When default server was being parsed from IPA's default.conf
configuration file, the parsed server was not appended correctly to
the default_server list.
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.
This should also make the error report clearer if even after the retries
one of the principals doesn't exist.
https://fedorahosted.org/freeipa/ticket/2737
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.
This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.
https://fedorahosted.org/freeipa/ticket/2531
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.
The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.
Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.
https://fedorahosted.org/freeipa/ticket/2520https://fedorahosted.org/freeipa/ticket/2743
If a user become locked due to too many failed logins and then were
unlocked by an administrator, the account would not lock again. This
was caused by two things:
- We were incrementing the fail counter before checking to see if the
account was already locked out.
- The current fail count wasn't taken into consideration when
deciding if the account is locked.
The sequence was this:
1. Unlocked account, set failcount to 0
2. Failed login, increment failcount
3. Within lastfailed + lockout_duration, still locked. This skips
update the last_failed date.
So I reversed 2 and 3 and check to see if the fail count exceeds policy.
https://fedorahosted.org/freeipa/ticket/2765
When we set a password we also need to make sure krbExtraData is set.
If not kadmin will later complain that the object is corrupted at password
change time.
Ticket: https://fedorahosted.org/freeipa/ticket/2764
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.
https://fedorahosted.org/freeipa/ticket/2030
ipa permission-mod was prompting for all parameters because they had
specified flag 'ask_update'. The flag was removed. Additionally the
exec_callback for permission-mod was updated to unify the behaviour with
other ipa commands (raise exception when no modification was specified).
https://fedorahosted.org/freeipa/ticket/2280
Very long pkeys in facet header were limited to 60 characters. This magic number was good enough but with new action lists it isn't.
This patch is adding calculation of maximum characters for pkey in facet header. It fixes regression introduced by Action Lists and also it uses effectively available space.
Also this patch is changing limiting of breadcrumbs element to use as much space as possible. It works in three steps. First a threshold is set which is equal to length average. Then a total length of keys with length less than threshold is calculated. From this we can get remaining space for long keys and calculate new threshold. At last keys are limited to new threshold.
https://fedorahosted.org/freeipa/ticket/2247
f
When DNS support was disabled there were following errors in Web UI:
1) Host details page was not filled with data
2) Host adder dialog was broken -> unusable
3) DNS tab was displayed in navigation
The bugs were fixed by:
1) Was caused by entity_link_widget. The widget was modified to do not show link if other_entity (in this case dnsrecord) is not present.
2) Was caused by host_fqdn_widget. The widget is unusable becouse withou DNS support it doesn't have access to DNS zone entity. The section with this widget was removed. Also IP address field was removed because it shouln't be used without DNS support. New 'fqdn' text box was added for specifying hostname.
3) New DNS config entity was initialized but it wasn't shown because it caused some JavaScript error. The dnsconfig's init method was modified to throw expected exception. Now no dns entity is initialized and therefore DNS tab in navigation is not displayed.
https://fedorahosted.org/freeipa/ticket/2728
When python's distutils build process prepares python scripts, it use
current Python interpreter in an updated shebang for python scripts.
Since Makefile did not use absolute path to python interpreter, it
may be translated to "/bin/python" in Fedora 17 which is then taken
by rpmbuild as freeipa-admintools dependency. This can break of F-17
python package which provides just "/usr/bin/python"
This patch updates Makefile to use a correct absolute path to python
interpreter which is then filled to freeipa scripts shebang and rpm
Requires list. The value is taken from RPM __python macro so that
we do not hardcode it.
https://fedorahosted.org/freeipa/ticket/2727
Instructions to generate certificate were changed. Now they use certutil instead of openssl. In the example is also used option for specifying key size.
https://fedorahosted.org/freeipa/ticket/2725
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for ACI-related plugins.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
permission-find --name wasn't working for two reasons. The first
was that the cn to search on in options ended up overlapping the
primary key name causing the request to fail.
The second reason was aci uses aciname, not cn, as its name field.
So searching on --name matched everything because it was as if you
were searching on nothing.
https://fedorahosted.org/freeipa/ticket/2320
This patch adds action list and control buttons for consistent change of enty status for user, hbac rules, sudo rules, SELinux maps and dns zones.
Action lists with 'enable' and 'disable' and 'delete' options were added to details facets.
Two control buttons: 'enable' and 'disable' were added to search facets.
https://fedorahosted.org/freeipa/ticket/2247
Adds hiding/showing capabilities to action_button_widget. This patch is fixing regression caused replacing old details facet buttons with control_buttons_widget. The problem was that some buttons were not hidden in self-service mode.
https://fedorahosted.org/freeipa/ticket/2707
Control buttons is a widget which contains action buttons. It is located in facet header and are supposed to replace old action buttons created by IPA.action_button(spec) call. The benefit is that now it is possible to define new buttons declaratively in spec definition without a need of inheriting facet and overriding create method.
Action buttons are an entry poing for execution facet-wide action so they are tightly bound to facet.
Action button options:
name: string
label: string, human readable label
tooltip: string, human readable tooltip
href: string, optional
icon: string, icon class
needs_confirm: boolean, default false
confirm_msg: string, human readable confirmation message
confirm_dialog: confirmation dialog, optional, custom confirmation dialog
action: action, action which will be executed
enabled: boolean, optional, default true
Control buttons are define in facet spec in control_buttons property. Its a spec object with following attributes:
all attributes which normal widget can have
buttons: array of action_button specs
state_listeners: array of state listener specs
In init phase control_buttons_widget should assign a action_button a facet.
control_buttons_widget are resposible for evaluation of action_button disable/enable state because they contain state_listeners which creates the state upon the enabled/disabled state is evaluated.
State listeners are similar to state_evaluators. The differce is that the state is not evaluated from record set but from facet itself. The execution of evaluation is bound to a facet event.
https://fedorahosted.org/freeipa/ticket/2247
This patch add support fo Action Lists.
Action list is a select widget with actions as options located in facet header. Action can be selected and then executed by clickin on 'apply' button.
Actions lists are defined on facet level. Facet header takes them from facet.
Action list options
actions: list of actions
state_evaluator: a state evaluator which is needed for enabling/disabling options. Can encapsulate more evaluators.
State evaluator object
----------------------
State evaluator is resposible for evaluating a state from result set. State is a array of strings. Each evaluator should inherit from IPA.state_evaluator and override evaluate method.
Methods:
evaluate(record): should return string array which represents the state
get_description(): human readable representation of a state
Action
------
Action is a object which can perform certain action on a facet. Action has enabling and disabling conditions.
action options:
name: string, required, name of the option
label: string, required, human readable name of the option
enable_cond: string array, states which need to be present in order to run this action
disable_cond: string array, states which must not be present in order to run this action
handler: function, contains action's logic
needs_confirm: boolean, default false, indicates if action needs user confirmation
confirm_msg: string, default generic message, human readable confirmation message.
Action list should contain logic which enables/disables action based on facet state and action's enabling/disabling conditions. It should also enforce presence of confirmation.
In this patch is also slightly modified facet header, mostly title part. It was revised to contain status icon, title and action list on single line. Facet header is using state evaluator's get_description method to properly set tooltip for state icon.
https://fedorahosted.org/freeipa/ticket/2247
Web UI mainly uses declarative way of defining UI structure. When a new object type is created it is often required to create a new builder which would build the objects from spec file. The builders' logic is mostly the same. This patch adds a general builder with some extendability capabilities.
Now it is possible to:
1) define spec for single object and build it by calling IPA.build(spec, /* optional */ builder_fac)
2) define an array of specs and build the objects by the same call
Prerequisite for following action list patches.
https://fedorahosted.org/freeipa/ticket/2707
We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.
All we really want to do is escape when we don't hvae an entry to modify.
https://fedorahosted.org/freeipa/ticket/2237
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
The config plugin was adding together a list and a tuple, then
converting to a set.
Replace the operation with a set union.
Regression test included.
https://fedorahosted.org/freeipa/ticket/2706
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
Calling a LDAP{Add,Remove}ReverseMember with an empty reverse_member
caused an internal error, because empty values are converted to None,
which is then iterated.
Use an empty list instead of None (or other false falues, of which we
only use the empty list).
https://fedorahosted.org/freeipa/ticket/2681
Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.
This patch does that for the automount plugin and its tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/2509
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.
This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.
Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.
https://fedorahosted.org/freeipa/ticket/2697
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.
https://fedorahosted.org/freeipa/ticket/1966
This reverts commit 1356988b7a.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
This reverts commit a58cbb985e.
We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
Password policies are sorted by priority. When paging is enabled, table facet uses pwpolicy-find --pkey-only to get all pwpolicies keys. Those keys are sorted on server by priority but table facet sorts them again. This breaks the priority sorting.
This patch disables the paging in passord policy serch page so the keys are sorted by priority.
TODO: we should inspect sorting in table facet more deeply and disable it if it don't break anything.
https://fedorahosted.org/freeipa/ticket/2676
Test that `pwpolicy_find --pkey-only` works as expected
Test that deleting a group removes its password policy
Rename the test module to be consistent with other plugin tests.
Password policy plugin sorts password policies by its COS priority.
However, when the pwpolicy-find command is run with --pkey-only,
the resulting entries do not contain COS priority and the sort
function crashes.
This patch makes sure that cospriority is present in the time
of the result sorting process and removes the cospriority again
when the sorting is done. This way, the entries are sorted properly
both with and without --pkey-only flag.
Previous entries_sortfn member attribute of LDAPSearch class
containing custom user sorting function was replaced just with
a flag indicating if a sorting in LDAPSearch shall be done at all.
This change makes it possible to sort entries in a custom
post_callback which is much more powerful (and essential for
sorting like in pwpolicy plugin) approach than a plain sorting
function.
https://fedorahosted.org/freeipa/ticket/2676
* Add bootstrap-autogen depdenency to lint target to force
generated files to be created.
* Add validate-src-strings to lint rules
* Add validate-src-strings as dependency to lint targett
* Remove obsolete test_lang frm test target
* Add diagnostic message to validation command in i18n.py
that outputs how many objects were scanned. Formerly it only
output a message if there were errors. This made it impossible to
distinguish an empty file from one with no errors.
* While adding the validation counts it was discovered plurals had
been omitted for some of the validation checks. Added the missing
checks for plural forms.
* Also distinguished between errors and warnings. Permit warnings to
be emitted but do not fail the validatition unless actual errors
were also detected.