Before krb5 1.13 the krb5_salttype_to_string() function was returning
incorrect names (display names of some kind instead of the names
used by the rest of the library to map saltname to the salt type
integer number).
This patch adds a function that checks at runtime if we have a working
function and uses a fallback map updated to the salt types known up
to 1.12, this allows us to use the library provided function in
following releases where new salt types may emerge.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Milan Kubik <mkubik@redhat.com>
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged
into a single code base, keep their respective bits in separate modules in the
package.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Ensure that the correct version of dogtag is passed from API object to the KRA
uninstaller during IPA server uninstall.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa server-find
ipa server-show FQDN
These commands display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If value does not exists then do not update entry. Otherwise, together with
nonexistent entry, the LDAP decode error will be raised.
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
To detect if DS server is running, use the slapd socket for upgrade, and the LDAP port
for installation.
Without enabled LDAPi socket checking doesnt work.
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Bad ordering of LDAP entries during replica removal resulted in a failure to
delete replica and its services from cn=masters,cn=ipa,cn=etc,$SUFFIX. This
patch enforces the correct ordering of entries resulting in proper removal of
services before the host entry itself.
https://fedorahosted.org/freeipa/ticket/5019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This also prevent the script ipa-upgradeconfig execute upgrading.
Upgrade of services is called from ipa-server-upgrade
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
credentials used by IPA httpd process when talking to smbd. As result,
LSA RPC connection is seen as anonymous by Samba client code and we cannot
derive session key to use for encrypting trust secrets before transmitting
them.
Additionally, rewrite of the SMB protocol support in Samba caused previously
working logic of choosing DCE RPC binding string to fail. We need to try
a different set of priorities until they fail or succeed.
Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During server upgrade we should wait until DS is ready after restart, otherwise
connection error is raised.
Instead of 389 port, the DS socket is checked.
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipa-kra-install validates and asks for directory manager password during
uninstallation phase. Since this password is never used during service
uninstall, the uninstaller will not perform these checks anymore.
https://fedorahosted.org/freeipa/ticket/5028
Reviewed-By: Martin Basti <mbasti@redhat.com>
Datetime widget was transform from a simple text input to 3 separate inputs:
- date with bootstrap-datepicker
- hour
- minute
e.g.:
Validity end [ 2015-05-18 ] [23]:[01] UTC
Vendor [ abc ]
Editation of seconds is not supported.
https://fedorahosted.org/freeipa/ticket/4347
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Web UI wa not able to create a user without a private group.
New field added to user adder dialog to allow that.
https://fedorahosted.org/freeipa/ticket/4986
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Deleter dialog in search facet is now chosen in order as follows:
- facet's, defined as spec, e.g.:
deleter_dialog: { $factory: IPA.user.deleter_dialog }
- entity's, the same but it entity spec
- default, which is IPA.search_deleter_dialog
Previous didn't allow to override entity dialog with facet one and
also definition by spec was not allowed.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Now also facets other than details facet can use facet policies.
Facet policies purpose is to extend facets behavior without
overriding base class. This shared behavior could be reused in
several other facets which may have completely different
base classes.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
basically implementation of #4625 but atm there is no time to properly
test #4625 in the whole UI, therefore, it will be limited only to
active/stage/preserved user search page.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Facets use to inherit facet groups from entity. There was no option to define
cross-entity facet groups for different facets which belong one entity.
In other words it was not possible to have 'user search' and 'stage user search'
tab in one facet group.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Fixes issue where it is not possible to define under the same parent:
{ entity: 'bar', facet: 'baz' }
{ entity: 'foo', facet: 'baz' }
Error reporting of invalid menu item names was improved.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Remove behavior which navigated to previously selected child if navigating
to its parent.
It makes navigation more consistent.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
While selecting menu item based on a facet which have an entity defined,
prefer entity fallback over facet name fallback.
It solves an issue which appears when a menu item of a different entity
has the same facet name specified. In such case this menu item was selected
instead of the desired one.
E.g.: there are menu items:
{ entity: 'foo' }
{ entity: 'bar', facet: 'search'}
Showing a foo's search facet resulted in selecting
{ entity: 'bar', facet: 'search'} item.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
All entity facets are automatically registered as a new type in
reg.facet.
The type name is: <entity_name>_<facet_name>
The name of facets is kept same, mainly to support the same url routes.
This change allows to get facet instance by calling, e.g.:
reg.facet.get('user_details')
It allows to make declarative links to facet which are not yet instantiated.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Useful for declarative inheritance. E.g. base new facet on details
facet with all registered preops and default spec object.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
A search facet could be defined with an option which is always applied
during entity-find command on facet refresh.
e.g.
ipa user-find --preserved
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Or in other words, move all objects which belong to user module to the module.
Therefore they no longer pollutes the main 'IPA' module.
Therefore:
require('freeipa/ipa').user == require('freeipa/user')
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Not all functionality is available. Mostly because IPA doesn't require them yet.
Missing: bootstrap combobox, datatables js, PF font with icons, spinner for old IEs
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
