Commit message | Author | Age | Files | Lines
...
* Ask for user confirmation in ipa-server-install | Martin Kosek | 2011-12-07 | 1 | -6/+19
  Summarize entered IPA server configuration so that user can examine it and stop the installation process in case of error. Before this patch, user had to know which question is the last one and check the values he entered in various places during the interactive wizard.
  https://fedorahosted.org/freeipa/ticket/1083
* Added HBAC Test page. | Endi Sukma Dewata | 2011-12-06 | 13 | -57/+710
  This is the initial implementation of HBAC Test page. Currently it can select user, source/target group, service, rules, and execute the test. Other functionalities to be implemented include the search filter, external users/hosts, back/next buttons, validation, styling, and internalization.
  Ticket #388
* Refactored facet.load(). | Endi Sukma Dewata | 2011-12-06 | 15 | -420/+454
  The load() in IPA.facet has been modified to accept the complete data returned by the server instead of just the result. This is needed by HBAC Test to access other attributes returned in the test result.
  Ticket #388
* Fixed entity metadata resolution. | Endi Sukma Dewata | 2011-12-06 | 19 | -106/+148
  The current code assumes that an entity will always have a corresponding LDAPObject on the server, so it looks for the metadata in a fixed location. This assumption doesn't work for HBAC Test since it is a Command, not an LDAPObject, so the metadata has to be obtained from a different location. A new method get_default_metadata() has been added to allow each entity to find the metadata from the correct location.
  Ticket #388
* Added support for radio buttons in table widget. | Endi Sukma Dewata | 2011-12-06 | 4 | -52/+354
  The table widget has been modified to support single-valued attribute using radio buttons needed by some facets in HBAC Test. The widget now uses 'pagination' flag to determine whether to show the pagination control. The test data has also been updated.
  Ticket #388
* Added commands into metadata. | Endi S. Dewata | 2011-12-06 | 12 | -63/+10902
  The json_metadata command has been modified to accept some new options and return the commands metadata. The API.txt has been updated as well. The UI has been modified to use commands metadata instead of methods metadata.
  Ticket #388
* Client install checks for nss_ldap | Ondrej Hamada | 2011-12-05 | 1 | -18/+44
  In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option there was added code into ipa-client-install.

  Checking is based on existence of one of nss_ldap configuration files. This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file. All this checking is done by function nssldap_exists().

  Because both modules are maintained by two different functions, the function returns tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. nssldap_exists() also returns True if any of the mandatory files was found, otherwise returns False.

  In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore.

  https://fedorahosted.org/freeipa/ticket/2063
* Mark some attributes required to match the schema. | Rob Crittenden | 2011-12-05 | 4 | -19/+32
  This makes no changes to the functionality in the command-line or GUI because these all have defaults anyway. This is mostly to show them properly in the UI and prevent someone from trying to erase the value (and getting a nasty schema error in response).
  https://fedorahosted.org/freeipa/ticket/2015
* Remove extraneous trailing single quote in nis.uldif | Rob Crittenden | 2011-12-05 | 1 | -1/+1
* Make pwd-extop aware of new ipaNTHash attribute | Sumit Bose | 2011-12-06 | 5 | -29/+89
* activate CLDAP | Sumit Bose | 2011-12-06 | 2 | -2/+5
* Add ipasam samba passdb backend | Sumit Bose | 2011-12-06 | 8 | -2/+3334
  https://fedorahosted.org/freeipa/ticket/1874
* Fix some pylint warnings | Sumit Bose | 2011-12-06 | 2 | -41/+68
* Use new objectclasses and attributes for trust | Sumit Bose | 2011-12-06 | 1 | -14/+32
* Add trust objectclass and attributes to v3 schema | Sumit Bose | 2011-12-06 | 1 | -0/+10
* Move our own domain info into cn=etc | Sumit Bose | 2011-12-06 | 1 | -9/+17
  https://fedorahosted.org/freeipa/ticket/2001
* Removed usage of bitwise assignment operators in logical operations | Petr Vobornik | 2011-12-05 | 5 | -8/+8
  JavaScript &= and |= are bitwise operators. They are shortened version of:
      foo = foo & bar
      foo = foo | bar
  In some places they were used as shortened version of logical operation and assignment.
      foo = foo && bar
  It led to type conversion to Number which is wrong (0 !== false). This patch replaces such occurrences with full version of logical operation and assignment.
  https://fedorahosted.org/freeipa/ticket/2040
* Fixed unit tests after widget refactoring | Petr Vobornik | 2011-12-05 | 13 | -295/+478
  https://fedorahosted.org/freeipa/ticket/2040
* Modifying automount to work with new concept | Petr Vobornik | 2011-12-05 | 2 | -6/+19
  https://fedorahosted.org/freeipa/ticket/2040
* Changing definition of basic fields in section from factory to type | Petr Vobornik | 2011-12-05 | 7 | -102/+125
  https://fedorahosted.org/freeipa/ticket/2040
* Code cleanup of HBAC, Sudo rules | Petr Vobornik | 2011-12-05 | 6 | -1191/+1030
  https://fedorahosted.org/freeipa/ticket/1515
* Modifying groups to work with new concept | Petr Vobornik | 2011-12-05 | 1 | -3/+3
  https://fedorahosted.org/freeipa/ticket/2040
* Modifying ACI to work with new concept | Petr Vobornik | 2011-12-05 | 1 | -97/+212
  https://fedorahosted.org/freeipa/ticket/2040
* Separation of writable update from field load method | Petr Vobornik | 2011-12-05 | 1 | -4/+9
* Modifying services to work with new concept | Petr Vobornik | 2011-12-05 | 1 | -60/+105
  https://fedorahosted.org/freeipa/ticket/2040
* Modifying dns to work with new concept | Petr Vobornik | 2011-12-05 | 1 | -48/+93
  https://fedorahosted.org/freeipa/ticket/2040
* Modifying hosts to work with new concept | Petr Vobornik | 2011-12-05 | 2 | -103/+196
  https://fedorahosted.org/freeipa/ticket/2040
* Modifying users to work with new concept | Petr Vobornik | 2011-12-05 | 1 | -40/+56
  https://fedorahosted.org/freeipa/ticket/2040
* Added possibility to define facet/dialog specific policies | Petr Vobornik | 2011-12-05 | 2 | -1/+79
  After deleting section as a special type of object a new way of defining inter-field logic is needed. For this purpose a facet_policy was created. It is a simple object with init() method. Init method should contain logic for attaching to fields' or widgets' events. When a policy is added to facet or dialog its container property should be set to that facet or dialog. It gives the policy an access to fields and widgets. Init method should be called after widgets creation.
  https://fedorahosted.org/freeipa/ticket/2040
* Removing sections as special type of object | Petr Vobornik | 2011-12-05 | 13 | -625/+402
  Sections are changed into pure widget objects. Introduced IPA.composite_widget, basic widget for widget nesting (it's using IPA.widget_container). It's base class for section widgets.
  TODO: change old custom sections into custom fields and widgets.
  Note: usage of section in HBAC and SUDO is kept - whole logic will be removed in #1515 patch.
  https://fedorahosted.org/freeipa/ticket/2040
* Builders and collections for fields and widgets | Petr Vobornik | 2011-12-05 | 3 | -0/+373
  Introduced IPA.field_container and IPA.widget_container.
  IPA.field_container: collection for fields. Can set logical container (facet, dialog...) to fields.
  IPA.widget_container: collection for widgets. Has basic searching capability within widget tree.
  Introduced field_builder, widget_builder, section_builder, details_builder. All are used for building fields and widgets. Field_builder and widget_builder have the main building logic. Section_builder can create content based on current section spec. Details builder defines a strategy for building content.
  https://fedorahosted.org/freeipa/ticket/2040
* Improved fields dirty status detection logic | Petr Vobornik | 2011-12-05 | 1 | -22/+26
* Splitting basic widgets into visual widgets and fields | Petr Vobornik | 2011-12-05 | 9 | -367/+495
  https://fedorahosted.org/freeipa/ticket/2040
* Splitting widget into widget and field | Petr Vobornik | 2011-12-05 | 5 | -275/+422
  Splitting IPA.widget into IPA.field (logical part) and IPA.widget, IPA.input_widget (visual part).
  https://fedorahosted.org/freeipa/ticket/2040
* Added cross browser support of Array.indexOf method | Petr Vobornik | 2011-12-02 | 3 | -0/+63
  https://fedorahosted.org/freeipa/ticket/2151
* Sort password policy by priority | Ondrej Hamada | 2011-12-01 | 2 | -3/+22
  'ipa pwpolicy-find' output is now sorted by priority of the policies. Lower position means lower priority. Global policy is then at the bottom.

  The changes have also affected LDAPSearch class in baseldap.py: LDAPSearch class sorts the search results by primary key by default (which is usually 'cn'). Therefore a function pointer entries_sortfn was added. If no sorting function exists, default sorting by primary key is used.

  Sorting function had to be introduced due to the fact that pwpolicy's primary key is also its 'cn' and global policy is not allowed to have any priority.

  https://fedorahosted.org/freeipa/ticket/2045
* ipa-kdb: fix memleaks in ipa_kdb_mspac.c | Simo Sorce | 2011-12-02 | 1 | -7/+8
* ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles | Simo Sorce | 2011-12-02 | 1 | -2/+0
* Fix config migration option | Martin Kosek | 2011-11-30 | 1 | -5/+0
  Make sure that --enable-migration in config plugin works correctly and user can use it to both enable and disable migration.
  https://fedorahosted.org/freeipa/ticket/2150
* Restore default log level in server to INFO | John Dennis | 2011-12-01 | 3 | -51/+40
  The default log level for server messages captured by httpd's error_log historically was INFO. The log_manager patch had it set to ERROR, this patch resets it back to INFO.

  Although it would have been trivial to set the default_level to INFO in IPALogManager.configure_from_env() that is not logically the correct place. It would be much better if the default_level can be reset by simply assigning it to the log_mgr. To accomplish that LogManager.default_level was converted to a property with a getter and setter. The setter runs LogManager.apply_configuratin() after the default_level is modified. LogManager.set_default_level() was also added to allow simultaneously updating the configure_state.

  While testing some minor problems were observed and also fixed:

  * Removed some print statement which had been left in by mistake
  * Removed the ability to set the handler level in the config file because of chicken-and-egg issues of when handlers get created. The Env config file format is too inflexible to support detailed logging configuration. If the Env config format is ever made more flexible we can come back and add this back in. The handler config setting in Env had never been used and never worked so there is no issue in removing it.
* Fix make-lint crash under certain circumstances. | Jan Cholasta | 2011-11-30 | 1 | -1/+1
  ticket 2136
* Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True. | Jan Cholasta | 2011-11-30 | 18 | -542/+540
  Remove "List" parameter type and replace all occurrences of it with appropriate multi-valued parameter ("Str" in most cases) with csv enabled.
  Add new parameter type "Any", capable of holding values of any type. This is needed by the "batch" command, as "Str" is not suitable type for the "methods" parameter.
  ticket 2007
* Add DNS service records for Windows | Sumit Bose | 2011-11-30 | 3 | -3/+64
  https://fedorahosted.org/freeipa/ticket/1939
* ipa-kdb: fix free() of uninitialized var | Simo Sorce | 2011-11-29 | 1 | -0/+1
* Change default DNS zone manager to hostmaster | Martin Kosek | 2011-11-29 | 2 | -3/+3
  Change our default zone manager to hostmaster@<domain> (as per RFC 2142 recommendation).
  https://fedorahosted.org/freeipa/ticket/1981
* Improve zonemgr validator and normalizer | Martin Kosek | 2011-11-29 | 3 | -27/+49
  The validator has been improved to support better both SOA format (e-mail address in a domain name format, without '@') and standard e-mail format. Allow '\.' character in a SOA format encoding the standard '.' in the local-part of an e-mail. Normalization code has been moved to one common function.
  https://fedorahosted.org/freeipa/ticket/2053
* spec: We do not need krb5-server-ldap anymore | Simo Sorce | 2011-11-29 | 1 | -1/+0
  We now use our own ipa-kdb DAL driver
* ipa-kdb: Support re-signing PAC with different checksum | Simo Sorce | 2011-11-29 | 1 | -2/+52
  Fixes: https://fedorahosted.org/freeipa/ticket/2122
* Revert "Add DNS service records for Windows" | Martin Kosek | 2011-11-29 | 1 | -25/+0
  A wrong version of the patch has been pushed.
  This reverts commit d24dda2fe3e188b4904deb184cc098d979e7f611.
* ticket #1870 - subclass SimpleLDAPObject | John Dennis | 2011-11-29 | 4 | -71/+164
  We use convenience types (classes) in IPA which make working with LDAP easier and more robust. It would be really nice if the basic python-ldap library understood our utility types and could accept them as parameters to the basic ldap functions and/or the basic ldap functions returned our utility types.

  Normally such a requirement would trivially be handled in an object-oriented language (which Python is) by subclassing to extend and modify the functionality. For some reason we didn't do this with the python-ldap classes.

  python-ldap objects are primarily used in two different places in our code, ipaserver.ipaldap.py for the IPAdmin class and in ipaserver/plugins/ldap2.py for the ldap2 class's .conn member.

  In IPAdmin we use a IPA utility class called Entry to make it easier to use the results returned by LDAP. The IPAdmin class is derived from python-ldap.SimpleLDAPObject. But for some reason when we added the support for the use of the Entry class in SimpleLDAPObject we didn't subclass SimpleLDAPObject and extend it for use with the Entry class as would be the normal expected methodology in an object-oriented language, rather we used an obscure feature of the Python language to override all methods of the SimpleLDAPObject class by wrapping those class methods in another function call. The reason why this isn't a good approach is:

  * It violates object-oriented methodology.
  * Other classes cannot be derived and inherit the customization (because the method wrapping occurs in a class instance, not within the class type).
  * It's non-obvious and obscure
  * It's inefficient.

  Here is a summary of what the code was doing:

  It iterated over every member of the SimpleLDAPObject class and if it was callable it wrapped the method. The wrapper function tested the name of the method being wrapped, if it was one of a handful of methods we wanted to customize we modified a parameter and called the original method. If the method wasn't of interest to us we still wrapped the method.

  It was inefficient because every non-customized method (the majority) executed a function call for the wrapper, the wrapper during run-time used logic to determine if the method was being overridden and then called the original method. So every call to ldap was doing extra function calls and logic processing which for the majority of cases produced nothing useful (and was non-obvious from brief code reading some methods were being overridden).

  Object-orientated languages have support built in for calling the right method for a given class object that do not involve extra function call overhead to realize customized class behaviour. Also when programmers look for customized class behaviour they look for derived classes. They might also want to utilize the customized class as the base class for their use.

  Also the wrapper logic was fragile, it did things like: if the method name begins with "add" I'll unconditionally modify the first and second argument. It would be so much cleaner if the "add", "add_s", etc. methods were overridden in a subclass where the logic could be seen and where it would apply to only the explicit functions and parameters being overridden.

  Also we would really benefit if there were classes which could be used as a base class which had specific ldap customization.

  At the moment our ldap customization needs are:

  1) Support DN objects being passed to ldap operations
  2) Support Entry & Entity objects being passed into and returned from ldap operations.

  We want to subclass the ldap SimpleLDAPObject class, that is the base ldap class with all the ldap methods we're using. IPASimpleLDAPObject class would subclass SimpleLDAPObject class which knows about DN objects (and possibly other IPA specific types that are universally used in IPA). Then IPAEntrySimpleLDAPObject would subclass IPASimpleLDAPObject which knows about Entry objects.

  The reason for the suggested class hierarchy is because DN objects will be used whenever we talk to LDAP (in the future we may want to add other IPA specific classes which will always be used). We don't add Entry support to the IPASimpleLDAPObject class because Entry objects are (currently) only used in IPAdmin.

  What this patch does is:

  * Introduce IPASimpleLDAPObject derived from SimpleLDAPObject. IPASimpleLDAPObject is DN object aware.
  * Introduce IPAEntryLDAPObject derived from IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware.
  * Derive IPAdmin from IPAEntryLDAPObject and remove the funky method wrapping from IPAdmin.
  * Code which called add_s() with an Entry or Entity object now calls addEntry(). addEntry() always existed, it just wasn't always used. add_s() had been modified to accept Entry or Entity object (why didn't we just call addEntry()?). The add*() ldap routine in IPAEntryLDAPObject have been subclassed to accept Entry and Entity objects, but that should probably be removed in the future and just use addEntry().
  * Replace the call to ldap.initialize() in ldap2.create_connection() with a class constructor for IPASimpleLDAPObject. The ldap.initialize() is a convenience function in python-ldap, but it always returns a SimpleLDAPObject created via the SimpleLDAPObject constructor, thus ldap.initialize() did not allow subclassing, yet has no particular ease-of-use advantage thus we're better off using the obvious class constructor mechanism.
  * Fix the use of _handle_errors(), it's not necessary to construct an empty dict to pass to it.

  If we follow the standard class derivation pattern for ldap we can make use of our own ldap utilities in a far easier, cleaner and more efficient manner.