| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6735
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.
https://pagure.io/freeipa/issue/6735
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.
https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Result of certmap_match command is in the following format:
[{domain: 'domain1', uid:[uid11,uid12,uid13]}, {domain: 'domain2',
uid:[uid21, uid22, uid23},...]
For correct displaying in table we need to reformat it to the following:
[{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'},...
This can be done using this Adapter.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In case that API call returns array of objects which contains data, using
'object_index' attribute in adapter specification we can set which object
should be used.
It is possible to choose only one object specified by its index in array.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When field on details facet has set 'autoload_value' to false, then it won't
be loaded using that.load method of details facet. That means that field
might stay unchanged even that loading of data was performed.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.
https://pagure.io/freeipa/issue/6714
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to install KRA on first IPA server in one step using
ipa-server-install
This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.
Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
All values were previously converted to lowercase which was not
coresponding with CLI behaviour. Now they stay as they are
inserted. I also have to change the strings to lowercase because
the otp and radius should be inserted as lowercase words.
https://fedorahosted.org/freeipa/ticket/6308
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add new attribute which keeps information whether each text added
using custom_checkbox_widget shoud be transformed to lowercase.
Part of: https://fedorahosted.org/freeipa/ticket/6308
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix is in checkboxes widget but the only affected one is attributes widget.
Reproduction:
1. Add permission with attribute with uppercase character
$ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
2. Check if it is correctly displayed in Web UI
Actual result:
- businesscategory is not checked
Expected result:
- businesscategory is checked
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.
https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
| |
Also added general setter and getter for attributes of config.
Part of: https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Javascript integer validator checks whether value entered into field is number
and is not higher than Number.MAX_SAFE_INTEGER constant.
Part of: https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
ipa-server-install and ipa-replica-install manpages miss --setup-adtrust
options
https://pagure.io/freeipa/issue/6630
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add facets for certmaprule and certmapconfigure entities.
https://fedorahosted.org/freeipa/ticket/6601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adder dialog which is used along with custom_command_multivalued_widget.
It behaivor of confirm dialog and adds fields which are necessary.
Part of: https://fedorahosted.org/freeipa/ticket/6601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Old krb-principal widget is changed to general one. And used also for
ipacertmapdata in user.
This widget make every line non-editable.
Part of: https://fedorahosted.org/freeipa/ticket/6601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If field will have set attribute 'always_writable' to true, then
'no_update' flag will be ingored. Used in command user-{add,remove}-certmap
which needs to be writable in WebUI and also needs to be omitted from
user-mod command.
Part of: https://fedorahosted.org/freeipa/ticket/6601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately, now these three items are grouped into one named 'Groups'
which has sidebar with three items mentioned above.
This change allows us to move ID views into Identity submenu.
https://pagure.io/freeipa/issue/6717
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It was not possible to get all arbitrary certificates which were added
using {user|host|service|idview}-add-cert method. Adding sizelimit:0
to this cert-find command fix the issue. It set sizelimit to unlimited.
https://pagure.io/freeipa/issue/6712
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6701
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.
https://pagure.io/freeipa/issue/6648
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since AD trust installer is now a part of composite installers, their
man pages were updated with separate section documenting relevant AD
trust-related option descriptions.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
`--rid-base` and `--secondary-rid-base` had `-U` option assigned
by error in the man page. Remove it as these options have not short
alias.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There is no point in emitting this message during server/replica
install.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When we changed the session handling code we unintentinally extended
sessions expiraion time to the whole ticket lifetime of 24h.
Related to https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the
definition of VERSION 2 in certmap.conf.template.
ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.
The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).
The fix also logs an error when a template file is not versioned.
https://fedorahosted.org/freeipa/ticket/6354
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.
The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.
https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
MD5 is a grandpa and FIPS does not like it at all.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.
https://fedorahosted.org/freeipa/ticket/6673
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit 1e6a204b4372bbbfb722a00370a5ce4e34406b9f added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.
Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When combobox is opened then ESC key should close it. There was a bug
that ESC key closed also the dialog. It was caused by bad keyboard event
handling. The CB was closed by keydown event and the dialog by keyup.
Therefore the propagating of keyup and keydown event is stopped when CB
is opened (when the event is fired on CB element).
https://fedorahosted.org/freeipa/ticket/6388
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adder dialog is mixed with confirmation_mixin. That mixin calls on_cancel method
when closing dialog using ESC key. Previously the on_cancel method
was not defined, therefore dialog was not correctly closed. This was the root
cause of the bug, that adder dialog cannot be opened after closing it using ESC.
Now the default function for on_cancel is dialog.close. So dialog
is correctly closed.
https://fedorahosted.org/freeipa/ticket/6388
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.
https://fedorahosted.org/freeipa/ticket/6629
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This removes one of the 2 identical copies of the ipa_session cookie
Fixes https://fedorahosted.org/freeipa/ticket/6676
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This fix adds information about --ignore-last-of-role in
ipa-server-install man page
Fixes https://fedorahosted.org/freeipa/ticket/6634
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
