The HBAC Service Groups search, details, and association pages have
been added under the HBAC tab.
New test data files for HBAC Service Groups have been added. The sample
metadata has been updated as well.
The HBAC Service search and details pages have been added under the HBAC
tab. This requires some changes to the framework.
Currently the navigation framework doesn't support multiple entities under
one tab. As a temporary solution, an 'entity' URL parameter is used to
determine the entity to be displayed. This parameter is now only used by
HBAC tab, but its use might be expanded later. The navigation framework
needs be redesigned to provide more flexibility.
The search page in all entities except DNS records have been changed to
use the ipa_search_widget. The Select/Unselect All checbox and Delete
button now work correctly and consistently.
The Add dialog has been enhanced to render and work in a more consistent
way while still supporting custom widgets & layouts. For the search page,
the Add button will refresh the search results and clear the fields in
the dialog box.
The framework now provides some extension points which can be overriden
by the subclasses:
- init(): for initialization and configuration
- create(): for creating the layout dynamically or from template
- setup(): for setting the look and feel
- load(): for loading the data
Entity and facet initialization is now done after IPA.init(). This is to
ensure the metadata is loaded first so the entities and facets can use
localized messages/labels/titles.
The group entity has been partially converted to use the new framework.
The unit tests have been updated accordingly.
Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over
LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around
the issue by setting both into the environment.
https://fedorahosted.org/freeipa/ticket/467
The signature of ldap2.get_entry() changed so normalize wasn't being
handled properly so the basedn was always being appended causing our
entry in cn=config to be not found.
ticket 414
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
UI updated to use the enable and disable methods, and to correctly report them
Implementation has a few shortcomings:
1. Status is displayed in Browser alert dialog, not JQueryUI themed
2. Upon completion of RPC, navigate back to the Search page.
Still, this is much less broken than before.
With whitespace cleanup,
using toLowerCase for testing true
and removde dual declaration of variables
IPA commands now can be defined in these classes:
- ipa_command: a single IPA command
- ipa_batch_command: a batch command for executing multiple commands
on the server side using the new batch plugin
The dialog boxes for adding and removing entries have been refactored:
- ipa_dialog: base class for dialog boxes
- ipa_adder_dialog: generic adder dialog box
- ipa_deleter_dialog: generic deleter dialog box
- ipa_association_adder_dialog: adding entity association
- ipa_association_deleter_dialog: removing entity association
Dialog boxes for adding/deleting HBAC users, hosts, services, and
sourcehosts are implemented using the association dialog boxes.
The dialog box for adding access time is implemented using ipa_dialog
and currently contains only a text field. This will be replaced with a
custom dialog box in a separate patch.
The dialog box for removing access time is implemented using the
generic deleter class because it's not an association. Removing multiple
access times is implemented using batch operations.
New test data files for access times have been added.
THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app
Conflicts:
install/static/ipa.js
if the field does not have a 'w' for writable in its rights, disable it.
Merged with the HBAC/Widget changes
add and remove links are managed via permissions now
The UI framework has been extended to include a collection of widgets:
- ipa_widget: base class
- ipa_text_widget: text field
- ipa_radio_widget: radio button
- ipa_textarea_widget: textarea
- ipa_button_widget: button
- ipa_column_widget: column for table
- ipa_table_widget: table
These widgets can be used to create input controls. They can also be
extended to create custom controls.
The framework has also been enhanced to support custom layouts. This
can be used to change the look of the application without changing
the code. Initially this is only available in details section.
Layout consists of a collection of HTML templates. Each template is a
complete and valid HTML file representing a portion of a page. The
template will be loaded and initialized by the code, then filled with
the data from the server. The layouts are located in
install/static/layouts/<name> folder.
By default, if no templates are used, the fields in the details page
are rendered vertically using dd/dt/dd tags. For pages that require
different layout, a custom UI needs to be developed. There are two ways
to do that:
- write a custom widget to generate the UI dynamically
- create an HTML template and write the initialization code
For components that are quite complex or used frequently, it's might
be better to use the first method. For simple pages that are used only
in one location or need to support customization, the second method
might be preferable. Other benefits of templates:
- cleaner code and UI separation
- more flexibility in customization
- new pages can be developed quickly and require less coding
- multiple templates can be used with the same initialization code
- easier to maintain
The HBAC details page has been implemented using both methods. By
default it will use custom widgets to generate the page. To use a
custom layout, add the following parameter to the URL, then reload
the page:
&layout=<name>
Currently the only available layout is 'default' which produces the
same look as the custom widgets.
The HBAC details page is usable, but it still needs additional work.
The access time is not working yet. There is no undo button, hint,
or validation yet.
The table in the association facet has also been changed to use
ipa_association_widget which is derived from ipa_table_widget.
The Makefile has been updated to include the layouts. The unit tests
have been updated as well.
Always display the account enable/disable status.
Don't ignore the exceptions when a user is already enabled or disabled.
Fix the exception error messages to use the right terminology.
In baseldap when retrieving all attributes include the default attributes
in case they include some operational attributes.
ticket 392
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
