Commit message | Author | Age | Files | Lines
* Become 3.1.3 [release-3-1-3] | Martin Kosek | 2013-03-26 | 1 | -1/+1
* Bump selinux-policy requires | Martin Kosek | 2013-03-26 | 1 | -1/+4
    The higher version is reported to fix a Fedora 17 to 18 upgrade issue.
    https://fedorahosted.org/freeipa/ticket/3399
* Add logging to join command | Tomas Babej | 2013-03-25 | 1 | -6/+20
    The following is mentioned in the log now:
    - existence of host entry (if it already does exist)
    - missing krbprincipalname and its new value (if there was no principal name set)
    https://fedorahosted.org/freeipa/ticket/3481
* Use default NETBIOS name in unattended ipa-adtrust-install | Ana Krivokapic | 2013-03-22 | 1 | -1/+4
    Unattended ipa-adtrust-install used to fail if --netbios option was not provided. This patch fixes this, so that instead of failing the default NETBIOS name is used.
    https://fedorahosted.org/freeipa/ticket/3497
* Configure ipa_dns DS plugin on install and upgrade | Martin Kosek | 2013-03-22 | 4 | -0/+43
    The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone.
    https://fedorahosted.org/freeipa/ticket/3347
* Add 389 DS plugin for special idnsSOASerial attribute handling | Petr Spacek | 2013-03-22 | 5 | -0/+255
    Default value "1" is added to replicated idnsZone objects if idnsSOASerial attribute is missing.
    https://fedorahosted.org/freeipa/ticket/3347
    Signed-off-by: Petr Spacek <pspacek@redhat.com>
* Load extension.js after UI AMD modules. | Petr Vobornik | 2013-03-22 | 1 | -3/+6
    This patch is a fix for the upcoming ipa-3-1 minor release. Loading of extension.js was removed with introduction of AMD modules. This patch returns the feature to avoid regressions. In 3.2 it will be handled differently (multiple plugins).
* Added Web UI support for service PAC type option: NONE | Petr Vobornik | 2013-03-22 | 1 | -1/+1
    Checkbox for NONE option was added.
    https://fedorahosted.org/freeipa/ticket/3404
* Process exceptions when talking to Dogtag | Alexander Bokovoy | 2013-03-21 | 1 | -1/+4
    The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected.
    https://fedorahosted.org/freeipa/ticket/3492
* Improve client install LDAP cert retrieval fallback | Martin Kosek | 2013-03-21 | 1 | -1/+1
    CA certificate retrieval function did not fall back from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed.
    https://fedorahosted.org/freeipa/ticket/3512
* Use temporary CCACHE in ipa-client-install | Martin Kosek | 2013-03-21 | 1 | -0/+7
    ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kinds of errors.
    https://fedorahosted.org/freeipa/ticket/3512
* ipa-client discovery with anonymous access off | Martin Kosek | 2013-03-20 | 1 | -5/+1
    When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success.
    https://fedorahosted.org/freeipa/ticket/3519
* Realm Domains page | Ana Krivokapic | 2013-03-18 | 9 | -7/+190
    Add support for Realm Domains to web UI.
    https://fedorahosted.org/freeipa/ticket/3407
* Web UI:Choose different search option for cert-find | Petr Vobornik | 2013-03-18 | 5 | -4/+140
    This extends certificate search page by search option select. Therefore the search is not restricted to 'subject'. It should be replaced by https://fedorahosted.org/freeipa/ticket/191 in the future.
    https://fedorahosted.org/freeipa/ticket/3419
* Web UI:Certificate pages | Petr Vobornik | 2013-03-18 | 13 | -31/+621
    Following pages were added to Web UI:
    * certificate details
    * certificate search
    Certificate is not regular object so it gets no metadata. Therefore artificial metadata were created for it to allow usage of search and details facet. Search and details facet were modified to allow removing of add/remove/update/reset buttons - certificates have no mod operation and they are not added by standard means. User can revoke and restore certificate in details facet.
    https://fedorahosted.org/freeipa/ticket/3419
* Fix internal error for ipa show-mappings | Ana Krivokapic | 2013-03-18 | 1 | -1/+1
    The run() method of the show_mappings command was missing the **options parameter in its signature, causing the ipa show-mappings to fail with an internal error.
* Web UI: configurable SID blacklists | Petr Vobornik | 2013-03-18 | 3 | -0/+16
    Added blacklists section, with ipantsidblacklistincoming and ipantsidblacklistoutgoing multivalued textbox fields, into trust details page.
    https://fedorahosted.org/freeipa/ticket/3289
* Fix handling of no_update flag in Web UI | Petr Vobornik | 2013-03-18 | 1 | -2/+2
    There was an incorrect check for no_update flag. Check was performed as if the flag was an attribute of object not an item of array. Hence, the flag never caused any effect.
* Fix dirty state update of editable combobox | Petr Vobornik | 2013-03-18 | 2 | -25/+3
    Editable combobox didn't update its dirty state correctly. CB had its own internal value changed event, which was incorrectly used. It was removed and widget's value_changed event was used instead.
* Combobox keyboard support | Petr Vobornik | 2013-03-18 | 1 | -27/+186
    Combobox can be controlled just by using keyboard.
    When value list is closed, user can:
    * use UP and DOWN arrows to open list, it will focus the list and select previous/next value
    * when CB is non-editable, user can start typing, first character will open list, second will be entered into search input. Note: I wanted to copy the first char to the search box as well, but I did not figure out reliable method for converting keycode to char for non ASCII keyboard layouts
    * ESCAPE, ENTER, TAB keys are handled to allow keyboard operations in a container
    When value list is opened:
    * CB tries to keep focus on either search input or a select
    * when focus is lost, the value list is closed. So user can click anywhere on a page to close it - two comboboxes can't be opened at the same time
    * hitting TAB key switches between search and select
    * if CB is not searchable, hitting TAB will close the value list and select input textbox
    * hitting ESCAPE on will close the value list
    * hitting ENTER on search input will invoke search operation
    * hitting ENTER on select will close the value list
    * hitting UP/DOWN arrows will select previous/next values
    Additional modifications:
    * opening arrow and search button were made non-focusable. It fixes the 'wrong focus area' bug and simplifies keyboard usage. It doesn't affect mouse usage.
    https://fedorahosted.org/freeipa/ticket/3324
* Remove check for alphabetic only characters from domain name validation | Ana Krivokapic | 2013-03-15 | 1 | -3/+0
    The .isalpha() check in validate_domain_name() was too strict, causing some commands like ipa dnsrecord-add to fail.
    https://fedorahosted.org/freeipa/ticket/3385
* Improve some error handling in ipa-replica-manage | Rob Crittenden | 2013-03-14 | 1 | -2/+5
    If you break a replica install after the agreement is created but before it gets much further you'll be in the situation where an agreement exists, no cn=masters entry exists, and the RUV may not be set yet. This adds some error handling so the broken install can be safely removed.
    https://fedorahosted.org/freeipa/ticket/3444
* Fix client discovery crash | Martin Kosek | 2013-03-14 | 2 | -4/+16
    Client discovery LDAP search assumes that the remote LDAP server will send an entry with lowercase attribute names. When it discovers for example on openldap which sends it in CamelCase, the discovery crashes. Convert retrieved entry to CIDict to avoid this error. Also add a fallback to ipa-client-install server discovery process so that it rather skips the faulty server instead of crashing.
    https://fedorahosted.org/freeipa/ticket/3446
* Enforce exact SID match when adding or modifying a ID range | Tomas Babej | 2013-03-14 | 2 | -14/+38
    SID validation in idrange.py now enforces exact match on SIDs, thus one can no longer use SID of an object in a trusted domain as a trusted domain SID.
    https://fedorahosted.org/freeipa/ticket/3432
* Avoid multiple client discovery with fixed server list | Martin Kosek | 2013-03-14 | 1 | -0/+11
    In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers.
    Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
* Preserve order of servers in ipa-client-install | Martin Kosek | 2013-03-14 | 1 | -7/+10
    When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified.
    https://fedorahosted.org/freeipa/ticket/3418
* Remove implicit Str to DN conversion using *-attr | Tomas Babej | 2013-03-13 | 2 | -72/+154
    DNs represented as strings and passed via --setattr or --addattr are no longer implicitly converted to DN type. This solves various errors associated with this behaviour, see tickets below. Unit tests added.
    https://fedorahosted.org/freeipa/ticket/3348
    https://fedorahosted.org/freeipa/ticket/3349
* Make sure uninstall script prompts for reboot as last | Tomas Babej | 2013-03-13 | 1 | -19/+35
    Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particularly, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured.
    https://fedorahosted.org/freeipa/ticket/3462
    https://fedorahosted.org/freeipa/ticket/3463
* Perform secondary rid range overlap check for local ranges only | Tomas Babej | 2013-03-11 | 1 | -16/+25
    Any of the following checks:
    - overlap between primary RID range and secondary RID range
    - overlap between secondary RID range and secondary RID range
    is performed now only if both of the ranges involved are local domain ranges.
    https://fedorahosted.org/freeipa/ticket/3391
* Fix installing server with external CA | Petr Viktorin | 2013-03-08 | 3 | -65/+74
    Reorganize ipa-server-install so that DS (and NTP server) installation only happens in step one. Change CAInstance to behave correctly in two-step install. Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks.
    https://fedorahosted.org/freeipa/ticket/3459
* Don't base64-encode the CA cert when uploading it during an upgrade. | Rob Crittenden | 2013-03-07 | 1 | -2/+1
    We want to store the raw value. Tools like ldapsearch will automatically base64 encode the value because it's binary so we don't want to duplicate that.
    https://fedorahosted.org/freeipa/ticket/3477
* Fix internal error in output_for_cli method of sudorule_{enable,disable}. | Jan Cholasta | 2013-03-06 | 1 | -4/+4
    Also fix incorrect super method call in output_for_cli method of sudorule_{add,remove}_option.
    https://fedorahosted.org/freeipa/ticket/3489
* Remove disabled entries from sudoers compat tree. | Jan Cholasta | 2013-03-06 | 2 | -1/+3
    The removal is triggered by generating an invalid RDN when ipaEnabledFlag of the original entry is FALSE.
    https://fedorahosted.org/freeipa/ticket/3437
* Fix remove while iterating in suppress_netgroup_memberof. | Jan Cholasta | 2013-03-06 | 3 | -3/+2
    https://fedorahosted.org/freeipa/ticket/3464
* Fix includedir directive in krb5.conf template | Martin Kosek | 2013-02-28 | 1 | -1/+1
    We did not have the includedir directory with a trailing slash which made rpm update add a redundant line.
    https://fedorahosted.org/freeipa/ticket/3132
* ipa-pwd: Unchecked return value ipapwd_chpwop() | Sumit Bose | 2013-02-28 | 1 | -1/+5
    Fixes https://fedorahosted.org/freeipa/ticket/3427
* ipa-extdom: Double-free in ipa_extdom_common.c | Sumit Bose | 2013-02-28 | 1 | -1/+0
    Fixes https://fedorahosted.org/freeipa/ticket/3426
* ipa-lockout: Wrong sizeof argument in ipa_lockout.c | Sumit Bose | 2013-02-28 | 1 | -1/+1
    Fixes https://fedorahosted.org/freeipa/ticket/3425
* ipa-kdb: Dereference after null check in ipa_kdb_mspac.c | Sumit Bose | 2013-02-28 | 1 | -1/+1
    A wrong logic was used to check ipactx.
    Fixes https://fedorahosted.org/freeipa/ticket/3424
* ipa-sam: Array compared against 0 in ipasam_set_trusted_domain() | Sumit Bose | 2013-02-28 | 1 | -1/+1
    ipa_mspac_well_known_sids is a globally defined array so the check was always true.
    Fixes https://fedorahosted.org/freeipa/ticket/3423
* ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac() | Sumit Bose | 2013-02-28 | 1 | -5/+4
    There was a code path where ret was used instead of kerr to save a return value.
    Fixes https://fedorahosted.org/freeipa/ticket/3422
* ipa-kdb: remove unused variable | Sumit Bose | 2013-02-28 | 1 | -1/+1
* Remove ORDERING for IA5 attributeTypes | Martin Kosek | 2013-02-27 | 2 | -9/+6
    IA5 string syntax does not have a compatible ORDERING matching rule. Simply use default ORDERING for these attributeTypes as we already do in other cases.
    https://fedorahosted.org/freeipa/ticket/3398
* cli: Do interactive prompting after a context is created | Petr Viktorin | 2013-02-26 | 2 | -4/+5
    Some commands require a connection for interactive prompting. Prompt after the connection is created. Option parsing is still done before connecting so that help can be printed out without a Kerberos ticket.
    https://fedorahosted.org/freeipa/ticket/3453
* Add trusted domain range objectclass when using idrange-mod | Tomas Babej | 2013-02-26 | 1 | -0/+5
    When modifying the idrange, one was able to add ipa NT trusted AD domain sid without objectclass ipatrustedaddomainrange being added. This patch fixes the issue.
* Make options checks in idrange-add/mod consistent | Tomas Babej | 2013-02-26 | 2 | -17/+91
    Both now enforce the following checks:
    - dom_sid and secondary_rid_base cannot be used together
    - rid_base must be used together if dom_rid is set
    - secondary_rid_base and rid_base must be used together if dom_rid is not set
    Unit test for third check has been added.
    http://fedorahosted.org/freeipa/ticket/3170
* Make sure appropriate exit status is returned in make-test | Tomas Babej | 2013-02-25 | 1 | -0/+2
    The make-test script now returns 1 in case that any of the test cases that were run failed.
* Fix permission validation and normalization in aci.py | Petr Viktorin | 2013-02-22 | 1 | -13/+10
    The code split the permission string on commas, essentially doing poor man's CSV parsing. So if a permission contained a comma-separated list of valid permissions, validation would pass but we'd get errors later.
    https://fedorahosted.org/freeipa/ticket/3420
* Add missing v3 schema on upgrades, fix typo in schema. | Rob Crittenden | 2013-02-22 | 3 | -18/+33
    Add missing ipaExternalMember attribute and ipaExternalGroup objectclass. Replacing mis-spelled ORDERING value on new install and upgrades.
    https://fedorahosted.org/freeipa/ticket/3398
* Use default.conf as flag of IPA client being installed | Tomas Babej | 2013-02-22 | 1 | -3/+18
    When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master).
    https://fedorahosted.org/freeipa/ticket/3331