Commit message | Author | Date | Files changed, -deleted/+added
* Become IPA 2.1.3 (tag: release-2-1-3) | Rob Crittenden | 2011-10-17 | 1 file, -1/+1
* Fixed: Unable to add external user for RunAs User for Sudo rules | Petr Vobornik | 2011-10-17 | 1 file, -0/+2

    https://fedorahosted.org/freeipa/ticket/1987

    There is no way to add root or any external user as a RunAs User for a Sudo Rule.
* Improve hostgroup/netgroup collision checks | Martin Kosek | 2011-10-17 | 2 files, -2/+32

    When the NGP plugin is enabled, a managed netgroup is created for every hostgroup. We already check that a netgroup with the same name does not exist and provide a meaningful error message. However, this error message was also printed when a duplicate hostgroup existed. This patch checks for duplicate hostgroup existence first and netgroup second. It also makes sure that when the NGP plugin is (temporarily) disabled, a colliding netgroup cannot be created.

    https://fedorahosted.org/freeipa/ticket/1914
* Fix typo in invalid PTR record error message | Rob Crittenden | 2011-10-13 | 1 file, -1/+1

    https://fedorahosted.org/freeipa/ticket/1982
* If our domain is already configured in sssd.conf start with a new config. | Rob Crittenden | 2011-10-13 | 1 file, -1/+12

    https://fedorahosted.org/freeipa/ticket/1989
* Update all LDAP configuration files that we can. | Rob Crittenden | 2011-10-13 | 1 file, -2/+5

    LDAP can be configured in any number of places, we need to update everything we find.

    https://fedorahosted.org/freeipa/ticket/1986
* Use set class instead of dictview class as set is more widely supported | Alexander Bokovoy | 2011-10-13 | 1 file, -2/+2
* Handle an empty value in a name/value pair in config_replace_variables() | Rob Crittenden | 2011-10-13 | 1 file, -1/+3

    This would blow up if you tried to append a value to an entry that looked like:

    NAME=

    https://fedorahosted.org/freeipa/ticket/1983
* Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324) | Rob Crittenden | 2011-10-13 | 1 file, -3/+5
* Fix ipa-client-install -U option alignment | Martin Kosek | 2011-10-14 | 1 file, -0/+1
* Document --preserve-sssd option of ipa-client-install | Alexander Bokovoy | 2011-10-14 | 1 file, -0/+9

    Add documentation about --preserve-sssd, an ipa-client-install option to honor previously available SSSD configuration in case it is not possible to merge it cleanly with the new one. In this case ipa-client-install will fail and ask the user to fix the SSSD config before continuing.

    Additional fix for https://fedorahosted.org/freeipa/ticket/1750

    https://fedorahosted.org/freeipa/ticket/1769
* Add explicit instructions to ipa-replica-manage for winsync replication | Rob Crittenden | 2011-10-14 | 1 file, -2/+29

    https://fedorahosted.org/freeipa/ticket/1946
* Save the value of hostname even if it doesn't appear in /etc/sysconfig/network | Rob Crittenden | 2011-10-13 | 1 file, -1/+4

    https://fedorahosted.org/freeipa/ticket/1871
* Check /etc/hosts file in ipa-server-install | Martin Kosek | 2011-10-13 | 3 files, -10/+42

    There may already be a record in /etc/hosts for the chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly.

    https://fedorahosted.org/freeipa/ticket/1923
* Hostname used by IPA must be a system hostname | Martin Kosek | 2011-10-13 | 4 files, -7/+27

    Make sure that the hostname IPA uses is a system hostname. If the user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does.

    This step should prevent failures in various services which may not be ready to talk to IPA with a non-system hostname.

    https://fedorahosted.org/freeipa/ticket/1931
* Check hostname resolution sanity | Martin Kosek | 2011-10-13 | 2 files, -4/+12

    Always check (even with --setup-dns or --no-host-dns) that if the host name or IP address resolves, it resolves to a sane value. Otherwise report an error. A misconfigured /etc/hosts causing these errors could harm the installation later.

    https://fedorahosted.org/freeipa/ticket/1923
* Fix dynamic display of UI tabs based on rights | Adam Young | 2011-10-12 | 1 file, -2/+2

    Fixes the webui for the case where a user is not admin but has a role. In that case, the UI should show the full administrative tabset, but was instead limited to the selfservice tabset. The problem was rolegroup had been renamed to role but the UI hadn't been updated to reflect this.

    Addresses https://bugzilla.redhat.com/show_bug.cgi?id=745957

    https://fedorahosted.org/freeipa/ticket/1970
* Work around limits not being updatable in 389-ds. | Rob Crittenden | 2011-10-12 | 1 file, -1/+1

    The bug to fix updates, BZ 741744, isn't working. For the short term add the attributes we want to update to the REPLACE whitelist so rather than using an ADD and DEL operation it will use a REPLACE.

    https://fedorahosted.org/freeipa/ticket/1888
* updates: Change default limits on ldap searches | Simo Sorce | 2011-10-12 | 1 file, -0/+20

    Fixes:
    https://fedorahosted.org/freeipa/ticket/1867
    https://fedorahosted.org/freeipa/ticket/1888
* Fix has_upg() to work with relocated managed entries configuration. | Rob Crittenden | 2011-10-13 | 1 file, -18/+17

    https://fedorahosted.org/freeipa/ticket/1964
* Refactor authconfig use in ipa-client-install | Alexander Bokovoy | 2011-10-12 | 2 files, -20/+103

    When certain features are being configured via authconfig, we need to remember what was configured and what the state was before it so that during uninstall we restore the proper state of the services. Mostly it affects sssd configuration with multiple domains but also pre-existing LDAP and krb5 configurations.

    This should fix the following tickets:
    https://fedorahosted.org/freeipa/ticket/1750
    https://fedorahosted.org/freeipa/ticket/1769
* Make IPv4 address parsing more strict | Martin Kosek | 2011-10-13 | 1 file, -3/+9

    Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for IP address parsing. We will use the same function in IPv4/IPv6 conversions and at the same time be stricter and not allow IP addresses such as '1.1.1'.

    https://fedorahosted.org/freeipa/ticket/1965
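The difference between the two parsers is easy to see outside FreeIPA. The following is an added example, not FreeIPA or netaddr code: it uses only the Python standard library (socket and ipaddress) and constructed sample inputs, and shows why inet_aton() is a poor validator: it silently completes abbreviated forms such as '1.1.1' and '127.1' into a different host than the operator probably meant, while inet_pton() (and the pure-Python ipaddress module) reject anything that is not exactly four decimal octets.

```python
"""Strict vs. lax IPv4 parsing: inet_pton() versus inet_aton().

Added example, not FreeIPA code. Uses only the standard library, so it
runs offline; the SAMPLES list is constructed for illustration.
"""
import ipaddress
import socket


def lax_ipv4(text):
    """Parse with the BSD inet_aton() rules the commit above moves away from.

    inet_aton() accepts abbreviated forms ('127.1', '1.1.1') and fills the
    missing octets, so a typo becomes a different, valid-looking host.
    Returns the dotted quad the kernel would actually use, or None.
    """
    try:
        packed = socket.inet_aton(text)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def strict_ipv4(text):
    """Parse with inet_pton(): exactly four decimal octets in 0-255, or nothing."""
    try:
        packed = socket.inet_pton(socket.AF_INET, text)
    except OSError:
        return None
    return socket.inet_ntop(socket.AF_INET, packed)


def strict_ip_any(text):
    """Same strictness for both address families via the ipaddress module.

    Returns (version, canonical string) or None. ipaddress rejects the
    abbreviated IPv4 forms as well, so it is a pure-Python stand-in for
    inet_pton() when a dependency-free check is wanted.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return addr.version, str(addr)


# Constructed inputs: the first two are the abbreviated forms being banned.
SAMPLES = ["1.1.1", "127.1", "192.0.2.10", "256.1.1.1", "2001:db8::1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:14} inet_aton={lax_ipv4(s)!s:12} "
              f"inet_pton={strict_ipv4(s)!s:12} ipaddress={strict_ip_any(s)}")
```

Running it prints, among others, `1.1.1 inet_aton=1.1.0.1 inet_pton=None`: the lax parser turned a three-part string into a real address in a different network, which is exactly the kind of silent acceptance an installer validating operator input should refuse.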
* Optimize member/memberof searches in LDAP | Martin Kosek | 2011-10-12 | 1 file, -5/+4

    When investigating whether a member/memberof attribute is direct/indirect we do a lot of LDAP SCOPE_SUBTREE searches when we actually search for just one item. Make sure we search only with SCOPE_BASE to improve the performance.

    One not so efficient iteration was also changed to a list comprehension to speed things up a tiny bit.

    https://fedorahosted.org/freeipa/ticket/1885
* ipa-client-install hangs if the discovered server is unresponsive | Martin Kosek | 2011-10-12 | 2 files, -3/+6

    Add a timeout to the wget call to cover the case when the autodiscovered server does not respond to our attempt to download ca.crt. Let the user specify a different IPA server in that case.

    https://fedorahosted.org/freeipa/ticket/1960
* Improve handling of GIDs when migrating groups | Martin Kosek | 2011-10-11 | 3 files, -15/+67

    Since an IPA v2 server already contains predefined groups that may collide with groups in the migrated (IPA v1) server (for example admins, ipausers), users having a colliding group as their primary group may happen to belong to an unknown group on the new IPA v2 server.

    Implement the --group-overwrite-gid option to overwrite the GID of already existing groups to prevent this issue.

    https://fedorahosted.org/freeipa/ticket/1866
* Ticket 1718 - Fix Spanish po translation file | John Dennis | 2011-10-11 | 1 file, -540/+429

    There were quite a few errors in es.po; it was difficult or impossible to track down where they came from, Transifex does not have good revision history. I fixed about 20% of the msgstr's in the file that had obvious problems which could be spotted by a non-Spanish speaking person.

    Spurious backslashes and backslash-newlines had been introduced. I tracked this particular problem down to a bug in polib. polib is a Python library which can read/write po/mo files. In Fedora it's packaged as python-polib. polib is used by the Transifex instance to read/write po files. We don't currently use polib in IPA (that will change soon though) but I wrote utilities using polib to help fix the bad po file and analyze what had gone wrong. I discovered that if one simply uses polib to read a po file into memory and then writes that po file back out from memory you don't end up with the same contents if there are backslashed escapes in the file. I tracked this down to the escape() and unescape() functions in polib. This caused me to look to see if upstream polib had been fixed. It had. Therefore I think the spurious backslashes were introduced when Transifex was using an older broken version of polib. I filed this Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=744419 to get the fixes into python-polib.

    I manually corrected all the backslash errors. I compared all 1329 translations from a known good version of es.po with the current version and generated a new es.po by taking the translation (e.g. msgstr) from the two po files which was obviously correct. In those instances where neither msgstr was obviously correct I deleted the translation entirely.

    I also wrote utilities to validate any "substitution" variables appearing in the text. I discovered a number of instances where the substitution variable had been malformed by the translator such that it was syntactically invalid. This is how we originally discovered problems with the translation, it was throwing Python exceptions. I fixed all those errors.

    I also found approximately 80 translations where the leading whitespace had been altered by the translator. Those also were fixed.

    I cannot verify that the remaining translations are a correct Spanish translation of the original text (in fact a number of them I looked at seemed dubious to me, for example it omitted recognizable keywords). But I do believe that the obvious errors are fixed and we shouldn't be throwing any more Python exceptions because of malformed substitution variables.
* Remove more redundant configuration values from krb5.conf. | Jan Cholasta | 2011-10-11 | 2 files, -12/+0

    ticket 1358
* Don't leak passwords through kdb5_ldap_util command line arguments. | Jan Cholasta | 2011-10-11 | 1 file, -2/+10

    ticket 1948
* Make ipa-join work against an LDAP server that disallows anon binds | Rob Crittenden | 2011-10-11 | 3 files, -109/+94

    We determine the realm in the client installer so we can deduce the base dn; pass that into ipa-join so we don't have to hunt for it.

    Re-order the bind so that when doing an OTP enrollment we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment.

    If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed.

    https://fedorahosted.org/freeipa/ticket/1935
* Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool | Alexander Bokovoy | 2011-10-11 | 1 file, -21/+9

    The systemd service unit for krb5kdc in Fedora 16 uses the KRB5REALM variable of /etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we need to make sure it always exists and points to our realm.

    Partial fix for: https://fedorahosted.org/freeipa/ticket/1192
* Refactor backup_and_replace_hostname() into a flexible config modification tool | Alexander Bokovoy | 2011-10-11 | 2 files, -40/+97

    backup_and_replace_hostname() was doing three things:

    1. Given a config file in 'key=value' style, replace the value for a specified key (HOSTNAME)
    2. Back up the original file and install a replacement
    3. Restore the original security context after editing

    We have several more places where parts of the functionality are needed, thus making two tools in ipapython.ipautil:

    1. config_replace_variables(filepath, replacevars=dict(), appendvars=dict())
       Replaces or appends values to specified keys, adding new key=value pairs if the key was absent
    2. backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict())
       Backs up the config file and calls config_replace_variables()

    A caller must handle the security context after using these two tools.

    In addition, as before, there is ipapython.services.backup_and_replace_hostname() that uses these common tools and restores the security context after editing.

    The code will be used extensively for systemd integration for Fedora 16.

    Fixes: https://fedorahosted.org/freeipa/ticket/1871
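The replace/append semantics described in this commit, together with the empty-value case ("NAME=") fixed in the 2011-10-13 commit above, are small enough to work through in full. The following is an added example written for this page, not FreeIPA's ipapython.ipautil implementation: the function names, the quoting rule and the sample sysconfig file are my own assumptions. It rewrites only the lines whose keys are being changed, adds absent keys at the end, and appends to an empty value without introducing a leading space. Backing up the file and restoring its SELinux context remain the caller's job, as the commit message says.

```python
"""Key=value config editing in the spirit of the helpers described above.

Added example, not FreeIPA's ipapython.ipautil code. The function names,
quoting rule and SAMPLE file are assumptions made for illustration.
"""
import re
from pathlib import Path

# KEY=value or KEY="value". Comments, blank and malformed lines never match
# and are passed through unchanged.
_VAR_RE = re.compile(
    r'^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<quote>"?)(?P<value>.*?)(?P=quote)\s*$'
)


def _format(key, value, quote=""):
    """Emit KEY=value, quoting when the original was quoted or the value has spaces.

    sysconfig files are sourced by the shell, so an unquoted 'OPTIONS=-a -b'
    would execute '-b' as a command; quoting is the safe default.
    """
    if quote or " " in value:
        return f'{key}="{value}"'
    return f"{key}={value}"


def _append(value, extra):
    """Append to a value; an empty value ('NAME=') takes the new value as is."""
    return extra if value == "" else f"{value} {extra}"


def config_replace_variables_text(text, replacevars=None, appendvars=None):
    """Return text with replacevars overwritten and appendvars appended.

    replacevars: {KEY: value} sets KEY to value, adding the line if KEY is absent.
    appendvars:  {KEY: value} appends ' value' to KEY's current value; absent
                 keys are added as KEY=value.
    A key present in both dicts is replaced first, then appended to.
    Lines whose key is not being changed are preserved byte for byte.
    """
    replacevars = dict(replacevars or {})
    appendvars = dict(appendvars or {})
    out = []
    for line in text.splitlines():
        m = _VAR_RE.match(line)
        if not m or (m["key"] not in replacevars and m["key"] not in appendvars):
            out.append(line)
            continue
        key, quote, value = m["key"], m["quote"], m["value"]
        if key in replacevars:
            value = replacevars.pop(key)
        if key in appendvars:
            value = _append(value, appendvars.pop(key))
        out.append(_format(key, value, quote))
    # Keys not found in the file are added at the end.
    for key, value in replacevars.items():
        if key in appendvars:
            value = _append(value, appendvars.pop(key))
        out.append(_format(key, value))
    for key, value in appendvars.items():
        out.append(_format(key, value))
    return "\n".join(out) + ("\n" if out else "")


def config_replace_variables(path, replacevars=None, appendvars=None):
    """File-level wrapper (hypothetical name): rewrite path in place.

    The real tool also takes a backup store; this example deliberately omits
    backup and security-context handling, which stay with the caller.
    """
    p = Path(path)
    p.write_text(config_replace_variables_text(p.read_text(), replacevars, appendvars))


# Constructed sample, not a real host's /etc/sysconfig/network.
SAMPLE = """# Constructed sample sysconfig file
NETWORKING=yes
HOSTNAME=localhost.localdomain
OPTIONS=
"""

if __name__ == "__main__":
    print(config_replace_variables_text(
        SAMPLE,
        replacevars={"HOSTNAME": "ipa.example.test", "KRB5REALM": "EXAMPLE.TEST"},
        appendvars={"OPTIONS": "-x"},
    ), end="")
```

On the sample this yields HOSTNAME rewritten in place, OPTIONS=-x (no leading space, the case the earlier commit fixed), and KRB5REALM=EXAMPLE.TEST added at the end, with the comment and NETWORKING line untouched.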
* Fix upgrades of selfsign server | Rob Crittenden | 2011-10-11 | 1 file, -0/+3

    In checking to see if the dogtag proxy configuration needed to be updated we didn't handle the case where dogtag isn't installed at all.

    https://fedorahosted.org/freeipa/ticket/1951
* Disallow deletion of global password policy. | Jan Cholasta | 2011-10-12 | 2 files, -0/+21

    ticket 1936
* Added missing fields to password policy page | Petr Vobornik | 2011-10-10 | 1 file, -2/+10

    https://fedorahosted.org/freeipa/ticket/1944

    No editable fields exist for "maxfail", "failinterval", "lockouttime" and "priority" in the password policy page.
* Include indirect membership and canonicalize hosts during HBAC rules testing | Alexander Bokovoy | 2011-10-10 | 1 file, -7/+23

    When users and hosts are included into groups indirectly, make sure that during an HBAC test we fill in all indirect groups properly into an HBAC request.

    Also, if hosts provided for the test are not specified fully, canonicalize them using the IPA domain.

    This makes the following request possible:

    ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
    Request to evaluate:
    <user <name foobar groups [hbacusers,ipausers]> service <name sshd groups []> targethost <name vm-101.ipa.local groups []> srchost <name vm-101.ipa.local groups []> >

    Fixes:
    https://fedorahosted.org/freeipa/ticket/1862
    https://fedorahosted.org/freeipa/ticket/1949
* Force kerberos realm to be a string | Alexander Bokovoy | 2011-10-10 | 1 file, -1/+1

    Fixes an issue with the Python linter on Fedora 16 where, during static analysis, it assumes that objects provided by C modules are of type _Chainmap.
* Fix dnszone-add name_from_ip server validation | Martin Kosek | 2011-10-11 | 2 files, -1/+56

    Ticket 1627 contained a (temporary, hack-ish) fix for dnszone-add name_from_ip validation which works fine for the CLI. However, when the command is not processed via the CLI and is sent directly to the RPC server, the server throws an Internal Server Error.

    Make sure that the server returns a reasonable error. Also implement 2 unit test cases testing this option.

    https://fedorahosted.org/freeipa/ticket/1941
* Fix i18n in config plugin | Martin Kosek | 2011-10-11 | 1 file, -2/+2
* Improve default user/group object class validation | Martin Kosek | 2011-10-11 | 2 files, -1/+27

    When the user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following:

    - all object classes are known to LDAP
    - all default user/group attributes are allowed under the new set of default object classes

    https://fedorahosted.org/freeipa/ticket/1893
* Increase number of 'getent passwd attempts' to 10 | Alexander Bokovoy | 2011-10-11 | 1 file, -4/+4

    During ipa-client-install SSSD is not always started up properly for some reason, and things like "getent passwd admin" do not work. This is particularly true for large setups where admin is included in a large set of groups.

    https://fedorahosted.org/freeipa/ticket/1774
* Fix DNS permissions and membership in privileges | Rob Crittenden | 2011-10-09 | 6 files, -25/+67

    This resolves two issues:

    1. The DNS acis lacked a prefix so weren't tied to permissions
    2. The permissions were added before the privileges so the member values weren't calculated properly

    For updates we need to add in the members and recalculate memberof via a DS task.

    https://fedorahosted.org/freeipa/ticket/1898
* Become IPA 2.1.2 (tag: release-2-1-2) | Rob Crittenden | 2011-10-06 | 1 file, -1/+1
* Force the upgrade of pki-setup when upgrading the RPMS | Adam Young | 2011-10-07 | 1 file, -2/+7
* Execute pki proxy setup when server is upgraded if needed | Adam Young | 2011-10-07 | 1 file, -2/+21
* Make mod_nss renegotiation configuration a public function | Adam Young | 2011-10-07 | 1 file, -4/+4
* Split Web UI initialization to several smaller calls | Petr Vobornik | 2011-10-07 | 1 file, -8/+174

    https://fedorahosted.org/freeipa/ticket/1933

    The Web UI init method was modified to get initialization data in 3 calls. The first call remains the same as before except that the json_metadata command was removed. JSON metadata are requested after a successful response of the first batch command. This approach should preserve functionality in IE (where the request is missing after authentication).

    Getting JSON metadata is split into two commands - this should prevent the error in the linked ticket. These two commands are executed in parallel by the new concurent_command object. Concurrent command waits for all responses, then it calls each command's success handler.
* Split Web UI initialization to several smaller calls #2 | Petr Vobornik | 2011-10-07 | 3 files, -16692/+17145

    https://fedorahosted.org/freeipa/ticket/1933

    Modified data files for offline testing.
* split metadata call | Adam Young | 2011-10-07 | 1 file, -14/+18

    The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.

    To fetch just the objects call it like this:

    {"method":"json_metadata","params":[["all",""],{}],"id":0}

    And just the methods call it like this:

    {"method":"json_metadata","params":[["","all"],{}],"id":0}

    Note the difference in the positional parameters. To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter. This is not ideal, but we are constrained by the existing API.
* When calculating indirect membership don't test nesting on users and hosts. | Rob Crittenden | 2011-10-06 | 1 file, -0/+8

    Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups.

    https://fedorahosted.org/freeipa/ticket/1885
* Make sure ipa-client-install returns correct error code | Martin Kosek | 2011-10-07 | 1 file, -0/+2

    https://fedorahosted.org/freeipa/ticket/1937