Commit Graph

3132 Commits

Author SHA1 Message Date
Endi S. Dewata
fb9ba5bb5c UI for host managedby
A custom facet has been added to manage the host's managedby attribute.
The facet defines the add and remove methods, the columns for the
association table and enrollment dialog, and the link for the primary
key column.
2010-12-02 13:42:40 -05:00
Adam Young
6c2391b6b3 associate search automatically perfomr the no-args search for enrollment-adder pages 2010-12-02 13:09:13 -05:00
Endi S. Dewata
c0eb2b60c8 Multicolumn enrollment dialog
The enrollment dialog has been modified to use scrollable tables that
supports multiple columns to display the search results and selected
entries. The columns are specified by calling create_adder_column()
on the association facet. By default the tables will use only one
column which is to display the primary keys.

The following enrollment dialogs have been modified to use multiple
columns:
 - Group's member_user
 - Service's managedby_host
 - HBAC Service Group's member_hbacsvc
 - SUDO Command Group's member_sudocmd

The ipa_association_table_widget's add() and remove() have been moved
into ipa_association_facet so they can be customized by facet's
subclass. The ipa_table's add_row() has been renamed to add_record().

Some old code has been removed from ipa_facet_create_action_panel().
The code was used to generate association links from a single facet.
It's no longer needed because now each association has its own facet.

The test data has been updated. The IPA.nested_tabs() has been fixed
to return the entity itself if IPA.tab_set is not defined. This is
needed to pass unit test.
2010-12-02 12:14:07 -05:00
Endi S. Dewata
620c085ebf Certificate management with self-signed CA
The certificate_status_widget has been modified to check for the
environment variable ra_plugin to determine the CA used by IPA
server. If self-signed CA is used, some operations will not be
available (e.g. checking certificate status, revoking/restoring
certificate), so the corresponding interface will be hidden. Other
operations such as creating new certificate and viewing certificate
are still available.
2010-12-02 11:54:58 -05:00
Adam Young
27b01cb628 remove task and role groups since these entites are no longer exposed in the Meta data, including them in the code causes breakage at initialization 2010-12-02 11:48:29 -05:00
Pavel Zuna
5db7c4ec34 Add new version of DNS plugin: complete rework with baseldap + unit tests.
Ticket #36
Ticket #450
2010-12-01 21:32:09 -05:00
Rob Crittenden
4ad8055341 Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).

A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.

ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).

This makes the aci plugin internal only.

ticket 445
2010-12-01 20:42:31 -05:00
Adam Young
85d5bfd1b1 admin determination
extends the logic for showing the admin or self service ui to admins by checking for membership in the group admins
added check for group admins
2010-12-01 20:22:30 -05:00
Adam Young
47d61e6cab action panel sibling added function to get sibling entities from the tab set. remove explicit sibling code from entity pages Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI 2010-12-01 15:21:02 -05:00
Simo Sorce
20b1e0a75e Enable EntryUSN plugin by default, with global scope
This will allow clients to use entryusn values to track what changed in the
directory regardles of replication delays.

Fixes: https://fedorahosted.org/freeipa/ticket/526
2010-11-30 18:26:40 -05:00
Pavel Zuna
94957c8ddc Prompt correctly for required Password params.
Ticket #361
2010-11-30 15:14:28 -05:00
Endi S. Dewata
c90bff232d Multicolumn association facet
The association facet has been modified to support multiple columns.
By default the facet will have one column which is the primary key of
the associated object (e.g. username of a group member), so the
existing code will work like before. Other fields (e.g. user's full
name) can be added by subclassing the ipa_association_facet class and
specifying the additional columns to display. These additional fields
will be retrieved using a batch operation.

Previously a single association facet instance will be used for all
associations in an entity. Now each association will have its own
association facet. This way each association facet can be customized
differently as needed. The <entity>-enroll URL parameter has been
removed because it's no longer needed.

The ipa_entity.create_association_facets() is provided to generate
the default association facets with one column for the primary key.

The column click handler has been moved out of ipa_column to provide
more flexibility for customization.

The get_action_panel() and get_client_area() have been modified to
search within the entity's container.

The group entity has been fully converted to use the new UI framework.

Association facets that have been modified to use multiple columns are:
 - User Group's member_user
 - HBAC Service Group's member_hbacsvc
 - SUDO Command Group's member_sudocmd
 - Service's managedby_host

New test data files have been added. Unit tests have been updated.
2010-11-30 14:58:30 -05:00
Rob Crittenden
d644d17adf Reduce the number of attributes a host is allowed to write.
The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

ticket 416
2010-11-30 14:30:52 -05:00
Rob Crittenden
88133ab43c Create user private groups with a uniqueid.
If we don't then we need to add it when a group is detached causing
aci issues.

I had to move where we create the UPG template until after the DS
restart so the schema is available.

ticket 542
2010-11-30 09:52:05 -05:00
Jakub Hrozek
df28017eaf Init smods to prevent crash if encode_keys fails 2010-11-29 17:21:17 -05:00
Jan Zeleny
58bcb5e7f9 Handle error messages during various HBAC operations
During some HBAC operations, various error messages were handled
incorrectly - displaying only generic error messages instead of
correct ones, which were defined for the module.

This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.

https://fedorahosted.org/freeipa/ticket/487
2010-11-29 17:19:40 -05:00
Endi S. Dewata
df48c9cf71 Fixed navigation problem with nested entities.
Replaced _entity with -entity in IPA.tab_state().
Replaced sudo-entity with sudorule-entity.
2010-11-29 21:13:34 -05:00
Adam Young
7b91e9d83d top nav index allows links between differnt top level tabs by calculating the index of the top level tab for the target tab. new version creats third level navigation for nested entities, such as SUDO and HBAC 2010-11-29 21:13:26 -05:00
Nalin Dahyabhai
b683c7261b build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
Adam Young
5bfb1a004a quote class member
the class member variable is a reserved keyword in Javascript.
This patch fixes a syntax error.
2010-11-29 09:46:39 -05:00
Adam Young
16b935169c whoami fix
recent changes to the scope mechanism weren't propigated to the whoami call
2010-11-24 16:36:36 -05:00
Adam Young
091099480f navigation format UXD guidance to cleanup navigation. adjusts the tab font 2010-11-24 20:30:43 -05:00
Adam Young
841c290113 action panel formatting
Cleans up the indentation of the action panel
Puts the sudo and HBAC entries in a consistent order
2010-11-24 20:30:34 -05:00
Pavel Zuna
a34bb67cbd Rename parent LDAPObject pkeys in child LDAPObject methods.
If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
2010-11-24 09:54:01 -05:00
Rob Crittenden
8d235c6b71 Verify the --ip-address option when setting up DNS.
There was a corner case where the value of --ip-address was never verified
if you were also setting up DNS.

Added this bit of information to the man page too.

ticket 399
2010-11-24 09:18:57 -05:00
Rob Crittenden
0ad0f4ba6c Catch when we fail to get a cert chain from the CA during installation
Also don't free the XML document if it was never created.

ticket 404
2010-11-24 08:39:00 -05:00
Rob Crittenden
97e9309db3 Gracefully handle an empty members list
This can occur if you do something like:

$ ipa hbac-add-host --hosts="" testrule

options will have an entry for 'host' but it will be None whcih is
not iterable.

ticket 486
2010-11-24 08:38:48 -05:00
Rob Crittenden
d824eee8fa Display user and host membership in netgroups.
This uses an enhanced memberof plugin that allows multiple attributes
to be configured to create memberOf attributes.

tickets 109 and 110
2010-11-24 08:38:41 -05:00
Pavel Zuna
9120155dae Generate better DuplicateEntry error messages in LDAPCreate.
Ticket #530
2010-11-23 21:32:12 -05:00
Pavel Zuna
5060fdfade Change signature of LDAPSearch.pre_callback.
Add the opportunity to change base DN and scope in the callback.
2010-11-23 21:29:08 -05:00
Rob Crittenden
6d51a48af8 Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238
2010-11-23 18:23:29 -05:00
Simo Sorce
aa70959f16 Fix modrdn plugin crash bug.
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.

Fixes: https://fedorahosted.org/freeipa/ticket/529
2010-11-23 11:40:38 -05:00
Jakub Hrozek
960fc66447 ipa-client code cleanup
Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
7086c9e863 Silence compilation warnings in SLAPI plugins
Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
110397f059 Don't use deprecated ldap_bind_s
ldap_bind_s is marked as deprecated in new libldap releases.

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
ce75d1c6d6 Stricter compilation flags
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Jakub Hrozek
5da451876e Common include file for SLAPI plugin logging
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.

https://fedorahosted.org/freeipa/ticket/408

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00
Endi S. Dewata
b9f539ba19 SUDO Commands and Command Groups
The SUDO Commands and Command Groups pages have been added under
SUDO Rules tab.

Similar to HBAC navigation issue, these entities do not have their
own tab, so an exception has been added to the navigation code
to read sudo-entity parameter to determine the entity being viewed.
Fixing this issue will require framework changes.

New test data for these operations have been added.
2010-11-22 15:37:17 -05:00
Endi S. Dewata
27d8529a84 Fixed action panel queries
Previously the queries for action panel were done globally. Since each
entity container has its own action panel, the queries will return multiple
results. This is fixed by qualifying the query to run within the entity
container.

The query has also been moved into ipa_facet.get_action_panel(). Entities
that do not have their own entity container (e.g. HBAC services and service
groups) will need to override this method to get the action panel from the
right entity container (e.g. HBAC rules).

The facet.setup_views() has been renamed to facet.create_action_panel().
New test data for SUDO rules have been added.
2010-11-22 15:28:42 -05:00
Rob Crittenden
861a0fdba9 Don't use full pathnames for kerberos binaries, let PATH find them.
Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH
sort it out.
2010-11-22 14:52:09 -05:00
Rob Crittenden
f6b094156d Handle wget failures trying to retrieve the CA during the client install
ticket 405
2010-11-22 14:47:15 -05:00
Simo Sorce
c53c0ca1ad Autotune directory server to use a greater number of files
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).

Fixes: https://fedorahosted.org/freeipa/ticket/464
2010-11-22 12:42:16 -05:00
Simo Sorce
733dc89f75 Save and restore on uninstall ds related config files 2010-11-22 12:42:16 -05:00
Simo Sorce
6a5c4763af id ranges: change DNA configuration
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.

Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.

Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.

fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-22 12:42:16 -05:00
Jan Zeleny
61e2016ee3 Ensure that Apache is running with MPM=Prefork
Script wsgi.py checks if Apache is compiled with MPM=Prefork
and if not, it refuses to run.

https://fedorahosted.org/freeipa/ticket/252
2010-11-22 12:35:52 -05:00
Simo Sorce
b67df045be Configure KDC to use multiple workers
Only if more than one CPU is available
Only if supported by the installed krb5kdc
2010-11-22 11:57:19 -05:00
Jakub Hrozek
57e1edd052 Use sys.exit to quit scripts
Instead of print and return, use sys.exit() to quit scripts with an
error message and a non zero return code.

https://fedorahosted.org/freeipa/ticket/425
2010-11-22 09:51:07 -05:00
Endi S. Dewata
3e540272c6 Multivalued email address 2010-11-20 02:31:40 -05:00
Simo Sorce
5d5ec15ee5 Automatically disable pkinit when not supported 2010-11-19 14:49:49 -05:00