Commit log (commit message; author, date, files changed, lines removed/added)
* Display serial number as HEX (DECIMAL) when showing certificates. (Rob Crittenden, 2012-03-14; 10 files, -19/+50)
  https://fedorahosted.org/freeipa/ticket/1991
* Don't crash when searching with empty relationship options (Petr Viktorin, 2012-03-13; 2 files, -22/+122)
  Empty sequences (and sequences of empty strings) are normalized to None, but the member filter code expected a list. This patch extends a test for missing options to also catch false values.
  The functional change is from `if param_name in options:` to `if options.get(param_name):`; the rest of the patch is code de-duplication and tests.
  These are CSV params with csv_skipspace set, so on the CLI, empty set is given as a string with just spaces and commas (including the empty string).
  https://fedorahosted.org/freeipa/ticket/2479
* Don't set dbdir in the connection until after the connection is created. (Rob Crittenden, 2012-03-13; 1 file, -5/+7)
  We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made.
  This worked on single server installs because we don't do a ping so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request, this is what would have pre-initialized NSS.
  This was tripping up request-cert because it will initialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR.
  A non-working client was doing this when calling cert-request:
  - call load_certificate_request()
  - nss.nss_nodb_init()
  - load the CSR
  - create a connection, dbdir=/etc/pki/nssdb
  - the dbdir matches within the same connection, don't call nss_shutdown()
  - connect to remote server
  - fail, untrusted CA because we are still using db from nss_nodb_init.
  Instead if we set dbdir afterward then this will properly be shutdown and NSS re-initialized with correct dbdir.
  https://fedorahosted.org/freeipa/ticket/2498
* Set SELinux boolean httpd_manage_ipa so ipa_memcached will work. (Rob Crittenden, 2012-03-13; 1 file, -26/+33)
  This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
  https://fedorahosted.org/freeipa/ticket/2432
* Fixed checkbox value in table without pkey (Petr Vobornik, 2012-03-14; 1 file, -0/+1)
  When a table is displaying a record set without the entity's pkey attribute, a checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
  https://fedorahosted.org/freeipa/ticket/2404
* Fixed mask validation in network_validator (Petr Vobornik, 2012-03-14; 1 file, -7/+5)
  Network validator allowed invalid mask format:
    * leading zeros: 192.168.0.1/0024
    * trailing chars: 192.168.0.1/24abcd
  It was fixed.
  https://fedorahosted.org/freeipa/ticket/2493
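The two bad mask formats named in the commit above, handled by a Python stand-in for the network_validator fix (added example code, not FreeIPA's own validator); it goes slightly beyond the commit by also bounding IPv6 prefix lengths, and the sample inputs are constructed.

```python
import ipaddress
import re

# Added example (not FreeIPA code): a network/mask validator that rejects the
# two formats the commit lists, leading zeros ("/0024") and trailing
# characters ("/24abcd"), and that also handles IPv6 prefix lengths.

# A prefix length is "0" or a number with no leading zero and at most 3 digits.
_PREFIX_RE = re.compile(r"0|[1-9][0-9]{0,2}")


def validate_network(value):
    """Return (ok, reason) for 'address' or 'address/prefix' strings."""
    if not isinstance(value, str):
        return False, "not a string"
    address, sep, prefix = value.partition("/")
    try:
        ip = ipaddress.ip_address(address)   # also rejects '192.168.0', '' etc.
    except ValueError:
        return False, "invalid address"
    if not sep:
        return True, "ok"                    # bare address, no mask given
    # fullmatch, not match/search: '24abcd' and '0024' must fail as a whole.
    if not _PREFIX_RE.fullmatch(prefix):
        return False, "invalid mask format"  # '0024', '24abcd', '', '-1'
    if int(prefix) > ip.max_prefixlen:       # 32 for IPv4, 128 for IPv6
        return False, "mask out of range"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample inputs, including the two from the commit message
    for sample in ("192.168.0.1/24", "192.168.0.1/0024", "192.168.0.1/24abcd",
                   "192.168.0.1/33", "2001:db8::/64"):
        print(sample, validate_network(sample))
```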
* Fix ipa-replica-manage TLS connection error (Martin Kosek, 2012-03-14; 1 file, -2/+5)
  New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate.
  This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap.
  https://fedorahosted.org/freeipa/ticket/2500
* Fix nsslapd-anonlimitsdn dn in cn=config (Rob Crittenden, 2012-03-13; 2 files, -2/+2)
  The dn value needs to be quoted otherwise it is interpreted to be a multi-value.
  This will replace whatever value is currently set.
  https://fedorahosted.org/freeipa/ticket/2452
* Fix migration plugin compat check (Martin Kosek, 2012-03-11; 1 file, -3/+7)
  Ticket #2274 implements a check for compat plugin and warns user if it is enabled. However, there are 2 issues connected with the plugin:
  1) The check is performed against the remote (migrated) LDAP server and not the local LDAP server, which does not make much sense
  2) When the compat plugin is missing in cn=plugins,cn=config, it raises an error and thus breaks the migration
  This patch fixes both issues.
  https://fedorahosted.org/freeipa/ticket/2508
* Set minimum version of selinux-policy to pick up memcached fix (Rob Crittenden, 2012-03-11; 1 file, -1/+9)
  This package version adds a boolean, httpd_manage_ipa, that enables the ipa_memcached service to work.
  https://fedorahosted.org/freeipa/ticket/2433
* Refresh resolvers after DNS install (Martin Kosek, 2012-03-11; 3 files, -8/+13)
  Server framework calls acutil.res_send() to send DNS queries used for various DNS tests. However, once acutil is imported it does not change its list of configured resolvers even when /etc/resolv.conf is changed. This may lead to unexpected resolution issues.
  We should at least reload httpd when we change /etc/resolv.conf to point to FreeIPA nameserver to force a new import of acutil and thus workaround this bug until it is resolved in authconfig.
  https://fedorahosted.org/freeipa/ticket/2481
* Mark most config options as required (Petr Viktorin, 2012-03-12; 1 file, -15/+15)
  IPA assumes most config options are present, but allowed the user to delete them. This patch marks them as required.
  https://fedorahosted.org/freeipa/ticket/2159
* Enforce that required attributes can't be set to None in CRUD Update (Petr Viktorin, 2012-03-12; 3 files, -7/+17)
  The `required` parameter attribute didn't distinguish between cases where the parameter is not given at all, and where the parameter is given but empty. The case of updating a required attribute couldn't be validated properly, because when it is given but empty, validators don't run.
  This patch introduces a new flag, 'nonempty', that specifies the parameter can be missing (if not required), but it can't be None. This flag gets added automatically to required parameters in CRUD Update.
* Allow removing sudo commands with special characters from command groups (Petr Viktorin, 2012-03-12; 3 files, -5/+77)
  Previously the commands were compared as serialized strings. Differences in serializations meant commands with special characters weren't found in the checked list.
  Use the DN class to compare DNs correctly.
  https://fedorahosted.org/freeipa/ticket/2483
* More exception handlers in ipa-client-install (Ondrej Hamada, 2012-03-09; 1 file, -1/+8)
  Added exception handler to certutil operation of adding CA to the default NSS database. If operation fails, installation is aborted and changes are rolled back.
  https://fedorahosted.org/freeipa/ticket/2415
  If obtaining host TGT fails, the installation is aborted and changes are rolled back.
  https://fedorahosted.org/freeipa/ticket/1995
* Ignore case in yes/no prompts (Martin Kosek, 2012-03-07; 1 file, -1/+1)
  We did not accept answers like "Yes", "YES", "No", etc. as valid answers to yes/no prompts (used for example in dnsrecord-del interactive mode). This could confuse users.
  This patch changes the behavior to ignore the answer case.
  https://fedorahosted.org/freeipa/ticket/2484
* Fix NSS no_init in the NSSHTTPS class (Rob Crittenden, 2012-03-04; 1 file, -2/+2)
* Only warn if ipa-getkeytab doesn't get all requested enctypes. (Rob Crittenden, 2012-03-04; 1 file, -5/+32)
  Older client machines may request DES keys not supported in newer KDCs. This was causing the entire request to fail as well as client enrollment.
  https://fedorahosted.org/freeipa/ticket/2424
* Do kinit in client before connecting to backend (Rob Crittenden, 2012-03-04; 3 files, -7/+42)
  The client installer was failing because a backend connection could be created before a kinit was done.
  Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped.
  Add additional logging to client installer.
  https://fedorahosted.org/freeipa/ticket/2478
* Add --noac option to ipa-client-install man page (Rob Crittenden, 2012-03-04; 1 file, -0/+3)
  https://fedorahosted.org/freeipa/ticket/2369
* ipa-client-install not calling authconfig (Ondrej Hamada, 2012-03-05; 1 file, -62/+66)
  Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration.
  https://fedorahosted.org/freeipa/ticket/2369
* Fix API.txt and VERSION to reflect new sudoOrder option. (Rob Crittenden, 2012-03-01; 2 files, -4/+4)
* Improve dnsrecord interactive help (Martin Kosek, 2012-03-01; 2 files, -20/+109)
  Add 2 new features to DNS record interactive help to increase its usability and also make its behavior more consistent with standard parameter interactive help:
  1) Ask for missing DNS parts
     When a required part of a newly added DNS record was missing, we just returned a ValidationError. Now, the interactive help rather asks for all missing required parts of all DNS records that were being added by its parts.
  2) Let user amend invalid part
     When an interactive help asked for a DNS record part value and user enters an invalid value, the entire interactive help exits with an error. This may upset a user if he already entered several correct DNS record part values. Now, the help rather tells user what's wrong and gives him an opportunity to amend the value.
  https://fedorahosted.org/freeipa/ticket/2386
* Add help for new structured DNS framework (Martin Kosek, 2012-03-01; 1 file, -4/+31)
  DNS Test Day showed that the new RR specific DNS options and the concepts behind them may not be easily understood. This patch adds an explanation of the new DNS framework for structured options to make it easier for the user to understand and use the new options.
  https://fedorahosted.org/freeipa/ticket/2382
* Make hostnames adhere to new standards in hbactest plugin tests (Rob Crittenden, 2012-03-01; 1 file, -2/+2)
* Fix encoding for setattr/addattr/delattr (Martin Kosek, 2012-03-01; 1 file, -0/+2)
  Attribute values passed by --{set,add,del}attr parameters were normalized and validated using appropriate parameter, but were never encoded for the backend. This prevents manipulation with dirsvr BOOL attributes where framework tries to pass boolean value instead of encoded "TRUE"/"FALSE" values.
  https://fedorahosted.org/freeipa/ticket/2418
* Add support for sudoOrder (Rob Crittenden, 2012-03-01; 7 files, -9/+94)
  Update ipaSudoRule objectClass on upgrades to add new attributes.
  Ensure uniqueness of sudoOrder in rules.
  The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params.
  https://fedorahosted.org/freeipa/ticket/1314
* Removed CSV creation from UI (Petr Vobornik, 2012-03-02; 8 files, -41/+18)
  Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
  https://fedorahosted.org/freeipa/ticket/2227
* Configure SSH features of SSSD in ipa-client-install. (Jan Cholasta, 2012-03-01; 2 files, -2/+35)
  OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file.
  This requires SSSD 1.8.0.
* Use reboot from /sbin (Petr Viktorin, 2012-03-02; 1 file, -1/+1)
  According to FHS, the reboot command should live in /sbin. Systems may also have a symlink in /usr/bin, but they don't have to.
  https://fedorahosted.org/freeipa/ticket/2480
* Remove memberPrincipal for deleted replicas (Martin Kosek, 2012-03-02; 2 files, -2/+23)
  When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP.
  This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration.
  https://fedorahosted.org/freeipa/ticket/2451
* Add status command to retrieve user lockout status (Rob Crittenden, 2012-03-02; 2 files, -1/+122)
  This information is not replicated so pull from all IPA masters and display the status across all servers.
  https://fedorahosted.org/freeipa/ticket/2162
* Fix typos in ipa-replica-manage man page (Martin Kosek, 2012-03-02; 1 file, -3/+3)
  Based on contribution by Brian Harrington.
  https://fedorahosted.org/freeipa/ticket/2428
* Improved usability of login dialog (Petr Vobornik, 2012-03-02; 2 files, -6/+45)
  Usability was improved in Unauthorized/Login dialog. When the dialog is opened a link which switches to login form is focused so the user can do the following:
  1) press enter (login form is displayed and username field is focused)
  2) type username
  3) press tab
  4) type password
  5) press enter
  This sequence will execute login request.
  When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
  https://fedorahosted.org/freeipa/ticket/2450
* Forms based authentication UI (Petr Voborník, 2012-03-02; 17 files, -161/+527)
  Support for forms based authentication was added to UI. It consist of:
  1) new login page
     Page url is [ipa server]/ipa/ui/login.html
     Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successful page is redirected to [ipa server]/ipa/ui; if it fails from whatever reason a message is shown.
  2) new enhanced error dialog - authorization_dialog.
     This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires. It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If the user clicks on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
  login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
  https://fedorahosted.org/freeipa/ticket/2450
* Fix WSGI error handling (Rob Crittenden, 2012-03-02; 1 file, -6/+12)
  A number of different errors could occur when trying to handle an error which just confused matters.
  If no CCache was received then trying to retrieve context.principal in the error message caused yet another exception to be raised.
  Trying to get Command[name] if name wasn't defined in command would raise an exception.
  Trying to raise errors.CCache was failing because the response hadn't been started.
  https://fedorahosted.org/freeipa/ticket/2371
* Make hostnames adhere to new standards in HBAC tests (Rob Crittenden, 2012-03-01; 1 file, -2/+2)
* Fix ticket checks when using either s4u2proxy or a delegated krbtgt (Simo Sorce, 2012-03-01; 1 file, -2/+2)
  When using s4u2proxy the only ticket we can access via direct krb5 calls is the HTTP/ ticket which was saved in the ccache as evidence ticket. This ticket is later used by GSSAPI as evidence to obtain an ldap ticket. This works by chance, we shouldn't use calls to get_credentials just to verify ticket expiration dates, but I realize this is a limitation of the current krbV bindings and we have no other way around at the moment.
  Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to us. In that case the ccache will contain only a krbtgt, so as a fallback we check that.
  Checking the ldap/ ticket is never really useful. When s4u2proxy is used, trying to check the ldap/ ticket will fail because we do not have it yet on the first authentication before a session is established, and doing it later is not useful. When we have a krbtgt we could go and grab a ldap/ ticket directly, but again that makes little sense. In general all tickets will have the same expiration date (which depends on the original krbtgt) so checking one is sufficient.
  Fixes: http://fedorahosted.org/freeipa/ticket/2472
* Improve hostname verification in install tools (Martin Kosek, 2012-02-29; 1 file, -0/+7)
  Our install tools like ipa-server-install, ipa-replica-{prepare, install} may allow hostnames that do not match the requirements in ipalib. This creates a disconnect and may cause issues when user cannot delete hostnames created by install tools.
  This patch makes sure that ipalib requirements are applied to install tools hostnames as well.
  https://fedorahosted.org/freeipa/ticket/2089
* subclass HTTP_Status from plugable.Plugin, fix not_found tests (Rob Crittenden, 2012-02-29; 2 files, -8/+48)
  HTTP_Status needs to subclass from Plugin because it does its own logging.
  Add tests for other methods of HTTP_Status
* Migration warning when compat enabled (Ondrej Hamada, 2012-02-29; 3 files, -4/+32)
  Added check into migration plugin to warn user when compat is enabled. If compat is enabled, the migration fails and user is warned that he must turn the compat off or run the script with (the newly introduced) option '--with-compat'.
  '--with-compat' is new flag. If it is set, the compat status is ignored.
  https://fedorahosted.org/freeipa/ticket/2274
* Only apply validation rules when adding and updating. (Rob Crittenden, 2012-02-29; 14 files, -31/+145)
  There may be cases, for whatever reason, that an otherwise illegal entry gets created that doesn't match the criteria for a valid user/host/group name. If this happens (i.e. migration) there is no way to remove this using the IPA tools because we always applied the name pattern. So you can't, for example, delete a user with an illegal name.
  Primary keys are cloned with query=True in PKQuery which causes no rules to be applied on mod/show/find.
  This reverts a change from commit 3a5e26a0 which applies class rules when query=True (for enforcing no white space).
  Replace rdnattr with rdn_is_primary_key. This was meant to tell us when an RDN change was necessary to do a rename. There could be a disconnect where the rdnattr wasn't the primary key and in that case we don't need to do an RDN change, so use a boolean instead so that it is clear that RDN == primary key.
  Add a test to ensure that nowhitespace is actually enforced.
  https://fedorahosted.org/freeipa/ticket/2115
  Related: https://fedorahosted.org/freeipa/ticket/2089
  Whitespace tickets:
  https://fedorahosted.org/freeipa/ticket/1285
  https://fedorahosted.org/freeipa/ticket/1286
  https://fedorahosted.org/freeipa/ticket/1287
* Added logout button (Petr Voborník, 2012-02-28; 9 files, -6/+104)
  Logout button was added to Web UI. Click on logout button executes session_logout command. If command succeeds or xhr status is 401 (unauthorized - already logged out) page is redirected to logout.html.
  logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
  https://fedorahosted.org/freeipa/ticket/2363
* Don't delete system users that are added during installation. (Rob Crittenden, 2012-02-29; 3 files, -43/+9)
  We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership.
  https://fedorahosted.org/freeipa/ticket/2423
* Fixed content type check in login_password (Petr Vobornik, 2012-02-28; 1 file, -1/+1)
  login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'. Current check is an equality check of content_type http header. RFC 3875 defines that content type can contain parameters separated by ';'. For example: when firefox is doing ajax call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8' which leads to negative result.
  This patch makes the check more benevolent to allow such values.
  Patch is a fixup for: https://fedorahosted.org/freeipa/ticket/2095
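The strict equality check described in the commit above next to a check that compares only the media type, as an added example (not FreeIPA's login_password code); the request dicts and the choice of a 415 status for rejected bodies are the example's own.

```python
# Added example (not FreeIPA code): the strict Content-Type comparison the
# commit above describes, next to a check that parses the media type and
# ignores parameters such as "; charset=UTF-8". Request dicts are constructed.
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_content_type(header):
    """Split 'type/subtype; p=v' into (lower-cased media type, {param: value}).

    Parameter values may be quoted; a ';' inside quotes is not handled here,
    which is enough for the charset parameter browsers send."""
    if not header:
        return "", {}
    parts = [p.strip() for p in header.split(";")]
    params = {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        if key:
            params[key.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def strict_check(header):
    """Original behaviour: exact string equality, so Firefox's
    'application/x-www-form-urlencoded; charset=UTF-8' is rejected."""
    return header == FORM_TYPE


def lenient_check(header):
    """Fixed behaviour: compare only the media type, ignoring parameters."""
    media_type, _ = parse_content_type(header)
    return media_type == FORM_TYPE


def handle_login(request, check=lenient_check):
    """Return an HTTP status for a constructed request dict: 415 when the
    body is not a form post, 200 otherwise (credential checking is out of
    scope for this example)."""
    if not check(request.get("CONTENT_TYPE")):
        return 415
    return 200


SAMPLE_REQUESTS = {  # constructed sample requests
    "curl":    {"CONTENT_TYPE": FORM_TYPE},
    "firefox": {"CONTENT_TYPE": FORM_TYPE + "; charset=UTF-8"},
    "json":    {"CONTENT_TYPE": "application/json"},
    "missing": {},
}


def status_table(check):
    """Map each sample request name to the status the given check yields."""
    return {name: handle_login(req, check) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("strict :", status_table(strict_check))
    print("lenient:", status_table(lenient_check))
```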
* Log a message when returning non-success HTTP result (John Dennis, 2012-02-28; 2 files, -53/+67)
  The routines used to return a non-success HTTP result from WSGI failed to log the aberrant event, this corrects that omission.
* Improve FQDN handling in DNS and host plugins (Martin Kosek, 2012-02-29; 2 files, -31/+40)
  DNS and host plugin does not work well with domain names ending with dot. host plugin creates a record with two fqdn attributes when such hostname is created which then has to be manually fixed. DNS plugin handled zones with and without trailing dot as two distinct zones, which may lead to issues when both zones are created.
  This patch sanitizes approach to FQDNs in both DNS and host plugin. Hostnames are now always normalized to the form without trailing dot as this form did not work before and it would keep hostname form consistent without changes in our server/client enrollment process. As DNS zones always worked in both forms this patch rather makes sure that the plugin works with both forms of one zone and prevents creating 2 identical zones with just different format.
  https://fedorahosted.org/freeipa/ticket/2420
* Improve hostname and domain name validation (Martin Kosek, 2012-02-29; 5 files, -43/+100)
  DNS plugin did not check DNS zone and DNS record validity and user was thus able to create domains like "foo bar" or other invalid DNS labels which would really confuse both user and bind-dyndb-ldap plugin.
  This patch at first consolidates hostname/domain name validators so that they use common functions and we don't have regular expressions and other checks defined in several places. These new cleaned validators are then used for zone/record name validation.
  https://fedorahosted.org/freeipa/ticket/2384
* Improve dnsrecord-add interactive mode (Martin Kosek, 2012-02-29; 1 file, -4/+9)
  When an invalid record type is entered during dnsrecord-add interactive mode, user is provided with a list of allowed values (record types). However, the provided list contains also unsupported record types (APL, DHCID, etc.) and any attempt to add such records would end with error.
  This patch limits the list to supported record types only.
  https://fedorahosted.org/freeipa/ticket/2378
* Don't set migrated user's GID to that of default users group. (Rob Crittenden, 2012-02-29; 1 file, -3/+8)
  The GID should be the UID unless UPG is disabled.
  https://fedorahosted.org/freeipa/ticket/2430