It was decided not to change the OID space for FreeIPA 4.0+ objectclasses.
However, we should still at least properly mark the X-ORIGIN to make
analyzing schema easier.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The make-ui.sh script builds both app.js and core.js,
but only one was specified in the Makefile.
Correct the mistake.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Call user-unlock command from Web UI.
It will unlock displayed user on current master.
https://fedorahosted.org/freeipa/ticket/4407
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple facet.
This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Simple plugin which handles transition from login facet to OTP sync facet
and vice versa.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Global notifications were limited to "main" container. Now they have their
own container which is displayed over other ones. It makes them usable
everywhere.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
When a new objectclass was defined as "objectclass" and not
"objectClass", it made the schema updater skip some objectclasses.
https://fedorahosted.org/freeipa/ticket/4405
Reviewed-By: Rich Megginson <rmeggins@redhat.com>
Currently there is an incorrect behavior that server doesn't send datetime
and dnsname data in new format.
This patch adds the version to each RPC request making the UI look as the
latest client. Server then sends data in correct format. It also removes
the "unknown version" warning from each RPC response.
https://fedorahosted.org/freeipa/ticket/4394
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
old detection did not work with the static version used for test and
demonstration purposes.
https://fedorahosted.org/freeipa/ticket/4357
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Regular update of static metadata for testing and presentation purposes.
It should also contain new DNS Forward Zones metadata.
https://fedorahosted.org/freeipa/ticket/4357
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This HTTP call takes the following parameters:
* user
* password
* first_code
* second_code
* token (optional)
Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.
Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.
For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:
(targetattr="ipaProtectedOperation;read_keys") ...
... userattr=ipaAllowedToPerform;read_keys#USERDN)
This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.
Resolves:
https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.
https://fedorahosted.org/freeipa/ticket/4274
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Search for privileges was limited to bindruletype==permission. There
was no reason to do that.
This patch removes the restriction.
Related to:
https://fedorahosted.org/freeipa/ticket/4079
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fields with default value, such as DNS Zone's idnsforwardpolicy, were
marked as dirty when no value was loaded and when default value of
input control was other than empty.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
