summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* ipa-kdb: do not fetch client principal if it is the same as existing entryAlexander Bokovoy2014-03-061-6/+13
| | | | | | | | | | | | | | | When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
* tests: Create the testing service certificate on demandPetr Viktorin2014-03-066-166/+121
| | | | | | | | | Replace the make-testcert command with a module that creates the certificate when it is first needed. As a result the tests are more self-contained, and can be run from a read-only location (such as installed from a system package). Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib.plugable: Always set the parser in bootstrap()Petr Viktorin2014-03-051-4/+6
| | | | | | | | | | In cases where logging was already configured by the time API.bootstrap() was called, saving the argument parser was mistakenly skipped along with the logging configuration. Always set the argument parser on the API object. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* man: sshd should be run at least once before client enrollmentTomas Babej2014-03-051-0/+3
| | | | | | | | | | If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* fix filtering of subdomain-based trust usersAlexander Bokovoy2014-03-051-9/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix token secret length RFC complianceNathaniel McCallum2014-03-051-1/+1
| | | | | | | | | RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-053-57/+58
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add tests for integration test configurationPetr Viktorin2014-03-051-0/+437
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Convert some text values to strPetr Viktorin2014-03-052-8/+8
| | | | | | | When loading from file, some strings are loaded as unicode, which would throw off assert_deepequal. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-test-config: Add --json and --yaml output optionsPetr Viktorin2014-03-052-2/+40
| | | | | | | | Also update the man page. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Add environment variables for JSON/YAMLPetr Viktorin2014-03-051-1/+18
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Load/store from/to dictsPetr Viktorin2014-03-053-5/+93
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Do not store the index in Domain and Host objectsPetr Viktorin2014-03-052-31/+35
| | | | | | | The index is a detail of the environment variable method of configuration, it should only be used there. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Use a more declarative approach to test-wide settingsPetr Viktorin2014-03-051-57/+50
| | | | | | | | The list of options was duplicated too many times. Consolidate. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Do not save the input environmentPetr Viktorin2014-03-052-36/+25
| | | | | | | | | | | | | Using the input environment saved in self._session_env outside of the config loading meant that methods of configuration other than environment variables wouldn't be possible. Restructure the roles/extra_roles to not depend on _session_env. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Fix crash in to_env when no replica is definedPetr Viktorin2014-03-051-4/+10
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: Don't act on keyboard events which originated in different dialogPetr Vobornik2014-03-051-2/+33
| | | | | | | | | | | | | | | | | | Fixes issue when: 1. 2 dialogs are opened 2. top dialog's close button is focused 3. user presses enter to execute 'close' action 4. dialog is immediately closed (enter key is still pressed) 5. second dialog automatically receives focus (it's top dialog now) 6. user releases the key 7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event 8. UNDESIRED behavior occurs Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there. https://fedorahosted.org/freeipa/ticket/4098 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Typo in warning message where IPA realm and domain name differGabe2014-03-051-1/+1
| | | | | | | | Removed 'y' from warning message. https://fedorahosted.org/freeipa/ticket/4211 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Test fixed modlist generation codePetr Viktorin2014-03-032-1/+17
| | | | | https://fedorahosted.org/freeipa/ticket/4138 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix modlist generation code not to generate empty replace mods.Jan Cholasta2014-03-031-3/+3
| | | | | https://fedorahosted.org/freeipa/ticket/4138 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* adtrustinstance: make sure to stop and disable winbind in uninstall()Alexander Bokovoy2014-02-281-2/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver/dcerpc: catch the case of insuffient permissions when establishing ↵Alexander Bokovoy2014-02-271-2/+5
| | | | | | | | | | | | | | trust We attempt to delete the trust that might exist already. If there are not enough privileges to do so, we wouldn't be able to create trust at the next step and it will fail. However, failure to create trust will be due to the name collision as we already had the trust with the same name before. Thus, raise access denied exception here to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. https://fedorahosted.org/freeipa/ticket/4202 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* trusts: Remove usage of deprecated LDAP APITomas Babej2014-02-271-2/+2
| | | | | | | | | Remove a reference to the old deprecated LDAP API invoked by the usage of trust_add method. https://fedorahosted.org/freeipa/ticket/4204 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: Focus expand/collapse link in batch_error dialogPetr Vobornik2014-02-271-0/+2
| | | | | | | | Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog https://fedorahosted.org/freeipa/ticket/4097 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared ↵Alexander Bokovoy2014-02-261-0/+8
| | | | | | | | | | | | by admin When admin clears authdata flag for the service principal, KDC will pass NULL client pointer (service proxy) to the DAL driver. Make sure we bail out correctly. Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-kdb: in case of delegation use original client's database entry, not the ↵Alexander Bokovoy2014-02-261-2/+7
| | | | | | | | | proxy https://fedorahosted.org/freeipa/ticket/4195 Reviewed-By: Tomáš Babej <tbabej@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* bindinstance: make sure zone manager is initialized in add_master_dns_recordsAlexander Bokovoy2014-02-261-0/+1
| | | | | | | | | Bind instance is configured using a short-circuited way when replica is set up. Make sure required properties are in place for that. https://fedorahosted.org/freeipa/ticket/4186 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update API.txtPetr Viktorin2014-02-251-2/+2
| | | | | This fixes commit be7b1b94e300b137c34bab80df3dc91195259c89 https://fedorahosted.org/freeipa/ticket/4163
* Remove NULLS from constants.pyNathaniel McCallum2014-02-253-12/+14
| | | | | | | | | | In the parameters system, we have been checking for a positive list of values which get converted to None. The problem is that this method can in some cases throw warnings when type coercion doesn't work (particularly, string to unicode). Instead, any values that evaluate to False that are neither numeric nor boolean should be converted to None. Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* Certificate search max_serial_number problem fixedAdam Misnyovszki2014-02-251-0/+2
| | | | | | | | Maximum serial number field now accepts only positive numbers https://fedorahosted.org/freeipa/ticket/4163 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: Fix incorrect order of operations when restoring backupTomas Babej2014-02-251-1/+1
| | | | | | | | | | When restoring files from backup, we do use an incorrect order of operations - we first restore SELinux context and then copy the files from backup, when we need to do the exact opposite. https://fedorahosted.org/freeipa/ticket/4133 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* Always use real entry DNs for memberOf in ldap2.Jan Cholasta2014-02-241-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4192 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make all ipatokenTOTP attributes mandatoryNathaniel McCallum2014-02-211-1/+1
| | | | | | | | Originally we made them all optional as a workaround for the lack of SELFDN support in 389DS. However, with the advent of SELFDN, this hack is no longer necessary. This patch updates TOTP to match HOTP in this regard. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.Petr Spacek2014-02-211-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4188 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use super() properly to avoid an exceptionNathaniel McCallum2014-02-211-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4099 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission plugin: Do not assume attribute-level rights for new attributes ↵Petr Viktorin2014-02-211-7/+10
| | | | | | | | | | | | | are present With the --all --raw options, the code assumed attribute-level rights were set on ipaPermissionV2 attributes, even on permissions that did not have the objectclass. Add a check that the data is present before using it. https://fedorahosted.org/freeipa/ticket/4121 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the unused ipalib.frontend.Property classPetr Viktorin2014-02-215-127/+23
| | | | | | | | | | This class was built into the framework from its early days but it's not used anywhere. Remove it along with its tests https://fedorahosted.org/freeipa/ticket/3460 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* libotp: do not call internal search for NULL dnAlexander Bokovoy2014-02-211-1/+6
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Teach ipa-pwd-extop to respect global ipaUserAuthType settingsNathaniel McCallum2014-02-217-406/+398
| | | | | | https://fedorahosted.org/freeipa/ticket/4105 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP sync support to ipa-pwd-extopNathaniel McCallum2014-02-219-970/+373
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-218-0/+225
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add HOTP supportNathaniel McCallum2014-02-218-22/+69
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add --force option to ipactlAdam Misnyovszki2014-02-202-48/+67
| | | | | | | | | | | | | | | | If an error occurs in the start up sequence in ipactl start/restart, all the services are stopped. Using the --force option prevents stopping of services that have successfully started, just skips the services which can not be started. ipactl status now shows stopped services also, if the directory server is running. With the contribution of Ana Krivokapic https://fedorahosted.org/freeipa/ticket/3509 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* .mailmap: use correct name format for AdamMartin Kosek2014-02-201-0/+1
| | | | | Name should be First-Name Last-Name. Map all Adam's contributions to this preferred format.
* Add tests for multivalued filtersPetr Viktorin2014-02-201-0/+216
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add permission_filter_objectclasses for explicit type filtersPetr Viktorin2014-02-2010-14/+30
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permissions: Use multivalued targetfilterPetr Viktorin2014-02-207-234/+296
| | | | | | | | | | | | | | | | Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 21:02:33 +0000