The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert the existing default permissions.
The Read permission is split between Read DNS Entries and Read
DNS Configuration.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
It enables declarative extraction of values from partial
results of a batch commands and also further extensibility
in custom adapters.
The default adapter has detection logic for this extraction so
it can use bare record or extract data from normal or batch RPC
command.
Minor change of user plugin fixed:
https://fedorahosted.org/freeipa/ticket/4355
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.
Admins, as before, have full access to all token permissions.
Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.
Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.
When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.
This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.
https://fedorahosted.org/freeipa/ticket/4228https://fedorahosted.org/freeipa/ticket/4259
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
`memberdenycmd_sudocmd` and `memberdenycmd_sudocmdgroup` tables are now
enabled/disabled based on `cmdcategory` as well.
https://fedorahosted.org/freeipa/ticket/4361
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Interface for setting default group is hidden when user doesn't have
necessary rights or if there is some error while loading the state.
https://fedorahosted.org/freeipa/ticket/4356
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
using browser history when unauthenticated causes transition to
the original and/or preceding facets. But nothing works since
all commands fail due to expired credentials in session.
These changes make sure that user stays on login screen if he misses
valid session credentials while he wants to switch to facet which
requires authentication.
https://fedorahosted.org/freeipa/ticket/4353
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Dialog instances no longer directly call IPA.opened_dialog methods. It's
handled through events (decoupled from dialog's POV). IPA.open_dialogs
with assistance of ApplicationController makes sure that there is only
one dialog opened at the same time.
It also makes sure to hide all dialogs, which are not global dialogs and
did not originate from current facet, when switching facets.
https://fedorahosted.org/freeipa/ticket/4348
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
there is only one top level item -> no point of having this level.
This patch replaces top level with second menu level
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
GID field should be enabled by default since the default group is posix.
Was caused by option_widget_base not properly reporting value change while
selecting the default value. It has to be notified with delay otherwise the
event is consumed by FieldBinder.
https://fedorahosted.org/freeipa/ticket/4325
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Now buttons have normal button appearance instead of link button.
Partially fixes: https://fedorahosted.org/freeipa/ticket/4258 since the disabling is done through button's disabled attribute.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Mainly html and css changes.
Second level menus are absolutely positioned and so they don't adjust container
size making other elements to overlap.
side effect partially fixes:
https://fedorahosted.org/freeipa/ticket/3435
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
To update install/ui/css/patternfly.css you should:
1. clone Bootstrap 3, Font-Awesome, Bootstrap-Select and PatternFly
to the same parent directory as for FreeIPA (or use symlinks)
2. checkout desired versions of each component
3. run install/ui/util/make-patternfly.css
4. when changing component versions, copy xxx/variables.less from each
component to install/ui/less/xxx/ so we can use the variables in our
less files
This commit contain css made from component versions as follows:
- PatternFly: 0.2.5
- Bootstrap: 3.1.1
- Bootstrap-select: 1.4.3
- Font-Awesome: 4.0.3
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.
https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When the static test site called batch delete,
it always referred to batch.json. This patch
fixes it, by referring entityname + '_batch_del.json'
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
- required indicators are not present for all sections except the last
- validation has wrong color for the same sections
There was only one layout for all choices. Layout should not be reused
because `create` method will reset layout's rows therefore it worked
properly only for the last choice.
https://fedorahosted.org/freeipa/ticket/4327
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
ID range adder was not properly addressed in field binding refactoring.
The usage of reset caused some weird loops.
https://fedorahosted.org/freeipa/ticket/4326
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
The select all checkbox remained selected after bulk
operation. This patch fixes it, after any bulk modify
or delete operation, unselect_all function is called.
https://fedorahosted.org/freeipa/ticket/4245
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.
https://fedorahosted.org/freeipa/ticket/4319
Reviewed-By: Martin Kosek <mkosek@redhat.com>
These attributes are removed from the blacklist, which means
high-level admins can now modify them:
- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName
The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.
Also, move the admin ACIs from ldif and trusts.update to aci.update.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Allow cn=etc,$SUFFIX with these exceptions:
- cn=masters,cn=ipa,cn=etc,$SUFFIX
- virtual operations
- cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
OTP Token add failed because of invalid function call. qr_widget doesn't
contain `on_value_changed` method since it inherits from `IPA.widget` and
not from `IPA.input_widget`.
Emitting the event was preserved for future possible usage.
https://fedorahosted.org/freeipa/ticket/4306
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Change `IPA.login_password` and `IPA.get_credentials` to use async AJAX
and to return promise instead of blocking the code.
IPA.get_credentials is still partially blocking because of negotiate process.
We can't do anything about that.
It allows activity indicators to do their job.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
General purpose authentication interface and state. See doc of 'freeipa/auth' module.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reimplementation of unauthorized dialog into separate widget. It uses RCUE
design.
New features compared to unauthorized dialog:
- reflects auth methods from `auth` module
- validation summary
- differentiates Kerberos auth failure with session expiration
- Caps Lock warning
- form based method doesn't allow password only submission
https://fedorahosted.org/freeipa/ticket/4017https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Load page is a simple facet which is displayed up to 'runtime' phase.
On application start it tells the user that there is ongoing activity.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Network activity is now published through global topics. It allows other
components like activity_widget to listen to them.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A widget for showing ongoing activity.
Displays a text with changing dots.
It listens to `network-activity-start` and `network-activity-end` topics.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
`facet.Facet` is a new base class for facets. It doesn't have any dependencies
on entities so it's usable for general purpose facets, e.g., future API browser,
load facet or login facet.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A mixin which implements widget storing logic. Similar logic is already implemented
in details facet and dialog.
Long term goal is to replace that with this one.
Separating the logic into mixin makes it usable in other components.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
a mixin used for fields validation. Basically implements a logic which
is already in details facet and dialog.
Now this logic can be used in any component.
The long term goal is to replace the logic in details facet and dialog
with this mixin.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
A widget which servers as container for facets. FacetContainer is a base
class. App is specialization.
Doing this abstraction will allow us to implement various facet containers.
https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.
Also, $SUFFIX itself can now be read anonymously.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.
Note that this will only work if ticket 47699 is fixed in 389-ds.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This change allow us to use proper two way binding between a field and
a widget. In previous implementation field was not changed if something
changed the value of a widget in 'update'. Now listeners are notified
when the widget value is changed by: calling 'update', 'set_value'
or by user change.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Hidden was used only in ACI. There is no reason to have two properties
which are negations of each other.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
This is a Web UI wide change. Fields and Widgets binding was refactored
to enable proper two-way binding between them. This should allow to have
one source of truth (field) for multiple consumers - widgets or something
else. One of the goal is to have fields and widget implementations
independent on each other. So that one could use a widget without field
or use one field for multiple widgets, etc..
Basically a fields logic was split into separate components:
- adapters
- parsers & formatters
- binder
Adapters
- extract data from data source (FreeIPA RPC command result)
- prepares them for commands.
Parsers
- parse extracted data to format expected by field
- parse widget value to format expected by field
Formatters
- format field value to format suitable for widgets
- format field value to format suitable for adapter
Binder
- is a communication bridge between field and widget
- listens to field's and widget's events and call appropriate methods
Some side benefits:
- better validation reporting in multivalued widget
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages
by equivalents from rpc module.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
- moves RPC code from ipa.js to it's own module
- part of ongoing effort where the ultimate goal is to get rid of ipa.js
and IPA namespace
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When some module used 'freeipa/navigation' it pulled the entire Web UI
because navigation depended on app.
This patch splits the app into two modules: app and app_container.
App specifies the entities which are part of final application.
app_container module represents the application boot classes. Navigation
now depends on app_container.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.
Also removed now unused upload_ca_dercert method of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The files are created later by ipa-client-install, there's no need to do it
twice.
This also fixes a bug in CA-less, where the CA certificate is not removed from
/etc/pki/nssdb after client uninstall, because it has a different nickname.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Remove 'u' from .po files as it is a typo and has been removed from other files.
https://fedorahosted.org/freeipa/ticket/2546
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reflects:
- adding of RCUE styles along with Bootstrap 2.0.
- removal of jQuery BBQ plugin
- removal of rhino enviroment for selenium which was used in old UI tests
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Child widgets are disabled when main widget is disabled. Also main
widget won't show "add" button.
prerequisite for:
https://fedorahosted.org/freeipa/ticket/4079
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
UI unit tests were broken since main RCUE work. This patch fixes them
all except aci, which will be fixed along with update of aci UI.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Update JSON metadata files for static presentation of FreeIPA UI and
some tests. This regeneration did not happen for very long time and
an update is needed for upcoming ACI patch.
prerequisite for:
https://fedorahosted.org/freeipa/ticket/4079
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Old implementation crawled DOM for gathering data from DOM. Such code
is very error prone. Little visual change somewhere else can break it
- as happened in main patch for #4217.
prerequisite for:
https://fedorahosted.org/freeipa/ticket/4217
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
checkboxes and radio buttons:
- do not change color on hover when disabled
- are focusable and checkable be keyboard again. This uses a little
trick where the real checkbox is hidden under the artificial
checkbox. That way it has the same position and therefore it
works even in containers with overflow set.
https://fedorahosted.org/freeipa/ticket/4217
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and miss several ACLs
which prevent some of the PKI functions, e.g. an ability to create
other clones.
Add an update file to do the database update. Content is based on
recommendation from PKI team:
* https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9
This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
* https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
* https://fedorahosted.org/pki/ticket/906 (checking database version)
Also make sure that PKI service is restarted in the end of the installation
as the other services to make sure it picks changes done during LDAP
updates.
https://fedorahosted.org/freeipa/ticket/4243
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
this patch implements:
- output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion.
- datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date.
- utc formatter replaced with new datetime formatter
- datetime_validator introduced
- new datetime field, extension of text field, which by default uses datetime formatter and validator
Dojo was regenerated to include dojo/string module
https://fedorahosted.org/freeipa/ticket/4194
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Checkboxes have not used unique ids across the whole UI. It broke checking by clicking on label for later displayed instances. It became serious problem when rcue introduced new checkbox styles with 'label clicking' as default check method.
https://fedorahosted.org/freeipa/ticket/3904
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
This patch adds option to define which item of which array attribute of specification object will be replaced by a new value.
The difference between combination of $add and $del is that it keeps position of that item in the array.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Boolean object properties can have different default meaning for not defined
value. This patch allows to defined this meaning to `boolean_formatter` by
introduction of `emty_value` property. `boolean_state_evaluator` was modified
to leverage it as well.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Fixes issue when:
1. 2 dialogs are opened
2. top dialog's close button is focused
3. user presses enter to execute 'close' action
4. dialog is immediately closed (enter key is still pressed)
5. second dialog automatically receives focus (it's top dialog now)
6. user releases the key
7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event
8. UNDESIRED behavior occurs
Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there.
https://fedorahosted.org/freeipa/ticket/4098
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog
https://fedorahosted.org/freeipa/ticket/4097
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If an error occurs in the start up sequence in ipactl start/restart,
all the services are stopped. Using the --force option prevents
stopping of services that have successfully started, just skips the
services which can not be started.
ipactl status now shows stopped services also, if the directory
server is running.
With the contribution of Ana Krivokapic
https://fedorahosted.org/freeipa/ticket/3509
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
fixed by starting the directory server when restarting if it is not
currently running to enable fetching running services
later restart didn't check that
also added a check, that if the directory server started at the
beginning, there is no need to restart it
https://fedorahosted.org/freeipa/ticket/4050
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The checks for existing host and existing replication agreement
set a flag that caused an exit() if any of them failed.
Between these checks there was an unrelated check, DNS resolution.
If the host and DNS checks both failed, this made it look like
the DNS check was the cause of failed install. Especially if the user
ignored the DNS check in unattended mode, the output was confusing.
Remove the flag and fail directly.
Do the replication agreement check first; fixing this with
ipa-replica-manage del will also remove the host entry.
Also, use the logger for error messages so they appear in the log
file as well as on the console.
https://fedorahosted.org/freeipa/ticket/3889
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
Add Web UI counterpart of following CLI commands:
* trust-fetch-domains Refresh list of the domains associated with the trust
* trustdomain-del Remove infromation about the domain associated with the trust.
* trustdomain-disable Disable use of IPA resources by the domain of the trust
* trustdomain-enable Allow use of IPA resources by the domain of the trust
* trustdomain-find Search domains of the trust
https://fedorahosted.org/freeipa/ticket/4119
This commit changes how fonts are used.
- remove usage of bundled fonts and only system fonts are used instead
- by using alias in httpd conf
- by using local("Font Name") directive in font-face
- removed usage of overpass font
- redefined Open Sans font-face declarations. Note: upstream is doing the
same change so we will be fine on upgrade.
- introduce variable.less for variable definitions and overrides. This file
will be very useful when we upgrade to newer RCUE so we will be able to
redefine their and bootstrap's variables.
Fixes: https://fedorahosted.org/freeipa/ticket/2861
- widgets has a new base class - Evented it allows raising various events
- it's purpose is to replace IPA.observer events in a future
- now all widget's IPA.observers events has their own counterpart
https://fedorahosted.org/freeipa/ticket/3904
sudoers compat plugin configuration missed the sudoOrder attribute
and it thus did not show up in ou=sudoers. Add the definion to update
file.
https://fedorahosted.org/freeipa/ticket/4107
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.
Part of: https://fedorahosted.org/freeipa/ticket/3306
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
On sysrestore failure, user is prompted out to remove the sysrestore
file. However, the path to the sysrestore file mentioned in the
sentence is not correct.
https://fedorahosted.org/freeipa/ticket/4080
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.
512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly
if they use inconsistent capitalization.
This patch works around the bug in IPA schema files.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Note: git's --word-diff option is recommended for viewing these changes
The new schema updater only compares textual representations of schema
elements, as formatted by python-ldap.
This works well, but it is too strict for the current schema files in two ways:
- For attribute names in MAY and MUST, the correct letter case must be used
- AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if
they are the same as its supertype's.
When these restrictions are not followed, the updater will always overwrite
the schema element. This is harmless but it fills up the log unnecessarily.
Modify the schema files to conform to these restrictions.
Part of the work for https://fedorahosted.org/freeipa/ticket/3454
Note: git's --word-diff option is recommended for viewing these changes
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
Add three new ipa-advise plugins, to facilitate configuration of
legacy clients using nss-pam-ldapd:
* config-redhat-nss-pam-ldapd
* config-generic-linux-nss-pam-ldapd
* config-freebsd-nss-pam-ldapd
https://fedorahosted.org/freeipa/ticket/3672
