This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.
The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.
A minor fix restores errors.py's ability print out the list of
errors when run as a script.
This fixes https://fedorahosted.org/freeipa/ticket/1968 (Add
ability in test framework to compare two values in result)
in a general way: adding an optional extra_check key to the test
dict, so a custom checking function with access to the whole result
can be called.
The particular test mentioned in that issue, checking that the
uidnumber and gidnumber for new isers are the same, is added.
Also, this adds a docstring to the Declarative class.
And finally, the test dictionary is passed to check() via keyword
arguments, preventing spelling mistakes in keys from going unnoticed.
https://fedorahosted.org/freeipa/ticket/2238
It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.
This is for new installs only.
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
These definitions were needed during development to be a le to build against
krb5 version < 1.10
These function headers and defintions are now available in 1.10 that is a hard
dependency for freeipa 3.0, so we can safely drop them.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.
https://fedorahosted.org/freeipa/ticket/2147
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
This is for the LDAP updater in particular. When adding new schema
order can be important when one objectclass depends on another via
SUP.
This calculation will preserve the order of changes in the update file.
Discovered trying to add SSH schema.
https://fedorahosted.org/freeipa/ticket/754
Add method for getting configuration directory path of a service,
so that a different SSH configuration directory can be specified on
different platforms.
https://fedorahosted.org/freeipa/ticket/754
Fix wrong handling of strings in --setattr/--addattr/--delattr.
These changes make it possible to use Bytes in --setattr/--addattr/
--delattr without errors.
Fixes managing SSH keys on command-line
https://fedorahosted.org/freeipa/ticket/754
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.
For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).
ticket 1634
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.
https://fedorahosted.org/freeipa/ticket/1634
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
* hbacrule: Internationalize HBAC rule "all" category exceptions
https://fedorahosted.org/freeipa/ticket/2267
* hbactest: Use internationalized names (doc) instead of names
for output items
Also don't convert result to bool, `not` does it implicitly
* ipalib.output: Internationalize descriptions of some standard entries
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
Problem:
Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state.
Fixed:
The link is disabled when target doesn't exist.
https://fedorahosted.org/freeipa/ticket/2364
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).
Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
The patch fixes a problem in error_handler_login() when it gets
an error other than 401.
The login_url is not needed for fixtures because it does not need
authentication.
The patch also fixes jslint warnings and formatting issues.
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
