There are cases when ipactl returns success even when it fails. Plus,
when the error really is detected the status codes are not LSB
compliant. This may result in consequent issues.
This patch improves error handling in ipactl and adds LSB compliant
status codes. Namely:
0 program is running or service is OK
3 program is not running
4 program or service status is unknown
for "status" action. Status code 4 is issued when IPA is not
configured to distinguish this state from not running IPA.
For other actions, the following non-zero status codes are
implemented:
1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured
https://fedorahosted.org/freeipa/ticket/1055
The month in krblastpwdchange (LDAP Generalized Time) is 1-based
but the month in JavaScript Date.setUTCFullYear() is 0-based so it
needs a conversion.
Ticket 1053
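The month conversion described above, as an added JavaScript example that is not FreeIPA's own code: `parseGeneralizedTime()` and the sample krblastpwdchange values are constructed here, and the pre-fix variant is kept beside it to show the off-by-one month.

```javascript
// Added example (not FreeIPA's code): turn an LDAP Generalized Time value
// such as krblastpwdchange (YYYYMMDDhhmmssZ, "Z" = UTC) into a Date.
// LDAP months are 1..12, Date.setUTCFullYear() expects 0..11.
const GENERALIZED_TIME_RE =
    /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,]\d+)?Z$/;

// Split the string into its numeric fields; throws on anything that is
// not a UTC Generalized Time value (timezone offsets are not handled).
function splitGeneralizedTime(value) {
    const m = GENERALIZED_TIME_RE.exec(value);
    if (!m) {
        throw new Error('not a UTC Generalized Time value: ' + value);
    }
    const [, year, month, day, hour, minute, second] = m.map(Number);
    return { year, month, day, hour, minute, second };
}

// Fixed conversion: subtract one from the LDAP month before handing it
// to the 0-based Date API.
function parseGeneralizedTime(value) {
    const t = splitGeneralizedTime(value);
    const date = new Date(0);
    date.setUTCFullYear(t.year, t.month - 1, t.day);
    date.setUTCHours(t.hour, t.minute, t.second, 0);
    return date;
}

// Pre-fix behaviour for comparison: the LDAP month is passed straight
// through, so every date lands one month late and December rolls into
// January of the following year.
function parseGeneralizedTimeBuggy(value) {
    const t = splitGeneralizedTime(value);
    const date = new Date(0);
    date.setUTCFullYear(t.year, t.month, t.day);
    date.setUTCHours(t.hour, t.minute, t.second, 0);
    return date;
}

// Show both results side by side as ISO strings for a given value.
function compareConversions(value) {
    return {
        fixed: parseGeneralizedTime(value).toISOString(),
        buggy: parseGeneralizedTimeBuggy(value).toISOString(),
    };
}

// Constructed sample values; the second one exercises the year rollover.
console.log(compareConversions('20110315123045Z'));
console.log(compareConversions('20101231235959Z'));
```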
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this is only needed
on clones.
ticket 1024
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
When an IPA replica or server is configured, it does not check for a
possibly installed client. This will cause the installation to
fail at the very end.
This patch adds a check for already configured client and suggests
removing it before server/replica installation.
https://fedorahosted.org/freeipa/ticket/1002
In a details page, usually any changes done to the fields will not be
applied until the user clicks the Update button. However, if the page
contains an association table, any addition/deletion to the table will
be applied immediately.
To avoid any confusion, the user is now required to save or reset all
changes to the page before modifying the association. A dialog box will
appear if the page contains any unsaved changes.
By calling sasl_interactive_bind_s() directly we were not calling __lateinit().
This in turn resulted in some variables like dbdir not being set on the
IPAadmin object.
Keep all bind types in the same place so the same common sbind steps can be
performed in each case.
Related to: https://fedorahosted.org/freeipa/ticket/1022
This patch replaces xgettext with a custom pygettext to generate
translatable strings from plugin files in ipalib/plugins. pygettext
was modified to handle plural forms (credit goes to Jan Hendrik Goellner)
and had some bugs fixed by myself. We only use it for plugins, because
it's the only place where we need to extract docstrings for the built-in
help system.
I also had to make some changes to the way the built-in documentation
system gets docstrings from modules for this to work.
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
This patch fixes Entitlements privileges and ACIs. There were
missing descriptions or the ACIs could not be processed by the
Permission plugin because of a missing prefix.
https://fedorahosted.org/freeipa/ticket/997
Created some default roles as examples. In doing so I realized that
we were completely missing default rules for HBAC, SUDO and password
policy so I added those as well.
I ran into a problem when the updater has a default record and an add
at the same time; it should handle it better now.
ticket 585
Many WebUI identifiers were defined in a global namespace. This is
not a good programming practice and may result in name clashes,
for example with other libraries.
This patch moves these variables to IPA namespace or its
sub-namespaces, when meaningful.
https://fedorahosted.org/freeipa/ticket/212
A link has been added into the details page to expand/collapse all
sections.
Previously each section's <div> container was identified using a long
ID. It is now identified using the section name.
Support of navigator.preferences that is used to access browser
configuration was dropped in Firefox 4. This disables automatic
configuration of user preferences in this browser that is needed
to use Kerberos single sign-on.
This patch detects a lack of this interface and tries to
configure the browser using the new Services module introduced in
Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
https://fedorahosted.org/freeipa/ticket/975
The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets.
The service.py has been modified to specify the correct relationships. The API.txt has been updated.
https://fedorahosted.org/freeipa/ticket/960
Trying to run ipactl as non-root results in a slew of bogus
error messages, some of which come because dirsrv can't read certain
files as the wrong user, some based on our handling of that fact.
ticket 936
1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
a dogtag server.
The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.
Add pointer to self to /etc/hosts to avoid chicken/egg problems when
restarting DNS.
On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't
attempt to do any resolving. Leave it to true on clients.
Set rdns to false on both server and client.
https://fedorahosted.org/freeipa/ticket/931
The current version of the DNS Plugin does not support searching by record, so that is commented out.
The search field wasn't working either. The search criteria had to be appended to the params array, just after the zone.
https://fedorahosted.org/freeipa/ticket/907
The group.upg NIS map was an experiment in providing UPG groups
dynamically, and is not one of the maps that I'd ever expect a NIS
client to "know" to search. We should probably just drop it.
Previously the add service dialog box showed a 'Principal:' label with
no text field next to it. It has now been removed. The dialog box
has been widened to avoid line wrapping of the buttons.
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the replication plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
The state is read only at initialization time. This works ok when
individual services remove their state data but when worked upon again
at the top-level it still has the full state in memory, so when the
state file is re-written all of the data that was removed is re-added.
ticket 916
Previously all certificate & Kerberos key statuses (valid, missing
and revoked) would appear briefly at the same time during page load.
This has been fixed by setting the initial style to hidden.
Previously the IPA.details_list_section could only be used with widgets
that generate a <dd> tag because it uses the following structure:
<dl>
<dt>Telephone Number:</dt>
<span name="telephonenumber">
<dd>111-1111</dd>
<dd>222-2222</dd>
</span>
</dl>
The <dd> tag was previously used to handle multi-valued attributes.
Since multi-valued attributes are now handled by the recently added
IPA.multivalued_text_widget, the structure can be changed as follows:
<dl>
<dt>Telephone Number:</dt>
<dd>
<span name="telephonenumber">
<div>111-1111</div>
<div>222-2222</div>
</span>
</dd>
</dl>
This allows IPA.details_list_section to be used with any widgets
without requiring the <dd> tag.
A multi-valued text widget has been created to replace the old
IPA.details_field. The old code was designed to handle all data
types, and it uses one <dd> tag for each value, so the code is
still incomplete and complex. The new code was designed to handle
only multi-valued text attributes, and it uses one <dd> tag for
all values, so it's easier to maintain. There are already other
widgets that can be used to handle other data types.
The new code supports line-level undo and line-out for removal
like the old code, but there are some changes:
- Undoing a newly added line will remove the entire line.
- Editing the value of a removed line will cancel the removal.
- It provides 'undo all' link to reset the entire attribute.
The old code will be cleaned up in a subsequent patch.
A cosmetic patch to IPA server installation output aimed to make
capitalization in installer output consistent. Several installation
tasks started with a lowercase letter and several installation
task steps started with an uppercase letter.
https://fedorahosted.org/freeipa/ticket/776
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unavailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278
There wasn't an exception in the "is the server already installed"
check for a two-stage CA installation.
Made the installer slightly more robust. We create a cache file of
answers so the next run won't ask all the questions again. This cache
is removed when the installation is complete. Previously nothing would work
if the installer was run more than once; this should be fixed now.
The cache is encrypted using the DM password.
The second problem is that the tomcat6 init script returns control
before the web apps are up. Add a small loop in our restart method
to wait for the 9180 port to be available.
This also adds an additional restart to ensure that nonces are disabled.
ticket 835
revise
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.
ticket 853
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
The reset and is_dirty functionality for permission has been fixed.
New widgets have been created for select and a collection of checkboxes.
New test data files have been added for each target type.
ipa_target_section does not overload is_dirty, and it always returns true, meaning you can never leave the page once you visit it.
This commit pushes a simple placeholder function that always returns false. Follow-on work will be required to correctly implement the is_dirty functionality.
The IPA.dialog has been modified to support sections. The add
dialog for permission has been modified to include the target
section. The base dialog classes have been moved from widget.js
into a new file called dialog.js.
This patch also includes ayoung's fix for parameter name and
format for the permission attributes.
https://fedorahosted.org/freeipa/ticket/791
The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.
Because makeapi is executed when a build is done, ensure that it is
executed in developer mode to ensure that the framework is ok.
ticket 751
Declarative Service definition
Fixed a problem with multiple calls to create breaking the link between the select box and the text box
swapped the select and the text
https://fedorahosted.org/freeipa/ticket/442
This patch fixes several issues in delegation UI:
When adding a new delegation, only the first attribute selected
was saved. Now all attributes will be saved properly.
When loading the details page, the custom widgets did not store
the original values properly so is_dirty() did not work correctly.
Now this has been fixed except for the memberof attribute because
of these issues:
- https://fedorahosted.org/freeipa/ticket/869
- https://fedorahosted.org/freeipa/ticket/870
When saving the details page, the attrs were saved as an array
which was rejected by the server. Now it is stored as comma-
separated list.
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.
Ticket:
https://fedorahosted.org/freeipa/ticket/344
A couple of the ACI definitions were incorrect, and the end result was that fields were not getting initialized. Using the declarative approach cleaned up the cause.
Also fixed a few broken unit tests
Delay the creation of entities until after ipa init is called
made the user and group entity definitions declarative
removed unused facet from groups
adjusted unit tests
made review changes:
factories are now in an associative array
entity init called right after factory
init dialogs in entity init
fixed type on search
When more than one plugin produces ACIs, they share a common namespace
of ACI names. This may lead to name collisions between the ACIs
from different plugins.
This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allows plugins to use their own prefixes
(i.e. namespaces), which are then used when the name of the ACI is
generated.
The Permission, Delegation and Selfservice plugins have been updated
to use their own prefixes, thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs have been updated to
follow this new policy.
Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.
This change requires an IPA server reinstall since the default ACI
set has been changed.
https://fedorahosted.org/freeipa/ticket/764
Makes the values for the top level tabs internationalizable, and no longer just
passes through their names.
Also uses the I18N values for SUDO and HBAC as the static text in the Action panel title.
Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.
ticket 811
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of services to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
The add dialogs for Hosts and Services have been updated to include
a checkbox to force adding hosts/services that are not in DNS.
The widgets have been updated to support tooltips.
The status panel for certificates and Kerberos keys has been
modified to display only the current status with the relevant buttons.
New icons have been added to replace the red/yellow/green bullets.
Instead of always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.
Fixes: https://fedorahosted.org/freeipa/ticket/765
The OTP field has been moved into a separate row to avoid line
wrapping. The line height inside tables has been increased to
avoid overlapping buttons in certificate status panel.
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
Now that we can set up GSSAPI authenticated replication we are not
tied to using the Directory Manager password to set up replication
agreements.
Fixes: https://fedorahosted.org/freeipa/ticket/644
Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690
The labels for the following fields in Host details page have been
changed:
- fqdn: Fully Qualified Host Name
- serverhostname: Host Name
The ipa_details_field_create_input() and _ipa_create_text_input()
have been converted into methods in the ipa_details_field class. The code
has been modified to display read-only fields as labels instead
of disabled text fields.
The attributelevelrights in host test data files have been updated.
All references to hbac in the UI have been replaced with hbacrule.
This is to match the hbacrule plugin. The test data and templates
have been renamed as well.
The table widget now can be enabled/disabled. When disabled, the
checkboxes and links/buttons are grayed out and non functional.
The radio buttons in HBAC and SUDO details page have been modified
to enable/disable the corresponding tables.
The radio buttons under the Run Commands section in the SUDO details
page have been changed from allow/deny/specified into all/specified,
and moved under the Allow commands subsection, matching the correct
usage of the cmdcategory attribute.
Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
This patch updates the metadata with the changes for the facet group names. It is a large patch only in that the metadata is huge, but the change is trivial.
The client area class is added after the create call. The logic assumes that there are two divs under the tabs. The records facet broke that assumption. This fixes it.
The title attribute in various HTML elements in SUDO details page
has been set to show the proper tooltips. Most of the values are
taken from the 'doc' attribute of sudorule parameters.
make clickable links blue
change spacing to keep headers from wrapping
convert most px values to em, to support scaling
indent action controls and place them under the active facet
set default font size to 11px
The SUDO details page has been modified to support external users
and hosts. In the backend, the internal and external users are kept
in separate attributes, but in the UI they will be displayed as a
single list. The same thing is done for hosts.
The ipa_sudorule_association_adder_dialog() has been modified such
that it only displays the external field if there is an external
attribute for that field.
TAKE 1
- Enrollment links in the action panel are now sorted by relationships.
- You can only enroll members.
(The webUI made the impression you can enroll parents as well, but it was
broken.)
- When enrolling new members, you can choose not to display already enrolled
ones. (On by default.)
- Couple cosmetic changes.
To support group-based account disablement we created a Class of Service
where group membership controlled whether an account was active or not.
Since we aren't doing group-based account locking drop that and use
nsaccountlock directly.
ticket 568