| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.
https://fedorahosted.org/freeipa/ticket/1418
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js
This is because of a glob:
%{_usr}/share/ipa/ui/*.js
and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js
https://fedorahosted.org/freeipa/ticket/2253
|
| |
|
|
|
|
| |
If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem.
https://fedorahosted.org/freeipa/ticket/2449
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some of our tests checked for exceptions using an error-prone
try block: they allowed the expected exception to pass, but sometimes
forgot an else block, so the test passed when an exception wasn't
thrown.
This changes the tests to use the appropriate nose tools (raises,
assert_raises).
For consistency, tests that had a correct else block are also changed.
Also fix some test problems that were hidden by the above:
- in some sudorule and HBAC tests, change the *_add_user argument name
from `users` to `user`
- don't remove HBAC testing data while it was still used
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2487
|
| |
|
|
|
|
|
|
|
| |
in_server controls how a method is dispatched, it should not also control
what plugins are imported.
This suppresses the error message "session memcached servers not running."
https://fedorahosted.org/freeipa/ticket/2499
|
| |
|
|
|
| |
The ipausers group is no longer a POSIX group by default.
Reflect that in the tests.
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2209
|
| |
|
|
|
|
|
|
|
| |
Set URI, BASE and TLS_CACERT
Also update the man page to include a list of files that the client
changes.
https://fedorahosted.org/freeipa/ticket/1810
|
| |
|
|
|
|
|
|
| |
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.
Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.
This patch is fixing the problem.
https://fedorahosted.org/freeipa/ticket/2494
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
|
| |
|
|
|
|
|
|
|
|
| |
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
|
| |
|
|
|
|
| |
Updated UI static content to contain value and label for certificate serial_number_hex.
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/1991
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.
This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.
This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.
A non-working client was doing this when calling cert-request:
- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.
Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.
https://fedorahosted.org/freeipa/ticket/2498
|
| |
|
|
|
|
|
| |
This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).
https://fedorahosted.org/freeipa/ticket/2432
|
| |
|
|
|
|
| |
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
|
| |
|
|
|
|
|
|
|
|
| |
Network validator allowed invalid mask format:
* leading zeros: 192.168.0.1/0024
* trailing chars: 192.168.0.1/24abcd
It was fixed.
https://fedorahosted.org/freeipa/ticket/2493
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.
This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.
https://fedorahosted.org/freeipa/ticket/2500
|
| |
|
|
|
|
|
|
|
| |
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
raises an error and thus breaks the migration
This patch fixes both issues.
https://fedorahosted.org/freeipa/ticket/2508
|
| |
|
|
|
|
|
| |
This package version adds a boolean, httpd_manage_ipa, that enables
the ipa_memcached service to work.
https://fedorahosted.org/freeipa/ticket/2433
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
|
| |
|
|
|
|
|
| |
IPA assumes most config options are present, but allowed the user
to delete them. This patch marks them as required.
https://fedorahosted.org/freeipa/ticket/2159
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
|
| |
|
|
|
|
|
|
|
| |
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.
https://fedorahosted.org/freeipa/ticket/2415
If obtaining host TGT fails, the installation is aborted and changes are
rolled back.
https://fedorahosted.org/freeipa/ticket/1995
|
| |
|
|
|
|
|
|
|
| |
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.
https://fedorahosted.org/freeipa/ticket/2484
|
| | |
|
| |
|
|
|
|
|
|
| |
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.
https://fedorahosted.org/freeipa/ticket/2424
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2369
|
| |
|
|
|
|
|
| |
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.
https://fedorahosted.org/freeipa/ticket/2369
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:
1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.
2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.
https://fedorahosted.org/freeipa/ticket/2386
|
| |
|
|
|
|
|
|
|
|
| |
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.
https://fedorahosted.org/freeipa/ticket/2382
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.
https://fedorahosted.org/freeipa/ticket/2418
|
| |
|
|
|
|
|
|
|
|
| |
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
|
| |
|
|
|
|
| |
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
https://fedorahosted.org/freeipa/ticket/2227
|
| |
|
|
|
|
|
|
| |
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.
This requires SSSD 1.8.0.
|
| |
|
|
|
|
|
| |
According to FHS, the reboot command should live in /sbin.
Systems may also have a symlink in /usr/bin, but they don't have to.
https://fedorahosted.org/freeipa/ticket/2480
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
|
| |
|
|
|
|
|
| |
This information is not replicated so pull from all IPA masters
and display the status across all servers.
https://fedorahosted.org/freeipa/ticket/2162
|
| |
|
|
|
|
| |
Based on contribution by Brian Harrington.
https://fedorahosted.org/freeipa/ticket/2428
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usability was imporved in Unauthorized/Login dialog.
When the dialog is opened a link which switches to login form is focus so user can do following:
1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter
this sequence will execute login request.
When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
https://fedorahosted.org/freeipa/ticket/2450
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
|
