allowing global access is also updated to hide DNS zones. https://fedorahosted.org/freeipa/ticket/2856
* Improve output validationPetr Viktorin2012-06-252-12/+31
| | | | | | | | | | | We only checked the length of Command output dictionaries. A misspelled key in would not be caught. Fix the problem by checking if the sets of keys are equal. Add a test. Split the test methods into more manageable pieces. https://fedorahosted.org/freeipa/ticket/2860
* Typo fixesPetr Viktorin2012-06-254-8/+8
|
* Configure automount using autofs or sssd.Rob Crittenden2012-06-258-2/+601
| | | | | | | | | | | This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193
* Same password validatorPetr Vobornik2012-06-263-0/+26
| | | | | | | | | | This patch adds validator which compares passwords in two fields. In future it should be used in various password reset dialogs. A flags attribute was added to field. It's purpose is to define control flags. This patch uses it in details facet and adder dialog to not include fields to command option if the field has 'no_command' flag. Therefore there is no need to use hacks such as disabling of field or removing a value from command's option map when a non-command field is needed (ie verify password). https://fedorahosted.org/freeipa/ticket/2829
* Trust Web UIPetr Vobornik2012-06-2517-28/+1145
| | | | | | | | | | | | | | | | | | | | | | | | | This patch adds Web UI for trusts. Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet. Adder dialog supports two ways if adding a trust: 1) adding with domain name, admin name and admin password. 2) adding with domain name, shared secret Search page shows only list of realm names which are trusts' cns. Details page is read only. It contains following attributes: * Realm name (cn) * Domain NetBIOS name (ipantflatname) * Domain Security Identifier (ipanttrusteddomainsid) * Trust direction (trustdirection) * Trust type (trusttype) trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code. Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata. https://fedorahosted.org/freeipa/ticket/2829
* Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad'Alexander Bokovoy2012-06-252-6/+25
|
* Use correct SID attribute for trusted domainsAlexander Bokovoy2012-06-251-2/+2
| | | | | | We have two SID attributes, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID. First is used for recording SID of our users/groups, second is to store SID of a remote trusted domain.
* Add logging to ipa-upgradeconfigRob Crittenden2012-06-213-9/+40
| | | | | | | | | Log to the same file as ipa-ldap-updater --upgrade, /var/log/ipaupgrade.log Will output basic stauts information if executed from the command-line. https://fedorahosted.org/freeipa/ticket/2696
* Custom Web UI error message for IPA error 911Petr Vobornik2012-06-222-1/+26
| | | | | | | | Error message for IPA error 911 is not very clear for end users. This patch changes the message and adds an advice how to get rid of the error. https://fedorahosted.org/freeipa/ticket/2778
* Set network.http.sendRefererHeader to 2 on browser configPetr Vobornik2012-06-221-9/+15
| | | | | | | | | | IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it. Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader https://fedorahosted.org/freeipa/ticket/2778
* Re-format ipa-adtrust-install final message to be within 80 characters wideAlexander Bokovoy2012-06-221-24/+28
| | | | https://fedorahosted.org/freeipa/ticket/2857
* restart dirsrv as part of ipa-adtrust-installAlexander Bokovoy2012-06-221-4/+4
| | | | | | | | | We should restart Directory Server when performing AD trusts configuration to enable new CLDAP plugin and force KDC to notice MS PAC is now available. Previously we only restarted KDC but if dirsrv is restarted, KDC will notice its socket disappeared and will refresh itself http://fedorahosted.org/freeipa/ticket/2862
* Added password reset capabilities to unauthorized dialogPetr Vobornik2012-06-213-104/+314
| | | | | | | | Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog. If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form. https://fedorahosted.org/freeipa/ticket/2755
* Separate reset password pagePetr Vobornik2012-06-217-3/+251
| | | | | | This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page. https://fedorahosted.org/freeipa/ticket/2755
* Case sensitive renaming of objectsOndrej Hamada2012-06-202-5/+13
| | | | | | | | When renaming object its case sensitivity is obeyed. This was DS bug. Unit tests were corrected and minimal DS version was updated in spec file. https://fedorahosted.org/freeipa/ticket/2620
* Fail on unknown Command optionsPetr Viktorin2012-06-2010-28/+123
| | | | | | | | | | | | | | | | | | When unknown keyword arguments are passed to a Command, raise an error instead of ignoring them. Options used when IPA calls its commands internally are listed in a new Command attribute called internal_options, and allowed. Previous patches (0b01751c, c45174d6, c5689e7f) made IPA not use unknown keyword arguments in its own commands and tests, but since that some violations were reintroduced in permission_find and tests. Fix those. Tests included; both a frontend unittest and a XML-RPC test via the ping plugin (which was untested previously). https://fedorahosted.org/freeipa/ticket/2509
* Decimal parameter conversion and normalizationMartin Kosek2012-06-172-6/+141
| | | | | | | | | | | | | | | | | Parameter Decimal does not have a sufficient value checks. Some values cause Decimal parameter with a custom precision to crash with an unhandled exception. Improve parameter conversion and normalization operations to handle decimal exceptions more gracefully. Decimal parameter now also has new attributes enabling 2 new validation/normalization methods: * exponential: when False, decimal number is normalized to its non-exponential form * numberclass: a set of allowed decimal number classes (e.g. +Infinity, -Normal, ...) that are enforced for every Decimal parameter value https://fedorahosted.org/freeipa/ticket/2705
* Improve autodiscovery loggingPetr Viktorin2012-06-172-65/+150
| | | | | | | | | | | | | | | | | | | | Track the source of discovered values (e.g. from option, interactive, retrieved from DNS), and show it in the log in the configuration overview and on erorrs involving the value. Add additional log messages explaining the autodiscovery process. For domains the discovery tries to get LDAP SRV records from, log reasons explaining why the domain was chosen. Also, prevent the same domain from being searched multiple times. Add names for error codes, and show them in the log. Also, modernize the discovery code a bit: move away from the Java-style accessors, don't needlessly pre-declare variables, make IPADiscovery a new-style class. https://fedorahosted.org/freeipa/ticket/2553
* Improve ipa-client-install debug outputPetr Viktorin2012-06-172-199/+279
| | | | | | | | | | | | | | | | | | The client does a fair bit of work when trying to validate the hostnames, do discovery and verify that the server it gets back is an IPA server. The debug logging around this was horrid with very little state information, duplicate log messages or just nothing at all. In many cases errors were printed only to stderr/stdout. This patch makes the logging and output go through the IPA log manager. It sets up logging so that INFO, WARNING, and ERROR messages show up on the console. If -d is given, DEBUG messages are also printed. All messages also go to the log file. The only exception is user input: prompts are only printed to the console, but if the user provides any information it is echoed in a DEBUG-level message. https://fedorahosted.org/freeipa/ticket/2553
* Increase LimitRequestFieldSize in Apache config to support a 64KiB PACRob Crittenden2012-06-181-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/2767
* Add flag to ipa-client-install to managed order of ipa_server in sssdRob Crittenden2012-06-132-2/+10
| | | | | | | | The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first. https://fedorahosted.org/freeipa/ticket/2282
* Store session cookie in ccache for cli usersRob Crittenden2012-06-147-79/+499
| | | | | | | | | Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
generated by cgit (git 2.34.1) at 2024-05-03 19:25:43 +0000