The IPA.dialog has been modified to support sections. The add
dialog for permission has been modified to include the target
section. The base dialog classes have been moved from widget.js
into a new file called dialog.js.
This patch also includes ayoung's fix for parameter name and
format for the permission attributes.
https://fedorahosted.org/freeipa/ticket/791
The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.
Because makeapi is executed when a build is done ensure that it is
executed in developer mode to ensure that the framework is ok.
ticket 751
Declaritive Service definition
Fixed a problem with multiple calls to create breaking the link between the select box and the text box
swapped the select and the text
https://fedorahosted.org/freeipa/ticket/442
This patch fixes several issues in delegation UI:
When adding a new delegation, only the first attribute selected
was saved. Now all attributes will be saved properly.
When loading the details page, the custom widgets did not store
the original values properly so is_dirty() did not work correctly.
Now this has been fixed except for the memberof attribute because
of these issues:
- https://fedorahosted.org/freeipa/ticket/869
- https://fedorahosted.org/freeipa/ticket/870
When saving the details page, the attrs were saved as an array
which was rejected by the server. Now it is stored as comma-
separated list.
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.
Ticket:
https://fedorahosted.org/freeipa/ticket/344
A couple of the ACI definitions were incorrect, and the end result was that fields were not getting initialized. USing the declarative approach cleaned up the cause.
Also fixed a few broken unit tests
Delay the creation of entities until after ipa init is called
made the user and group entity definitions declarative
removed unused facet from groups
adjusted unit tests
made review changes:
factories are now in an associative array
entity init called right after factory
init dialogs in entity init
fixed type on search
When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.
This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.
Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.
Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.
This change requires an IPA server reinstall since the default ACI
set has been changed.
https://fedorahosted.org/freeipa/ticket/764
Makes the values for the Top level tabs internationizable, and no longer just
passes through their names
Also uses the I18N values for SUDO and HBAC as the static text in the Action p[anel title
Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.
ticket 811
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
The add dialogs for Hosts and Services have been updated to include
a checkbox to force adding hosts/services that are not in DNS.
The widgets has been updated to support tooltips.
The status panel for certificates and Kerberos keys has been
modified to display only the current status with the relevant buttons.
New icons have been added to replace the red/yellow/green bullets.
Instead pof always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.
Fixes: https://fedorahosted.org/freeipa/ticket/765
The OTP field has been moved into a separate row to avoid line
wrapping. The line height inside tables has been increased to
avoid overlapping buttons in certificate status panel.
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
Now that we can setup GSSAPI authenticated replication we are not
tied to use the Directory Manager password to set up replication
agreements.
Fixes: https://fedorahosted.org/freeipa/ticket/644
Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690
The labels for the following fields in Host details page have been
changed:
- fqdn: Fully Qualified Host Name
- serverhostname: Host Name
The ipa_details_field_create_input() and _ipa_create_text_input()
has been converted into methods in ipa_details_field class. The code
has been modified to display read-only fields as labels instead
of disabled text fields.
The attributelevelrights in host test data files have been updated.
All references to hbac in the UI have been replaced with hbacrule.
This is to match the hbacrule plugin. The test data and templates
have been renamed as well.
The table widget now can be enabled/disabled. When disabled, the
checkboxes and links/buttons are grayed out and non functional.
The radio buttons in HBAC and SUDO details page have been modified
to enable/disable the corresponding tables.
The radio buttons under the Run Commands section in the SUDO details
page have been changed from allow/deny/specified into all/specified,
and moved under the Allow commands subsection, matching the correct
usage of the cmdcategory attribute.
Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
