Commit message | Author | Age | Files | Lines

Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.
https://fedorahosted.org/freeipa/ticket/4319
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes are removed from the blacklist, which means
high-level admins can now modify them:
- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName
The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.
Also, move the admin ACIs from ldif and trusts.update to aci.update.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The usercertificate attribute is slated to not be readable for
anonymous users. Use associateddomain in $SUFFIX instead.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.
A dict is added to hold templates for the non-plugin permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Allow cn=etc,$SUFFIX with these exceptions:
- cn=masters,cn=ipa,cn=etc,$SUFFIX
- virtual operations
- cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The entries are moved from the ldif file to an update file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add test coverage for recently added ID range checks dependent
on the ID range types.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
range_check_result_t enum
Using integers for return values that are used for complex casing can be fragile
and typo-prone. Change range_check function to return range_check_result_t enum,
whose values properly describe each of the range_check results.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When building the domain to forest root map, we need to take into account the case
of the IPA server having no trusted domains configured at all. Do not abort
the checks, but return an empty map instead.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
struct
Not making a new copy of this attribute creates multiple frees caused by multiple
pointers to the same forest_root_id from all the range_info structs for all the
domains belonging to given forest.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
slapi_entry_attr_get_ulong, which is used to get the value of the RID base
attributes, returns 0 in case the attribute is not set at all. We need
to distinguish this situation from the situation where RID base attributes
are present, but deliberately set to 0.
Otherwise this can cause false negative results of checks in the range_check
plugin.
Part of: https://fedorahosted.org/freeipa/ticket/4137
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Our tests do strict type-checking; using a unicode string causes failures.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
For backward compatibility, the values are converted to unicode, unless the
attribute is binary or the conversion fails.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
get_type returns the Python type for an LDAP attribute.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Also return a list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.
This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
OTP Token add failed because of invalid function call. qr_widget doesn't
contain `on_value_changed` method since it inherits from `IPA.widget` and
not from `IPA.input_widget`.
Emitting the event was preserved for future possible usage.
https://fedorahosted.org/freeipa/ticket/4306
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
In the legacy client integration test, the test cases that query information
from a subdomain about subdomain users and groups expected subdomain
users and groups to have the same UIDs/GIDs as users and groups in the root
domain.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When creating a BaseHost instance, the machine's hostname was
reconfigured to have the same shortname prepended to the domain name
of the domain where it was defined.
However, it makes sense in certain use cases to define hosts
that have hostnames other than ones belonging directly to the domain
they were defined in.
Treat input hostnames with trailing dots as static FQDNs that
will not be changed by the name of the domain they were defined in.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
fixes FreeIPA Jenkins CI test freeipa-integration-forced_client_reenrollment-f19
https://fedorahosted.org/freeipa/ticket/4298
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.
Do not ask for memberofindirect when retrieving the entry.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
A single permission is added to cover automountlocation,
automountmap, and automountkey.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Change `IPA.login_password` and `IPA.get_credentials` to use async AJAX
and to return a promise instead of blocking the code.
IPA.get_credentials is still partially blocking because of negotiate process.
We can't do anything about that.
It allows activity indicators to do their job.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
General purpose authentication interface and state. See doc of 'freeipa/auth' module.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A facet with a login screen widget.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reimplementation of the unauthorized dialog as a separate widget. It uses the RCUE
design.
New features compared to unauthorized dialog:
- reflects auth methods from `auth` module
- validation summary
- differentiates Kerberos auth failure from session expiration
- Caps Lock warning
- form based method doesn't allow password only submission
https://fedorahosted.org/freeipa/ticket/4017
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A widget which aggregates warnings and errors and shows them in one place.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Load page is a simple facet which is displayed up to the 'runtime' phase.
On application start it tells the user that there is ongoing activity.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Network activity is now published through global topics. It allows other
components like activity_widget to listen to them.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A widget for showing ongoing activity.
Displays a text with changing dots.
It listens to `network-activity-start` and `network-activity-end` topics.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
`facet.Facet` is a new base class for facets. It doesn't have any dependencies
on entities so it's usable for general purpose facets, e.g., future API browser,
load facet or login facet.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A mixin which implements widget storing logic. Similar logic is already implemented
in details facet and dialog.
Long term goal is to replace that with this one.
Separating the logic into mixin makes it usable in other components.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A mixin used for field validation. Basically implements logic which
is already in details facet and dialog.
Now this logic can be used in any component.
The long term goal is to replace the logic in details facet and dialog
with this mixin.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A widget which serves as a container for facets. FacetContainer is a base
class. App is a specialization.
Doing this abstraction will allow us to implement various facet containers.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>