path: root/install
Commit message (Author, Age, Files, Lines)
* Revert "Store GSSAPI session key in /var/run/ipa" (Martin Babinsky, 2017-04-27, 1 file, -3/+3)
  This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was pointed out that apache has no access to the /var/lib/ipa directory, breaking the session handling.
  https://pagure.io/freeipa/issue/6880
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Store GSSAPI session key in /var/run/ipa (Martin Basti, 2017-04-27, 1 file, -3/+3)
  Runtime data should be stored in /var/run instead of /etc/httpd/alias. This change is also compatible with selinux policy.
  https://pagure.io/freeipa/issue/6880
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* WebUI - Coverity: fix identical branches of if statement (Pavel Vomacka, 2017-04-25, 1 file, -5/+1)
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* WebUI - Coverity: fixed null pointer exception (Pavel Vomacka, 2017-04-25, 1 file, -1/+1)
  The record variable could be null. This check makes sure that variable won't be null.
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* WebUI: Coverity - add explicit window object to alert methods (Pavel Vomacka, 2017-04-25, 5 files, -10/+10)
  All calls of alert were without explicit object. This commit adds explicit object window.
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* fix minor typos in ipa-adtrust-install.1 (realsobek, 2017-04-25, 1 file, -1/+1)
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* compat plugin: Update link to slapi-nis project (Stanislav Laznicka, 2017-04-24, 1 file, -1/+1)
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat: ignore cn=topology,cn=ipa,cn=etc subtree (Stanislav Laznicka, 2017-04-24, 1 file, -0/+5)
  The entries in cn=topology,cn=ipa,cn=etc should not be taken into account for the compat plugin.
  https://pagure.io/freeipa/issue/6821
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move the compat plugin setup at the end of install (Stanislav Laznicka, 2017-04-24, 4 files, -96/+96)
  The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope.
  https://pagure.io/freeipa/issue/6821
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat-manage: behave the same for all users (Stanislav Laznicka, 2017-04-24, 1 file, -1/+1)
  Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do external bind when it does not have the DIRMAN password which was previously not supplied.
  https://pagure.io/freeipa/issue/6821
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Minor typo fixes (Abhijeet Kasurde, 2017-04-12, 1 file, -5/+5)
  Fixes https://pagure.io/freeipa/issue/6865
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Minor typo in details.js (Abhijeet Kasurde, 2017-04-12, 1 file, -1/+1)
  Fixes: https://pagure.io/freeipa/issue/6863
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Replace hard-coded kdcproxy path with WSGI script (Christian Heimes, 2017-04-12, 3 files, -2/+8)
  mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian.
  Resolves: https://pagure.io/freeipa/issue/6834
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* WebUI: cert login: Configure name of parameter used to pass username (David Kupka, 2017-04-11, 1 file, -0/+1)
  Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work.
  https://pagure.io/freeipa/issue/6860
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* renew agent, restart scripts: connect to LDAP after kinit (Jan Cholasta, 2017-04-07, 3 files, -6/+12)
  Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail.
  https://pagure.io/freeipa/issue/6757
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* renew agent: revert to host keytab authentication (Jan Cholasta, 2017-04-07, 1 file, -1/+7)
  Fixes an issue where the renew agent uses GSSAPI for LDAP connection but fails because it is not authenticated.
  This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7.
  https://pagure.io/freeipa/issue/6757
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dsinstance: reconnect ldap2 after DS is restarted by certmonger (Jan Cholasta, 2017-04-07, 1 file, -1/+1)
  DS is restarted by certmonger in the restart_dirsrv script after the DS certificate is saved. This breaks the ldap2 backend and makes any operation fail with NetworkError until it is reconnected.
  Reconnect ldap2 after the DS certificate request is finished to fix the issue. Make sure restart_dirsrv waits for the ldapi socket so that the reconnect does not fail.
  https://pagure.io/freeipa/issue/6757
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Upgrade: add gidnumber to trusted domain entry (Florence Blanc-Renaud, 2017-04-07, 1 file, -0/+1)
  The trusted domain entries created in earlier versions are missing gidnumber. During upgrade, a new plugin will read the gidnumber of the fallback group cn=Default SMB Group and add this value to trusted domain entries which do not have a gidNumber.
  https://pagure.io/freeipa/issue/6827
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add --password-expiration to allow admin to force user password expiration (Gabe, 2017-03-31, 1 file, -2/+4)
  - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-ca-install man page: Add domain level 1 help (Florence Blanc-Renaud, 2017-03-31, 1 file, -3/+10)
  In domain level 1 ipa-ca-install does not require a replica-file. Update the man page to distinguish the domain level 0 or 1 usage.
  https://pagure.io/freeipa/issue/5831
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replica-prepare man: remove pkinit option refs (Stanislav Laznicka, 2017-03-30, 1 file, -12/+0)
  Remove the references to the pkinit options which were forgotten about in 46d4d534c0
  https://pagure.io/freeipa/issue/6801
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Don't allow setting pkinit-related options on DL0 (Stanislav Laznicka, 2017-03-30, 2 files, -2/+2)
  pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install.
  https://pagure.io/freeipa/issue/6801
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use Custodia 0.3.1 features (Christian Heimes, 2017-03-28, 2 files, -0/+7)
  * Use sd-notify in ipa-custodia.service
  * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context.
  * ipapython no longer depends on custodia
  The patch addresses three issues:
  * https://bugzilla.redhat.com/show_bug.cgi?id=1430247 Forward compatibility with Custodia 0.3 in Fedora rawhide
  * https://pagure.io/freeipa/issue/5825 Use sd-notify
  * https://pagure.io/freeipa/issue/6788 Prepare for separate SELinux context
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function (Florence Blanc-Renaud, 2017-03-28, 1 file, -1/+1)
  dogtag-ipa-ca-renew-agent-submit behaves differently depending on the certificate it needs to renew. For instance, some certificates (such as IPA RA) are the same on all the hosts and the renewal is actually done only on the renewal master. On other nodes, the new cert is downloaded from LDAP.
  The function is_replicated() is returning the opposite as what it should. If the cert nickname is IPA RA, it should return that the cert is replicated but it doesn't, and this leads to a wrong code path to renew the cert.
  https://pagure.io/freeipa/issue/6813
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* WebUI: Allow to add certs to certmapping with CERT LINES around (Pavel Vomacka, 2017-03-27, 1 file, -2/+11)
  The certificate to the certmapping might be inserted as base64 encoded blob. This patch allows to also insert the certificate blob with surrounding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. This behavior is the same in widget for assigning certificates to users, so the change helps WebUI to be more consistent.
  https://pagure.io/freeipa/issue/6772
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Set "KDC:Disable Last Success" by default (Martin Basti, 2017-03-27, 1 file, -0/+1)
  In big deployments enabled recording of the last successful login creates a huge changelog on DS side and causes performance issues even if this is excluded from replication. Actually this is not used directly by FreeIPA so it is safe to remove in new installations. Users who need this must manually remove "KDC:Disable Last Success" using `ipa config-mod` command or WebUI.
  https://pagure.io/freeipa/issue/5313
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* WebUI: Fix showing vault in selfservice view (Pavel Vomacka, 2017-03-27, 2 files, -3/+6)
  Vaults menu item was shown even when the KRA service was not installed. That was caused by different path to the menu item in admin's view and in selfservice view. The path is now set correctly for both situations. 'network_service/vault' for admin's view and 'vault' for selfservice view.
  https://pagure.io/freeipa/issue/6812
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: suppress truncation warning in select widget (Pavel Vomacka, 2017-03-27, 1 file, -1/+2)
  This widget is used on details pages and dialogs. When the size limit is set to lower number the warning about truncation was shown every time the details page was open. Now, with support for suppressing warning messages from server according to its code, we are able to disable warning with 13017 code (truncation warning).
  https://pagure.io/freeipa/issue/6618
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: Add support for suppressing warnings (Pavel Vomacka, 2017-03-27, 1 file, -0/+7)
  Each command can have specified an array of warning codes which will be suppressed and won't be shown. For specifying this it is necessary to set command property 'supressed_warnings: [codes_of_warning]'
  Part of: https://pagure.io/freeipa/issue/6618
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: Add support for login for AD users (Pavel Vomacka, 2017-03-27, 6 files, -30/+107)
  After login, method user-find --whoami was called which cannot be called for AD users. That method was replaced by ipa whoami command and sequential command according to result of ipa whoami. AD user can now be logged in. AD users have new menu definition which contains only list of IPA users and profile page of AD user - "User ID Override".
  This commit also fixes several places where IPA.whoami object was used, because its structure was also changed. It now contains two objects. First one is stored in 'metadata' property and stores result from ipa whoami (type of object, command which should be called for showing detailed data about currently logged entity, etc). The second one is stored in 'data' property which stores result of _show command for currently logged entity.
  https://pagure.io/freeipa/issue/3242
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* WebUI: add method for disabling item in user dropdown menu (Pavel Vomacka, 2017-03-27, 2 files, -6/+40)
  AD user can do only several things. One of those which are not allowed is to reset password to itself. Therefore we need to be able to turn off an item in dropdown menu. In our case 'Password reset' item. Function which disables menu item and detaches the listener on click from the item specified by its name was added.
  Part of: https://pagure.io/freeipa/issue/3242
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* WebUI: check principals in lowercase (Pavel Vomacka, 2017-03-27, 1 file, -1/+2)
  WebUI checks whether principal name of logged user and principal name in each command is equal. As KDC for our principals is case insensitive - it does make sense to switch this check also into case insensitive. So both principals are reformatted to lower case and then compared.
  Part of: https://pagure.io/freeipa/issue/3242
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Support 8192-bit RSA keys in default cert profile (Fraser Tweedale, 2017-03-22, 1 file, -1/+1)
  Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles.
  Fixes: https://pagure.io/freeipa/issue/6319
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* man ipa-cacert-manage install needs clarification (Florence Blanc-Renaud, 2017-03-22, 1 file, -0/+2)
  The customers are often confused by ipa-cacert-manage install. The man page should make it clear that IPA CA is not modified in any way by this command.
  https://pagure.io/freeipa/issue/6795
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Increase Apache HTTPD's default keep alive timeout (Christian Heimes, 2017-03-20, 1 file, -1/+6)
  Apache has a default keep alive timeout of 5 seconds. That's too low for interactive commands, e.g. password prompts. 30 seconds sounds like a good compromise.
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Add options to allow ticket caching (Simo Sorce, 2017-03-16, 1 file, -0/+2)
  This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).
  Ticket: https://pagure.io/freeipa/issue/6771
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix Python 3 pylint errors (Christian Heimes, 2017-03-15, 1 file, -2/+2)
  ************* Module ipaserver.install.ipa_kra_install
  ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
  ************* Module ipapython.install.core
  ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
  ************* Module ipatests.test_ipapython.test_dn
  ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
  ************* Module ipa-ca-install
  install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
  install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove allow_constrained_delegation from gssproxy.conf (Pavel Vomacka, 2017-03-14, 1 file, -1/+0)
  The Apache process must not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication.
  https://pagure.io/freeipa/issue/6225
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* WebUI: Add support for management of user short name resolution (Pavel Vomacka, 2017-03-14, 2 files, -0/+8)
  Added field into idview details page and into server config where the order of domains used while searching for user. Domains can be separated by ':' character.
  https://pagure.io/freeipa/issue/6372
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Short name resolution: introduce the required schema (Martin Babinsky, 2017-03-14, 2 files, -0/+3)
  Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema. Extend ipaConfig object with ipaNameResolutionData objectclass during update.
  https://pagure.io/freeipa/issue/6372
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove copy-schema-to-ca.py from master branch (Martin Basti, 2017-03-14, 2 files, -127/+0)
  This script is used only for IPA <3.1, so it must be compatible with ipa-3-0 branch, so it should be placed there
  https://pagure.io/freeipa/issue/6540
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* WebUI: add link to login page which for login using certificate (Pavel Vomacka, 2017-03-14, 3 files, -4/+78)
  Also add error message when login failed.
  https://pagure.io/freeipa/issue/6225
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Support certificate login after installation and upgrade (Pavel Vomacka, 2017-03-14, 2 files, -2/+32)
  Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates.
  https://pagure.io/freeipa/issue/6225
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* TESTS WebUI: Vaults management (Pavel Vomacka, 2017-03-14, 1 file, -1/+26)
  Bunch of tests for WebUI Vault Management. Covers:
  - Adding vaults
  - Modifying vaults
  - Adding members and owners to all types of vaults
  https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: add vault management (Pavel Vomacka, 2017-03-14, 5 files, -2/+910)
  Add vault management into WebUI, there are some constraints:
  - There is no crypto library so Symmetric and Asymmetric vaults are not supported in WebUI. Also retrieving or archiving data is not supported.
  - There aren't any container support right now
  Supported is:
  - Browsing vaults
  - Adding Standard vaults (users, service, shared)
  - Removing vaults
  - Adding and removing owners
  - Adding and removing members
  https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: allow to show rows with same pkey in tables (Pavel Vomacka, 2017-03-14, 7 files, -30/+90)
  Allows to show rows which have the same primary key. Used in Vault.
  https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* WebUI: search facet's default actions might be overridden (Pavel Vomacka, 2017-03-14, 1 file, -5/+26)
  While defining search facet and adding custom actions with the same name as default actions in search facet, custom actions will be used and their definition will override default actions.
  Part of: https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add possibility to hide only one tab in sidebar (Pavel Vomacka, 2017-03-14, 1 file, -0/+14)
  Removes item selected by name attribute from sidebar
  Part of: https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Possibility to set list of table attributes which will be added to _del command (Pavel Vomacka, 2017-03-14, 1 file, -1/+35)
  'additional_table_attrs' can contain array of names of columns. Value from each column with its name will be added to the batch _del command. In case that the column with set name does not exist - the name is skipped.
  Part of: https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Extend _show command after _find command in table facets (Pavel Vomacka, 2017-03-14, 1 file, -2/+40)
  Allow pagination to table facets which need to call _show on all rows with additional parameter. 'show_command_additional_attr' can be set to any attribute from result of _find command. This attribute is taken with its value and added to options of _each command for each row.
  Part of: https://fedorahosted.org/freeipa/ticket/5426
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>