summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Don't set migrated user's GID to that of default users group.Rob Crittenden2012-02-291-3/+8
| | | | | | The GID should be the UID unless UPG is disabled. https://fedorahosted.org/freeipa/ticket/2430
* Validate attributes in permission-addOndrej Hamada2012-02-282-0/+120
| | | | | | | | | | | When adding or modifying permission with both type and attributes specified, check whether the attributes are allowed for specified type. In case of disallowed attributes raises the ObjectclassViolation exception. New tests were also added to the unit-tests. https://fedorahosted.org/freeipa/ticket/2293
* Warn that deleting replica is irreversible, try to detect reconnection.Rob Crittenden2012-02-292-1/+24
| | | | | | | | | | | | | Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126
* Fix nested netgroups in NIS.Rob Crittenden2012-02-292-1/+6
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-296-41/+99
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Added attrs to permission when target is group or filterPetr Voborník2012-02-293-36/+122
| | | | | | | | | | | | Option to set attributes in permission was missing for target 'group' and 'filter'. Attribute_table_widget with type=group is shown for target=group. For target=filter a multivalued textbox is shown. This is because UI can't predict what type will the result of the filter be. In future it can be extended by interactive attribute selector to help user find what he wants to enter. Mutlivalued widget was modified to show undo button for new entries even if show_undo is false. It is useful in adder dialog to indicate that user added something and to enable it reversal. https://fedorahosted.org/freeipa/ticket/2372
* Multiple fields for one attributePetr Voborník2012-02-295-18/+21
| | | | | | | | | | Current implementation has a limitation to have one field per one attribute. This is fine for most cases. For cases where an attribute can have two editor widgets which can be swapped a need for two different types of field may occur. This patch introduces 'param' option which supposes to contain attribute name. If 'param' is not specified it will contain field's name therefore backward compatibility is maintained. This extension allows to have two fields with different name and same param -> two fields get/supply value from/to the same attribute. Needed for: https://fedorahosted.org/freeipa/ticket/2372
* Fixed selection of single value in comboboxPetr Voborník2012-02-291-9/+15
| | | | | | | | | | | | When editable combobox had only one option and input field was cleared, the option couldn't be selected if it was selected before. This patch adds click handler to option elements. The handler calls select_on_change. When different option is selected select_on_change is executed twice. To avoid duplicate call of value_changed an open state of option area is checked. In first pass the area will be closed so it won't be executed in second. When selected option is clicked, only onclick handler is processed. This patch assumes that select event will be processed before click event. https://fedorahosted.org/freeipa/ticket/2070
* Fixed redirection in Add and edit in automember hostgroup.Petr Voborník2012-02-291-0/+14
| | | | | | Redirection in 'Add and edit' in automember hostgroup now navigates to correct facet. https://fedorahosted.org/freeipa/ticket/2422
* Added unsupported_validatorPetr Voborník2012-02-294-5/+30
| | | | | | | | dnszone attributes idnsallowquery and idnsallowtransfer have valid but currently unsupported values: 'localhost' and 'localnets'. New validator was introduced for unsuported values. By using this validator user can see that the value is currently unsupported instead of showing 'invalid value' or passing the value to server and creating error there. https://fedorahosted.org/freeipa/ticket/2351
* Fixed DNS record add handling of 4304 errorPetr Voborník2012-02-293-33/+59
| | | | | | | | Fixed hanling of 4304 error in DNS record add. Code which handled this error in host-add was generalized and moved to IPA. DNS record add both in adder dialog and dns record table are using this generalized version. https://fedorahosted.org/freeipa/ticket/2349
* Making validators to return true result if emptyPetr Voborník2012-02-292-37/+28
| | | | | | | | All custom validators were changed to return true result if value is empty. Raising error if value is empty is resposibility of check_required call. This fixes immediate displaying of error message in multivalued fields containing custom validators. https://fedorahosted.org/freeipa/ticket/2351
* Moved is_empty method from field to IPA objectPetr Voborník2012-02-293-23/+23
| | | | | | is_empty method represents IPA UI standard of evaluating whether value is empty. Therefore is should be placed in IPA object instead of IPA.field to allow reuse in different locations. https://fedorahosted.org/freeipa/ticket/2351
* New UI for DNS global configurationPetr Voborník2012-02-297-9/+109
| | | | | | UI for DNS global configuration was implemented. https://fedorahosted.org/freeipa/ticket/2350
* Fixed displaying of A6 RecordPetr Voborník2012-02-291-2/+2
| | | | | | | | UI was modified to reflect changes in #2309. Now it uses a6_part_data attribute instead of a6record. This fixes displaying of values in a table and modification of existing A6 record. https://fedorahosted.org/freeipa/ticket/2367
* DNS UI: added A,AAAA create reverse options to adder dialogPetr Voborník2012-02-291-20/+41
| | | | | | | | To DNS record adder dialog were added a_extra_create_reverse and aaaa_extra_create_reverse options. It's UI part of #2009. https://fedorahosted.org/freeipa/ticket/2349
* DNS Zone UI: added new attributesPetr Voborník2012-02-296-95/+228
| | | | | | | | | | | | | | | | | New attributes were added to DNS zone details facet. Attributes: idnsallowquery idnsallowtransfer idnsforwarders idnsforwardpolicy idnsallowsyncptr New network address validator created for idnsallowquery and idnsallowtransfer attributes. Network address validator also added to dnszone adder dialog - from_ip field. https://fedorahosted.org/freeipa/ticket/2351
* New checkboxes option: Mutual exclusivePetr Voborník2012-02-291-0/+10
| | | | | | | | | | Problem: UI doesn't have a control for selecting one or none value from given set of values. Solution: Attribute mutex was added to checkboxes_widget. When it is set, checking some value causes that all other values are unchecked. https://fedorahosted.org/freeipa/ticket/2351
* Static metadata update - new DNS optionsPetr Voborník2012-02-291-113/+694
| | | | Tickets: #2349 #2350 #2351 #2367
* Use stricter semantics when checking IP address for DNS recordsPetr Viktorin2012-02-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2379
* Fix bad merge of not calling memberof task when re-initializing a replicaRob Crittenden2012-02-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2199
* ipa-kdb: fix delegation acl checkSimo Sorce2012-02-281-2/+4
| | | | | We need to check for a matching acl only if one match hasn't already been found, otherwise results are unpredictable and order dependent.
* Don't call memberof task when re-initializing a replica.Rob Crittenden2012-02-271-2/+5
| | | | | | | | | | | memberof is not in the EXCLUDE list of nsDS5ReplicatedAttributeListTotal so we have no need of running the task, memberof will come with the data. If that attribute doesn't exist then this agreement was created with an older version of 389-ds, we DO need to initialize memberOf. https://fedorahosted.org/freeipa/ticket/2199
* Improve dns error messageMartin Kosek2012-02-281-2/+8
| | | | | | | | | | Improve AttrValueNotFound exception error message raised in the DNS module when a deleted (modified) attribute value is not found in a record. In order to be consistent with previous DNS module implementation this error message should include an attribute label instead of an attribute name. https://fedorahosted.org/freeipa/ticket/2377
* Implement password based session loginJohn Dennis2012-02-278-98/+294
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
* Implement session activity timeoutJohn Dennis2012-02-276-50/+144
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-2712-126/+376
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Limit allowed characters in a netgroup name to alpha, digit, -, _ and .Rob Crittenden2012-02-275-14/+41
| | | | | | Apply this to hostgroup names as well since they can be linked. https://fedorahosted.org/freeipa/ticket/2221
* Make sure the nolog argument to ipautil.run is not a bare stringPetr Viktorin2012-02-262-1/+9
| | | | | | | | | | | ipautil.run expects a tuple of passwords for nolog; passing a single string causes all individual letters from that string to be replaced by Xes. This fixes such a call, and adds a sanity check to ipautil.run that prevents lone strings from being used in nolog. https://fedorahosted.org/freeipa/ticket/2419
* Add SSHFP update policy for existing zonesMartin Kosek2012-02-273-7/+40
| | | | | | | | | | | | | SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394
* Add client hostname requirements to manMartin Kosek2012-02-271-1/+6
| | | | | | | | Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information. https://fedorahosted.org/freeipa/ticket/1967
* Don't run restorecon if SELinux is disabled or not present.Rob Crittenden2012-02-271-1/+12
| | | | | | | Also check for the existence of restorecon. This may be overkill but it will prevent a client installation from failing for no good reason. https://fedorahosted.org/freeipa/ticket/2368
* Sanitize UDP checks in conncheckMartin Kosek2012-02-262-36/+49
| | | | | | | | | | | | | | | | | | UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
* Add reverse DNS record when forward is createdMartin Kosek2012-02-275-247/+389
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding reverse DNS record may be a time consuming task, especially for IPv6 addresses. Having a way to automatically create a reverse record when a forward record is created could speed up the process. host-add command already has this possibility. This patch takes advantage of the new per-type API and adds new options for A/AAAA record types: --a-create-reverse and --aaaa-create-reverse. These commands can be used to automatically create reverse records for new A/AAAA addresses (both forward and reverse zones need to be managed by FreeIPA server): ipa dnsrecord-add example.com foo --a-rec=10.0.0.1 --a-create-reverse This command would add a new A record to record foo in zone example.com and a PTR record to appropriate reverse zone for IP address 10.0.0.1 (for example PTR record 1 in zone 0.0.10.in-addr.arpa. pointing to foo.example.com.). Few modification were done to new DNS API to support this feature: - Refactor --ip-address option handling from host-add and place it to dns.py to be used by both modules - Add support for "extra" per-type options - Hide DNS record part options in dnsrecord_find command as they have no effect for this command https://fedorahosted.org/freeipa/ticket/2009
* Make sure 389-ds is running when adding memcache service in upgrade.Rob Crittenden2012-02-261-0/+4
| | | | | | | Adding the memcache service requires 389-ds to be running because we add an entry to cn=masters. https://fedorahosted.org/freeipa/ticket/2411
* Remove unused kpasswd.keytab and ldappwd files if they exist.Rob Crittenden2012-02-272-0/+57
| | | | | | These were used by ipa_kpasswd and krb5-server-ldap respectivily. https://fedorahosted.org/freeipa/ticket/2397
* Check for duplicate winsync agreement before trying to set one up.Rob Crittenden2012-02-271-13/+15
| | | | | | | | | We currently only support a single winsync agreement so all we need to do is check to see if we have one with the remote host. This also adds some minor exception handling cleanup. https://fedorahosted.org/freeipa/ticket/2130
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-272-43/+64
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
* Add Requires to ipa-client on oddjob-mkhomedirRob Crittenden2012-02-271-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2337
* Don't consider virtual attributes when validating custom objectclassesRob Crittenden2012-02-271-0/+5
| | | | | | | | | We verify user and group default objectclasses when changing them to be sure that required objectclasses aren't being dropped. We need to ignore virtual attributes or it will raise an error because they aren't defined in schema. https://fedorahosted.org/freeipa/ticket/2406
* Add gidnumber minvalueMartin Kosek2012-02-233-6/+8
| | | | | | Do not accept invalid GID values in IPA user/group plugins. https://fedorahosted.org/freeipa/ticket/2335
* Catch public exceptions when creating the LDAP context in WSGI.Rob Crittenden2012-02-242-1/+10
| | | | | | Made specifically for the case where S4U2Proxy delegation fails. https://fedorahosted.org/freeipa/ticket/2414
* Add API for PTR sync controlMartin Kosek2012-02-242-3/+11
| | | | | | | | | | | | | | | | New version of bind-dyndb-ldap plugin have an ability to automatically update machine reverse address when its forward address is updated via GSS-TSIG update. The reverse zone must be managed by FreeIPA as well in order of this feature to work. As it would not be secure to enable this behaviour for all zones there is a global attribute that can enable PTR sync for all zones and also a per-zone attribute that can enable for chosen zones only. This patch adds an API for this control. https://fedorahosted.org/freeipa/ticket/2176
* Add DNS conditional forwardingMartin Kosek2012-02-242-4/+30
| | | | | | | | Add ability configure per-zone forwarder for DNS zones. Any data in such zone will then be considered as non-authoritative and all queries will be sent to specified forwarder. https://fedorahosted.org/freeipa/ticket/2108
* Query and transfer ACLs for DNS zonesMartin Kosek2012-02-247-14/+264
| | | | | | | | | | | | | | Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211
* Global DNS optionsMartin Kosek2012-02-247-3/+94
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-244-3/+86
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow IPA master hosts or important services be deleted.Rob Crittenden2012-02-235-0/+51
| | | | | | | | | Deleting these would cause the IPA master to blow up. For services I'm taking a conservative approach and only limiting the deletion of known services we care about. https://fedorahosted.org/freeipa/ticket/2425
* Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtagRob Crittenden2012-02-221-0/+7
| | | | | | | | | | | | We had this in v1 but removed it with v2 because we no longer used TurboGears for the UI. Because we are now proxying requests to dogtag we need to re-add this so that mod_ssl doesn't interfere with our communication. mod_ssl always blindly registers itself as the SSL provider for mod_proxy. mod_nss will only register itself if mod_ssl hasn't already done so. https://fedorahosted.org/freeipa/ticket/2177
* Don't check for schema uniqueness when comparing in ldapupdate.Rob Crittenden2012-02-221-1/+6
| | | | | | | | | | This is needed on F-17+, otherwise things blow up when we try to see if we've added new schema. Introspection is required to see if the argument check_uniqueness is available. https://fedorahosted.org/freeipa/ticket/2383
generated by cgit (git 2.34.1) at 2025-09-03 14:43:26 +0000