freeipa.git/ipaserver/plugins, branch pwdpolicy FreeIPA patches cert: fix search limit handling in cert-find 2017-01-24T12:53:07+00:00 Jan Cholasta jcholast@redhat.com 2017-01-17T13:34:33+00:00 85834abad655c6aed54c0253bc194ece81d78774 If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well. Detect and report if size limit was exceeded in the certificate search in the CA. Do not apply limits to the internal ca-find call. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
dogtag: search past the first 100 certificates 2017-01-24T12:53:07+00:00 Jan Cholasta jcholast@redhat.com 2016-12-21T08:55:40+00:00 d84edc43e55c2f7c30614a4a5268aeb58e33a087 Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
py3: decode bytes for json.loads() 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-12T15:20:43+00:00 18337bf7f7c31a47fe0c7280f82fca043b548bd5 In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
dogtag.py: fix exception logging of JSON data 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-11T13:38:25+00:00 0eb5a0e0ec2d232d2921ae5f9e8d0885146a5610 'read_ca' and 'create_ca' have no logging when exception happened and it masks real reason why it failed. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: convert_attribute_members: don't use bytes as parameter for DN 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-11T12:39:04+00:00 1e0f98a146ecedf84b8e3e07fbd41a897ddd399d due perfomance improvement in e4930b3235e5d61d227a7e43d30a8feb7f35664d we have to decode value before it can be used in DN() constructor. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
due perfomance improvement in e4930b3235e5d61d227a7e43d30a8feb7f35664d
we have to decode value before it can be used in DN() constructor.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: add_entry_to_group: attribute name must be string not bytes 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-11T09:23:04+00:00 0a1d7f2e01819ad6e4a19d0416b3a01883dea7d0 With bytes as attribute name pyldap raises type error https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
With bytes as attribute name pyldap raises type error

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix coverity issue 2017-01-16T13:44:54+00:00 Tomas Krizek tkrizek@redhat.com 2017-01-12T09:49:12+00:00 49855ca9dea9241ccd88e3a89b499b6fed4493c9 A code path exists, where principal_obj is None. Add check principal_obj is not None to avoid dereferencing it. Reviewed-By: Martin Basti <mbasti@redhat.com> 
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reuse self.api when executing ca_enabled_check 2017-01-11T14:26:20+00:00 Fraser Tweedale ftweedal@redhat.com 2016-12-19T04:31:14+00:00 09a65df6842411d42966111e50924df3de0b7031 The ca_enabled_check function is a wrapper around api.Command.ca_is_enabled. When using remote_api (e.g. during installer), ca_enabled_check invokes the *global* api instead of the remote_api. Update ca_enabled_check to explicitly receive an api object from the caller and invoke Command.ca_is_enabled through it. Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled.  When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.

Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa_generate_password algorithm change 2017-01-06T08:26:56+00:00 Petr Spacek pspacek@redhat.com 2016-12-21T14:07:34+00:00 fb7c111ac13510609e2cba14ecf88cd2ed291a4b A change to the algorithm that generates random passwords for multiple purposes throught IPA. This spells out the need to assess password strength by the entropy it contains rather than its length. This new password generation should also be compatible with the NSS implementation of password requirements in FIPS environment so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Change activity text while loading metadata 2017-01-05T18:13:37+00:00 Pavel Vomacka pvomacka@redhat.com 2016-08-09T10:43:09+00:00 be7865bf4f9b6774a17f31380e96b76d0473f982 After log in into webui there was 'Authenticating' sign even during loading metadata. Now while data are loading there is 'Loading data' text. This change requires new global topic 'set-activity' of activity widget. So for now there is possibility to change every activity string during running phase just by publishing 'set-activity' topic and setting new text as first parameter. Part of: https://fedorahosted.org/freeipa/ticket/6144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.

Part of: https://fedorahosted.org/freeipa/ticket/6144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>