Commit Graph

3975 Commits

Author SHA1 Message Date
Endi S. Dewata
571274e978 Entity select widget improvements
The IPA.entity_select_widget has been modified into a searchable and
editable drop down list. The base functionality has been extracted
into IPA.combobox_widget.

Ticket #1361
2011-07-18 14:47:57 -04:00
Jan Cholasta
95901bbdb5 Update minimum required version of python-netaddr.
ticket 1288
2011-07-17 22:44:21 -04:00
Rob Crittenden
d43ba5316a Generate a database password by default in all cases.
If the password passed in when creating a NSS certificate database is None
then a random password is generated. If it is empty ('') then an empty
password is set.

Because of this the HTTP instance on replicas was created with an empty
password.

https://fedorahosted.org/freeipa/ticket/1407
2011-07-17 22:26:01 -04:00
Rob Crittenden
a48a84a5ea Set the ipa-modrdn plugin precedence to 60 so it runs last
The default precedence for plugins is 50 and they run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.

https://fedorahosted.org/freeipa/ticket/1370
2011-07-17 22:24:30 -04:00
Rob Crittenden
bfee87dced Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
The old nickname was 'RA Subsystem' and this may confuse some users
with the dogtag RA subsystem which we do not use.

This will only affect new installs. Existing installations will
continue to work fine.

https://fedorahosted.org/freeipa/ticket/1236
2011-07-17 22:22:21 -04:00
Rob Crittenden
b14473a86c Fix failing tests due to object name changes
Some object names had spaces in them which was bad, update the tests
to reflect the new names.
2011-07-17 22:21:53 -04:00
Rob Crittenden
3fdca99c48 Create tool to manage dogtag replication agreements
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, that determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
2011-07-17 22:16:32 -04:00
Rob Crittenden
2f650b60a4 Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.

We can instead pull the subject from the certificate and use that as
the nickname.

https://fedorahosted.org/freeipa/ticket/1141
2011-07-17 22:14:24 -04:00
Rob Crittenden
038089a0c9 Validate that the certificate subject base is in valid DN format.
https://fedorahosted.org/freeipa/ticket/1176
2011-07-17 22:10:03 -04:00
Martin Kosek
bc8be0a41e Improve long integer type validation
Passing a number of "long" type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.

https://fedorahosted.org/freeipa/ticket/1346
2011-07-18 16:02:07 +02:00
Martin Kosek
1a207bb23c Fix typo in ipa-replica-prepare
https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 14:54:41 +02:00
Martin Kosek
47f1d86e35 Add new dnszone-find test
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).

https://fedorahosted.org/freeipa/ticket/1473
2011-07-18 09:50:23 +02:00
Martin Kosek
50a2c45760 Check IPA configuration in install tools
Install tools may fail with unexpected error when IPA server is not
installed on a system. Improve user experience by implementing
a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 09:36:43 +02:00
Jan Cholasta
5f0adc3fbe Fix exit status of ipa-nis-manage enable.
ticket 1247
2011-07-15 02:39:17 -04:00
Jan Cholasta
b203756a88 Add ability to specify DNS reverse zone name by IP network address.
In order for this to work, chaining of parameters through
default_from is made possible.

ticket 1474
2011-07-15 02:21:23 -04:00
Martin Kosek
d802aa57f1 Fix self-signed replica installation
When a replica for self-signed server is being installed, the
installer crashes with "Not a dogtag CA installation". Make sure
that installation is handled correctly for both dogtag and
self-signed replicas.

https://fedorahosted.org/freeipa/ticket/1479
2011-07-14 22:36:53 -04:00
Martin Kosek
aece880d8f Fix ipa-dns-install
When DNS plugin is installed via ipa-dns-install and user has a valid
Kerberos ticket at the time, the DNS installation is corrupt and named
won't start, reporting Preauthentication error.

When the non-DM identity is used for authentication, krbprincipalkey
attribute in DNS service LDAP record is not created, thus leading
to the error. This patch makes sure that authentication with Directory
Manager password is used every time.

https://fedorahosted.org/freeipa/ticket/1483
2011-07-15 17:36:29 +02:00
Jan Cholasta
881df73568 Fix creation of reverse DNS zones.
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.

Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.

The reverse DNS zone name is printed to the user during the install.

ticket 1398
2011-07-15 16:42:16 +02:00
Jan Cholasta
1c5028c17d Configure SSSD to store user password if offline.
ticket 1359
2011-07-14 19:26:25 -04:00
Rob Crittenden
bea7818add Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.

https://fedorahosted.org/freeipa/ticket/1432
2011-07-14 19:23:17 -04:00
Rob Crittenden
9dfdf55034 In sudo labels we should use RunAs and not Run As.
https://fedorahosted.org/freeipa/ticket/1328
2011-07-14 19:18:02 -04:00
Rob Crittenden
ef29207047 Document registering to an entitlement server with a UUID as not implemented.
It was my understanding that we would be able to pass in an existing UUID
when registering to connect to an existing registration (for the case where
IPA is re-installed). This is supported in the REST API but not python-rhsm.

https://fedorahosted.org/freeipa/ticket/1216
2011-07-14 19:15:15 -04:00
Rob Crittenden
37e3bf2a60 Disallow direct modifications to enrolledBy.
This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
2011-07-14 19:11:49 -04:00
Endi S. Dewata
4bd85ceb90 Fixed label capitalization
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.

Ticket #1424
2011-07-14 11:44:48 -04:00
Adam Young
a746c613a4 dnsrecord-mod ui
Brings the DNS record infrastructure in line with the other entities.
Uses widgets, nested search, and a little bit of overloading for dns specific behavior
The records now have their own page.

simplified link widget and use for dns
links work for nested entities.

change the field in the link widget to other_entity to avoid name collision.
unit test for entity link.

fixed reference to entity for getting pkeys

work around lack of setattr for dns record mod.
update wasn't deducing locked_field type correctly.
don't overwrite param_info in init
data is required on adder dialog
delete works for multiple records
use show instead of find for entity_link_widget.

https://fedorahosted.org/freeipa/ticket/1038
https://fedorahosted.org/freeipa/ticket/1448
https://fedorahosted.org/freeipa/ticket/577
https://fedorahosted.org/freeipa/ticket/1460
2011-07-13 21:57:18 +00:00
Adam Young
bccdc7e03d remove HBAC warning from static UI
2011-07-13 20:14:30 +00:00
Martin Kosek
02520ab98c Remove sensitive information from logs
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.

https://fedorahosted.org/freeipa/ticket/1378
2011-07-13 15:16:24 +02:00
Martin Kosek
0cb65fd9f6 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones.

This patch also does some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
2011-07-13 15:06:13 +02:00
Alexander Bokovoy
b93e0b8bbf Convert nsaccountlock to always work as bool towards Python code
https://fedorahosted.org/freeipa/ticket/1259

Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.

This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
2011-07-13 12:02:46 +02:00
Rob Crittenden
f534445e26 Reset failed login count to 0 when admin resets password.
https://fedorahosted.org/freeipa/ticket/1441
2011-07-13 10:46:22 +02:00
Endi S. Dewata
b2c5b2b4b5 Fixed object_name and object_name_plural internationalization
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.

Ticket #1435
2011-07-12 16:33:08 -04:00
Martin Kosek
e6c68e9993 Add DNS record modification command
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.

This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
 - modify a DNS record value (note that DNS record can hold multiple values
   and those will be overwritten)
 - remove a DNS record when an empty value is passed

New tests for this new command have been added to the CLI test suite.

https://fedorahosted.org/freeipa/ticket/1137
2011-07-12 14:20:16 -04:00
Endi S. Dewata
86230333a8 Fixed collapsed table in Chrome.
The .content-table class has been modified to expand properly in
Firefox and Chrome.

Ticket #1450
2011-07-12 11:50:47 -04:00
Adam Young
e0238b5218 entity_select naming
http://fedorahosted.org/freeipa/ticket/1467
2011-07-12 11:01:18 -04:00
Rob Crittenden
28e85ee47a Fix test failure in updater when adding values to a single-value attr
The ipaldap.py code was updated to consider the schema when making
changes and does a REPLACE on single-value attributes. So when you
do an add in an update it will effectively replace the value instead
of ignoring it.
2011-07-11 19:21:51 -04:00
Rob Crittenden
2415ba6d37 Fix error in AttrValueNotFound exception example
2011-07-11 19:21:47 -04:00
Rob Crittenden
d9627ab165 find_entry_by_attr() should fail if multiple entries are found
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388
2011-07-11 18:45:49 -04:00
Rob Crittenden
3a5e26a01c Enforce class rules when query=True, continue to not run validators.
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.

I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.

https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2011-07-11 18:43:32 -04:00
Endi S. Dewata
3229eee074 Added sudo options.
A table has been added into sudo rule details page for managing
sudo options.

Ticket #1447
2011-07-11 22:11:40 +00:00
Adam Young
0475340344 indirect admins
https://fedorahosted.org/freeipa/ticket/1465
2011-07-11 16:08:09 +00:00
Adam Young
30492ef3fa clear errors on reset
https://fedorahosted.org/freeipa/ticket/1446
2011-07-08 17:34:55 +00:00
Endi S. Dewata
2337fb5760 Fixed missing entitlement import button label
Ticket #1456
2011-07-08 16:50:44 +00:00
Adam Young
0a5f103733 check required on add
previously was checked on key down, but that does the check too soon.
Next attempt was on blur, but that had numerous problems.  This now checks when the add button is clicked.
works for entity_select widget, too
Checks upon form submission

https://fedorahosted.org/freeipa/ticket/1437
2011-07-08 01:36:52 +00:00
Endi S. Dewata
6dc6c4b2c6 Fixed test fixture file name.
2011-07-07 20:33:06 +00:00
Endi S. Dewata
078d6dfb1c Fixed dirty dialog problems in HBAC/Sudo rules.
The update() in HBAC/Sudo details facet has been fixed to call the
callback function which will show the dirty dialog properly.

Ticket #1439
2011-07-07 16:27:59 -04:00
Endi S. Dewata
158bb676fd Fixed blank self-service page.
The self-service navigation has been fixed to include the root
of the navigation path.

Ticket #1445
2011-07-06 20:57:54 -04:00
Adam Young
e4a444ba81 HBAC deny warning
shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up for administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
2011-07-06 21:52:00 +00:00
Endi S. Dewata
aca908e1e4 Fixed HBAC/Sudo rules associations.
The HBAC/Sudo rules associations in users, groups, hosts and host
groups have been fixed to use the correct associator and method
names.

Ticket #1438
2011-07-06 11:42:14 -04:00
Adam Young
a38ad1d433 password expiration label
2011-07-05 18:00:05 -04:00
Adam Young
a3a9267334 validate ints
validate integers whether meta comes from metadata or param_info

https://fedorahosted.org/freeipa/ticket/1415
2011-07-05 20:31:00 +00:00