| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
No other param/field has 'field' in a label.
|
| |
|
|
| |
Long words (ie. service principal) breaks out of notification area. It doesn't look good. Patch adds word-wrap to break them to multiple pieces.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes possible to run HBAC test requests
without being in 'trusted admins' group.
https://fedorahosted.org/freeipa/ticket/3803
|
| |
|
|
|
|
|
|
|
|
| |
When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.
For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.
Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:
- first, as we don't really know exact AD LDAP server names (any AD DC
can be used), constrained delegation would have to be defined against
a wild-card
- second, constrained delegation requires that target principal exists
in IPA LDAP as DN.
These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.
Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.
This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.
We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.
This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
https://fedorahosted.org/freeipa/ticket/3626
Part of https://fedorahosted.org/freeipa/ticket/3649
|
| |
|
|
|
|
|
|
|
|
|
| |
We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name
Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch optimizes options used in commands executed by search pages.
1) Removed --all from _find and _show commands used by search pages. All displayed attributes should be already included in default attributes.
2) Removed search_all_attributes - Not needed since introduction of paging.
3) Added --no-members options to search _show commmands. Members are not displayed on search pages and such change drastically improves performance. It reduces computations on server and amount of data transferred to Web UI.
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3706
|
| |
|
|
|
|
|
| |
Fix internal error in idrange-add, caused by a missing 'name' argument of
ValidationError.
https://fedorahosted.org/freeipa/ticket/3781
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3771
|
| |
|
|
|
|
|
| |
IPA uses "ipa" as the "package name" for all translations,
even in the ipa-client package.
https://fedorahosted.org/freeipa/ticket/3695
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3772
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3785
|
| |
|
|
|
|
|
|
| |
The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.
https://fedorahosted.org/freeipa/ticket/3782
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3749
|
| |
|
|
|
|
|
|
|
|
| |
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
SELinux upgrade issues
https://fedorahosted.org/freeipa/ticket/3788
|
| |
|
|
|
|
| |
Also add an option to ipautil.run to redirect command output to /dev/null.
https://fedorahosted.org/freeipa/ticket/3767
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
|
| |
|
|
|
|
| |
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
| |
Host and DNS adder dialogs used span element as container for block elements. It's not valid nor consistent with other forms.
'span' was replaced by 'div'
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
| |
1. add class to active facet instead of using direct style modification for hiding/showing
2. add name attribute to tables and dialog buttons and error dialog
https://fedorahosted.org/freeipa/ticket/3744
|
| |
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3434
|
| | |
|
| |
|
|
| |
The main case for this is having ticket numbers in the Beaker ouput.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Logs from Beaker jobs are normally very brief, with the standard
output/error containing detailed information. Make ipa-run-tests
with BeakerLib plugin follow this convention.
Only include INFO and higher level messages in the Beaker logs.
Downgrade several message levels to DEBUG.
Log to console using Python logging instead of showing the Beaker logs.
Since ipa-run-tests sets up its own logging, Nose's own log
handling just causes duplicate messages. Disable it with --nologcapture.
|
| |
|
|
|
|
|
| |
Phase names are now in the format:
test-module-TestClass-test_method: First line of docstring
https://fedorahosted.org/freeipa/ticket/3723
|
| |
|
|
|
|
|
|
|
|
| |
- Use the external hostname when connecting to remote hosts
- Make it possible to specify working directory for remote commands
- Move kinit calls to installation code
This allows tests where installation is done later
- Log at error level when a remote command fails unexpectedly
- Clean up test directory before testing
- Break infinite recursion in mkdir_recursive if dir can't be created
|
| |
|
|
|
|
|
|
| |
Set up the hostname, /etc/resolv.conf, and /etc/hosts on remote
hosts in the test setup.
Undo the changes in test teardown.
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
| |
Output from IPA's log manager is not captured by Nose's logcapture plugin.
Forward IPA logs to a regular Python logger so that they are shown
on failures.
IPA log messages are also shown on standard error.
Filter out Paramiko logs by default; these are too verbose.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
| |
After each test, and after class setups and teardowns, the BeakerLib
integration plugin now downloads log files from the remote masters
and submits them using rlFileSubmit.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Introduce a class inspired by subprocess.Popen that handles
running a command on a remote machine and handling its output.
To separate stdout & stderr streams of a remote command,
they need to be read in parallel, so that one of them doesn't
stall the runner when its buffer fills up. Accomplish this
by using a thread for each stream.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
|
| |
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.
Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
|
| |
|
|
|
|
|
|
|
|
| |
Tests in test classes decorated by @ipatests.order_plugin.ordered
are sorted by the source line number instead of alphabetically,
if the plugin is enabled.
The ipa-run-tests helper now loads and enables the plugin.
This should make writing integration tests easier.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3745
|
| |
|
|
|
|
|
| |
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).
https://fedorahosted.org/freeipa/ticket/3739
|
| |
|
|
|
|
|
|
|
|
| |
Using the --ignore-dependencies switch was causing the ipactl stop command
not to stop all instances of dirsrv and dogtag. Make sure the switch is used
only when necessary, i.e. to prevent ipa-otpd.socket from getting stuck during
the shutdown transaction.
https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3765
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.
If the DM password is changed after the IPA server installation, the replication
fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
|
| |
|
|
|
|
|
|
|
|
| |
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.
When --range-type option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3729
|
