There were quite a few errors in es.po, it was difficult or impossible to
track down where they came from, Transifex does not have good revision
history.
I fixed about 20% of the msgstr's in the file that had obvious
problems which could be spotted by a non-Spanish speaking person.
Spurious backslashes and backslash-newlines had been introduced. I
tracked this particular problem down to a bug in polib. polib is a
Python library which can read/write po/mo files. In Fedora it's
packaged as python-polib. polib is used by the Transifex instance to
read/write po files. We don't currently use polib in IPA (that will
change soon though) but I wrote utilities using polib to help fix the
bad po file and analyze what had gone wrong. I discovered that if one
simply uses polib to read a po file into memory and then write that po
file back out from memory you don't end up with the same contents if
there are backslashed escapes in the file. I tracked this down to the
escape() and unescape() functions in polib. This caused me to look to
see if upstream polib had been fixed. It had. Therefore I think the
spurious backslashes were introduced when Transifex was using an older
broken version of polib. I filed this Fedora bug
https://bugzilla.redhat.com/show_bug.cgi?id=744419 to get the fixes
into python-polib. I manually corrected all the backslash errors.
I compared all 1329 translations from a known good version of es.po
with the current version and generated a new es.po by taking the
translation (e.g. msgstr) from the two po files which was obviously
correct. In those instances where neither msgstr was obviously correct
I deleted the translation entirely.
I also wrote utilities to validate any "substitution" variables
appearing in the text. I discovered a number of instances where the
substitution variable had been malformed by the translator such that
it was syntactically invalid. This is how we originally discovered
problems with the translation, it was throwing Python exceptions. I
fixed all those errors.
I also found approximately 80 translations where the leading
whitespace had been altered by the translator. Those also were fixed.
I cannot verify that the remaining translations are a correct Spanish
translation of the original text (in fact a number of them I looked at
seemed dubious to me, for example it omitted recognizable
keywords). But I do believe that the obvious errors are fixed and we
shouldn't be throwing any more Python exceptions because of malformed
substitution variables.
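One way to run the two checks this commit message describes (malformed substitution variables and altered leading whitespace), as an added example that is not the author's utilities or FreeIPA code. It works on (msgid, msgstr) pairs rather than reading po files, covers only Python %-style placeholders, and its sample entries are constructed.

```python
import re

# One Python %-format placeholder. 'conv' matches empty when the conversion
# character is missing or unsupported, the case that raises ValueError at runtime.
_SPEC = re.compile(
    r"%(?:\((?P<name>[^)]*)\))?[#0\- +]*(?:\*|\d+)?(?:\.(?:\*|\d+))?[hlL]?"
    r"(?P<conv>[diouxXeEfFgGcrs%]?)"
)

def placeholders(text):
    """Return (named, positional, malformed) placeholders found in text."""
    named, positional, malformed = set(), [], []
    for m in _SPEC.finditer(text):
        name, conv = m.group("name"), m.group("conv")
        if conv == "":
            malformed.append(text[m.start():m.start() + 12])
        elif conv == "%":
            continue  # literal percent sign
        elif name is not None:
            named.add((name, conv))
        else:
            positional.append(conv)  # order matters for positional arguments
    return named, positional, malformed

def leading_ws(text):
    return text[:len(text) - len(text.lstrip())]

def check_entry(msgid, msgstr):
    """Return the problems found in one translation; an empty list means it passed."""
    if not msgstr:
        return []  # untranslated entries fall back to msgid
    problems = []
    id_named, id_pos, _ = placeholders(msgid)
    str_named, str_pos, bad = placeholders(msgstr)
    if bad:
        problems.append("malformed")   # would raise ValueError when formatted
    elif (id_named, id_pos) != (str_named, str_pos):
        problems.append("mismatch")    # would raise KeyError/TypeError when formatted
    if leading_ws(msgid) != leading_ws(msgstr):
        problems.append("leading-whitespace")
    return problems

# Constructed sample entries (not taken from es.po).
SAMPLES = [
    ("%(count)d entries matched", "%(count)d entradas coinciden"),
    ("invalid '%(name)s': %(error)s", "'%(name)' no válido: %(error)s"),
    ("User %(user)s not found", "Usuario %(usuario)s no encontrado"),
    ("  Added %s to %s", "Agregado %s a %s"),
]
```
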
We determine the realm in the client installer so we can deduce
the base dn, pass that into ipa-join so we don't have to hunt for
it.
Re-order the bind so that when doing an OTP enrollment we can use the host
entry to authenticate before we retrieve the subject base, then initiate
the enrollment.
If ipa-join is called without a basedn it will still attempt to
determine it, but it will fail if anonymous binds are not allowed.
https://fedorahosted.org/freeipa/ticket/1935
systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of
/etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we
need to make sure it is always existing and pointing to our realm.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/1192
backup_and_replace_hostname() was doing three things:
1. Given config file in 'key=value' style, replace value for a
   specified key (HOSTNAME)
2. Backup original file and install a replacement
3. Restore original security context after editing
We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:
1. config_replace_variables(filepath, replacevars=dict(),
                            appendvars=dict())
   Replaces or appends values to specified keys, adding new key=value
   pairs if key was absent
2. backup_config_and_replace_variables(fstore, filepath,
                                       replacevars=dict(),
                                       appendvars=dict())
   Backs up config file and calls config_replace_variables()
A caller must handle security context after using these two tools.
In addition, as before, there is
ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.
The code will be used extensively for systemd integration for Fedora 16.
Fixes:
https://fedorahosted.org/freeipa/ticket/1871
In checking to see if the dogtag proxy configuration needed to be updated
we didn't handle the case where dogtag isn't installed at all.
https://fedorahosted.org/freeipa/ticket/1951
When users and hosts are included into groups indirectly, make sure that
during HBAC test we fill in all indirect groups properly into an HBAC request.
Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.
This makes possible following requests:
    ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
    Request to evaluate:
    <user <name foobar groups [hbacusers,ipausers]>
     service <name sshd groups []>
     targethost <name vm-101.ipa.local groups []>
     srchost <name vm-101.ipa.local groups []>
    >
Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
name_from_ip validation which works fine for CLI. However, when
the command is not proceeded via CLI and sent directly to the
RPC server, the server throws Internal Server Error.
Make sure that the server returns a reasonable error. Also implement
2 unit cases testing this option
https://fedorahosted.org/freeipa/ticket/1941
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
During ipa-client-install SSSD is not always started up properly for some
reason, things like "getent passwd admin" do not work. This is particularly
true for large setups where admin is included in a large set of groups.
https://fedorahosted.org/freeipa/ticket/1774
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
https://fedorahosted.org/freeipa/ticket/1933
Web UI init method was modified to get initialization data in 3 calls.
First call remains the same as before except that the json_metadata command
was removed.
JSON metadata are requested after successful response of the first batch command.
This approach should preserve functionality in IE (where request is missing after
authentication). Getting JSON metadata is split to two commands - this should prevent
the error in linked ticket. These two commands are executed in parallel by new
concurent_command object.
Concurrent command waits for all responses then it calls each command's success
handler.
The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past. To fetch just the objects call it like this:
{"method":"json_metadata","params":[["all",""],{}],"id":0}
And just the methods call it like this:
{"method":"json_metadata","params":[["","all"],{}],"id":0}
Note the difference in the positional parameters.
To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter.
This is not ideal, but we are constrained by the existing API.
Members are dereferenced when calculating indirect membership. We don't
need to check hosts and users for members.
This significantly reduces the number of queries required for large groups.
https://fedorahosted.org/freeipa/ticket/1885
https://fedorahosted.org/freeipa/ticket/1932
Description of problem:
Title is missing while configuring browser for the first time.
Actual results:
There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.
Expected results:
Title "Identity Management" is always present.
Fixed:
* modified paths to images
* fixed padding in ssbrowser.html
* moved browser icons to ui folder
* deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)
whitespaces
For every hostgroup a managed netgroup is created (if this is allowed).
Make sure that if a stand-alone netgroup exists, a hostgroup with the
same name cannot be created to prevent collisions.
https://fedorahosted.org/freeipa/ticket/1914
When running ipa-client-install on a system whose clock is not in sync
with the master, kinit fails and enrollment is aborted. Manual checking
of current time at the master and adjusting on the client-to-be is then
needed.
The patch tries to fetch SRV records for NTP servers of the domain we aim
to join and runs ntpdate to get time synchronized. If no SRV records are
found, sync with IPA server itself. If that fails, warn that time might
be not in sync with KDC.
https://fedorahosted.org/freeipa/ticket/1773
We were not searching for objectclass so the test to see if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.
Fixes: https://fedorahosted.org/freeipa/ticket/1820
https://fedorahosted.org/freeipa/ticket/1922
gidNumber is not an allowed attribute for a non-posix group. When adding a non-posix group from the UI, unchecking the "Is this a POSIX group?:" box should disable the "GID:" field.
Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).
Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.
https://fedorahosted.org/freeipa/ticket/1899
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
The radio buttons in association facet and radio widget are now
linked to their labels so that they can be selected by clicking
the labels.
Ticket #1782
When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers
point to IPA NTP server as well.
When restoring the client during ipa-client-install --uninstall, make sure NTP configuration
is fully restored and NTP service is disabled if it was disabled before the installation.
https://fedorahosted.org/freeipa/ticket/1770
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really wants to install it by implementing the following steps:
- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
When group/user is migrated, the attribute used for RDN may be
multivalued. Make sure that we pick the value used in the RDN
which should be the unique one and not just the first one.
https://fedorahosted.org/freeipa/ticket/1892
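The selection rule from the migration commit message above (take the value the RDN uses, not the first value of a multivalued attribute), as an added example that is not FreeIPA's migration code. The function names and sample DNs are constructed for illustration, and the parser handles backslash and hex escapes but not quoted or #-encoded values.

```python
import re

_ESC = re.compile(r"\\([0-9A-Fa-f]{2})|\\(.)", re.S)

def unescape(value):
    """Decode RFC 4514 escapes: \\XX is one raw byte, \\c is the character c."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(value):
        out += value[pos:m.start()].encode("utf-8")
        out += bytes([int(m.group(1), 16)]) if m.group(1) else m.group(2).encode("utf-8")
        pos = m.end()
    out += value[pos:].encode("utf-8")
    return out.decode("utf-8")

def first_rdn(dn):
    """Return the leftmost RDN as [(attr_type, value), ...]; '+' joins several AVAs."""
    rdn = re.match(r"(?:\\.|[^\\,])*", dn, re.S).group(0)   # up to first unescaped ','
    avas = re.findall(r"(?:\\.|[^\\+])+", rdn, re.S)        # split on unescaped '+'
    return [(a.partition("=")[0].strip().lower(), unescape(a.partition("=")[2]))
            for a in avas]

def pick_rdn_value(dn, attr, values):
    """Return the element of values that the entry's RDN actually uses."""
    for rdn_attr, rdn_val in first_rdn(dn):
        if rdn_attr != attr.lower():
            continue
        for v in values:
            if v.lower() == rdn_val.lower():  # assumes case-insensitive matching (cn, uid)
                return v
    # Refuse to guess: falling back to values[0] is the bug being avoided.
    raise ValueError("no value of %r matches the RDN of %r" % (attr, dn))

# Constructed sample entries.
GROUP_DN = "cn=admins,ou=groups,dc=example,dc=com"
GROUP_CN = ["Administrators", "admins"]
ESCAPED_DN = r"cn=Ops\, EMEA+gidNumber=5001,ou=groups,dc=example,dc=com"
ESCAPED_CN = ["Operations", "Ops, EMEA"]

if __name__ == "__main__":
    print(pick_rdn_value(GROUP_DN, "cn", GROUP_CN))
    print(pick_rdn_value(ESCAPED_DN, "cn", ESCAPED_CN))
```
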