summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* ipadb_iterate(): handle match_entry == NULLSumit Bose2012-09-052-0/+10
| | | | | | | | | If match_entry == NULL all principals should be iterated. Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL. Fixes: https://fedorahosted.org/freeipa/ticket/3011
* Add nsds5ReplicaStripAttrs to replica agreementsPetr Viktorin2012-09-044-84/+125
| | | | | | | | | | Generalize the fix_replica_memberof update plugin to allow updating more replication attributes. Add nsds5ReplicaStripAttrs to replication agreements on update and replica install. https://fedorahosted.org/freeipa/ticket/2534
* Sort policies numerically in pwpolicy-findTomas Babej2012-09-032-3/+5
| | | | | | | | Password policies in pwpolicy-find are now sorted in the expected numerical manner. Also tweaks one of the unit tests so that it tests this behaviour. https://fedorahosted.org/freeipa/ticket/3039
* Make replica install more robustMartin Kosek2012-09-031-12/+26
| | | | | | | | | | | | | | | | | Under certain circumstances, replica installation may fail in "enable GSSAPI for replication" step when it cannot sync LDAP service principals. There is often not much we can do as Directory Server may be in an unrecoverable state but we should at least wait longer before we give up. A function checking replication status was also fixed to give more accurate results by properly comparing start/end time of the replication process and returning an error message to calling function. This error message is then returned to user if do not manage to get the LDAP service principals to give him a pointer to the actual issue. https://fedorahosted.org/freeipa/ticket/2950
* Run ntpdate in verbose mode, not debug (i.e. no-op) modePetr Viktorin2012-09-042-8/+6
| | | | | | | Remove the debug argument to synconce_ntp since we always want the logs to be verbose. https://fedorahosted.org/freeipa/ticket/3048
* Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cbTomas Babej2012-09-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2953
* Internationalization for public errorsPetr Viktorin2012-09-0330-123/+175
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
* prevent last admin from being disabledJohn Dennis2012-09-033-173/+303
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We prevent the last member of the admin group from being deleted. The same check needs to be performed when disabling a user. * Moved the code in del_user to the common subroutine check_protected_member() and call it from both user_del and user_disable. Note, unlike user_del user_disable does not have a 'pre' callback therefore the check function is called in user_disable's execute routine. * Make check_protected_member() aware of disabled members. It's not sufficient to check which members of the protected group are present, one must only consider those members which are enabled. * Add tests to test_user_plugin.py. - verify you cannot delete nor disable the last member of the admin group - verify when the admin group contains disabled users in addition to enabled users only the enabled users are considered when determining if the last admin is about to be disabled or deleted. * Replace duplicated hardcoded values in the tests with variables or subroutines, this makes the individual tests a bit more succinct and easier to copy/modify. * Update error msg to reflect either deleting or disabling is an error. https://fedorahosted.org/freeipa/ticket/2979
* ipa user-find --manager does not find matchesJohn Dennis2012-09-032-0/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The manager LDAP attribute is a dn pointing inside the user container. When passed on the command it is typically a bare user uid. The search filter will only succeed if the bare uid is converted to a full dn because that is what is stored in the value for the manager attribute. The search failure is solved by calling _normalize_manager() which does the conversion to a dn (if not already a dn). It feels like this type of conversion should be performed in the pre callback which allows one to modify the filter. But when the pre callback is invoked it's complex string with the manager attribute already inserted. This is because the LDAPSearch.execute() method processes the options dict and constructs a filter component for each key/value in the options dict prior to invoking the pre callback. If we wanted to modify the manager value in the filter in the pre callback we would have to decompose the filter string, perform dn checking and then reassemble the filter. It's much cleaner to perform the dn operations on the manager value before it gets embedded into what otherwise might be a very complex filter. This is the reason why the normalization is perfored in the execute method as opposed to the pre callback. Other classes do similar things in their execute methods as opposed to their callbacks's, selinuxusermap_find is one example. Patch also introduces new unit test to verify. https://fedorahosted.org/freeipa/ticket/2264
* Fixes different behaviour of permission-mod and show.Tomas Babej2012-08-292-1/+88
| | | | | | | Both commands now produce the same output regarding the attributelevelrights. https://fedorahosted.org/freeipa/ticket/2875
* Password policy paging with proper sortingPetr Vobornik2012-08-292-3/+6
| | | | | | | | This patch adds option to disable sorting when paging. It allowed to enable paging in password policy with order of items untouched (they are sorted on server side by priority). Also fixing issue when paging is disabled and command summary = null. It displayed 'null' in facet footer. https://fedorahosted.org/freeipa/ticket/2677
* Successful action notificationPetr Vobornik2012-08-2915-81/+135
| | | | | | | | | | | | | | | | | | | User was not notified about success of actions executed from action list, action panel or facet cotrol bar. This patch adds IPA.notify_success(message) call. It creates a yellow notification area with supplied message in Web UI header in the middle of the green area (empty space of first level navigation). This area is displayed for 3s and then it fades out (800ms). It also fades out when it is clicked. This call is used(directly or indirectly) in: * search facets: delete, disable, enable actions * details facets: delete action * user details facet: reset password action * host details facet: unprovision, set OTP actions * service details facet: unprovision action * host and service details facet: request, revoke, restore certificates actions * group details facet: change to POSIX/external actions * dns zone details facet: add/remove permission actions https://fedorahosted.org/freeipa/ticket/2977
* Fix issue which broke setup of Web UI unit testsPetr Vobornik2012-08-291-1/+3
| | | | | | Web UI itself wasn't negatively affected. https://fedorahosted.org/freeipa/ticket/2897
* Revert change causing failure in test automationPetr Vobornik2012-08-291-3/+3
| | | | | | | | Move of click handler in patch for #2834 causes failure of automation tests. This patch reverts the problematic part. It should not affect function of fix for #2824. https://fedorahosted.org/freeipa/ticket/3014
* Restrict the SELinux user map user MLS value to 0-1023Rob Crittenden2012-08-292-1/+13
| | | | https://fedorahosted.org/freeipa/ticket/3001
* Update Contributors.txt fileMartin Kosek2012-08-281-8/+14
| | | | Update list of active developers working on IPA.
* Improves deletion of PTR records in ipa host-delTomas Babej2012-08-281-1/+6
| | | | | | | Command ipa host-del with --updatedns now can deal both with hosts which zones are in FQDN form with or without a trailing dot. https://fedorahosted.org/freeipa/ticket/2809
* Fix managedBy label for DNS zoneMartin Kosek2012-08-263-3/+16
| | | | | | | | | | | | Even though managedBy output parameter was only used for failed host managedBy memberships, it was defined in global baseldap.py classes. Incorrect label was then being displayed also for DNS zone per-zone permission attribute with the same name. Move managedBy output parameter to host plugin. Define proper managedBy output parameter in DNS plugin to improve clarity of this attribute. https://fedorahosted.org/freeipa/ticket/2946
* Ticket #2850 - Ipactl exception not handled wellJohn Dennis2012-08-272-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ticket #2850 - Ipactl exception not handled well There were various places in ipactl which intialized IpactlError with None as the msg. If you called str() on that exception all was well because ScriptError.__str__() converted a msg with None to the empty string (IpactlError is subclassed from ScriptError). But a few places directly access e.msg which will be None if initialized that way. It's hard to tell from the stack traces but I'm pretty sure it's those places which use e.msg directly which will cause the problems seen in the bug report. I do not believe it is ever correct to initialize an exception message to None, I don't even understand what that means. On the other hand initializing to the empty string is sensible and for that matter is the default for the class. This patch makes two fixes: 1) The ScriptError initializer will now convert a msg parameter of None to the empty string. 2) All places that initialized IpactlError's msg parameter to None removed the None initializer allowing the msg parameter to default to the empty string. I don't know how to test the fix for Ticket #2850 because it's not clear how it got into that state in the first place, but I do believe initialing the msg value to None is clearly wrong and should fix the problem.
* Don't generate password history error if history is set to 0.Rob Crittenden2012-08-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2805
* Ask for admin password in ipa-adtrust-installAlexander Bokovoy2012-08-242-0/+46
| | | | | | | | | The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command. https://fedorahosted.org/freeipa/ticket/2852
* Ticket #3008: DN objects hash differently depending on caseJohn Dennis2012-08-223-30/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Because the attrs & values in DN's, RDN's and AVA's are comparison case- insensitive the hash value between two objects which compare as equal but differ in case must also yield the same hash value. This is critical when these objects are used as a dict key or in a set because dicts and sets use the object's __hash__ value in conjunction with the objects __eq__ method to lookup the object. The defect is the DN, RDN & AVA objects computed their hash from the case- preserving string representation thus two otherwise equal objects incorrectly yielded different hash values. The problem manifests itself when one of these objects is used as a key in a dict, for example a dn. dn1 = DN(('cn', 'Bob')) dn2 = DN(('cn', 'bob')) dn1 == dn2 --> True hash(dn1) == hash(dn2) --> False d = {} d[dn1] = x d[dn2] = y len(d) --> 2 The patch fixes the above by lower casing the string representation of the object prior to computing it's hash. The patch also corrects a spelling mistake and a bogus return value in ldapupdate.py which happened to be discovered while researching this bug.
* Adds dependency on samba4-winbind.Tomas Babej2012-08-221-0/+4
| | | | | Dependency on samba4-winbind has been added to the package freeipa-server-trust-ad.
* Add ACI to allow regenerating ipaNTHash from ipasamAlexander Bokovoy2012-08-221-1/+2
| | | | | | ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute, Part 2 of https://fedorahosted.org/freeipa/ticket/3016
* Fix ipasam ipaNThash magic regen to actually fetch updated passwordAlexander Bokovoy2012-08-221-13/+9
| | | | | | | With this change ipasam is able to ask for ipaNTHash generation and if corresponding Kerberos key is available, will be able to retrieve generated ipaNTHash. Part 1 of https://fedorahosted.org/freeipa/ticket/3016
* Recover from invalid cached kerberos credentials in ipasamAlexander Bokovoy2012-08-221-37/+77
| | | | | | | | | | | | | | | | When developing and testing in the same environment, multiple re-installs may be needed. This means previously issued and cached Kerberos credentials will become invalid upon new install. ipasam passdb module for Samba uses Kerberos authentication when talking to IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime. However, the ccache is not removed automatically and if IPA setup is made again, cached credentials are used, only to discover that they are invalid. With this change invalid correctly obtained cached credentials are recognized and, if LDAP SASL bind fails, new credentials are requested from the KDC. https://fedorahosted.org/freeipa/ticket/3009
* Use libsamba-security instead of libsecuritySumit Bose2012-08-222-2/+2
| | | | | In samba4-beta6 the name of a library was changed from libsecurity to libsamba-security.
* Range Web UIPetr Vobornik2012-08-2114-3/+401
| | | | | | | | | | | Range web UI was implemented. It consist of: * new menu item - 'ranges' in 'IPA Server' tab * new search page * new details page https://fedorahosted.org/freeipa/ticket/2894
* Fix client-only buildMartin Kosek2012-08-171-1/+1
| | | | | | Client-only build unconditionally touched some files from freeipa-server package and thus the installation crashed. Fix spec file to enable client-only builds like "make client-rpms".
* Read DM password from option in external CA installMartin Kosek2012-08-171-1/+4
| | | | | | | | ipa-server-install with external CA could not be run in an unattended mode as DM password was required to decipher answer cache. https://fedorahosted.org/freeipa/ticket/2793
* Bump bind-dyndb-ldap version in spec fileMartin Kosek2012-08-171-1/+5
| | | | | | The updated version of the BIND LDAP plugin includes completed support of DNS zone transfers. With the new version, users will be able to configure slave DNS servers for IPA master DNS server.
* Become IPA v3 beta 2 (3.0.0.pre2)beta_2-3-0-0Rob Crittenden2012-08-151-1/+1
|
* Ignore lint errors if pysssd_murmur and samba4 support not installed when ↵Alexander Bokovoy2012-08-151-2/+2
| | | | | | | building client code. Since ipalib.plugins.trust has both client-side and server-side code, this is the only way to properly handle linting errors.
* trust CLI: add ID range for new trusted domainSumit Bose2012-08-153-2/+66
|
* extdom: read ranges from LDAPSumit Bose2012-08-151-0/+72
|
* Ticket #2584 - Installation fails when CN is set in certificate subject baseJohn Dennis2012-08-161-14/+13
| | | | | | | | | | | | | | | | | | It is illegal to have more than one CN attribute in a certificate subject. The subject command line arg is actually inserting a dn between a leading RDN with a CN attribute and a suffix. The final subject must have only CN attribute therefore the subject command line arg must not contain CN. The patch modifies the subject validation to prohibit CN. It also improves the error messages to clearly indicate which command line parameter caused the failure and why. While fixing the above it discovered the logic used for subject validation with an external CA was flawed. DN objects were not being used when they should be (certificate subject and issuer fields are dn syntax). That code was also fixed so that the comparisions between subjects and issuers were performed with DN objects. While fixing this it was noted the object type relationship between IPA DN objects and x509 DN objects was awkward, ticket 3003 was opened to address this.
* Validate default user in ordered list when using setattr, require MLSRob Crittenden2012-08-162-11/+24
| | | | | | The MLS was optional in the format, it should be required. https://fedorahosted.org/freeipa/ticket/2984
* Raise proper exception when given a bad DN attribute.Rob Crittenden2012-08-161-1/+4
|
* Use DN object for Directory Manager in ipa-replica-manage connect commandRob Crittenden2012-08-161-1/+1
|
* Convert PKCS#11 subject to string before passing to ipapython.DNRob Crittenden2012-08-151-1/+1
|
* Add internationalization to DCE RPC codeAlexander Bokovoy2012-08-141-10/+20
| | | | https://fedorahosted.org/freeipa/ticket/2964
* Raise Base64DecodeError instead of ConversionError when base64 decoding ↵Jan Cholasta2012-08-141-3/+3
| | | | | | fails in Bytes parameters. ticket 2962
* Improves exception handling in ipa-replica-prepare.Tomas Babej2012-08-142-1/+10
| | | | | | | | A backtrace is no longer displayed when trying to prepare a replica file with the local LDAP server down. Also adds --debug option and no longer displays info messages without it. https://fedorahosted.org/freeipa/ticket/2939
* Corrects help description of selinuxusermap.Tomas Babej2012-08-141-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/2959
* Handle SSSD restart crash more gently.Tomas Babej2012-08-141-1/+4
| | | | | | | | In ipa-client-install, failure of restart of sssd service no longer causes the crash of the install process. Adds a warning message to the root logger instead. https://fedorahosted.org/freeipa/ticket/2827
* Update other facets on delete from search pagePetr Vobornik2012-08-142-3/+27
| | | | | | | | When an object in search facet was deleted, other facets were not notified that they need to refresh. If one crated object with same pkey as deleted object and then navigated to it's details he could see old object's data. This notification was added. https://fedorahosted.org/freeipa/ticket/2618
* Disable caching of Web UI login_kerberos requestPetr Vobornik2012-08-141-0/+1
| | | | | | IE caches login_kerberos request so SSO doesn't work after logout. This patch disables the caching. https://fedorahosted.org/freeipa/ticket/2991
* Handle case when trusted domain user access the Web UIPetr Vobornik2012-08-141-1/+21
| | | | | | WebUI catches the fact that the user can't access LDAP server with a current ticket. It shows form-based auth login dialog. Previoustly an ugly error was returned on an almost empty page, and user had no recourse. https://fedorahosted.org/freeipa/ticket/2897
* Read-only external facet for non-external groupsPetr Vobornik2012-08-142-1/+57
| | | | | | | Added evaluators to decide if attribute facet should be read-only based on attribute level rights. Default values serves well for group's external member. https://fedorahosted.org/freeipa/ticket/2895
* Group external member facetPetr Vobornik2012-08-141-0/+15
| | | | | | Added 'external' attribute facet to group entity. It serves for displaying group's externalmember attribute. https://fedorahosted.org/freeipa/ticket/2895
generated by cgit (git 2.34.1) at 2025-09-03 21:53:42 +0000