| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.
Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.
Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.
https://fedorahosted.org/freeipa/ticket/2892
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.
Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.
bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).
nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.
https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
|
| |
|
|
|
| |
Extra new line in .TH section of the man page caused invalid
wrapping.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.
Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.
https://fedorahosted.org/freeipa/ticket/2687
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for new per-domain permissions to Web UI.
User with assigned permission (through role,priviledge) can edit DNS zone. These permissions can be added/remove by ipa dnszone-{add/remove}permission $dnszone command.
For adding/removing of this permission in Web UI new actions in DNS zone action list were created. DNS zone object doesn't contain information about existance of related permission. Such information is required for enabling/disabling of new actions. Web UI has to search for the permission to get it. DNS zone facet was modified to use batch command, in a same way as user facet, for loading dnszone and the permission at the same time - on load.
Batch command has a feature to report all errors. Such behavior is unwanted because we expect that permission-show command will fail when the permission doesn't exist. Batch command was therefore modified to not report commands which has retry attribute set to false. This attr was chosen because it has similar purpose in single command execution.
New actions should be enabled only for users with appropriate rights. It is not possible to obtain rights for certain action in advance so an approximation is used: write right for dns zones' managedby attribute.
https://fedorahosted.org/freeipa/ticket/2851
|
| |
|
|
| |
The page said `-y` but the actual option is `-p`.
|
| |
|
|
|
| |
Add a check in the WebUI to use the admin navigation if a user is a
indirect member of a role.
|
| |
|
|
|
|
| |
Added measurement units for kerberos ticket policy.
https://fedorahosted.org/freeipa/ticket/2444
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When filling password policy it may be unclear what value to enter because user may not remember field's measurement unit.
This patch adds support for declaring measurement units. It's done in field's/widget's spec by entering key for unit's string (which is in IPA.messages.measurement_units[key]).
Measurement units in table layout are displayed in parenthesis after label. It is to be consistent with some fields which have measurement unit integrated in label.
This patch defines measurement units for password policy's 'History size', 'Failure reset interval' and 'Lockout duration' fields.
https://fedorahosted.org/freeipa/ticket/2437
|
| |
|
|
|
|
|
|
| |
Message 'Logged in as: user@FREEIPA.ORG' was displayed before user was logged in. It was wrong.
Now 'Logged in as: XXX' is displayed only when user XXX is logged in. So no more user@FREEIPA.ORG :) .
https://fedorahosted.org/freeipa/ticket/2882
|
| |
|
|
|
|
|
|
| |
Configaration was the last navigation item in IPA server tab. Trusts changed it. It was wrong because configuration is like 'other settings' and so it should be last.
This patch moves configuration navigation item to the last position again.
https://fedorahosted.org/freeipa/ticket/2900
|
| |
|
|
|
|
|
|
| |
SASL bind callback due to refactoring was referencing local variable which
didn't exist all the time. Fix that by including a copy of service principals
into ipasam long term private struct.
Rework ccache handling to avoid re-initing every time callback is called
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.
A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.
https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
|
| |
|
|
|
|
|
|
|
|
| |
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.
Default range LDIF entry for new install was fixed so that new
installation does not crash.
https://fedorahosted.org/freeipa/ticket/2891
|
| |
|
|
|
|
|
|
| |
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.
https://fedorahosted.org/freeipa/ticket/2839
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or
SIDs for objects that are no neither users nor groups.
The ipa*IDRange objectclasses will be used to store the used Posix ID
ranges of the local domains (ipaDomainIDRange) or the ranges reserved
for AD domains (ipaTrustedADDomainRange). To be able to map the Posix
IDs to a RID and back the corresponding ranges can be saved here as
well.
|
| |
|
|
|
|
|
|
|
| |
This patch removes following non-existing command options:
* all,rights in host_disable
* record_type in dns_record_add
* all,rights in various xxx_remove_xxx commands used in rule_association_table_field (removing association)
https://fedorahosted.org/freeipa/ticket/2878
|
| |
|
|
|
|
|
| |
Association facet was refactored to use new concept of control buttons. It is the last facet type which don't use this concept.
It fixes regression introduced by previous refactoring of table facet (delete button was never enabled).
https://fedorahosted.org/freeipa/ticket/2876
|
| |
|
|
|
|
|
|
| |
This patch adds pending password expiration notification support to Web UI. When user's password is going to expire in less or equal than configure days a bold red text 'Your password expires in N days.' and a link 'Reset your password' are shown in Web UI's header (on the left next to 'Logged in as...').
Clicking on 'Reset your password link' opens IPA.user_password_dialog. Successful reset of own password will reload user's information (whoami) and update header (it will most likely hide the warning and link).
https://fedorahosted.org/freeipa/ticket/2625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
|
| |
|
|
|
|
|
| |
It was likely that this would fail being in an LDIF so let an update
file add this potentially conflicting entry instead.
https://fedorahosted.org/freeipa/ticket/2837
|
| |
|
|
|
|
|
|
| |
This is a continuation of effor which transforms status widgets with buttons executing actions to separate status widget and action panels. This patch strips certificate status widget of its buttons and separates the actions to their own objects. Appropriate modifications are taken in host and service details facets.
New certificate loader, facet policy and evaluator are introduced to make actions and status widget independent. On facet load event new certificate facet policy loads a certificate from result. Unfortunately results don't contain revocation reason so it also executes additional cert-show command to get the revocation reason. Policy store the certifacete to facet. It raises the certifacet_loaded event to notify certificate evaluator and status widget. Status widget updates its state. Certificate evaluater updates state and actions get disabled or enabled.
https://fedorahosted.org/freeipa/ticket/2250
|
| |
|
|
|
|
|
|
| |
ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.
https://fedorahosted.org/freeipa/ticket/2856
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds validator which compares passwords in two fields.
In future it should be used in various password reset dialogs.
A flags attribute was added to field. It's purpose is to define control flags. This patch uses it in details facet and adder dialog to not include fields to command option if the field has 'no_command' flag. Therefore there is no need to use hacks such as disabling of field or removing a value from command's option map when a non-command field is needed (ie verify password).
https://fedorahosted.org/freeipa/ticket/2829
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds Web UI for trusts.
Navigation path is IPA Server/Trust. It allows to add, deleted and show trust. Mod command doesn't have defined input options so update of a trust is not supported yet.
Adder dialog supports two ways if adding a trust:
1) adding with domain name, admin name and admin password.
2) adding with domain name, shared secret
Search page shows only list of realm names which are trusts' cns.
Details page is read only. It contains following attributes:
* Realm name (cn)
* Domain NetBIOS name (ipantflatname)
* Domain Security Identifier (ipanttrusteddomainsid)
* Trust direction (trustdirection)
* Trust type (trusttype)
trust_output_params also defines 'Trust status' param. This param is not return by show command as well so it's commented out in code until it's fixed in plugin code.
Fields in details pages are using labels defined in internal.py. It is temporary solution until including of command.has_output_params will be added to metadata.
https://fedorahosted.org/freeipa/ticket/2829
|
| |
|
|
|
|
|
|
|
| |
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log
Will output basic stauts information if executed from the command-line.
https://fedorahosted.org/freeipa/ticket/2696
|
| |
|
|
|
|
|
|
| |
Error message for IPA error 911 is not very clear for end users.
This patch changes the message and adds an advice how to get rid of the error.
https://fedorahosted.org/freeipa/ticket/2778
|
| |
|
|
|
|
|
|
|
|
| |
IPA web UI isn't functional when browser doesn't send http headers.
This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it.
Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader
https://fedorahosted.org/freeipa/ticket/2778
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2857
|
| |
|
|
|
|
|
|
| |
Web UI was missing a way how to reset expired password for normal user. Recent server patch added API for such task. This patch is adding reset password form to unautorized dialog.
If user tries to login using form-based authentication and his password is expired login form transforms to reset password form. The username and password are used from previous login attempt. User have to enter new password and its verification. Then he can hit enter button on keyboard or click on reset button on dialog to perform the password reset. Error is displayed if some part of password reset fails. If it is successful new login with values entered for password reset is performed. It should login the user. In password reset form user can click on cancel button or hit escape on keyboard to go back to login form.
https://fedorahosted.org/freeipa/ticket/2755
|
| |
|
|
|
|
| |
This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.
https://fedorahosted.org/freeipa/ticket/2755
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/2767
|
| |
|
|
|
|
|
|
|
| |
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.
https://fedorahosted.org/freeipa/ticket/2331
|
| |
|
|
|
|
|
|
| |
Servise provisioning status widget was modified only to display the has_keytab status. Button for 'delete key,unprovision' was moved as action to newly created action panel in the same section. This required to moved the creation of the unprovisioning dialog from that widget to new separate dialog.
Action for action panel and all required status evaluators for enabling/disabling of that action were also created.
https://fedorahosted.org/freeipa/ticket/2252
|
| |
|
|
|
|
| |
Widgets in host enrollment sections were modified. They now serve only for displaying of has_key and has_password status. Functionality for setting otp and unprovisioning was moved to separate dialogs. Execution points for opening of these dialogs are items in new action panel in enrollment section.
https://fedorahosted.org/freeipa/ticket/2251
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.
This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.
The actual password change in the script is processed by LDAP
password change command.
Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
(optional) X-IPA-Pwchange-Policy-Error: $policy_error_text
https://fedorahosted.org/freeipa/ticket/2276
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).
Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.
ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
|
| |
|
|
|
|
|
|
|
|
|
| |
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.
This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.
https://fedorahosted.org/freeipa/ticket/2621
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Patch "Add options to reduce writes from KDC" adds two more possible values to config plugins ipaconfigstring configuration options.
These are:
* KDC:Disable Last Success
* KDC:Disable Lockout
This patch adds them to Web UI
https://fedorahosted.org/freeipa/ticket/2734
|
| |
|
|
|
|
|
|
| |
Association dialogs were using non-existent options for find commands. It causes error when #2509 is implemented.
Now when creating a find command a check for options existence is performend. Option is not used if not present in metadata. It fixes the issue.
https://fedorahosted.org/freeipa/ticket/2760
|
| |
|
|
|
|
|
|
|
| |
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
|
| |
|
|
|
|
|
|
| |
resolve_host() function returns a list of IP addresses. Handle it all rather
than expecting that there is a single address.
It wouldn't hurt to make a common function that takes --ip-address into account
when resolving host addresses and use it everywhere.
|
| |
|
|
|
|
|
|
|
|
| |
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.
The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
https://fedorahosted.org/freeipa/ticket/1577
|
| | |
|
