summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* webui: use unique ids for checkboxesPetr Vobornik2014-03-131-4/+1
| | | | | | | | Checkboxes have not used unique ids across the whole UI. It broke checking by clicking on label for later displayed instances. It became serious problem when rcue introduced new checkbox styles with 'label clicking' as default check method. https://fedorahosted.org/freeipa/ticket/3904 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* trust: do not fetch subdomains in case shared secret was used to set up the ↵Alexander Bokovoy2014-03-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | trust Until incoming trust is validated from AD side, we cannot run any operations against AD using the trust. Also, Samba currently does not suport verifying trust against the other party (returns WERR_NOT_SUPPORTED). This needs to be added to the documentation: When using 'ipa trust-add ad.domain --trust-secret', one has to manually validate incoming trust using forest trust properties in AD Domains and Trusts tool. Once incoming trust is validated at AD side, use IPA command 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. From this point on the trust should be usable. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver/dcerpc: make sure to always return unicode SID of the trust domainAlexander Bokovoy2014-03-121-1/+1
| | | | | | | | | | Trusted domain SID could be obtained through different means. When it is fetched from the AD DC via LDAP, it needs to be extracted from a default context and explicitly converted to unicode. https://fedorahosted.org/freeipa/ticket/4246 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support OTP in form based authPetr Vobornik2014-03-121-6/+32
| | | | | | | | OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor. https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Added QRcode generation to Web UIPetr Vobornik2014-03-129-7/+246
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* UI for managing user-auth typesPetr Vobornik2014-03-122-0/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* UI for radius proxyPetr Vobornik2014-03-126-1/+147
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* UI for OTP tokensPetr Vobornik2014-03-127-11/+361
| | | | | | https://fedorahosted.org/freeipa/ticket/3369 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Fix handling of action visibility change in action panelPetr Vobornik2014-03-121-0/+18
| | | | Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Use general password dialog for host OTPPetr Vobornik2014-03-121-136/+16
| | | | Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Password DialogPetr Vobornik2014-03-124-1/+351
| | | | Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Fixed doc examples in Spec_modPetr Vobornik2014-03-121-1/+3
| | | | Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Declarative replacement of array item in specification objectPetr Vobornik2014-03-121-1/+49
| | | | | | | | This patch adds option to define which item of which array attribute of specification object will be replaced by a new value. The difference between combination of $add and $del is that it keeps position of that item in the array. Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Added empty value meaning to boolean formatterPetr Vobornik2014-03-122-4/+20
| | | | | | | | | Boolean object properties can have different default meaning for not defined value. This patch allows to defined this meaning to `boolean_formatter` by introduction of `emty_value` property. `boolean_state_evaluator` was modified to leverage it as well. Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* ipa-sam: cache gid to sid and uid to sid requests in idmap cacheJason Woods2014-03-121-14/+114
| | | | | | | | | | | | | | | | | | | | | | Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the directory service for gid/uid<->sid resolution. Additionally, this patch further reduces number of queries by: - fast fail on uidNumber=0 which doesn't exist in FreeIPA, - return fallback group correctly when looking up user primary group as is done during init, - checking for group objectclass in case insensitive way Patch by Jason Woods <devel@jasonwoods.me.uk> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> https://fedorahosted.org/freeipa/ticket/4234 and https://bugzilla.redhat.com/show_bug.cgi?id=1073829 https://bugzilla.redhat.com/show_bug.cgi?id=1074314 Reviewed-By: Sumit Bose <sbose@redhat.com>
* permission_add: Remove permission entry if adding the ACI failsPetr Viktorin2014-03-122-1/+45
| | | | | | https://fedorahosted.org/freeipa/ticket/4187 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-114-31/+32
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Avoid passing non-terminated string to is_master_hostMartin Kosek2014-03-111-1/+2
| | | | | | | | | | | When string is not terminated, queries with corrupted base may be sent to LDAP: ... cn=ipa1.example.com<garbage>,cn=masters... https://fedorahosted.org/freeipa/ticket/4214 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* permission-find: Cache the root entry for legacy permissionsPetr Viktorin2014-03-111-8/+23
| | | | | | | | | This makes searching faster if there are many legacy permissions present. The root entry (which contains all legacy permission ACIs) is only looked up once. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Log unhandled exceptions in certificate renewal scripts.Jan Cholasta2014-03-107-211/+262
| | | | | | https://fedorahosted.org/freeipa/ticket/4093 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* permissions plugin: Don't crash with empty targetfilterPetr Viktorin2014-03-072-1/+48
| | | | | | https://fedorahosted.org/freeipa/ticket/4206 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Allow multiple values for memberofPetr Viktorin2014-03-074-11/+55
| | | | | | | Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions Additional fix for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission-mod: Remove attributelevelrights before reverting entryPetr Viktorin2014-03-072-1/+29
| | | | | | | | | LDAPUpdate adds the display-only 'attributelevelrights' attribute, which doesn't exist in LDAP. Remove it before reverting entry. https://fedorahosted.org/freeipa/ticket/4212 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipa-kdb: do not fetch client principal if it is the same as existing entryAlexander Bokovoy2014-03-061-6/+13
| | | | | | | | | | | | | | | When client principal is the same as supplied client entry, don't fetch it again. Note that when client principal is not NULL, client entry might be NULL for cross-realm case, so we need to make sure to not dereference NULL pointer here. Also fix reverted condition for case when we didn't find the client principal in the database, preventing a memory leak. https://fedorahosted.org/freeipa/ticket/4223 Reviewed-By: Sumit Bose <sbose@redhat.com>
* tests: Create the testing service certificate on demandPetr Viktorin2014-03-066-166/+121
| | | | | | | | | Replace the make-testcert command with a module that creates the certificate when it is first needed. As a result the tests are more self-contained, and can be run from a read-only location (such as installed from a system package). Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib.plugable: Always set the parser in bootstrap()Petr Viktorin2014-03-051-4/+6
| | | | | | | | | | In cases where logging was already configured by the time API.bootstrap() was called, saving the argument parser was mistakenly skipped along with the logging configuration. Always set the argument parser on the API object. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* man: sshd should be run at least once before client enrollmentTomas Babej2014-03-051-0/+3
| | | | | | | | | | If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* fix filtering of subdomain-based trust usersAlexander Bokovoy2014-03-051-9/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4207 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix token secret length RFC complianceNathaniel McCallum2014-03-051-1/+1
| | | | | | | | | RFC 4226 states the following in section 4: R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rework how otptoken defaults are handledNathaniel McCallum2014-03-053-57/+58
| | | | | | | | | | | | We had originally decided to provide defaults on the server side so that they could be part of a global config for the admin. However, on further reflection, only certain defaults really make sense given the limitations of Google Authenticator. Similarly, other defaults may be token specific. Attempting to handle defaults on the server side also makes both the UI and the generated documentation unclear. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add tests for integration test configurationPetr Viktorin2014-03-051-0/+437
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Convert some text values to strPetr Viktorin2014-03-052-8/+8
| | | | | | | When loading from file, some strings are loaded as unicode, which would throw off assert_deepequal. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-test-config: Add --json and --yaml output optionsPetr Viktorin2014-03-052-2/+40
| | | | | | | | Also update the man page. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Add environment variables for JSON/YAMLPetr Viktorin2014-03-051-1/+18
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Load/store from/to dictsPetr Viktorin2014-03-053-5/+93
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Do not store the index in Domain and Host objectsPetr Viktorin2014-03-052-31/+35
| | | | | | | The index is a detail of the environment variable method of configuration, it should only be used there. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Use a more declarative approach to test-wide settingsPetr Viktorin2014-03-051-57/+50
| | | | | | | | The list of options was duplicated too many times. Consolidate. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Do not save the input environmentPetr Viktorin2014-03-052-36/+25
| | | | | | | | | | | | | Using the input environment saved in self._session_env outside of the config loading meant that methods of configuration other than environment variables wouldn't be possible. Restructure the roles/extra_roles to not depend on _session_env. Part of the work for: https://fedorahosted.org/freeipa/ticket/3938 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_integration.config: Fix crash in to_env when no replica is definedPetr Viktorin2014-03-051-4/+10
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: Don't act on keyboard events which originated in different dialogPetr Vobornik2014-03-051-2/+33
| | | | | | | | | | | | | | | | | | Fixes issue when: 1. 2 dialogs are opened 2. top dialog's close button is focused 3. user presses enter to execute 'close' action 4. dialog is immediately closed (enter key is still pressed) 5. second dialog automatically receives focus (it's top dialog now) 6. user releases the key 7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event 8. UNDESIRED behavior occurs Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there. https://fedorahosted.org/freeipa/ticket/4098 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
* Typo in warning message where IPA realm and domain name differGabe2014-03-051-1/+1
| | | | | | | | Removed 'y' from warning message. https://fedorahosted.org/freeipa/ticket/4211 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Test fixed modlist generation codePetr Viktorin2014-03-032-1/+17
| | | | | https://fedorahosted.org/freeipa/ticket/4138 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix modlist generation code not to generate empty replace mods.Jan Cholasta2014-03-031-3/+3
| | | | | https://fedorahosted.org/freeipa/ticket/4138 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* adtrustinstance: make sure to stop and disable winbind in uninstall()Alexander Bokovoy2014-02-281-2/+5
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaserver/dcerpc: catch the case of insuffient permissions when establishing ↵Alexander Bokovoy2014-02-271-2/+5
| | | | | | | | | | | | | | trust We attempt to delete the trust that might exist already. If there are not enough privileges to do so, we wouldn't be able to create trust at the next step and it will fail. However, failure to create trust will be due to the name collision as we already had the trust with the same name before. Thus, raise access denied exception here to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. https://fedorahosted.org/freeipa/ticket/4202 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trust: make sure we always discover topology of theAlexander Bokovoy2014-02-271-31/+6
| | | | | | | | | | forest trust Even though we are creating idranges for subdomains only in case there is algorithmic ID mapping in use, we still need to fetch list of subdomains for all other cases. https://fedorahosted.org/freeipa/ticket/4205
* trusts: Remove usage of deprecated LDAP APITomas Babej2014-02-271-2/+2
| | | | | | | | | Remove a reference to the old deprecated LDAP API invoked by the usage of trust_add method. https://fedorahosted.org/freeipa/ticket/4204 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in ↵Petr Viktorin2014-02-271-0/+2
| | | | | | | | JSON metadata https://fedorahosted.org/freeipa/ticket/4201 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trustdomain_find: make sure we skip short entries when --pkey-only is specifiedAlexander Bokovoy2014-02-271-0/+2
| | | | | | | | | With --pkey-only only primary key is returned. It makes no sense to check and replace boolean values then. https://fedorahosted.org/freeipa/ticket/4196 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* webui: Focus expand/collapse link in batch_error dialogPetr Vobornik2014-02-271-0/+2
| | | | | | | | Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog https://fedorahosted.org/freeipa/ticket/4097 Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
generated by cgit (git 2.34.1) at 2026-03-15 19:11:53 +0000