to hash params ( starting with # ). User Details are now part of
index.xhtml, ao one more .inc file has been removed.
Updated commit to catch a few things that had been left out, including
sampledata handling and updateing Makefile.am
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
This disables debug output in the Apache log by default. If you want
increased output create /etc/ipa/server.conf and set it to:
[global]
debug=True
If this is too much output you can select verbose output instead:
[global]
debug=False
verbose=True
ticket 60
The problem was that parameters with no values are automatically
set to None by the framework and it wasn't handled properly in
baseldap.py:get_attributes function. Also, there were two logical
bugs in details.js:
1) atttribute callback to update values were called for input elements
instead of dt elements
2) it was always trying to update the primary key
Unfortunately we can't have any javascript in *.inc files, because
the browser will strip them for security reasons. I moved all the
attribute callbacks etc. to the only logical place: user.js.
It's fine for now, but user.js is going to need some serious cleaning
up in the future.
What does it mean?
I removed duplicate code, that was pasted here from the user details page.
ipa_details_init doesn't call ipa_init anymore.
ipa_details_create takes a second optional parameter, that can be set to
a container element if we want to place the definition lists into a specific
element instead of <body>. In our case, we place stuff in <div id="content">
What it means?
Well, first I removed some development control variables from ipa.js.
Namely useSampleData and sizelimit. I moved useSampleData to the top
of index.xhtml. This way we won't forget about it when we don't need
it anymore. sizelimit has nothing to do in ipa.js and be hardcoded
for ALL commands! Some don't have this parameter and could fail.
Since ipa_init now loads meta-data over JSON-RPC, we need to wait for
it to finish its job. That's why I put a second parameter to ipa_init:
on_win. ipa_init will call on_win when all data is loaded properly and
we can start building the page.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
To do this we need to break the link manually on both sides, the user and
the group.
We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.
ticket 75
Hide the search bar when showing the groups listed for a user, and resotre it when doing other searches.
The enroll button is added only on the groups page, and removed along with anything else in the searchButtons div when a new search is started.
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.
ticket #27
The ipaAssociation is the core of different association object.
It seems that the service is an exception rather then rule.
So it is moved into the object where it belongs.
Fixed matching rules and some attribute types.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/89
Removed unused password attribute and realigned OIDs.
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.
Ticket #87
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.
After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer
I took some time and fixed up some things pylint complained about too.
Ticket #83
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run