| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
|
| |
|
|
|
|
|
| |
It was likely that this would fail being in an LDIF so let an update
file add this potentially conflicting entry instead.
https://fedorahosted.org/freeipa/ticket/2837
|
| |
|
|
|
|
|
|
| |
This is a continuation of effor which transforms status widgets with buttons executing actions to separate status widget and action panels. This patch strips certificate status widget of its buttons and separates the actions to their own objects. Appropriate modifications are taken in host and service details facets.
New certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On facet load event new certificate facet policy loads a certificate from result. Unfortunately results don't contain revocation reason so it also executes additional cert-show command to get the revocation reason. Policy store the certifacete to facet. It raises the certifacet_loaded event to notify certificate evaluator and status widget. Status widget updates its state. Certificate evaluater updates state and actions get disabled or enabled.
https://fedorahosted.org/freeipa/ticket/2250
|
| |
|
|
|
|
|
|
| |
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.
https://fedorahosted.org/freeipa/ticket/2856
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds validator which compares passwords in two fields.
In future it should be used in various password reset dialogs.
A flags attribute was added to field. It's purpose is to define control flags. This patch uses it in details facet and adder dialog to not include fields to command option if the field has 'no_command' flag. Therefore there is no need to use hacks such as disabling of field or removing a value from command's option map when a non-command field is needed (ie verify password).
https://fedorahosted.org/freeipa/ticket/2829
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
|
| |
|
|
|
|
|
|
|
| |
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log
Will output basic stauts information if executed from the command-line.
https://fedorahosted.org/freeipa/ticket/2696
|
| |
|
|
|
|
|
|
| |
Error message for IPA error 911 is not very clear for end users.
This patch changes the message and adds an advice how to get rid of the error.
https://fedorahosted.org/freeipa/ticket/2778
|
| |
|
|
|
|
|
|
|
|
| |
IPA web UI isn't functional when browser doesn't send http headers.
This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.
Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader
https://fedorahosted.org/freeipa/ticket/2778
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2857
|
| |
|
|
|
|
|
|
| |
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
|
| |
|
|
|
|
| |
This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.
https://fedorahosted.org/freeipa/ticket/2755
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2767
|
| |
|
|
|
|
|
|
|
| |
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
|
| |
|
|
|
|
|
|
| |
Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog.
Action for action panel and all required status evaluators for enabling/disabling of that action were also created.
https://fedorahosted.org/freeipa/ticket/2252
|
| |
|
|
|
|
| |
Widgets in host enrollment sections were modified. They now serve only for displaying of has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening of these dialogs are items in new action panel in enrollment section.
https://fedorahosted.org/freeipa/ticket/2251
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed by LDAP
password change command.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).
Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.
ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
|
| |
|
|
|
|
|
|
|
|
|
| |
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.
This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.
https://fedorahosted.org/freeipa/ticket/2621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Patch "Add options to reduce writes from KDC" adds two more possible values to config plugins ipaconfigstring configuration options.
These are:
* KDC:Disable Last Success
* KDC:Disable Lockout
This patch adds them to Web UI
https://fedorahosted.org/freeipa/ticket/2734
|
| |
|
|
|
|
|
|
| |
Association dialogs were using non-existent options for find commands. It causes error when #2509 is implemented.
Now when creating a find command a check for options existence is performend. Option is not used if not present in metadata. It fixes the issue.
https://fedorahosted.org/freeipa/ticket/2760
|
| |
|
|
|
|
|
|
|
| |
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
|
| |
|
|
|
|
|
|
| |
resolve_host() function returns a list of IP addresses. Handle it all rather
than expecting that there is a single address.
It wouldn't hurt to make a common function that takes --ip-address into account
when resolving host addresses and use it everywhere.
|
| |
|
|
|
|
|
|
|
|
| |
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
|
| | |
|
| |
|
|
|
|
|
|
| |
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.
https://fedorahosted.org/freeipa/ticket/2168
|
| |
|
|
|
|
|
|
|
|
|
| |
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.
https://fedorahosted.org/freeipa/ticket/2191
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
on_value_changed event in textboxes and textareas was raised only on keyboard input. If user used different input method such as paste or browser undo and redo functions widget's on_value_changed event wasn't raised and so dirty state wasn't changed as well.
This patch adds listener to text's and textarea's 'input' event. Input is a HTML 5 event which is raises on user initiated action.
Some of user initiated actions :
* Cut
* Copy
* Paste
* Undo
* Redo
* Clear
* Typing (like keyup)
* Form AutoFill
* User-invoked spellcheck corrections
* Input from Input Method Editor
It should be supported by all recent versions of major browsers. IE doesn't support it up to version 8.
Listener for 'keyup' event was left in implementation for backward compatibility with older browsers. This may cause firing on_value_change twice but so far it shouldn't cause troubles.
https://fedorahosted.org/freeipa/ticket/2647
|
| |
|
|
|
|
| |
Tables with members in netgroup were missing links for navigation to associated details pages. This patch adds these links.
https://fedorahosted.org/freeipa/ticket/2670
|
| |
|
|
|
|
|
|
|
|
| |
Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non existent options. If such option is supplied command ends with error. It uncovered several cases in Web UI. This patch is fixing these cases.
Automember, Self-service and Delegation don't support 'pkey-only', 'size-limit' and 'rights' option. Pagination and rights check were disabled for them.
Automount map adder dialog was sending options for indirect map even if chosen type was direct (when those for indirect was filled earlier), also it was sending non-existant 'method' option.
https://fedorahosted.org/freeipa/ticket/2760
|
| |
|
|
|
|
| |
Service unprovision dialog was missing a cancel button. The button was added.
https://fedorahosted.org/freeipa/ticket/1811
|
| |
|
|
|
|
|
|
| |
This patch creates state_evaluator which creates permission states for defined attribute. The state format is: attributeName_permissionChar.
This evaluator is used for user_password attribute and it control enabling/disabling of related action in user account action panel.
https://fedorahosted.org/freeipa/ticket/2318
|
| |
|
|
|
|
| |
This patch adds shadow to dialog used in Web UI. It looks cooler.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
This patch adds strings to internal.py which were not translated in action list/panel patches.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
This patch adds action panel to user account section. The panel contain an action for reseting user password.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
| |
This patch implements action panel. Action panel is a box located in facet details section which contains actions related to that object/section.
In spec file can be configured actions and title used in action panel. Default title is 'Actions'. Actions are specified by their name. They have to be defined in action collection in facet.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
| |
It's continuation of previous refactoring effort. This part is changing specs in entities to used changed concept.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a first step for implementing action panels which will also use the shared list of actions.
This effor changes the way how action list and control buttons are defined. First all actions are defined on facet level - attribute 'actions' in spec file. Implementation of action list widget is not specified on facet level. It is left in facet header. A list of action names used in action list can be now specified in facet spec in 'header_actions' attribute.
Control buttons use similar concept. Facet by default is using control_buttons_widget. Details and search facet are defining their own default actions (refresh/add/remove/update/reset). Additional buttons can be defined as array of action names on facet level in control_buttons attribute.
state_evaluators and state_listeners were united. They are called state_evaluators but they uses state_listener concept, they are attached to an event. For former state_evaluator the event is post_load. They are defined in spec in state attribute. State object purpose is to aggregate states from all state evaluators. It offers changed event to which can other objects subscribe. It also has summary evaluator which evaluation conditions. Summary evaluator creates summary status with human readable description. It can be used by facet header.
https://fedorahosted.org/freeipa/ticket/2248
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.
On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.
https://fedorahosted.org/freeipa/ticket/2368
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
|
| |
|
|
|
|
|
| |
Output message of the 'read_domain_name' function in ipa-server-install
was reworded.
https://fedorahosted.org/freeipa/ticket/2704
|
| |
|
|
|
|
|
|
| |
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.
https://fedorahosted.org/freeipa/ticket/2030
|
| |
|
|
|
|
| |
Wrap printing exceptions in unicode() to do Gettext conversion.
https://fedorahosted.org/freeipa/ticket/2196
|
| |
|
|
|
|
|
|
| |
Nested search facets were using 'search' tab label instead of their nested entity name.
This patch is fixing that regression.
https://fedorahosted.org/freeipa/ticket/2744
|
