Commit message (author, date, files changed, lines -/+)
* replace an ACI relying on presence of deprecated objectclass (Martin Babinsky, 2016-07-01, 1 file, -1/+2)
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ACI for admins to modify principal attributes (Martin Babinsky, 2016-07-01, 1 file, -0/+2)
  This is required for admins to utilize the APIs that enable them to add/remove principal aliases to entities.
  https://fedorahosted.org/freeipa/ticket/3864
  https://fedorahosted.org/freeipa/ticket/3961
  https://fedorahosted.org/freeipa/ticket/5413
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migrate management framework plugins to use Principal parameter (Martin Babinsky, 2016-07-01, 12 files, -239/+213)
  All plugins will now use this parameter and common code for all operations on Kerberos principals. Additional semantic validators and normalizers were added to determine or append a correct realm so that the previous behavior is kept intact.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: introduce Principal parameter (Martin Babinsky, 2016-07-01, 6 files, -1/+54)
  This patch introduces a separate Principal parameter that allows the framework to syntactically validate incoming/outgoing principals by using a single shared codebase.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Test suite for `ipapython/kerberos.py` (Martin Babinsky, 2016-07-01, 1 file, -0/+137)
  Low-level unittests checking the correctness of principal parsing.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipapython module for Kerberos principal manipulation and parsing (Martin Babinsky, 2016-07-01, 1 file, -0/+208)
  This module implements a shared codebase to handle various types of Kerberos principal names encountered during management of users, hosts and services. Common codebase aims to replace various ad-hoc functions and routines scattered along the management framework.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* client: add support for pre-schema servers (Jan Cholasta, 2016-07-01, 198 files, -105/+139695)
  Bundle remote plugin interface definitions for servers which lack API schema support. These server API versions are included:
  * 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
  * 2.114: IPA 4.1.4 on Fedora 22,
  * 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
  * 2.164: IPA 4.3.1 on Fedora 23.
  For servers with other API versions, the closest lower API version is used.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* client: do not crash when overriding remote command as method (Jan Cholasta, 2016-07-01, 2 files, -8/+21)
  Do not crash during API initialization when overriding a remote command that is not a method with MethodOverride.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* schema: Decrease schema TTL to one hour (David Kupka, 2016-07-01, 1 file, -1/+4)
  Since checking schema is a relatively cheap operation (one round-trip with almost no data) we can do it often to ensure schema will be fetched by client ASAP after it was updated on server.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not log to file in remote conncheck side (Martin Basti, 2016-07-01, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/5757
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add option --no-log for ipa-replica-conncheck script (Martin Basti, 2016-07-01, 1 file, -1/+3)
  When the option is used, ipa-replica-conncheck will not log into a file.
  https://fedorahosted.org/freeipa/ticket/5757
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Do not log error when removing a non-existing file (Florence Blanc-Renaud, 2016-07-01, 1 file, -4/+11)
  When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and the file does not exist, only log to debug instead of error.
  https://fedorahosted.org/freeipa/ticket/6012
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix migration from pre-lightweight CAs master (Fraser Tweedale, 2016-07-01, 1 file, -1/+30)
  Some container objects are not added when migrating from a pre-lightweight CAs master, causing replica installation to fail. Make sure that the containers exist and add an explanatory comment.
  Fixes: https://fedorahosted.org/freeipa/ticket/5963
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Split CA replica installation steps for domain level 0 (Fraser Tweedale, 2016-07-01, 1 file, -1/+6)
  Installation from replica file is broken because lightweight CA replication setup is attempted before Kerberos is set up. To fix the issue, explicitly execute step 1 before Kerberos setup, and step 2 afterwards.
  Part of: https://fedorahosted.org/freeipa/ticket/5963
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* webui: prevent infinite reload for users with krbprincipal alias set (Petr Vobornik, 2016-07-01, 1 file, -1/+5)
  Web UI has an inbuilt mechanism to reload in case the response from a server contains a different principal than the one loaded during Web UI startup. See rpc.js:381.
  With kerberos aliases support the loaded principal could be different because krbprincipalname contained multiple values. In such a case krbcanonicalname should be used: it contains the same principal as the one which will be in future API responses.
  https://fedorahosted.org/freeipa/ticket/5927
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix minor typo (Yuri Chornoivan, 2016-07-01, 1 file, -1/+1)
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add --ca option to cert-revoke and cert-remove-hold (Fraser Tweedale, 2016-07-01, 3 files, -21/+40)
  Implement the --ca option for cert-revoke and cert-remove-hold. Defaults to the IPA CA. Raise NotFound if the cert with the given serial was not issued by the nominated CA.
  Also default the --ca option of cert-show to the IPA CA.
  Add commentary to cert-status to explain why it does not use the --ca option.
  Fixes: https://fedorahosted.org/freeipa/ticket/5999
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* service: Added permissions for auth. indicators read/modify (Stanislav Laznicka, 2016-06-30, 2 files, -4/+4)
  Added permissions for Kerberos authentication indicators reading and modifying to service objects.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* host: Added permissions for auth. indicators read/modify (Stanislav Laznicka, 2016-06-30, 2 files, -3/+4)
  Added permissions for Kerberos authentication indicators reading and modifying to host objects.
  https://fedorahosted.org/freeipa/ticket/433
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* server: exclude Local commands from RPC (Jan Cholasta, 2016-06-30, 3 files, -10/+23)
  Local API commands are not supposed to be executed over RPC but only locally on the server. They are already excluded from API schema; exclude them also from RPC and the `batch` and `json_metadata` commands.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* client: add placeholders for required remote plugins (Jan Cholasta, 2016-06-30, 3 files, -3/+78)
  Add placeholders for remote plugins which are required by client-side commands. They are used when the remote plugins are not available.
  This fixes an API initialization error when the remote server does not have the plugins.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* client: ignore override errors in command overrides (Jan Cholasta, 2016-06-30, 22 files, -43/+43)
  This fixes API initialization errors when the remote server does not have the overridden command.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* plugable: add option to ignore override errors (Jan Cholasta, 2016-06-30, 1 file, -13/+19)
  Add new `no_fail` option to API.add_plugin. When set to True, override errors are ignored and the affected plugins are skipped.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* cert: fix CLI output of cert_remove_hold (Jan Cholasta, 2016-06-30, 2 files, -9/+13)
  cert_remove_hold uses output params instead of exceptions to convey unsuccessful result. Move the output params to the client side before the command is fixed to use exceptions.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* frontend: do not ignore client-side output params (Jan Cholasta, 2016-06-30, 1 file, -1/+12)
  Do not ignore output params defined in client-side overrides.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* user: add object plugin for user_status (Jan Cholasta, 2016-06-30, 5 files, -32/+50)
  Change user_status from a method of user to a method of a new userstatus class, which defines the extra attributes returned by user_status.
  This fixes user_status CLI output.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* server: define missing virtual attributes (Jan Cholasta, 2016-06-30, 12 files, -166/+147)
  Move virtual attributes defined in output params of methods into params of the related object.
  This fixes the virtual attributes being omitted in CLI output.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Check for CA subject name collision before attempting creation (Fraser Tweedale, 2016-06-30, 1 file, -0/+7)
  Lightweight CA subject name collisions are prevented by Dogtag (response code 409 Conflict); however, we do not want to expose the Dogtag error. Perform the check in the IPA framework as well, raising DuplicateEntry on collision.
  Fixes: https://fedorahosted.org/freeipa/ticket/5981
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Fix `Conflicts` with ipa-python (Petr Spacek, 2016-06-30, 1 file, -2/+2)
  The conflicts should have constant version in it because it is related to package split.
  https://fedorahosted.org/freeipa/ticket/6004
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* cert-request: better error msg when 'add' not supported (Fraser Tweedale, 2016-06-30, 2 files, -3/+28)
  cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist". Add a new error type with better error message to explain that 'add' is not supported for host or user principals.
  Fixes: https://fedorahosted.org/freeipa/ticket/5991
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Fix ipa-server-certinstall with certs signed by 3rd-party CA (Florence Blanc-Renaud, 2016-06-30, 1 file, -3/+17)
  Multiple issues fixed:
  - when untracking a certificate, the path to the NSS directory must be exactly identical (no trailing /), otherwise the request is not found and the old certificate is still tracked.
  - when a cert is issued by a 3rd party CA, no need to track it
  - the server_cert should not be found using cdb.find_server_certs()[0][0] because this function can return multiple server certificates. For instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert with the trust flags u,u,u. This leads to trying to track ipaCert (which is already tracked). The workaround is looking for server certs before and after the import, and extract server-cert as the certificate in the second list but not in the first list.
  https://fedorahosted.org/freeipa/ticket/4785
  https://fedorahosted.org/freeipa/ticket/4786
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix wrong imports in copy-schema-to-ca.py (Stanislav Laznicka, 2016-06-30, 1 file, -3/+13)
  Some imports were not possible in old versions of IPA. This caused import exceptions on the script start.
  https://fedorahosted.org/freeipa/ticket/6003
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add button for server-del command (Pavel Vomacka, 2016-06-30, 3 files, -1/+72)
  WebUI counterpart of: https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add support to change button css class on confirm dialog (Pavel Vomacka, 2016-06-30, 1 file, -0/+11)
  Part of: https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Simplify the confirmation messages (Pavel Vomacka, 2016-06-30, 2 files, -4/+4)
  The confirmation of the revoke and remove certificate hold actions is simpler and more consistent with other parts of WebUI.
  Part of: https://fedorahosted.org/freeipa/ticket/5381
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS: Reinitialize DNS resolver after changing resolv.conf (Petr Spacek, 2016-06-30, 1 file, -0/+6)
  Previously the installer did not reinitialize the resolver, so queries for records created using the --ip-address option might not be answered. This led to incorrect results during the 'Updating DNS system records' phase at the end of installation.
  This is kind of a hack, but right now we do not have enough time to extend python-dns's interface with a resolver_reinit() method.
  https://fedorahosted.org/freeipa/ticket/5962
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* makeaci, makeapi, oddjob: use the default API context (Jan Cholasta, 2016-06-30, 3 files, -4/+2)
  Use the default context rather than the server context for code not running inside the server.
  This prevents the affected code from attempting to initialize the session manager.
  https://fedorahosted.org/freeipa/ticket/5988
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* xmlserver: initialize RPC server plugins only in server context (Jan Cholasta, 2016-06-30, 1 file, -1/+1)
  Do not initialize the plugins for all in-server API instances, as they are used only in the server context.
  This prevents code using in-server API instances from attempting to initialize the session manager.
  https://fedorahosted.org/freeipa/ticket/5988
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* session: do not initialize session manager on import (Jan Cholasta, 2016-06-30, 3 files, -6/+19)
  Removes the side effect of attempting to connect to memcached when the session module is imported, which caused user visible warnings and/or SELinux AVC denials.
  https://fedorahosted.org/freeipa/ticket/5988
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* session: move the session module from ipalib to ipaserver (Jan Cholasta, 2016-06-30, 6 files, -7/+7)
  The module is used only on the server, so there's no need to have it in ipalib, which is shared by client and server.
  https://fedorahosted.org/freeipa/ticket/5988
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Change paths of strings in auth indicators widget on service page (Pavel Vomacka, 2016-06-30, 1 file, -3/+3)
  Strings which are used by the widget which shows authentication indicators were moved. Therefore the change in string paths.
  Part of: https://fedorahosted.org/freeipa/ticket/5872
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add authentication identificator to host page (Pavel Vomacka, 2016-06-30, 3 files, -6/+26)
  Also move strings which are connected with authentication indicators to the authtype dict. This place is more general than having them in the service dict. It's nicer when these strings are not used only on the service page.
  Part of: https://fedorahosted.org/freeipa/ticket/5872
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add authentication indicators support to Host objects (Nathaniel McCallum, 2016-06-30, 3 files, -6/+24)
  https://fedorahosted.org/freeipa/ticket/433
  Reviewed-By: Sumit Bose <sbose@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* cert.py split module docstring to multiple ugetext strings (Martin Basti, 2016-06-30, 1 file, -37/+37)
  It is hard to translate the whole docstring again and again after each minor change. This split will make life for translators easier.
  (Just note: the docstring was changed and that is the reason why I'm sending this, because translators must translate it again anyway.)
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix replica install with CA (Martin Basti, 2016-06-30, 2 files, -11/+6)
  The incorrect api was used, and the CA record update was duplicated.
  https://fedorahosted.org/freeipa/ticket/5966
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Tests: Fix frontend tests (Lenka Doudova, 2016-06-30, 1 file, -3/+0)
  Test ipatests/test_ipalib/test_frontend.py::test_Command::test_validate fails due to attributes that are no longer present; therefore the assertion for these values was removed.
  https://fedorahosted.org/freeipa/ticket/5987
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py (Lenka Doudova, 2016-06-30, 1 file, -11/+9)
  Test failures were caused mainly by assertion between unicode and nonunicode string, or due to changes in code related to thin client.
  Fixes:
  test_Command::test_default_from_chaining
  test_Command::test_args_options_2_params
  test_Command::test_params_2_args_options
  test_Command::test_validate_output_per_type
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* Tests: Remove DNS configuration from trust tests (Lenka Doudova, 2016-06-30, 1 file, -40/+4)
  Since DNS configuration is no longer needed for running trust tests, this method's contents are removed. The method is left empty as a reference for others, should they have issues with DNS configuration.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* replica install: don't allow install against a newer server (Jan Cholasta, 2016-06-30, 1 file, -2/+26)
  If the version of the remote server is higher than the local version, don't allow installing a replica of it.
  https://fedorahosted.org/freeipa/ticket/5983
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* backup: use in-server API in ipa-backup and ipa-restore (Jan Cholasta, 2016-06-30, 2 files, -2/+2)
  Use in-server API so that the commands don't try to fetch API schema and fail.
  https://fedorahosted.org/freeipa/ticket/5995
  Reviewed-By: Milan Kubik <mkubik@redhat.com>