summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fixed displaying of A6 RecordPetr Voborník2012-02-291-2/+2
| | | | | | | | UI was modified to reflect changes in #2309. Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record. https://fedorahosted.org/freeipa/ticket/2367
* DNS UI: added A,AAAA create reverse options to adder dialogPetr Voborník2012-02-291-20/+41
| | | | | | | | To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options. It's UI part of #2009. https://fedorahosted.org/freeipa/ticket/2349
* DNS Zone UI: added new attributesPetr Voborník2012-02-296-95/+228
| | | | | | | | | | | | | | | | | New attributes were added to DNS zone details facet. Attributes: idnsallowquery idnsallowtransfer idnsforwarders idnsforwardpolicy idnsallowsyncptr New network address validator created for idnsallowquery and idnsallowtransfer attributes. Network address validator also added to dnszone adder dialog - from_ip field. https://fedorahosted.org/freeipa/ticket/2351
* New checkboxes option: Mutual exclusivePetr Voborník2012-02-291-0/+10
| | | | | | | | | | Problem: UI doesn't have a control for selecting one or none value from given set of values. Solution: Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked. https://fedorahosted.org/freeipa/ticket/2351
* Static metadata update - new DNS optionsPetr Voborník2012-02-291-113/+694
| | | | Tickets: #2349 #2350 #2351 #2367
* Use stricter semantics when checking IP address for DNS recordsPetr Viktorin2012-02-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2379
* Fix bad merge of not calling memberof task when re-initializing a replicaRob Crittenden2012-02-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2199
* ipa-kdb: fix delegation acl checkSimo Sorce2012-02-281-2/+4
| | | | | We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* Don't call memberof task when re-initializing a replica.Rob Crittenden2012-02-271-2/+5
| | | | | | | | | | | memberof is not in the EXCLUDE list of nsDS5ReplicatedAttributeListTotal so we have no need of running the task, memberof will come with the data. If that attribute doesn't exist then this agreement was created with an older version of 389-ds, we DO need to initialize memberOf. https://fedorahosted.org/freeipa/ticket/2199
* Improve dns error messageMartin Kosek2012-02-281-2/+8
| | | | | | | | | | Improve AttrValueNotFound exception error message raised in the DNS module when a deleted (modified) attribute value is not found in a record. In order to be consistent with previous DNS module implementation this error message should include an attribute label instead of an attribute name. https://fedorahosted.org/freeipa/ticket/2377
* Implement password based session loginJohn Dennis2012-02-278-98/+294
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
* Implement session activity timeoutJohn Dennis2012-02-276-50/+144
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-2712-126/+376
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Limit allowed characters in a netgroup name to alpha, digit, -, _ and .Rob Crittenden2012-02-275-14/+41
| | | | | | Apply this to hostgroup names as well since they can be linked. https://fedorahosted.org/freeipa/ticket/2221
* Make sure the nolog argument to ipautil.run is not a bare stringPetr Viktorin2012-02-262-1/+9
| | | | | | | | | | | ipautil.run expects a tuple of passwords for nolog; passing a single string causes all individual letters from that string to be replaced by Xes. This fixes such a call, and adds a sanity check to ipautil.run that prevents lone strings from being used in nolog. https://fedorahosted.org/freeipa/ticket/2419
* Add SSHFP update policy for existing zonesMartin Kosek2012-02-273-7/+40
| | | | | | | | | | | | | SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394
* Add client hostname requirements to manMartin Kosek2012-02-271-1/+6
| | | | | | | | Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information. https://fedorahosted.org/freeipa/ticket/1967
* Don't run restorecon if SELinux is disabled or not present.Rob Crittenden2012-02-271-1/+12
| | | | | | | Also check for the existence of restorecon. This may be overkill but it will prevent a client installation from failing for no good reason. https://fedorahosted.org/freeipa/ticket/2368
* Sanitize UDP checks in conncheckMartin Kosek2012-02-262-36/+49
| | | | | | | | | | | | | | | | | | UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
* Add reverse DNS record when forward is createdMartin Kosek2012-02-275-247/+389
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding reverse DNS record may be a time consuming task, especially for IPv6 addresses. Having a way to automatically create a reverse record when a forward record is created could speed up the process. host-add command already has this possibility. This patch takes advantage of the new per-type API and adds new options for A/AAAA record types: --a-create-reverse and --aaaa-create-reverse. These commands can be used to automatically create reverse records for new A/AAAA addresses (both forward and reverse zones need to be managed by FreeIPA server): ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse This command would add a new A record to record foo in zone example.com and a PTR record to appropriate reverse zone for IP address 10.0.0.1 (for example PTR record 1 in zone 0.0.10.in-addr.arpa. pointing to foo.example.com.). Few modification were done to new DNS API to support this feature: - Refactor --ip-address option handling from host-add and place it to dns.py to be used by both modules - Add support for "extra" per-type options - Hide DNS record part options in dnsrecord_find command as they have no effect for this command https://fedorahosted.org/freeipa/ticket/2009
* Make sure 389-ds is running when adding memcache service in upgrade.Rob Crittenden2012-02-261-0/+4
| | | | | | | Adding the memcache service requires 389-ds to be running because we add an entry to cn=masters. https://fedorahosted.org/freeipa/ticket/2411
* Remove unused kpasswd.keytab and ldappwd files if they exist.Rob Crittenden2012-02-272-0/+57
| | | | | | These were used by ipa_kpasswd and krb5-server-ldap respectivily. https://fedorahosted.org/freeipa/ticket/2397
* Check for duplicate winsync agreement before trying to set one up.Rob Crittenden2012-02-271-13/+15
| | | | | | | | | We currently only support a single winsync agreement so all we need to do is check to see if we have one with the remote host. This also adds some minor exception handling cleanup. https://fedorahosted.org/freeipa/ticket/2130
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-272-43/+64
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
* Add Requires to ipa-client on oddjob-mkhomedirRob Crittenden2012-02-271-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2337
* Don't consider virtual attributes when validating custom objectclassesRob Crittenden2012-02-271-0/+5
| | | | | | | | | We verify user and group default objectclasses when changing them to be sure that required objectclasses aren't being dropped. We need to ignore virtual attributes or it will raise an error because they aren't defined in schema. https://fedorahosted.org/freeipa/ticket/2406
* Add gidnumber minvalueMartin Kosek2012-02-233-6/+8
| | | | | | Do not accept invalid GID values in IPA user/group plugins. https://fedorahosted.org/freeipa/ticket/2335
* Catch public exceptions when creating the LDAP context in WSGI.Rob Crittenden2012-02-242-1/+10
| | | | | | Made specifically for the case where S4U2Proxy delegation fails. https://fedorahosted.org/freeipa/ticket/2414
* Add API for PTR sync controlMartin Kosek2012-02-242-3/+11
| | | | | | | | | | | | | | | | New version of bind-dyndb-ldap plugin have an ability to automatically update machine reverse address when its forward address is updated via GSS-TSIG update. The reverse zone must be managed by FreeIPA as well in order of this feature to work. As it would not be secure to enable this behaviour for all zones there is a global attribute that can enable PTR sync for all zones and also a per-zone attribute that can enable for chosen zones only. This patch adds an API for this control. https://fedorahosted.org/freeipa/ticket/2176
* Add DNS conditional forwardingMartin Kosek2012-02-242-4/+30
| | | | | | | | Add ability configure per-zone forwarder for DNS zones. Any data in such zone will then be considered as non-authoritative and all queries will be sent to specified forwarder. https://fedorahosted.org/freeipa/ticket/2108
* Query and transfer ACLs for DNS zonesMartin Kosek2012-02-247-14/+264
| | | | | | | | | | | | | | Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211
* Global DNS optionsMartin Kosek2012-02-247-3/+94
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-244-3/+86
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow IPA master hosts or important services be deleted.Rob Crittenden2012-02-235-0/+51
| | | | | | | | | Deleting these would cause the IPA master to blow up. For services I'm taking a conservative approach and only limiting the deletion of known services we care about. https://fedorahosted.org/freeipa/ticket/2425
* Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtagRob Crittenden2012-02-221-0/+7
| | | | | | | | | | | | We had this in v1 but removed it with v2 because we no longer used TurboGears for the UI. Because we are now proxying requests to dogtag we need to re-add this so that mod_ssl doesn't interfere with our communication. mod_ssl always blindly registers itself as the SSL provider for mod_proxy. mod_nss will only register itself if mod_ssl hasn't already done so. https://fedorahosted.org/freeipa/ticket/2177
* Don't check for schema uniqueness when comparing in ldapupdate.Rob Crittenden2012-02-221-1/+6
| | | | | | | | | | This is needed on F-17+, otherwise things blow up when we try to see if we've added new schema. Introspection is required to see if the argument check_uniqueness is available. https://fedorahosted.org/freeipa/ticket/2383
* Make sure memberof is in replication attribute exclusion list.Rob Crittenden2012-02-233-12/+80
| | | | | | | A previous bug caused this attribute to not be added which would lead to unnecessary replication. This runs as an updater plugin. https://fedorahosted.org/freeipa/ticket/2223
* Add the -v option to sslget to provide more verbose errorsRob Crittenden2012-02-232-2/+4
| | | | | | | | I noticed a couple of bad references in ipapython/dogtag.py and fixed those as well. We used to call sslget for all our SSL client needs before python-nss was written. https://fedorahosted.org/freeipa/ticket/2391
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-232-1/+5
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* update translation pot fileJohn Dennis2012-02-211-235/+240
|
* pulled new po files from TransifexJohn Dennis2012-02-2123-87604/+86410
|
* Update pot file and list of explicit Python files needing translationJohn Dennis2012-02-212-1339/+2082
|
* Added missing configuration optionsPetr Voborník2012-02-204-0/+23
| | | | | | | | | | Missing options were added to Web UI's IPA Server/Configuration page. * ipaconfigstring * ipaselinuxusermaporder * ipaselinuxusermapdefault https://fedorahosted.org/freeipa/ticket/2285 https://fedorahosted.org/freeipa/ticket/2400
* Fixed problem when attributes_widget was displaying empty optionPetr Voborník2012-02-201-1/+6
| | | | | | Attribute table was modified to skip creation of option for empty value. https://fedorahosted.org/freeipa/ticket/2291
* policy: add function to check lockout policySimo Sorce2012-02-193-1/+62
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2393
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-202-1/+6
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Add common helper for interactive promptsPetr Viktorin2012-02-192-30/+40
| | | | | | | | | | | | | | | This patch adds a common method, textui.prompt_helper, that handles encoding, decoding and error handling for interactive prompts. On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises a new InvocationError, PromptFailed. The helper is used in prompt, prompt_yesno, and prompt_password, each of which originally only handled one of Ctrl+C and Ctrl+D. This fixes https://fedorahosted.org/freeipa/ticket/2345 And it means prompt_yesno will no longer return None on error. A minor fix restores errors.py's ability print out the list of errors when run as a script.
* Add extra checking function to XMLRPC test frameworkPetr Viktorin2012-02-192-8/+43
| | | | | | | | | | | | | | | | This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add ability in test framework to compare two values in result) in a general way: adding an optional extra_check key to the test dict, so a custom checking function with access to the whole result can be called. The particular test mentioned in that issue, checking that the uidnumber and gidnumber for new isers are the same, is added. Also, this adds a docstring to the Declarative class. And finally, the test dictionary is passed to check() via keyword arguments, preventing spelling mistakes in keys from going unnoticed.
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Ease zonemgr restrictionsMartin Kosek2012-02-205-10/+7
| | | | | | | | | | | | Admin e-mail validator currently requires an email to be in a second-level domain (hostmaster@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed. This patch also fixes default zonemgr value in help texts and man pages. https://fedorahosted.org/freeipa/ticket/2272
generated by cgit (git 2.34.1) at 2025-09-03 21:49:20 +0000