summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Disable global forwarding per-zoneMartin Kosek2012-11-091-2/+17
| | | | | | | | | | | bind-dyndb-ldap allows disabling global forwarder per-zone. This may be useful in a scenario when we do not want requests to delegated sub-zones (like sub.example.com. in zone example.com.) to be routed through global forwarder. Few lines to help added to explain the feature to users too. https://fedorahosted.org/freeipa/ticket/3209
* Process relative nameserver DNS record correctlyMartin Kosek2012-11-061-18/+93
| | | | | | | | | | | | | | | | | | | | | | | Nameserver hostname passed to dnszone_add command was always treated as FQDN even though it was a relative DNS name to the new zone. All relative names were being rejected as unresolvable. Modify --name-server option processing in dnszone_add and dnszone_mod to respect FQDN/relative DNS name and do the checks accordingly. With this change, user can add a new zone "example.com" and let dnszone_add to create NS record "ns" in it, when supplied with its IP address. IP address check is more strict so that it is not entered when no forward record is created. Places misusing the option were fixed. Nameserver option now also accepts zone name, which means that NS and A record is placed to DNS zone itself. Also "@" is accepted as a nameserver name, BIND understand it also as a zone name. As a side-effect of this change, other records with hostname part (MX, KX, NS, SRV) accept "@" as valid hostname. BIND replaces it with respective zone name as well. Unit tests were updated to test the new format. https://fedorahosted.org/freeipa/ticket/3204
* Clarify trust-add help regarding multiple runs against the same domainAlexander Bokovoy2012-11-021-3/+25
| | | | | | | | Since trust-add re-establishes the trust every time it is run and all the other information fetched from the remote domain controller stays the same, it can be run multiple times. The only change would occur is update of trust relationship credentials -- they are supposed to be updated periodically by underlying infrastructure anyway.
* Resolve external members from trusted domain via Global CatalogAlexander Bokovoy2012-11-012-22/+27
| | | | | | | | | | | | A sequence is following: 1. Match external member against existing trusted domain 2. Find trusted domain's domain controller and preferred GC hosts 3. Fetch trusted domain account auth info 4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain 5. Do LDAP SASL interactive bind using the ccache 6. Search for the member's SID 7. Decode SID 8. Replace external member name by SID
* Fixed incorrect link to browser config after session expirationPetr Vobornik2012-10-241-1/+1
| | | | | | Fixed typo in message placeholder. https://fedorahosted.org/freeipa/ticket/3187
* Fix requesting certificates that contain subject altnames.Rob Crittenden2012-10-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3184
* Simpler instructions to generate certificatePetr Vobornik2012-10-191-1/+1
| | | | | | | | | | | | | | Instructions to generate certificate were simplified. New instructions: 1) Create a certificate database or use an existing one. To create a new database: # certutil -N -d <database path> 2) Create a CSR with subject CN=<hostname>,O=<realm>, for example: # certutil -R -d <database path> -a -g <key size> -s 'CN=dev.example.com,O=DEV.EXAMPLE.COM' 3) Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below: https://fedorahosted.org/freeipa/ticket/3056
* Warn about DNA plugin configuration when working with local ID rangesAlexander Bokovoy2012-10-171-1/+22
| | | | https://fedorahosted.org/freeipa/ticket/3116
* Use PublicError instructions support for trust-add case when domain is not foundAlexander Bokovoy2012-10-111-7/+8
| | | | https://fedorahosted.org/freeipa/ticket/3167
* Fix wrong RID for Domain Admins in the examples of trust commandsAlexander Bokovoy2012-10-101-2/+2
|
* Minor fixes for default SMB groupMartin Kosek2012-10-091-1/+1
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trustAlexander Bokovoy2012-10-091-3/+34
| | | | | | | | | | | Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, NotFound exception is raised. Intercept the exception and process it to help diagnose and fix actual problem: - if IPA is managing DNS, suggest to make a forward for the domain's zone - otherwise suggest to setup DNS forwarder at upstream DNS server https://fedorahosted.org/freeipa/ticket/3103
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-041-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-041-1/+1
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-021-1/+6
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-031-3/+17
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Improve user addition to default group in user-addTomas Babej2012-10-031-1/+9
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
* Only use service PAC type as an overrideMartin Kosek2012-10-032-11/+30
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Do not produce unindexed search on every DEL commandMartin Kosek2012-10-011-1/+7
| | | | | | | | | | | | Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails.
* Validate SELinux users in config-modMartin Kosek2012-09-271-17/+32
| | | | | | | | config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-261-19/+6
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-241-2/+1
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Fix idrange plugin helpMartin Kosek2012-09-201-4/+4
| | | | | range plugin was renamed to idrange. Update plugin help to reflect this change.
* Use default reverse zone consistentlyMartin Kosek2012-09-191-1/+10
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Add verification of the AD trustAlexander Bokovoy2012-09-171-5/+7
| | | | | | | | | | Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere. https://fedorahosted.org/freeipa/ticket/2763
* Fix various typos.Yuri Chornoivan2012-09-187-13/+13
| | | | https://fedorahosted.org/freeipa/ticket/3089
* Fix addattr internal errorMartin Kosek2012-09-161-1/+11
| | | | | | | | | | | When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-131-3/+6
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Make sure selinuxusemap behaves consistently to HBAC ruleTomas Babej2012-09-121-18/+58
| | | | | | | | | Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983
* Reflect API change of SSH store in Web UIPetr Vobornik2012-09-061-1/+1
| | | | | | | | Format of ipasshpubkey in users and hosts changed from BYTES to STR. Web UI no longer gets the value as base64 encoded string in a object. Label was changed to reflect that the key don't have to be plain base64 encoded blob. https://fedorahosted.org/freeipa/ticket/2989
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-062-26/+33
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Trust CLI: mark trust-mod for future useSumit Bose2012-09-071-1/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2968
* Trust CLI: return more details of added trustSumit Bose2012-09-071-0/+11
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/2971
* Trust CLI: Return more details when searching trustsSumit Bose2012-09-071-0/+13
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2970
* Do not create trust if murmur hash is not available and base-id not givenSumit Bose2012-09-071-6/+5
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3018
* IDRange CLI: Add documentationSumit Bose2012-09-071-2/+127
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2969
* IDRange CLI: allow to work without argumentsSumit Bose2012-09-071-6/+16
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2999
* Rename range CLI to idrangeSumit Bose2012-09-073-17/+17
|
* Cast DNS SOA serial maximum boundary to longMartin Kosek2012-09-071-1/+1
| | | | | | This will fix i386 builds where the SOA serial value written in API.txt was already of a long type while on x86_64 it was still of an int type.
* Set the e-mail attribute using the default domain name by defaultRob Crittenden2012-09-071-6/+20
| | | | https://fedorahosted.org/freeipa/ticket/2810
* Add range safety check for range_mod and range_delMartin Kosek2012-09-061-0/+81
| | | | | | | | | | | | | range_mod and range_del command could easily create objects with ID which is suddenly out of specified range. This could cause issues in trust scenarios where range objects are used for computation of remote IDs. Add validator for both commands to check if there is any object with ID in the range which would become out-of-range as a pre_callback. Also add unit tests testing this new validator. https://fedorahosted.org/freeipa/ticket/2919
* Update of confirmation of actionsPetr Vobornik2012-09-061-0/+2
| | | | | | | | | | | This patch is changing confirmation of actions according to ticket #3035, see the ticket description. It does following changes: * Confirmation of update action was removed. * Action lists resets to first action (which is usually a NOP: '-- select action --') on change of displayed entry. * New confirmation dialog was implemented. It is used for action confirmation. It is used in IPA.action to replace the call of window.confirm(message). The old call is a modal window which blocks all JS functionality and has different style than other dialogs in Web UI. The new one has same design and doesn't block background operations. https://fedorahosted.org/freeipa/ticket/3035
* Fix DNS SOA serial parameters boundariesMartin Kosek2012-09-061-1/+7
| | | | | | | Set correct boundaries for DNS SOA serial parameters (see RFC 1035, 2181). https://fedorahosted.org/freeipa/ticket/2568
* Allow localhost in zone ACIsMartin Kosek2012-09-061-6/+3
| | | | | Loopback address, "localhost" and "localnets" ACIs are no longer an issue for bind-dyndb-ldap. Allow them in our validators.
* Added decimal checks to metadata validatorPetr Vobornik2012-09-061-0/+1
| | | | | | Medatadata validator didn't have check for decimal values. It was added. https://fedorahosted.org/freeipa/ticket/3052
generated by cgit (git 2.34.1) at 2024-05-20 10:39:12 +0000