| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The higher version is reported to fix a Fedora 17 to 18 upgrade issue.
https://fedorahosted.org/freeipa/ticket/3399
| |
The following is mentioned in the log now:
- existence of host entry (if it already does exist)
- missing krbprincipalname and its new value (if there was no
principal name set)
https://fedorahosted.org/freeipa/ticket/3481
| |
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patch fixes this, so that instead of
failing the default NETBIOS name is used.
https://fedorahosted.org/freeipa/ticket/3497
| |
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.
https://fedorahosted.org/freeipa/ticket/3347
| |
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.
https://fedorahosted.org/freeipa/ticket/3347
Signed-off-by: Petr Spacek <pspacek@redhat.com>
| |
This patch is a fix for the upcoming ipa-3-1 minor release.
Loading of extension.js was removed with introduction of AMD modules. This patch returns the feature to avoid regressions.
In 3.2 it will be handled differently (multiple plugins).
| |
Checkbox for NONE option was added.
https://fedorahosted.org/freeipa/ticket/3404
| |
The problem is the ca_status() uses an HTTP GET operation to check Dogtag's
status. Under some circumstances Dogtag may take a long time to respond, so the
HTTP GET may time out much earlier than 2 minutes. And since the above code
doesn't catch the exception, the whole loop fails immediately, so it doesn't
wait for a full 2 minutes as expected.
https://fedorahosted.org/freeipa/ticket/3492
| |
CA certificate retrieval function did not fall back from LDAP to
HTTP based retrieval in case of an LDAP error, when for example
GSSAPI authentication failed.
https://fedorahosted.org/freeipa/ticket/3512
| |
ipa-client-install failed if user had set his own KRB5CCNAME in his
environment. Use a temporary CCACHE for the installer to avoid these
kinds of errors.
https://fedorahosted.org/freeipa/ticket/3512
| |
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.
Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.
https://fedorahosted.org/freeipa/ticket/3519
| |
Add support for Realm Domains to web UI.
https://fedorahosted.org/freeipa/ticket/3407
| |
This extends certificate search page by search option select. Therefore
the search is not restricted to 'subject'.
It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in the
future.
https://fedorahosted.org/freeipa/ticket/3419
| |
The following pages were added to Web UI:
* certificate details
* certificate search
Certificate is not regular object so it gets no metadata. Therefore artificial
metadata were created for it to allow usage of search and details facet.
Search and details facet were modified to allow removing of add/remove/update/
reset buttons - certificates have no mod operation and they are not added by
standard means.
User can revoke and restore certificates in details facet.
https://fedorahosted.org/freeipa/ticket/3419
| |
The run() method of the show_mappings command was missing
the **options parameter in its signature, causing the
ipa show-mappings to fail with an internal error.
| |
Added blacklists section, with ipantsidblacklistincoming and
ipantsidblacklistoutgoing multivalued textbox fields, into trust details page.
https://fedorahosted.org/freeipa/ticket/3289
| |
There was an incorrect check for no_update flag. Check was performed as
if the flag was an attribute of object not an item of array. Hence, the
flag never caused any effect.
| |
Editable combobox didn't update its dirty state correctly. CB had its own
internal value changed event, which was incorrectly used. It was removed and
widget's value_changed event was used instead.
| |
Combobox can be controlled just by using keyboard.
When value list is closed, user can:
* use UP and DOWN arrows to open list, it will focus the list and
select previous/next value
* when CB is non-editable, user can start typing, first character will open
list, second will be entered into search input. Note: I wanted to copy the
first char to the search box as well, but I did not figure out reliable
method for converting keycode to char for non ASCII keyboard layouts
* ESCAPE, ENTER, TAB keys are handled to allow keyboard operations in a
container
When value list is opened:
* CB tries to keep focus on either search input or a select
* when focus is lost, the value list is closed. So user can click anywhere
on a page to close it - two comboboxes can't be opened at the same time
* hitting TAB key switches between search and select
* if CB is not searchable, hitting TAB will close the value list and select
input textbox
* hitting ESCAPE on will close the value list
* hitting ENTER on search input will invoke search operation
* hitting ENTER on select will close the value list
* hitting UP/DOWN arrows will select previous/next values
Additional modifications:
* opening arrow and search button were made non-focusable. It fixes the
'wrong focus area' bug and simplifies keyboard usage. It doesn't affect
mouse usage.
https://fedorahosted.org/freeipa/ticket/3324
| |
The .isalpha() check in validate_domain_name() was too strict,
causing some commands like ipa dnsrecord-add to fail.
https://fedorahosted.org/freeipa/ticket/3385
| |
If you break a replica install after the agreement is created but
before it gets much further you'll be in the situation where an
agreement exists, no cn=masters entry exists, and the RUV may not
be set yet.
This adds some error handling so the broken install can be safely
removed.
https://fedorahosted.org/freeipa/ticket/3444
| |
Client discovery LDAP search assumes that the remote LDAP server will
send an entry with lowercase attribute names. When it discovers for
example on openldap which sends it in CamelCase, the discovery
crashes.
Convert retrieved entry to CIDict to avoid this error. Also add
a fallback to ipa-client-install server discovery process so that
it rather skips the faulty server instead of crashing.
https://fedorahosted.org/freeipa/ticket/3446
| |
SID validation in idrange.py now enforces exact match on SIDs, thus
one can no longer use SID of an object in a trusted domain as a
trusted domain SID.
https://fedorahosted.org/freeipa/ticket/3432
| |
In client discovery module, we used to run up to three discovery
processes even though we received a fixed list of servers to connect
to. This could result in up to 3 identical "not an IPA server" error
messages when the passed server is not an IPA server.
Error out immediately when we are discovering against a fixed set
of servers.
Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
| |
When multiple servers are passed via --server option, ipadiscovery
module changed its order. Make sure that we preserve it.
Also make sure that user is always warned when a tested server is
not available as then the server will be excluded from the fixed
server list. Log messages were made more informative so that user
knows which server is actually failing to be verified.
https://fedorahosted.org/freeipa/ticket/3418
| |
DNs represented as strings and passed via --setattr or --addattr
are no longer implicitly converted to DN type. This solves various
errors associated with this behaviour, see tickets below.
Unit tests added.
https://fedorahosted.org/freeipa/ticket/3348
https://fedorahosted.org/freeipa/ticket/3349
| |
Parts of client uninstall logic could be skipped in attended
uninstallation if user agreed to reboot the machine. Particularly,
the uninstall script would not try to remove /etc/ipa/default.conf
and therefore subsequent installation would fail, client being
detected as already configured.
https://fedorahosted.org/freeipa/ticket/3462
https://fedorahosted.org/freeipa/ticket/3463
| |
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
| |
Reorganize ipa-server-install so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
| |
We want to store the raw value. Tools like ldapsearch will automatically
base64 encode the value because it's binary so we don't want to duplicate
that.
https://fedorahosted.org/freeipa/ticket/3477
| |
Also fix incorrect super method call in output_for_cli method of
sudorule_{add,remove}_option.
https://fedorahosted.org/freeipa/ticket/3489
| |
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.
https://fedorahosted.org/freeipa/ticket/3437
| |
https://fedorahosted.org/freeipa/ticket/3464
| |
We did not have the includedir directory with a trailing slash which made
rpm update add a redundant line.
https://fedorahosted.org/freeipa/ticket/3132
| |
Fixes https://fedorahosted.org/freeipa/ticket/3427
| |
Fixes https://fedorahosted.org/freeipa/ticket/3426
| |
Fixes https://fedorahosted.org/freeipa/ticket/3425
| |
A wrong logic was used to check ipactx.
Fixes https://fedorahosted.org/freeipa/ticket/3424
| |
ipa_mspac_well_known_sids is a globally defined array so the check was
always true.
Fixes https://fedorahosted.org/freeipa/ticket/3423
| |
There was a code path where ret was used instead of kerr to save a
return value.
Fixes https://fedorahosted.org/freeipa/ticket/3422
| |
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
| |
Some commands require a connection for interactive prompting.
Prompt after the connection is created.
Option parsing is still done before connecting so that help
can be printed out without a Kerberos ticket.
https://fedorahosted.org/freeipa/ticket/3453
| |
When modifying the idrange, one was able to add ipa NT trusted
AD domain sid without objectclass ipatrustedaddomainrange being
added. This patch fixes the issue.
| |
Both now enforce the following checks:
- dom_sid and secondary_rid_base cannot be used together
- rid_base must be used together if dom_rid is set
- secondary_rid_base and rid_base must be used together
if dom_rid is not set
Unit test for third check has been added.
http://fedorahosted.org/freeipa/ticket/3170
| |
The make-test script now returns 1 in case that any of the test
cases that were run failed.
| |
The code split the permission string on commas, essentially doing
poor man's CSV parsing. So if a permission contained a
comma-separated list of valid permissions, validation would pass
but we'd get errors later.
https://fedorahosted.org/freeipa/ticket/3420
| |
Add missing ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
| |
When installing / uninstalling IPA client, the checks that
determine whether IPA client is installed now take the existence
of /etc/ipa/default.conf into consideration.
The client will not uninstall unless either something is backed
up or /etc/ipa/default.conf file does exist.
The client will not install if something is backed up or
default.conf file does exist (unless it's installation on master).
https://fedorahosted.org/freeipa/ticket/3331