This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.
ticket 1177
The entitlement facet will show buttons according to the entitlement
status. If it's unregistered, the facet will show a Register button.
If it's registered, the facet will show a Consume button.
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.
This also gives priority to the DM password if it is passed in.
Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.
Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.
Ticket 1157
The IPA.entity_builder has been modified to take a 'factory' parameter
in custom facet's and custom dialog's spec. The IPA.dialog has been
modified to take an array of fields in the spec. The IPA.search_facet
has been modified to take an array of columns in the spec.
To improve code readability and extensibility the containers for action
panel and client area are now created in IPA.entity.setup(). The 'client area'
has been renamed into 'content'. The IPA.facet.create() has been renamed to
IPA.facet.create_content().
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
This requires 389-ds-base-1.2.8.0-1+
ticket 1153
If the host has a one-time password but krbPrincipalName wasn't set yet
then the enrollment would fail because writing the principal is not
allowed. This creates an ACI that only lets it be written if it is not
already set.
ticket 1075
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* remove automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.
https://fedorahosted.org/freeipa/ticket/1102
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
There are cases when ipactl returns success even when it fails. Plus,
when the error really is detected the status codes are not LSB
compliant. This may result in consequent issues.
This patch improves error handling in ipactl and adds LSB compliant
status codes. Namely:
0 program is running or service is OK
3 program is not running
4 program or service status is unknown
for "status" action. Status code 4 is issued when IPA is not
configured to distinguish this state from not running IPA.
For other actions, the following non-zero status codes are
implemented:
1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured
https://fedorahosted.org/freeipa/ticket/1055
The month in krblastpwdchange (LDAP Generalized Time) is 1-based
but the month in JavaScript Date.setUTCFullYear() is 0-based so it
needs a conversion.
Ticket 1053
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this it is only needed
on clones.
ticket 1024
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
When IPA replica or server is configured it does not check for
possibly installed client. This will cause the installation to
fail in the very end.
This patch adds a check for already configured client and suggests
removing it before server/replica installation.
https://fedorahosted.org/freeipa/ticket/1002
In a details page, usually any changes done to the fields will not be
applied until the user clicks the Update button. However, if the page
contains an association table, any addition/deletion to the table will
be applied immediately.
To avoid any confusion, the user is now required to save or reset all
changes to the page before modifying the association. A dialog box will
appear if the page contains any unsaved changes.
By calling directly sasl_interactive_bind_s() we were not calling __lateinit()
This in turn resulted in some variables like dbdir not to be set on the
IPAadmin object.
Keep all bind types in the same place so the same common sbind steps can be
performed in each case.
Related to: https://fedorahosted.org/freeipa/ticket/1022
This patch replaces xgettext with a custom pygettext to generate
translatable strings from plugin files in ipalib/plugins. pygettext
was modified to handle plural forms (credit goes to Jan Hendrik Goellner)
and had some bugs fixed by myself. We only use it for plugins, because
it's the only place where we need to extract docstrings for the built-in
help system.
I also had to make some changes to the way the built-in documentation
systems gets docstrings from modules for this to work.
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by
Permissino plugin because of missing prefix.
https://fedorahosted.org/freeipa/ticket/997
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.
I ran into a problem when the updater has a default record and an add
at the same time, it should handle it better now.
ticket 585
Many WebUI identifiers were defined in a global namespace. This is
not a good programming practice and may result in name clashes,
for example with other libraries.
This patch moves these variables to IPA namespace or its
sub-namespaces, when meaningful.
https://fedorahosted.org/freeipa/ticket/212
A link has been added into the details page to expand/collapse all
sections.
Previously each section's <div> container is identified using a long
ID. It is now identified using the section name.
Support of navigator.preferences that is used to access browser
configuration was dropped in Firefox 4. This disables automatic
configuration of user preferences in this browser that is needed
to use Kerberos single sign-on.
This patch detectes a lack of this interface and tries to
configure the browser using new Services module introduced in
Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
https://fedorahosted.org/freeipa/ticket/975
The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets.
The service.py has been modified to specify the correct relationships. The API.txt has been updated.
https://fedorahosted.org/freeipa/ticket/960
Trying to run ipactl as non-root results in a slew of bogus
error messages, some of which come because dirsrv can't read certain
files as the wrong user, some based on our handling of that fact.
ticket 936
1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
a dogtag server.
The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
The current version of the DNS Plugin does not support searching by record, so that is commented out.
The search field wasn't working either. The search criteria had to be appended to the params array, just after the zone.
https://fedorahosted.org/freeipa/ticket/907
The group.upg NIS map was an experiment in providing UPG groups
dynamically, and is not one of the maps that I'd ever expect a NIS
client to "know" to search. We should probably just drop it.
Previously the add service dialog box shows a 'Principal:' label with
no text field next to it. It now has been removed. The dialog box
has been widened to avoid line wrapping of the buttons.
