A custom facet has been added to manage the host's managedby attribute.
The facet defines the add and remove methods, the columns for the
association table and enrollment dialog, and the link for the primary
key column.
The enrollment dialog has been modified to use scrollable tables that
supports multiple columns to display the search results and selected
entries. The columns are specified by calling create_adder_column()
on the association facet. By default the tables will use only one
column which is to display the primary keys.
The following enrollment dialogs have been modified to use multiple
columns:
- Group's member_user
- Service's managedby_host
- HBAC Service Group's member_hbacsvc
- SUDO Command Group's member_sudocmd
The ipa_association_table_widget's add() and remove() have been moved
into ipa_association_facet so they can be customized by facet's
subclass. The ipa_table's add_row() has been renamed to add_record().
Some old code has been removed from ipa_facet_create_action_panel().
The code was used to generate association links from a single facet.
It's no longer needed because now each association has its own facet.
The test data has been updated. The IPA.nested_tabs() has been fixed
to return the entity itself if IPA.tab_set is not defined. This is
needed to pass unit test.
The certificate_status_widget has been modified to check for the
environment variable ra_plugin to determine the CA used by IPA
server. If self-signed CA is used, some operations will not be
available (e.g. checking certificate status, revoking/restoring
certificate), so the corresponding interface will be hidden. Other
operations such as creating new certificate and viewing certificate
are still available.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
The association facet has been modified to support multiple columns.
By default the facet will have one column which is the primary key of
the associated object (e.g. username of a group member), so the
existing code will work like before. Other fields (e.g. user's full
name) can be added by subclassing the ipa_association_facet class and
specifying the additional columns to display. These additional fields
will be retrieved using a batch operation.
Previously a single association facet instance will be used for all
associations in an entity. Now each association will have its own
association facet. This way each association facet can be customized
differently as needed. The <entity>-enroll URL parameter has been
removed because it's no longer needed.
The ipa_entity.create_association_facets() is provided to generate
the default association facets with one column for the primary key.
The column click handler has been moved out of ipa_column to provide
more flexibility for customization.
The get_action_panel() and get_client_area() have been modified to
search within the entity's container.
The group entity has been fully converted to use the new UI framework.
Association facets that have been modified to use multiple columns are:
- User Group's member_user
- HBAC Service Group's member_hbacsvc
- SUDO Command Group's member_sudocmd
- Service's managedby_host
New test data files have been added. Unit tests have been updated.
The list of attributes that a host bound as itself could write was
overly broad.
A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.
ticket 416
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
During some HBAC operations, various error messages were handled
incorrectly - displaying only generic error messages instead of
correct ones, which were defined for the module.
This patch adds catching these generic exceptions and raising
new exceptions with the correct error message.
https://fedorahosted.org/freeipa/ticket/487
If the parent and child entries have the same attribute as primary
key (such as in the DNS schema), we need to rename the parent key
to prevent a param name conflict. It has no side effects, because
the primary key name is always taken from the LDAPObject params,
never from the method params.
There was a corner case where the value of --ip-address was never verified
if you were also setting up DNS.
Added this bit of information to the man page too.
ticket 399
This can occur if you do something like:
$ ipa hbac-add-host --hosts="" testrule
options will have an entry for 'host' but it will be None whcih is
not iterable.
ticket 486
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.
For IPv4 it will create an A and a PTR DNS record.
IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.
When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.
ticket 238
Constant values were assigned to variables gthat would later be freed
with slapi_ch_free_string(). Make copies instead so the free doesn't
blow. Also remove useless tests, as these functions already check for
NULL on their own.
Fixes: https://fedorahosted.org/freeipa/ticket/529
Fixes errors about implicit function declaration and moves duplicated
gettext code into a common module. Also silences some warnings.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Don't use KRB5_PRIVATE.
The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
* krb5_principal2salt_norealm
* krb5_free_ktypes
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Use a little stricter compilation flags, in particular -Wall and treat
implicit function declarations as errors.
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Consolidate the common logging macros into common/util.h and use them
in SLAPI plugins instead of calling slapi_log_error() directly.
https://fedorahosted.org/freeipa/ticket/408
Signed-off-by: Simo Sorce <ssorce@redhat.com>
The SUDO Commands and Command Groups pages have been added under
SUDO Rules tab.
Similar to HBAC navigation issue, these entities do not have their
own tab, so an exception has been added to the navigation code
to read sudo-entity parameter to determine the entity being viewed.
Fixing this issue will require framework changes.
New test data for these operations have been added.
Previously the queries for action panel were done globally. Since each
entity container has its own action panel, the queries will return multiple
results. This is fixed by qualifying the query to run within the entity
container.
The query has also been moved into ipa_facet.get_action_panel(). Entities
that do not have their own entity container (e.g. HBAC services and service
groups) will need to override this method to get the action panel from the
right entity container (e.g. HBAC rules).
The facet.setup_views() has been renamed to facet.create_action_panel().
New test data for SUDO rules have been added.
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198