All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.
Also, $SUFFIX itself can now be read anonymously.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.
It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP working over
compat tree.
selinux-polic 3.12.1-135 fixes issues which prevented httpd to work
with kernel keyring-based credentials caches.
This change is Fedora 20+.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.
Note that this will only work if ticket 47699 is fixed in 389-ds.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This change allow us to use proper two way binding between a field and
a widget. In previous implementation field was not changed if something
changed the value of a widget in 'update'. Now listeners are notified
when the widget value is changed by: calling 'update', 'set_value'
or by user change.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Hidden was used only in ACI. There is no reason to have two properties
which are negations of each other.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
This is a Web UI wide change. Fields and Widgets binding was refactored
to enable proper two-way binding between them. This should allow to have
one source of truth (field) for multiple consumers - widgets or something
else. One of the goal is to have fields and widget implementations
independent on each other. So that one could use a widget without field
or use one field for multiple widgets, etc..
Basically a fields logic was split into separate components:
- adapters
- parsers & formatters
- binder
Adapters
- extract data from data source (FreeIPA RPC command result)
- prepares them for commands.
Parsers
- parse extracted data to format expected by field
- parse widget value to format expected by field
Formatters
- format field value to format suitable for widgets
- format field value to format suitable for adapter
Binder
- is a communication bridge between field and widget
- listens to field's and widget's events and call appropriate methods
Some side benefits:
- better validation reporting in multivalued widget
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
ipa-client-automount calls automountlocation-show command during the
process. Unfortunately, FreeIPA commands are forward compatible only
and thus fail the installer.
Similarly to ipa-client-install, call XML-RPC interface directly
with version fixed to 2.0 (command was already available at that
version) to fix the failure.
https://fedorahosted.org/freeipa/ticket/4290
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages
by equivalents from rpc module.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
- moves RPC code from ipa.js to it's own module
- part of ongoing effort where the ultimate goal is to get rid of ipa.js
and IPA namespace
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When some module used 'freeipa/navigation' it pulled the entire Web UI
because navigation depended on app.
This patch splits the app into two modules: app and app_container.
App specifies the entities which are part of final application.
app_container module represents the application boot classes. Navigation
now depends on app_container.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
python-pyasn1 and python-qrcode were imported by ipalib but not
required by python subpackage.
https://fedorahosted.org/freeipa/ticket/4275
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In test_trust.py, several tests did case sensitive search on the output of
the ipa idrange-show command. This could cause false negatives.
Part of: https://fedorahosted.org/freeipa/ticket/4267
Reviewed-By: Martin Kosek <mkosek@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.
Also removed now unused upload_ca_dercert method of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The files are created later by ipa-client-install, there's no need to do it
twice.
This also fixes a bug in CA-less, where the CA certificate is not removed from
/etc/pki/nssdb after client uninstall, because it has a different nickname.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The 'top' objectclass is added by DS if not present. On every
update the managed permission updater compared the object_class
list with the state from LDAP, saw that there's an extra 'top'
value, and tried deleting it.
Add 'top' to the list to match the entry in LDAP.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
