summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fixed problem when attributes_widget was displaying empty optionPetr Voborník2012-02-201-1/+6
| | | | | | Attribute table was modified to skip creation of option for empty value. https://fedorahosted.org/freeipa/ticket/2291
* policy: add function to check lockout policySimo Sorce2012-02-193-1/+62
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2393
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-202-1/+6
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Add common helper for interactive promptsPetr Viktorin2012-02-192-30/+40
| | | | | | | | | | | | | | | This patch adds a common method, textui.prompt_helper, that handles encoding, decoding and error handling for interactive prompts. On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises a new InvocationError, PromptFailed. The helper is used in prompt, prompt_yesno, and prompt_password, each of which originally only handled one of Ctrl+C and Ctrl+D. This fixes https://fedorahosted.org/freeipa/ticket/2345 And it means prompt_yesno will no longer return None on error. A minor fix restores errors.py's ability print out the list of errors when run as a script.
* Add extra checking function to XMLRPC test frameworkPetr Viktorin2012-02-192-8/+43
| | | | | | | | | | | | | | | | This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add ability in test framework to compare two values in result) in a general way: adding an optional extra_check key to the test dict, so a custom checking function with access to the whole result can be called. The particular test mentioned in that issue, checking that the uidnumber and gidnumber for new isers are the same, is added. Also, this adds a docstring to the Declarative class. And finally, the test dictionary is passed to check() via keyword arguments, preventing spelling mistakes in keys from going unnoticed.
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Ease zonemgr restrictionsMartin Kosek2012-02-205-10/+7
| | | | | | | | | | | | Admin e-mail validator currently requires an email to be in a second-level domain (hostmaster@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed. This patch also fixes default zonemgr value in help texts and man pages. https://fedorahosted.org/freeipa/ticket/2272
* ipa-kdb: Fix ACL evaluatorSimo Sorce2012-02-201-1/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2343
* Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema ↵Rob Crittenden2012-02-151-1/+5
| | | | | | replication. https://fedorahosted.org/freeipa/ticket/2118
* Require krb5 1.10Simo Sorce2012-02-161-2/+2
|
* Remove compat definesSimo Sorce2012-02-161-32/+0
| | | | | | | These definitions were needed during development to be a le to build against krb5 version < 1.10 These function headers and defintions are now available in 1.10 that is a hard dependency for freeipa 3.0, so we can safely drop them.
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-154-7/+7
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Configure ipa_memcached when a replica is installed.Rob Crittenden2012-02-161-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2401
* Enable ipa_memcached when upgradingRob Crittenden2012-02-164-9/+41
| | | | | | | | | | Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
* ipa-kdb: set krblastpwdchange only when keys have been effectively changedSimo Sorce2012-02-151-2/+4
|
* ipa-kdb: Avoid lookup on modify if possibleSimo Sorce2012-02-151-19/+27
| | | | This avoids one useless search if we already have the entry_dn.
* Disable false pylint error in freeipa-systemd-upgradeRob Crittenden2012-02-151-1/+1
|
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Remove Apache ccache on upgrade.Rob Crittenden2012-02-152-0/+7
| | | | | | | Make this removal a common function that can be shared between installer and upgrade tool. https://fedorahosted.org/freeipa/ticket/2395
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-152-7/+7
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-154-1/+15
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-157-17/+33
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.confRob Crittenden2012-02-152-1/+76
| | | | | | | | | | | The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On upgrade it will be left running by the previous installation, we need to stop it and uninstall the service. The dbmodules section needs to reflect that we're now using the new IPA kdb backend instead of the standard MIT ldap backend. https://fedorahosted.org/freeipa/ticket/2341
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
* Redirection to PTR records from A,AAAA recordsPetr Voborník2012-02-153-2/+255
| | | | | | | | | | | | | | | | | | | Address column in A, AAAA DNS records was exented of redirection capabilities. Redirection dialog is shown after a click on a value. Dialog does following steps: 1) fetch all dns zones 2) find most accurate reverse zone for IP address 2 -fail) show error message, stop 3) checks if target record exists in the zone 3 -fail) show 'dns record create link', stop 4) redirects Click on 'dns record create link': 1) creates record 1 -fail) show error, stop 2) redirects https://fedorahosted.org/freeipa/ticket/1975
* UI support for ssh keysPetr Voborník2012-02-1515-26/+369
| | | | | | | | To user and host details pages was added ipasshpubkey attribute. New widget for ssh public keys was created. https://fedorahosted.org/freeipa/ticket/2340
* ipa-kdb: add AS auditing supportSimo Sorce2012-02-148-91/+257
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2334
* Don't use sets when calculating the modlist so order is preserved.Rob Crittenden2012-02-131-4/+5
| | | | | | | | | | | | This is for the LDAP updater in particular. When adding new schema order can be important when one objectclass depends on another via SUP. This calculation will preserve the order of changes in the update file. Discovered trying to add SSH schema. https://fedorahosted.org/freeipa/ticket/754
* Move the compat module from ipalib to ipapython.Jan Cholasta2012-02-135-4/+4
| | | | | | Fixes import problems trying to import just ipalib/compat.py. https://fedorahosted.org/freeipa/ticket/754
* Add SSH service to platform-specific services.Jan Cholasta2012-02-133-4/+23
| | | | | | | | Add method for getting configuration directory path of a service, so that a different SSH configuration directory can be specified on different platforms. https://fedorahosted.org/freeipa/ticket/754
* Base64-decode unicode values in Bytes parameters.Jan Cholasta2012-02-133-9/+19
| | | | | | | | | | | Fix wrong handling of strings in --setattr/--addattr/--delattr. These changes make it possible to use Bytes in --setattr/--addattr/ --delattr without errors. Fixes managing SSH keys on command-line https://fedorahosted.org/freeipa/ticket/754
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-136-0/+142
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-137-3/+86
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Move the nsupdate functionality to separate function in ipa-client-install.Jan Cholasta2012-02-131-18/+26
| | | | | | Done as part of adding SSH support. https://fedorahosted.org/freeipa/ticket/1634
* Add API initialization to ipa-client-install.Jan Cholasta2012-02-132-10/+30
| | | | | | | | This change makes it possible to call IPA commands from ipa-client-install. Done to support adding SSH host keys to DNS. https://fedorahosted.org/freeipa/ticket/1634
* Add support for SSH public keys to user and host objects.Jan Cholasta2012-02-138-35/+192
| | | | | | | | | | | This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is base64-encoded public key blob as specified in RFC4253, section 6.6. Additionaly, host commands automatically update DNS SSHFP records when requested by user. https://fedorahosted.org/freeipa/ticket/754
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-134-0/+52
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-135-0/+29
| | | | https://fedorahosted.org/freeipa/ticket/754
* Internationalization for HBAC and ipalib.outputPetr Viktorin2012-02-143-13/+13
| | | | | | | | | | | * hbacrule: Internationalize HBAC rule "all" category exceptions https://fedorahosted.org/freeipa/ticket/2267 * hbactest: Use internationalized names (doc) instead of names for output items Also don't convert result to bool, `not` does it implicitly * ipalib.output: Internationalize descriptions of some standard entries
* Removed question marks from field labelsPetr Voborník2012-02-142-4/+4
| | | | | | | In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group". In host search facet, the "Enrolled?" was replaced with "Enrolled". https://fedorahosted.org/freeipa/ticket/2353
* Fixed entity link disablingPetr Vobornik2012-02-141-2/+6
| | | | | | | | | | Problem: Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state. Fixed: The link is disabled when target doesn't exist. https://fedorahosted.org/freeipa/ticket/2364
* Add Petr Viktorín to Contributors.txtMartin Kosek2012-02-101-0/+1
|
* Clean up i18n stringsPetr Viktorin2012-02-105-19/+21
| | | | | | | | | | | This patch switches to named ("%(name)s") instead of positional ("%s") substitutions for internationalized strings, so translators can reorder the words. This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no longer gives warnings). Also, some i18n calls are rewritten to translate the template before substitutions, not after.
* Fixed ipa.js for sessions.Endi S. Dewata2012-02-091-8/+9
| | | | | | | | | | The patch fixes a problem in error_handler_login() when it gets an error other than 401. The login_url is not needed for fixtures because it does not need authentication. The patch also fixes jslint warnings and formatting issues.
* add session manager and cache krb authJohn Dennis2012-02-0912-31/+1843
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* Add ipa_memcached serviceJohn Dennis2012-02-098-0/+189
| | | | | | | | | | | | | | | | | | | | | | | * Adds ipa_memcached SystemV initscript * Adds ipa_memcached service file and tmpfiles.d/ipa.conf to recreate /var/run/ipa_memcached on reboot. * Adds ipa_memcached config file * Adds memcacheinstnace.py to manage ipa_memcaced as as SimpleService object. * Updates the IPA service list to include ipa_memcached, at service positon 39, httpd is position 40 * Updates the spec file: - requires the memcached daemon and python client - installs service or initscripts depending on OS - installs config file - creates /var/run/ipa_memcached directory * Modifies ipa-server-install to install ipa_memcached
* Adopt to python-ldap 2.4.6 by removing unused references which are not ↵Alexander Bokovoy2012-02-081-1/+1
| | | | available in python-ldap anymore
* Handle upgrade issues with systemd in Fedora 16 and aboveAlexander Bokovoy2012-02-083-21/+113
| | | | | | | | | | | | Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are configured via /etc/sysconfig/dirsrv.systemd. It means logic change in systemd/fedora16 platform of FreeIPA. Additionally, existing installs need to be handled during upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/2117 https://fedorahosted.org/freeipa/ticket/2300
* Add management of inifiles to allow manipulation of systemd unitsAlexander Bokovoy2012-02-081-1/+99
| | | | | | | | | | | inifile_replace_variables() works similar to config_replace_variables() but allows to apply changes to specific section of an inifile. Inifiles are commonly used by freedesktop.org software and particularly used by systemd. When modifying inifile, all changes will be applied to specific section. Also fixes corner case in config_replace_variables() which would dublicate variables when adding them.
generated by cgit (git 2.34.1) at 2025-09-03 22:39:40 +0000