| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
We used to set connections argument for bind-dyndb-ldap even when
the attribute was not in named.conf. This is not necessary as
the bind-dyndb-ldap plugin chooses a sane default instead of us.
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Ranges
https://fedorahosted.org/freeipa/ticket/3321
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
|
| |
|
|
|
|
| |
In addition to removing the module, fix all places where it was imported.
Preparation for: https://fedorahosted.org/freeipa/ticket/3446
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.
For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.
Tests included
https://fedorahosted.org/freeipa/ticket/2886
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reorganize ipa-server-instal so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds 'nfs:NONE' as an allowed entry for the global
authorization data type in the CLI and WebUI. This is an ad-hoc solution
to make sure that the new default value for the NFS service is not
removed by chance.
This patch should be removed if a more generic solution is implemented
to modify service:TYPE style values of the authorization data type.
https://fedorahosted.org/freeipa/ticket/2960
|
| |
|
|
|
|
|
| |
Since the hardcoded default fpr the NFS service was removed the default
authorization data type is now set in the global server configuration.
https://fedorahosted.org/freeipa/ticket/2960
|
| | |
|
| |
|
|
|
|
|
| |
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.
https://fedorahosted.org/freeipa/ticket/3437
|
| |
|
|
|
|
|
| |
Added blacklists section, with ipantsidblacklistincoming and
ipantsidblacklistoutgoing multivalued textbox fields, into trust details page.
https://fedorahosted.org/freeipa/ticket/3289
|
| |
|
|
|
|
| |
There was an incorrect check for no_update flag. Check was performed as
if the flag was an attribute of object not an item of array. Hence, the
flag never caused any effect.
|
| |
|
|
|
|
| |
Editable combobox didn't update it's dirty state correctly. CB had it's own
internal value changed event, which was incorrectly used. It was removed and
widget's value_changed event was used instead.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Combobox can be controlled just by using keyboard.
When value list is closed, user can:
* use UP and DOWN error to open list, it will focus the list and
select previous/next value
* when CB is non-editable, user can start typing, first character will open
list, second will be entered into search input. Note: I wanted to copy the
first char to the search box as well, but I did not figure out reliable
method for converting keycode to char for non ASCII keyboard layouts
* ESCAPE, ENTER, TAB keys are handled to allow keyboard operations in a
container
When value list is opened:
* CB tries to keep focus on either search input or a select
* when focus is lost, the value list is closed. So user can click anywhere
on a page to close it - two comboboxes can't be opened on the same time
* hitting TAB key switches between search and select
* if CB is not searchable, hitting TAB will close the value list and select
input textbox
* hitting ESCAPE on will close the value list
* hitting ENTER on search input will invoke search operation
* hitting ENTER on select will close the value list
* hitting UP/DOWN arrows will select previous/next values
Additional modifications:
* opening arrow and search button were made non-focusable. It fixes the
'wrong focus area' bug and simplifies keyboard usage. It doesn't affect
mouse usage.
https://fedorahosted.org/freeipa/ticket/3324
|
| | |
|
| |
|
|
|
| |
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
| |
Add a new init argument, ldap_uri, to IPAdmin to make this possible.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
|
| |
The get_base_dn function still uses python-ldap because
get_ipa_basedn is shared with client code, which doesn't have
access to uor LDAP wrappers.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| | |
|
| |
|
|
|
|
|
|
| |
The unbind and unbind_s functions do the same thing (both are synchronous).
In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
|
|
|
|
| |
The find_entries method is cumbersome to use: it requires keyword arguments
for simple uses, and callers are tempted to ignore the 'truncated' flag
it returns.
Introduce a simpler method, get_entries, that returns the found
list directly, and raises an errors if the list is truncated.
Replace the getList method by get_entries.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
|
| |
A simple sort(key=len) is simpler both implementation-wise and
semantics-wise.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
| |
|
|
|
|
|
| |
We did not have the includedir directory with a trailing slash which made
rpm update add a redundant line.
https://fedorahosted.org/freeipa/ticket/3132
|
| |
|
|
|
|
|
|
| |
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.
https://fedorahosted.org/freeipa/ticket/3398
|
| |
|
|
|
|
|
|
| |
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.
Replacing mis-spelled ORDERING value on new install and upgrades.
https://fedorahosted.org/freeipa/ticket/3398
|
| |
|
|
|
|
|
| |
This is to prevent a fatal name clash wih the new common "messages" Output.
Since i18n_messages is an internal plugin, the change does not affect
our public API.
|
| |
|
|
|
|
| |
freeipa.profile was updated accordingly to contain all modules in dojo layer.
This change removes expected errors during the build and therefore it won't confuse others during rpm build. It also helps during development because developer will notice real dependency errors (those not specified this way).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One can specify module ids provided by other means (already built layer file) in providedMids array of build profile file's package section. Builder then ignores dependency errors for specified modules. This allows to build layers without source codes of their dependencies, with no expected errors raised.
Example:
packages:[
{
name: "freeipa",
location: "freeipa",
providedMids: [
'dojo/_base/declare',
'dojo/_base/lang',
'dojo/_base/array',
'dojo/Stateful'
//etc
]
}
],
|
| |
|
|
|
|
|
|
|
|
|
| |
Develop.js contains code useful only for debugging. It is not part of FreeIPA
release.
Is loaded by typing require(['freeipa/develop']); in browser JS console.
It adds IPA global variable and provide easier way of loading AMD modules into
window.ipadev[providedNameOrModuleName] variable.
https://fedorahosted.org/freeipa/ticket/112
|
| |
|
|
|
|
|
| |
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.
The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.
https://fedorahosted.org/freeipa/ticket/3402
|
| |
|
|
|
|
|
|
|
| |
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.
https://fedorahosted.org/freeipa/ticket/2945
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3132
|
| |
|
|
|
|
|
|
| |
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.
https://fedorahosted.org/freeipa/ticket/3195
|
| |
|
|
|
|
|
|
| |
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.
https://fedorahosted.org/freeipa/ticket/3289
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.
If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.
If a server is not an IPA server it is removed.
https://fedorahosted.org/freeipa/ticket/3388
|
| |
|
|
|
|
|
|
| |
When deleting a replica from IPA domain:
* Abort if the installation is about to be left without CA
* Warn if the installation is about to be left without DNS
Ticket: https://fedorahosted.org/freeipa/ticket/2879
|
| |
|
|
|
|
|
|
|
|
| |
Modify update file to use default: rather than add: in
cn=replication,cn=etc,$SUFFIX.
Drop quotes around nsDS5ReplicaRoot because default: values
are not parsed as CSV.
https://fedorahosted.org/freeipa/ticket/3394
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Break the script into several smaller methods.
Use modern idioms: os.path.join instead of string addition; the with statement
for closing files.
Add --quiet, --verbose, and --log-file options. Use logging instead of print
statements. (http://freeipa.org/page/V3/Logging_and_output)
Part of: https://fedorahosted.org/freeipa/ticket/2652
Fixes: https://fedorahosted.org/freeipa/ticket/3285
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3381
|
| |
|
|
|
| |
"Add SIDs for existing users andgroups as the final step" changed
to "Add SIDs for existing users and groups as the final step".
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
|
