to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
This patch uses the kerberos schema policy, this is the same policy used by
kadmin.
While this patch allows for krbPwdPolicy objects anywhere the kldap module
will make the kdc fail to provide tickets if the "krbPwdPolicyReference"
points to any object that is not a child of cn=<REALM>,cn=kerberos,dc=....
To let us set policies anywhere in the tree I enabled the code to actually
look at parent entries and the user entry itself and specify policies directly
on these objects by adding the krbPwdPolicy objectclass to them (I know its
structural but DS seem to allow multiple Structural classes on the same
entry).
The only side effect is that kadmin will not understand this, but we don't
want to use kadmin anyway as it does not understand way too many things about the
directory.
I've tested a few scenarios and all seem working as expected, but further
testing is welcome of course.
Fix error reporting in the UI to include the detailed message
Sort delegations by name when displaying them
Update the name field from "Name" to "Delegation Name"
1) Add a base class for all of the instance objects.
2) Normalize usage of logging.
3) General cleanups of ipa-server-install.
4) Make better use of httpinstance.
5) Add webguiinstance.
6) Improve progress reporting during installation.
Works Here (TM), but it would be nice to get someone else
to test since this moves code around a bit.
Configure ipa servers as an ntp server and clients
to (by default) us the ipa server as an ntp server.
Also corrected the messages about which ports should
be opened.
The error log is rotated weekly on Sunday. 4 backups are saved.
The access log is not stored since it would be a duplicate of the
Apache logs. It can be enabled if desired.
Had to move the call to daemonize() in ipa-webgui so that the
fork is done before TurboGears is initialized. Otherwise the log
files end up getting closed.
This patch fixes a couple of buglets with read_ip_address():
1) It writes host_name to /etc/hosts, but isn't currently
being passed host_name
2) It doesn't return the IP address even though the caller
expects it
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.
This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
