This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.
This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.
This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.
A non-working client was doing this when calling cert-request:
- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.
Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.
https://fedorahosted.org/freeipa/ticket/2498
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.
This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.
https://fedorahosted.org/freeipa/ticket/2500
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
raises an error and thus breaks the migration
This patch fixes both issues.
https://fedorahosted.org/freeipa/ticket/2508
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.
https://fedorahosted.org/freeipa/ticket/2484
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.
https://fedorahosted.org/freeipa/ticket/2424
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.
https://fedorahosted.org/freeipa/ticket/2369
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:
1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.
2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.
https://fedorahosted.org/freeipa/ticket/2386
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.
https://fedorahosted.org/freeipa/ticket/2382
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.
https://fedorahosted.org/freeipa/ticket/2418
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur. All occurrences of CSV joining were therefore removed.
https://fedorahosted.org/freeipa/ticket/2227
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.
This requires SSSD 1.8.0.
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
Usability was imporved in Unauthorized/Login dialog.
When the dialog is opened a link which switches to login form is focus so user can do following:
1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter
this sequence will execute login request.
When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.
https://fedorahosted.org/freeipa/ticket/2450
Support for forms based authentication was added to UI.
It consist of:
1) new login page
Page url is [ipa server]/ipa/ui/login.html
Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.
2) new enhanced error dialog - authorization_dialog.
This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.
login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.
https://fedorahosted.org/freeipa/ticket/2450
A number of different errors could occur when trying to handle an
error which just confused matters.
If no CCache was received then trying to retrieve context.principal
in the error message caused yet another exception to be raised.
Trying to get Command[name] if name wasn't defined in command would
raise an exception.
Trying to raise errors.CCache was failing because the response hadn't
been started.
https://fedorahosted.org/freeipa/ticket/2371
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.
This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.
Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.
Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.
When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.
Fixes: http://fedorahosted.org/freeipa/ticket/2472
Our install tools like ipa-server-install, ipa-replica-{prepare,
install} may allow hostnames that do not match the requirements
in ipalib. This creates a disconnect and may cause issues when
user cannot delete hostnames created by install tools.
This patch makes sure that ipalib requirements are applied to
install tools hostnames as well.
https://fedorahosted.org/freeipa/ticket/2089
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.
'--with-compat' is new flag. If it is set, the compat status is ignored.
https://fedorahosted.org/freeipa/ticket/2274
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.
Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).
Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.
Add a test to ensure that nowhitespace is actually enforced.
https://fedorahosted.org/freeipa/ticket/2115
Related: https://fedorahosted.org/freeipa/ticket/2089
Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285https://fedorahosted.org/freeipa/ticket/1286https://fedorahosted.org/freeipa/ticket/1287
Logout button was added to Web UI.
Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.
logout.html is a simple page with "You have been logged out" text and a link to return back to main page.
https://fedorahosted.org/freeipa/ticket/2363
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'.
Current check is an equality check of content_type http header.
RFC 3875 defines that content type can contain parameters separated by ';'. For example: when firefox is doing ajax call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8' which leads to negative result.
This patch makes the check more benevolent to allow such values.
Patch is a fixup for:
https://fedorahosted.org/freeipa/ticket/2095
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.
This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.
As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.
https://fedorahosted.org/freeipa/ticket/2420
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.
This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.
https://fedorahosted.org/freeipa/ticket/2384