The samba LDAP schema is updated to the lastest version available from the
samba source code to be able to use the new trust related object class and
attributes.
In the adder dialog for groups the checkbox has been modified to use
the correct field name "nonposix" and be checked by default.
Note: This is a temporary fix to minimize the changes due to release
schedule. Eventually the field label will be changed into "Non-POSIX
group" and the checkbox will be unchecked by default, which is more
consistent with CLI.
Ticket #1799
The hidden fqdn field in the host adder dialog has been changed to
use a generic widget instead of text widget to avoid null pointer
error since the UI elements are never created.
Ticket #1788
- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs
https://fedorahosted.org/freeipa/ticket/1771
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils
https://fedorahosted.org/freeipa/ticket/1708
The optional uid field in user's adder dialog did not appear when
the link is clicked to show the field. This is a regression introduced
in the patch for ticket #1648.
The click handler for the link field has been moved into a new closure
so that the variables point to the correct elements.
Note: the duplicate code in IPA.details_table_section.create() and
IPA.dialog.create() will be addressed separately in ticket #1394.
https://fedorahosted.org/freeipa/ticket/1640
On the HBAC Rules page, where the rules are listed, if no rule is selected, the "Delete" button is not enabled, and cannot be clicked on.
But edit a Rule, and Delete button is enabled in the available sections - regardless of, if an object is selected to be deleted or not, or even if there is no object to be selected to delete.
One can click on this button...but then - there is no message indicating that something should be selected for deletion for this button to do anything.
Notes:
* fixed association_table_widget and association_facet
The adder dialog for the user and host tables in sudo rule details
page have been fixed to use --not-in-sudorules to avoid showing
entries that are already added into the rule either directly or
indirectly via groups.
This does not apply to the command and run-as tables because they
do not support such option.
Ticket #1768
In order to maintain consistent layout between details page and dialog
boxes the IPA.details_list_section has been replaced with
IPA.details_table_section which is based on table.
The IPA.target_section and other subclasses of IPA.details_list_section
have been converted to use IPA.details_table_section as well.
The unit tests have been updated accordingly.
Ticket #1648
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
Due to a recent change, all dialog boxes are now reset initially. The
IPA.target_section has been modified to show the default target (i.e.
filter) and the fields properly when reset.
Ticket #1748
We need to check all Kerberos ports both TCP and UDP transports.
Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
https://fedorahosted.org/freeipa/ticket/1739
The attributes table (IPA.attributes_widget) used in Permissions, Self-Service Permissions, and Delegations is supposed to be short but scrollable. In Firefox 3.6 it works fine, but in Firefox 6.0 it appears as a long non-scrollable table which makes it more difficult to use.
The memberof_netgroup association facet for hostgroup has been
explicitly defined to use the serial associator so it will invoke
the right methods.
Ticket #1737
Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).
A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.
Ticket #1701
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
https://fedorahosted.org/freeipa/ticket/1697
Original problem:
WEBUI: Update automount location refer to unknown command
Update name of the automount location (Policy -> Automount ->
custom_location -> Settings -> Update) in the WEBUI refer to an unknown command.
Solution:
Tracking dirty state in field -> section -> details facet.
'Reset' and 'Updates' in details facet are enabled only if facet is dirty.
Removes the problem above and 'no modification to be performed' annoyance.
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.
When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
https://fedorahosted.org/freeipa/ticket/1689
Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).
It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.
Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.
We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.
It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.
However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.
Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.
class foo(Command):
'''
The foo command takes out the garbage.
'''
Would become:
class foo(Command):
__doc__ = _('The foo command takes out the garbage.')
But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.
In summary what this patch does is:
* Remove the use of pygettext (modification to install/po/Makefile.in)
* Replace every docstring with an explicit assignment to __doc__ where
the rhs of the assignment is an i18n marking function.
* Single line docstrings appearing in multi-line string literals
(e.g. ''' or """) were replaced with single line string literals
because the multi-line literals were introducing unnecessary
whitespace and newlines in the string extracted for translation. For
example:
'''
The foo command takes out the garbage.
'''
Would appear in the translation catalog as:
"\n
The foo command takes out the garbage.\n
"
The superfluous whitespace and newlines are confusing to translators
and requires us to strip leading and trailing whitespace from the
translation at run time.
* Import statements were moved from below the docstring to above
it. This was necessary because the i18n markers are imported
functions and must be available before the the doc is
parsed. Technically only the import of the i18n markers had to
appear before the doc but stylistically it's better to keep all the
imports together.
* It was observed during the docstring editing process that the
command documentation was inconsistent with respect to the use of
periods to terminate a sentence. Some doc had a trailing period,
others didn't. Consistency was enforced by adding a period to end of
every docstring if one was missing.
https://fedorahosted.org/freeipa/ticket/1688
The serial associator is used to execute a command multiple times with different parameters. This is used for adding/removing a user into/from multiple groups. It has some issues:
Each command is executed one-by-one, so it could be slow.
* If there's a failure the rest of the commands will not be executed.
* This can be fixed by putting the commands into a batch and execute them at once.
Newly performs validation of details facet before update. If validation fails, notification dialog is shown and command isn't executed.
Fixed integer minimum and maximum value checking.
Read-only and non-writable fields are no longer considered required.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
Since the Add/Delete links in the association table are disabled when
the category is set to 'all', it's no longer necessary to check the
category before showing the add/delete dialogs and modify the category
before adding entries. Thus, the IPA.rule_association_table_widget is
no longer needed.
Ticket #1692
The association table widget and facet have been modified to accept
titles for the add and delete dialogs. The table and facet definitions
have been modified to specify the appropriate titles.
Some unused code have been removed.
Ticket #1629
The 'Hide already enrolled' has been removed from the enrollment
dialog because it is checked by default and entries that are already
enrolled cannot be enrolled again.
Ticket #1638
ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650) has
an extensive discussion of the issues, please refer to that.
This patch does the following:
* does not count fuzzy translations when computing translation
statistics via the "msg-stats" make target in install/po
* adds a new make target called "pull-po" which pulls updated po files
from Transifex (configure.ac includes some trailing whitespace fixes)
* turns off the generation of fuzzy translation suggestions during the
message merge phase.
Our LINGUAS file and the set of po files have diverged from what's on
Transifex. We should update the LINGUAS file to match the set of
translations on Transifex and add po files currently on Transifex but
not in our git repo to our git repo.
The IPA.user_status_widget has been modified to show/hide the link for
activating/deactivating users according to the attributelevelrights.
Ticket #1625
The general link style defined in ipa.css was overriden by a more
specific rule in jquery-ui.css. So the style has been modified to
include the more specific rule.
Ticket #1623
Pull the new translations for Spanish (es) and Ukrainian (uk)
Update the LINGUAS file to add comment showing the friendly
name for the language abbreviation.
The make target msg-stats which produces a report about the state
of the translations no longer maintained it's column alignment
due to larger numbers so the formating was tweaked to maintain
column alignment.
The 3rd level tabs were partially covered by the content panel, so
only the top portion can be clicked. The content panel has been
repositioned to avoid the problem.
The host adder dialog has been modified to show separate fields for
hostname and DNS zone. The hostname is a text field and the DNS zone
is an editable drop-down list. The fields will have the following
behavior:
- If the user types a dot into the hostname field, the cursor will
automatically move into the DNS zone field.
- If the user pastes an FQDN into the hostname field, the value will
automatically be split into hostname and DNS zone.
- If the user selects a value from the drop-down list, it will only
change the DNS zone, not the hostname.
Ticket #1457
The IE does not resend the request body during negotiation, so after
after a successful authentication the server could not find the JSON
request to parse.
The Web UI has been modified to detect this error and resend the
initialization request.
Ticket #1540
The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.
Ticket #1423, #1561
https://fedorahosted.org/freeipa/ticket/1481
Shows status dialog instead of error dialog (error 4304 is treated like success).
Refactored error dialog.
Added generic message dialog (IPA.message_dialog)
Modified core tests to work with dialog.
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
If a hostname configured in /etc/ipa/default.conf is changed and
is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
ipactl gives an unintelligible error.
This patch improves the error message and also offers a list of
configured master so that the hostname setting in IPA configuration
can be easily fixed.
https://fedorahosted.org/freeipa/ticket/1558
The tables in the adder dialog have been modified to expand
according to the size of the dialog.
This patch also fixes the problem with row height on IE.
Ticket #1542
change widget and widget unit tests to hold on to entity, not entity name.
Replacing entity_name with entity.name in most places.
The one exception is columns for table_widget.
Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.
cleanup entity assignment.
removed template and layout,
merged setup into create
adder dialogs adjust height for external
removed init from widget, isection, association, facet, host and service
Make unit tests use factory.
fix functional tests to click find link correctly.
tweak to activation test, but still broken.
moved initialization code to the end
use --all for hbacrule find, so the type shows up now
fixed dns exception code and exception handling for get_entity
replace metadata look up with value from entity.
fixed author lines
removed duplicate columns in managed by facets.
tweak to nav fix in order to initialize tab.
more defensive code
update metadata for true false
one line init for entity_name in widget
move init code to end of constructor functions
moved constants to start of function for adder_dialog
external fields for dialogs initialized at dialog creation
sudo sections: move add fields and columns to widget definition.
The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.
decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables
return false at the end of click handler
removed blank labels in sudo command section
fix radio buttons for sudo category
fixed table side for adder dialogs with external fields
comments for future direction with add_columns
https://fedorahosted.org/freeipa/ticket/1451https://fedorahosted.org/freeipa/ticket/1462https://fedorahosted.org/freeipa/ticket/1493https://fedorahosted.org/freeipa/ticket/1497https://fedorahosted.org/freeipa/ticket/1532https://fedorahosted.org/freeipa/ticket/1534
The handler for host 'Set OTP' button has been modified to obtain
the primary key from the entity and return false to stop the normal
event processing.
Ticket #1511
When opening a bookmark, each tab level will be updated separately
from top to bottom according to the URL state. The navigation code
has been modified to recognize when an ancestor tab is being updated
and not change the URL state.
Ticket #1521
The navigation code has been modified store the facet's state
separately in the facet object itself. The path state is stored
in the navigation object. When the path is changed to view a new
facet, only the path and the state of the new facet will be shown
in the URL, thus keeping the URL short.
This fixes pagination, bookmark and search filter problems as well.
Ticket #1507, 1516, 1517
The select event handler in the navigation tab has been modified to
distinguish the source of the event. If the event is triggered by
URL hash change, it will use the state specified in the URL. If the
event is triggered by a mouse click, it will use the state stored
internally.
The IPA.current_facet() has been merged into IPA.entity.setup()
and replaced by IPA.entity.get_facet(). The setup() will read the
current facet's name from the <entity>-facet URL parameter and store
the facet object in the entity object. The get_facet() without any
parameter will return the current facet object.
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.
Ticket #1501
The HBAC access time is currently not supported, so the related UI
code has been removed to reduce maintenance issue. When the feature
becomes supported in the future the code may be restored/rewritten.
Ticket #546
In a recent change the details page was changed to create and locate
field containers with 'details-field' CSS class. The HBAC and sudo
custom details pages have been modified to use the same CSS class.
Ticket #1508
The UUID field has been removed from the entitlement registration
dialog box because it's currently not supported. The code has been
modified not to send empty UUID value should this become supported
in the future.
Ticket #1506
A custom adder dialog has been added for DNS zones to simplify creating
reverse zones from IP address. The dialog provides a checkbox which
indicates whether the content of the zone name field is an IP address.
The IP address will be used to generate the reverse zone name and email
address.
Ticket #1045
Remove all DNS entities if the DNS server is not installed.
Removes it from the navigation as well.
https://fedorahosted.org/freeipa/ticket/1498
move created count to last thing in the funciton.
The IPA.entity_select_widget has been modified into a searchable and
editable drop down list. The base functionality has been extracted
into IPA.combobox_widget.
Ticket #1361
The default precedence for plugins is 50 and the run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.
https://fedorahosted.org/freeipa/ticket/1370
For the most part the existing replication code worked with the
following exceptions:
- Added more port options
- It assumed that initial connections were done to an SSL port. Added
ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
In dogtag one is marked as master and one as clone. A new option is
added, master, the determines which side we're working on or None
if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
by 389-ds). This causes problems when doing a force-sync though so
if one is done we set a schedule to run all the time. Otherwise the
temporary schedule can't be removed (LDAP operations error).
https://fedorahosted.org/freeipa/ticket/1250
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
When a replica for self-signed server is being installed, the
installer crashes with "Not a dogtag CA installation". Make sure
that installation is handled correctly for both dogtag and
self-signed replicas.
https://fedorahosted.org/freeipa/ticket/1479
When DNS plugin is installed via ipa-dns-install and user has a valid
Kerberos ticket at the time, the DNS installation is corrupt and named
won't start, reporting Preauthentication error.
When the non-DM identity is used for authentication, krbprincipalkey
attribute in DNS service LDAP record is not created, thus leading
to the error. This patch makes sure that authentication with Directory
Manager password is used every time.
https://fedorahosted.org/freeipa/ticket/1483
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.
Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.
The reverse DNS zone name is printed to the user during the install.
ticket 1398
This fixes a regression.
We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.
https://fedorahosted.org/freeipa/ticket/302
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.
Ticket #1424
Brings the DNS record infrastructure in line with the other entities.
Uses widgets, nested search, and a littel bit of overloading for dns specific behavior
The records now have their own page.
simplified link widget and use for dns
links work for nested entities.
change the field in the link widget to other_entity to avoid name collision.
unit test for entity link.
fixed reference to entity for getting pkeys
work around lack of setattr for dns record mod.
update wasn't deducing locked_field type correctly.
don't overwrite param_info in init
data is required on adder dialog
delete works for multiple records
use show instead of find for entity_link_widget.
https://fedorahosted.org/freeipa/ticket/1038https://fedorahosted.org/freeipa/ticket/1448https://fedorahosted.org/freeipa/ticket/577https://fedorahosted.org/freeipa/ticket/1460
https://fedorahosted.org/freeipa/ticket/1259
Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.
This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
previsouly was checked on key down, but that does the check too soon.
Next attempt was on blur, but that had numerous problems. This now checkes when the add button is clicked.
works for entity_select widget, too
Checks upon form submission
https://fedorahosted.org/freeipa/ticket/1437
shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red.
Only shows up fro administrators, not for self service users.
https://fedorahosted.org/freeipa/ticket/1421
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.
Ticket #1217
The entitlement buttons are located serveral levels underneath
facet-controls, so the CSS selector has been fixed to extend beyond
facet-controls' immediate children.
Ticket #1419
The IPA.user_status_widget has been modified such that it checks
the facet dirty status and asks the admin to either Update or Reset
the changes. Then the widget shows a dialog to confirm whether
the admin wants to activate/deactivate the user.
Ticket #1395
Instead of looking for a match on the entity name, use the nesting structure
of containing entites to grab their pkeys.
Code review fixes
https://fedorahosted.org/freeipa/ticket/674
https://fedorahosted.org/freeipa/ticket/674
decrement depth for hidden tabs.
Initialize state from url
useing delete for removing state
stricter attribute matching
not incrementing depth for all hidden tabs.
whitespace cleanup
The entity labels in the following locations have been fixed:
- search facet title: plural
- details facet title: singular
- association facet title: singular
- breadcrumb: plural
- adder dialog title: singular
- deleter dialog title: plural
Some entity labels have been changed into the correct plural form.
Unused file install/ui/test/data/i18n_messages.json has been removed.
Ticket #1249
Ticket #1387
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.
The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.
Ticket #1249
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
The content and the size of entity header changes depending on the
facet being displayed, so the entity header has been converted into
a facet header to allow better control via CSS.
The DNS record facet has been updated to use the same styling and
support scrolling.
To help styling and testing, all buttons have been assigned a name.
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Tests for dirty after the RPC call has completed and the select has updated
Passes the original value to the RPC completion, so it isn't lost upon RPC completion
https://fedorahosted.org/freeipa/ticket/1340
the tabs are required for natigation, but they should not be visible, as the breadcrub provides the navigation for them instead.
Moved the automount tabs up one level so that it uses the two level style
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.
Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.
https://fedorahosted.org/freeipa/ticket/1333
The association facet has been modified to store the current page
number in the browser's URL. This way page changes are stored in
browser's history allowing the back button to work properly.
Ticket #1264
The direct and indirect associations are now displayed in the same
facet. The type of association to be displayed can be selected
using radio buttons.
Ticket #1338
In self-service mode the user's association facets have been modified
such that the entries are not linked since the only available entity
is the user entity.
A 'link' parameter has been added to IPA.association_facet and
IPA.column to control whether to link the entries. The link_handler()
method can be used to define how to handle the link.
Ticket #1072
When a new DNS zone is being created a local hostname is set as a
nameserver of the new zone. However, when the zone is created
during ipa-replica-prepare, the the current master/replica doesn't
have to be an IPA server with DNS support. This would lead to DNS
zones with incorrect NS records as they wouldn't point to a valid
name server.
Now, a list of all master servers with DNS support is retrieved
during DNS zone creation and added as NS records for a new DNS
zone.
https://fedorahosted.org/freeipa/ticket/1261
The buttons were previously skipped during tab navigation because
they do not have an href attribute. The IPA.button has been fixed
to always provide an href attribute.
Ticket #983
The conditional used to determine if thd CA 389-ds instance was already
configured was rather poor so it was possible to pass command-line
arguments in to confuse it. This would cause it to not be installed at
all causing the dogtag installation to fail in a strange way.
https://fedorahosted.org/freeipa/ticket/1244
A selectable option has been added to the table widget to show/hide
the checkbox column for selecting table rows. By default it's set
to true. The indirect association facet has been modified to hide
the column because it is non-editable.
The UI has been modified to fix some resizing issues:
Previously the height of facet content was roughly calculated using
resize(). Now the height can be more accurately defined in CSS.
Previously the UI width was fixed. The HTML layout and background
images have been modified to support horizontal expansion if needed.
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.
The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.
Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.
https://fedorahosted.org/freeipa/ticket/1243https://fedorahosted.org/freeipa/ticket/1254
--no-host-dns option should allow installing IPA server on a host
without a DNS resolvable name.
Update parse_ip_address and verify_ip_address functions has been
changed not to return None and print error messages in case of
an error, but rather let the Exception be handled by the calling
routine.
https://fedorahosted.org/freeipa/ticket/1246
When re-creating the CADS instance it needs to be more fully-populated
so we have enough information to create an SSL certificate and move
the principal to a real entry.
https://fedorahosted.org/freeipa/ticket/1245
When IPA replica is installed and the master machine record is not
in ~/.ssh/known_hosts, ipa-replica-install will prompt user to answer
a question about adding a host to this file.
This has, however, a potential to break automatic tests.
ipa-replica-conncheck should not require any further user interaction
when all mandatory options are filled.
https://fedorahosted.org/freeipa/ticket/1305
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
the replica and prints the check result
This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.
https://fedorahosted.org/freeipa/ticket/1107
Previously when an internal error occurs on the server the UI will
display a blank error dialog box. To fix the problem the string
message thrown by Ajax has been converted into an object containing
the error message.
Ticket #1280
Since the group-show command doesn't return indirect members, the tabs
for group's indirect members have been reverted to call user-find with
the --in-groups parameter to get the entries.
However, this is only a temporary solution since the user-find command
returns both direct and indirect members (ticket #1273).
The Selenium test for groups has been modified to test nested groups
and verify indirect members. The verification currently will fail due
to the above issue.
Turn off the side scroll bars for pages.
Resizes the table when the browser resizes
For stables, the rows scroll, but not the header.
For details, the content area scrolls.
Reserves 400 picesl for the header/ footer. Resize is only done on reload
indirect automount maps
code review changes for automount:
Removed: fields for mount and parentmap in maps details since they are not present in show or mod
Hid undo link for adder dialog
set up click handler for checkboxes when row does not have primary key
removed add override in automountmap_adder_dialog
moved 'var input...' in automount.js line 158 to start of method.
changed logic in if statmenet ,dialog.js line 628 it if (!first) as suggested
The association facet has been modified to support pagination. The
UI will show 20 members per page. There are buttons to go to a
previous or next page. There is also an input text to jump directly
to a certain page.
Ticket #1011
Previously deleting a value in a text field did not work because
the field is not included in the modify operation when the value
is empty. The details facet's update() method has been modified
to update only dirty fields.
The section lists in details facet and dialog have been converted
into ordered maps.
Ticket #1256
The Dirty dialogs have been combined into IPA.dirty_dialog. It
provides the Update and Reset buttons with customizable callback.
Previously the widget's dirty status is computed by comparing the
old values with the new values. This method is sometimes inaccurate,
so the is_dirty() method has been modified to simply return a flag
which is set to true if the widget is changed.
Ticket #896.
When a new reverse zone was created in ipa-replica-prepare (this
may happen when a new replica is from different subnet), the master
DNS address was corrupted by invalid A/AAAA record. This caused
problems for example in installing replica.
https://fedorahosted.org/freeipa/ticket/1223
automount implemented using standard facets and containing_entity pkey generation
sample data fixtures for automount.
messages for automount and HBAC.
modified form of the search facet used to nest the automount entities
Add works for nested entities. Delete works for all but keys. Since the API for this is going to change, I'm not going to fix it pre-checkin.
All the places the PKEY prefix is needed uses a single function. Added breadcrumb trail into title.
update ipa_init sample data
add redirect logic for pages without pkeys.
add and delete link to appropriate entities for nested search facet.
Using on demand entities. Fixed breadcrumbs.
If you install a replica, delete the replica, then re-add it and then
try to re-initialize the agreement it will fail because the remote master
has the old service principals cached. It needs to be restarted to work.
ticket 1077
The Managed Entries plugin configurations weren't being created on
replica installs. The templates were there but the cn=config
portions were not.
This patch adds them as updates. The template portion will be added
in the initial replication.
ticket 1222
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
The IPA.add_dialog has been modified such that if the user clicks the
Add and Edit button it will read the primary key returned by the add
operation and use it to open the details page.
Ticket #1108
The IPA.command has been modified not to insert a title into the error
object thrown by Ajax operation because the object could be immutable.
Ticket #1240
The ordered map is a jQuery extension for creating a collection which can
be accessed both as an ordered list and as a map. This collection can be
used to store various objects including entities, fields, columns, and
dialogs. A test suite for this class has been added as well.
Ticket #1232
Enforce that the remote hostname matches the remote SSL server certificate
when 389-ds operates as an SSL client.
Also add an update file to turn this off for existing installations.
This also changes the way the ldapupdater modlist is generated to be more
like the framework. Single-value attributes are done as replacements
and there is a list of force-replacement attributes.
ticket 1069
The IPA.association_facet has been modified to take a read_only parameters.
If the parameter is set to true, the Enroll and Delete buttons will not be
shown. All facets under the memberindirect and memberofindirect facet groups
are marked as read-only.
Ticket #1030
The IPA.entity has been modified to support customizable facet groups.
The default list of facet groups is defined in IPA.entity_header and can
be overriden in the entity definition.
Ticket #1219
Logging errors are printed out when ipa-replica-manage is run
as a non-root user. Log has been disabled in such case to
prevent such messages.
https://fedorahosted.org/freeipa/ticket/1046
The IPA.records_facet has been converted into a subclass of
IPA.search_facet. This helps remove duplicate table code and provide
consistent DOM element attributes for Selenium tests.
Facet container has been added to hold facet header (i.e. title,
search fields, buttons, links) and facet content. Each facet now
occupies separate container, so it can be shown/hidden without
having to redraw the content.
Previously the entities and navigation are entangled inside a common
DOM structure which limits code reuse. Now they have been moved
into separate structures.
Previously the tab state is represented using numeric index such
as navigation=0&identity=1 which is not very user friendly. Now the
code has been modified to use entity names such as
navigation=identity&identity=group.
The singular object IPA.nav has been converted into an IPA.navigation
class. The admin and self-service navigation tabs have been converted
into subclasses of IPA.navigation and will be instantiated according
to user authorization.
Report missing python packages, inform about false positives, fail
gracefully if pylint isn't installed. Fixed a bug in the ignore
list and added few more files/directories to it.
ticket 1184
The --force option may be misused to reinstall an existing IPA
client. This is not supported and may lead to unexpected errors.
When required, the cleanest way to re-install IPA client is to
run uninstall and then install again.
This patch also includes few cosmetic changes in messages to user
to provide more consistent user experience with the script.
https://fedorahosted.org/freeipa/ticket/1117
The widget base class has been modified to validate integer value
if the type is specified in the metadata. This is used to validate
entitlement quantity.
replacing the action panel with the Design for 2.1
Significantly cleaned up implementation of intra-entity navigation
requires additional CSS work
still need to integrate the search controls onto each page
cleaning up interface between entity and facet
simplified nested tabs logic
Fixed role navigation
select default tab from the search widget
fixed unit tests and jsl
keep tabs area allocated
set default tab selected whenever the pkey changes.
Removing styling that is changing positions of buttons. The logic for that was for action-panel, but does not translate to entity-header.
change from metadata name to label for I18N
set selected tab in entity_init.
Default title for entities without search and pkeys
associations in table now link.
remove colon from title when not showing pkey
added Managed by facet group.
Removed entities that are, for some reason, invalid.
