When no user/group was found, migration plugin reported an ambiguous
error about invalid container. But the root cause may be for example
in a wrong list of user/group objectclasses. Report both in the error
message to avoid user confusion.
User/group objectclass attribute is now also marked as required.
Without the list of objectclasses, an invalid LDAP search is
produced.
https://fedorahosted.org/freeipa/ticket/2206
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
on_value_changed event in textboxes and textareas was raised only on keyboard input. If user used different input method such as paste or browser undo and redo functions widget's on_value_changed event wasn't raised and so dirty state wasn't changed as well.
This patch adds listener to text's and textarea's 'input' event. Input is a HTML 5 event which is raises on user initiated action.
Some of user initiated actions :
* Cut
* Copy
* Paste
* Undo
* Redo
* Clear
* Typing (like keyup)
* Form AutoFill
* User-invoked spellcheck corrections
* Input from Input Method Editor
It should be supported by all recent versions of major browsers. IE doesn't support it up to version 8.
Listener for 'keyup' event was left in implementation for backward compatibility with older browsers. This may cause firing on_value_change twice but so far it shouldn't cause troubles.
https://fedorahosted.org/freeipa/ticket/2647
Ticket https://fedorahosted.org/freeipa/ticket/2509 bans using non existent options. If such option is supplied command ends with error. It uncovered several cases in Web UI. This patch is fixing these cases.
Automember, Self-service and Delegation don't support 'pkey-only', 'size-limit' and 'rights' option. Pagination and rights check were disabled for them.
Automount map adder dialog was sending options for indirect map even if chosen type was direct (when those for indirect was filled earlier), also it was sending non-existant 'method' option.
https://fedorahosted.org/freeipa/ticket/2760
This patch creates state_evaluator which creates permission states for defined attribute. The state format is: attributeName_permissionChar.
This evaluator is used for user_password attribute and it control enabling/disabling of related action in user account action panel.
https://fedorahosted.org/freeipa/ticket/2318
Currently the user password is shown as follows in the details page:
Password: Reset Password
This is inconsistent with the rest of the page because the 'Reset Password' is an action, not the value of the password.
Now password is shown as follows:
Password: ******* (if set)
Password: (if not set)
Reset password link was removed as well the dialog for reset password was removed from password widget. The dialog was moved to its own object and can be now showed independently. An action for showing this dialog should be created.
https://fedorahosted.org/freeipa/ticket/2248
This patch implements action panel. Action panel is a box located in facet details section which contains actions related to that object/section.
In spec file can be configured actions and title used in action panel. Default title is 'Actions'. Actions are specified by their name. They have to be defined in action collection in facet.
https://fedorahosted.org/freeipa/ticket/2248
This is a first step for implementing action panels which will also use the shared list of actions.
This effor changes the way how action list and control buttons are defined. First all actions are defined on facet level - attribute 'actions' in spec file. Implementation of action list widget is not specified on facet level. It is left in facet header. A list of action names used in action list can be now specified in facet spec in 'header_actions' attribute.
Control buttons use similar concept. Facet by default is using control_buttons_widget. Details and search facet are defining their own default actions (refresh/add/remove/update/reset). Additional buttons can be defined as array of action names on facet level in control_buttons attribute.
state_evaluators and state_listeners were united. They are called state_evaluators but they uses state_listener concept, they are attached to an event. For former state_evaluator the event is post_load. They are defined in spec in state attribute. State object purpose is to aggregate states from all state evaluators. It offers changed event to which can other objects subscribe. It also has summary evaluator which evaluation conditions. Summary evaluator creates summary status with human readable description. It can be used by facet header.
https://fedorahosted.org/freeipa/ticket/2248
This adds tests for the automountlocation_tofiles and
automountlocation_import commands, and to automountmap_add_indirect
with the --parentmap option.
The tofiles test checks not only the XML-RPC output, but also the
output_for_cli method.
The import tests load data from tofiles output to the directory
and check that tofiles output matches.
This only works when all maps are connected to auto.master.
Two minor touches to the automount plugin itself: remove an extra
space, and don't hide the traceback when re-raising an exception.
Precallback validator was failing when a zone-relative name was
used as a NS record (for example record "ns" in a zone "example.com").
However, this is valid in BIND and we should allow it as well.
Imports in dns module had to be switched to absolute imports
(available from Python 2.5) to deal with a conflict of IPA dns
module and dnspython module.
https://fedorahosted.org/freeipa/ticket/2630
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.
On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.
https://fedorahosted.org/freeipa/ticket/2368
We actually perform two searches in permission-find. The first looks
for matches within the permission object itself. The second looks at
matches in the underlying aci.
We need to break out in two places. The first is if we find enough
matches in the permission itself. The second when we are appending
matches from acis.
The post_callback() definition needed to be modified to return
the truncated value so a plugin author can modify that value.
https://fedorahosted.org/freeipa/ticket/2322
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.
If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.
Make sure public key user authentication is enabled in both ssh and sshd.
ticket 2769
'sid' is a stack variable, by assigning its address to the domain_sid pointer
we were later referencing grabage (whatever on the stack ha[ppened to be at
that address.
Properly copy the sid and allocate it on the provided memory context.
If --delattr is used on an attribute that's not present on an entry,
and --{set,add}attr isn't being used on that same attribute,
say that there's "no such attribute" instead of "<attribute> does
not contain <value>".
https://fedorahosted.org/freeipa/ticket/2699
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
Kerberos ticket maximum life was being set to 1 hour which then
affected lifetime of Kerberos tickets returned by IPA server under
the test.
Make sure that the policy is reset before and after the unit test to
keep the IPA server settings clean and not to disrupt development
environment.
Always call convert_time_for_output so time gets reported correctly.
That method has its own checks for whether the attributes are present;
an additional check is unnecessary.
Use a key function for sorting; cmp is deprecated, slower and
more complicated.
Add a test
https://fedorahosted.org/freeipa/ticket/2726
When default server was being parsed from IPA's default.conf
configuration file, the parsed server was not appended correctly to
the default_server list.
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.
This should also make the error report clearer if even after the retries
one of the principals doesn't exist.
https://fedorahosted.org/freeipa/ticket/2737
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.
This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.
https://fedorahosted.org/freeipa/ticket/2531
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.
The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.
Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.
https://fedorahosted.org/freeipa/ticket/2520https://fedorahosted.org/freeipa/ticket/2743
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
update the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.
https://fedorahosted.org/freeipa/ticket/2030
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
Very long pkeys in facet header were limited to 60 characters. This magic number was good enough but with new action lists it isn't.
This patch is adding calculation of maximum characters for pkey in facet header. It fixes regression introduced by Action Lists and also it uses effectively available space.
Also this patch is changing limiting of breadcrumbs element to use as much space as possible. It works in three steps. First a threshold is set which is equal to length average. Then a total length of keys with length less than threshold is calculated. From this we can get remaining space for long keys and calculate new threshold. At last keys are limited to new threshold.
https://fedorahosted.org/freeipa/ticket/2247
f
When DNS support was disabled there were following errors in Web UI:
1) Host details page was not filled with data
2) Host adder dialog was broken -> unusable
3) DNS tab was displayed in navigation
The bugs were fixed by:
1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present.
2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname.
3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed.
https://fedorahosted.org/freeipa/ticket/2728
When python's distutils build process prepares python scripts, it use
current Python interpreter in an updated shebang for python scripts.
Since Makefile did not use absolute path to python interpreter, it
may be translated to "/bin/python" in Fedora 17 which is then taken
by rpmbuild as freeipa-admintools dependency. This can break of F-17
python package which provides just "/usr/bin/python"
This patch updates Makefile to use a correct absolute path to python
interpreter which is then filled to freeipa scripts shebang and rpm
Requires list. The value is taken from RPM __python macro so that
we do not hardcode it.
https://fedorahosted.org/freeipa/ticket/2727
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
