https://fedorahosted.org/freeipa/ticket/1640
On the HBAC Rules page, where the rules are listed, if no rule is selected, the "Delete" button is not enabled, and cannot be clicked on.
But edit a Rule, and Delete button is enabled in the available sections - regardless of, if an object is selected to be deleted or not, or even if there is no object to be selected to delete.
One can click on this button...but then - there is no message indicating that something should be selected for deletion for this button to do anything.
Notes:
* fixed association_table_widget and association_facet
The adder dialog for the user and host tables in sudo rule details
page have been fixed to use --not-in-sudorules to avoid showing
entries that are already added into the rule either directly or
indirectly via groups.
This does not apply to the command and run-as tables because they
do not support such option.
Ticket #1768
In order to maintain consistent layout between details page and dialog
boxes the IPA.details_list_section has been replaced with
IPA.details_table_section which is based on table.
The IPA.target_section and other subclasses of IPA.details_list_section
have been converted to use IPA.details_table_section as well.
The unit tests have been updated accordingly.
Ticket #1648
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
Due to a recent change, all dialog boxes are now reset initially. The
IPA.target_section has been modified to show the default target (i.e.
filter) and the fields properly when reset.
Ticket #1748
We need to check all Kerberos ports both TCP and UDP transports.
Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
https://fedorahosted.org/freeipa/ticket/1739
The attributes table (IPA.attributes_widget) used in Permissions, Self-Service Permissions, and Delegations is supposed to be short but scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears as a long non-scrollable table which makes it more difficult to use.
The memberof_netgroup association facet for hostgroup has been
explicitly defined to use the serial associator so it will invoke
the right methods.
Ticket #1737
Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).
A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.
Ticket #1701
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
https://fedorahosted.org/freeipa/ticket/1697
Original problem:
WEBUI: Update automount location refer to unknown command
Update name of the automount location (Policy -> Automount ->
custom_location -> Settings -> Update) in the WEBUI refer to an unknown command.
Solution:
Tracking dirty state in field -> section -> details facet.
'Reset' and 'Updates' in details facet are enabled only if facet is dirty.
Removes the problem above and 'no modification to be performed' annoyance.
1) Add sudorule docstring headline
2) Fix naming inconsistency in Sudo plugins help and summaries,
especially capitalization of Sudo objects - Sudo Rule, Sudo
Command and Sudo Command Group
3) Add missing summaries for sudorule-add-option and
sudorule-remove-option. To keep backward compatibility with
older clients, just print the missing summary with
output_for_cli(), don't expand Output.
https://fedorahosted.org/freeipa/ticket/1595https://fedorahosted.org/freeipa/ticket/1596
If the client installer fails for some reason and --force was not used
then roll back the configuration.
This is needed because we touch /etc/sysconfig/network early in the
configuration and if it fails due to any number of issues (mostly related
to authentication) it will not be reset. We may as well run through the
entire uninstall process to be sure the system has been reset.
https://fedorahosted.org/freeipa/ticket/1704
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.
ticket https://fedorahosted.org/freeipa/ticket/1574
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.
When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
https://fedorahosted.org/freeipa/ticket/1689
Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table
Do not forget to add new line in updated /etc/sysconfig/network
configuration. Move the actual change of the hostname after the
user confirmation about proceeding with installation. It confused
users when the hostname change occurred before this prompt.
https://fedorahosted.org/freeipa/ticket/1724
When we perform an upgrade 389-ds is set to listen only on its
ldapi port. Theoretically it should be restored to the previous
state regardless of whether the upgrades were successful or not.
To be sure that a subsequent re-install will be successful go ahead
and remove the state for these options. Think of it as wearing a
belt and suspenders. Otherwise a re-install could return an error
message that IPA is already configured.
https://fedorahosted.org/freeipa/ticket/1667
We were orphaning a few files/directories when uninstalling 389-instances
both for IPA and dogtag. This should remove everything but the logs.
ticket https://fedorahosted.org/freeipa/ticket/1700
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).
It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Although the proper values for booleans from LDAP should be only uppercase,
389ds does allow wrong cased values without complaining. And we still have some
places where the wrong case is used.
Avoid getting frustrating errors when reading these values out.
