Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Ipactl sorted service start order as string, which causes service with start order
100 starts before service with start order 30.
Patch fixes ipactl to use integers for ordering.
Reviewed-By: David Kupka <dkupka@redhat.com>
Usual link columns are link with primary key of current entity.
This patch allows to create a link to arbitrary non-nested entity.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current default mechanism of a link widget assumes that pkeys of a current facet are pkeys for the link. It works for the only usage - in password policy. It's rather inflexible since it can't be used if the keys are in other attribute. This behavior is also bad in nested entities - creates a link to itself which is pointless.
This patch changes the default behavior to assume that the supplied value are the pkeys and that the last pkey is the value to display.
It also keeps the old method of overriding `other_pkeys` method so if the last and only pkey is the actual value to display then the method can tranform it into the pkeys which keeps compatibility with descendant widgets (`host_dnsrecord_entity_link_widget`, `dnsrecord_host_link_widget`).
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fixes issue when:
- user navigates to a nested facet
- refreshes browser
- uses breadcrumb navigation to go to parent entity page which requires a pkey. E.g. from automount keys to maps.
The old code relies on the facet, that user visited the parent facet before and therefore the facet has pkey stored. It fails after the browser reload.
Allows to specify a containing_facet. It allows breadcrumb navigation to return to a different facet than the 'default'.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Add a Default Trust View, which is used by SSSD as default mapping for AD users.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We need the referential plugin config to watch for changes in the ID view
objects, since hosts refer to them in ipaAssignedIDView attribute.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All ipa-dns capable server is added to root zones as nameserver
During uninstall all NS records pointing to particular replica are
removed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr
attribute to enumerate the list of attributes that should be returned
even if not specified explicitly. Use the behaviour to get the same attributes
returned from searches on rootDSE as in 1.3.1.
https://fedorahosted.org/freeipa/ticket/4288
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done. Also, re-added the no_host_dns option which is used when
unpacking a replica file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:
nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso
In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.
The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.
Convert IPA defaults to use referint-membership-attr.
https://fedorahosted.org/freeipa/ticket/4537
Reviewed-By: Martin Kosek <mkosek@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
hide widgets if associated field had received attribute level rights
without 'r' right.
Explicit rights are required to avoid hiding of special widgets which
are not associated with any LDAP attribute.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Hide widgets without a value. Must be explicitly turned on. In widget by
`hidden_if_empty` flag. Or globally by `hide_empty_widgets` flag. Global
hiding can be individually turned off by `ignore_empty_hiding` flag.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- used `ctor_init` instead of `init` to avoid name collision with
existing logic
- `ctor_init` is called right after widget instantiation. Basically support
better inheritance for the old class system which doesn't have proper
contructors
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- widget save() save method should try to always return value even if read only
- report value-change event with actual value to allow processing of the value
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Add 'Add OTP Token' action to user action menu.
This option is disabled in self-service when viewing other users.
https://fedorahosted.org/freeipa/ticket/4402
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.
https://fedorahosted.org/freeipa/ticket/4478
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Make association auto-magic little bit less stupid. Now it supports
adding of new attribute member with add_member and remove_member
methods only on one side of the relationship.
https://fedorahosted.org/freeipa/ticket/4507
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- bounce url param was renamed from 'redirect' to 'url'
- support for 'delay' param added
Behavior:
- "Continue to next page" link is shown if 'url' is present
- page is no longer automatically redirected if 'url' is present
- automatic redirect is controlled by 'delay' param - it specifies
number of seconds until redirection
- info message 'You will be redirected in Xs' is show to notify
the user that something will happen. It's useful even if delay
is 0 or negative because redirection might be slow.
- counter is decremented every second
- delay is ignored if parsed as NaN
https://fedorahosted.org/freeipa/ticket/4440
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
DNS zone 'Add and Edit' failed because of new DNS name encoding.
This patch makes sure that keys are extracted properly.
https://fedorahosted.org/freeipa/ticket/4520
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX'
This part of the fix was invalid as trust domain object (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
action buttons associated with batch actions were enabled by default, but
they were disabled right after facet creation and a load of data. It caused
a visual flicker.
UX is enhanced by making them disabled by default.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- save one click by opening edit dialog right after adding new row
- add margin between fingerprint and "show/edit" button
- fix honoring of writable/read-only flags upon row creation
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- category radio line has line-height large enough to contain
undo button -> content doesn't move several pixels on change
- remove vertical padding from btns in table headers to maintain
about the same height
- remove invisible border from link buttons to have the same height
for disabled and enabled button
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Tooltips were added to "User authentication types" and "Default user
authentication types" to describe their relationship and a meaning of
not-setting a value.
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Allow to set 'tooltip' attribute in spec. It displays info icon
with Bootstrap's tooltip near field's label.
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- use title for input's elements 'title' attribute
- tooltip for Bootstrap's tooltip component
https://fedorahosted.org/freeipa/ticket/4471
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- added cancel button to reset password view of login screen
- re-implemented buttons hiding mechanism
- switching between 'Reset Password' and 'Reset Password and Login' according to presence of value in OTP field
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- add info icons to distinguish and classify the messages.
- add info text for OTP fields
- fix login instruction inaccuracy related to position of login button
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The notification is a primary information of the page. It should be more highlighted.
https://fedorahosted.org/freeipa/ticket/4470
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
On page:
- styled to use proper line breaks
- "centered" by .container class and not by huge padding
Console:
- proper line breaks
- links in stack trace are clickable(Chrome)
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Simplify code base by reuse of 'disable' feature of button_widget. All
occurrences of action-button which were disabled/enabled were replaced
by button-widget.
https://fedorahosted.org/freeipa/ticket/4258
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Detach/attach facet nodes when switching facets instead of
hiding/showing.
Keeps dom-tree more simple.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Fixed:
1. IE doesn't support value 'initial' in CSS rule.
2. setting innerHTML='' also destroys content of child nodes in
LoginScreen in IE -> reattached buttons have no text.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.
https://fedorahosted.org/freeipa/ticket/4450
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow use of characters that no longer cause troubles. Check for
leading and trailing characters in case of 389 Direcory Manager password.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Nested options (MS-PAC and PAD) of service's PAC type should be
disabled if no value is supplied (default value is "Inherited
from server configuration"). That was not the case - regression.
This patch fixes it and along with it simplifies the update method
of option_widget_base to be more comprehensible.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
User is not able to change Bind Rule Type if permission is already
member of a privilege. Let's disable it and don't confuse user.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Little regression - select widget could not handle empty or no array as an
input value.
It broke 'undo' operation in Permissions' 'Type' attribute while switching
between '' and some value.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Visible read-only fields are no longer displayed as disabled in
permission details facet.
https://fedorahosted.org/freeipa/ticket/4254
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
The input-group class was added based on visibility of child elements.
This failed when it had to be determined *before* displaying the widget.
Now it's added if the buttons are not hidden by `display: none` CSS rule.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Separate update of read-only state from update of value.
It should be possible to switch from read-only UI to editable UI without
value change.
https://fedorahosted.org/freeipa/ticket/4254
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Very useful for managed permissions since the list of attrs in metadata
might be smaller that default attributes. This smooths behavior if one
removes an attr from effective attrs which is not in metadata. Without
this it will disappear from the list and one has to add it manually
through 'Add'.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Web UI doesn't always know what are the possible attributes
for target object. This will allow to add custom attributes
if necessary.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
There is a case where attributes widget can contain > 1000 items.
It's about 3000 nodes. It's slow in jQuery. Simple move to dojo
speeds it up (is closer to native calls) while maintaining developer
friendliness.
Now the biggest lag is in browser's render. It's probably not worth
developer time to optimize that.
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Adds filter field to attribute box in permissions for better user
experience. User can then quickly find the desired attribute.
Initial version of the patch authored by: Adam Misnyovszki
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Attributes widget layour was changed from tiny table which allowed
to display only few options to a checkbox list with multiple
columns (depends on container).
Check all attributes option was removed to force the user
to read through the attributes which he selects.
Initial version authored by: Adam Misnyovszki
https://fedorahosted.org/freeipa/ticket/4253
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.
https://fedorahosted.org/freeipa/ticket/4433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
API responses can contain warnings in "messages" array. This patch
also adds support for displaying multiple notifications at the same
time in order to show the message and a status of finished operation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
/usr/share/java/rhino.jar is a Fedora's symlink to /usr/share/java/js.jar
Debian doesn't have it. Direct usage of upstream /usr/share/java/js.jar should
work on both systems.
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
It was decided not to change the OID space for FreeIPA 4.0+ objectclasses.
However, we should still at least properly mark the X-ORIGIN to make
analyzing schema easier.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The make-ui.sh script builds both app.js and core.js,
but only one was specified in the Makefile.
Correct the mistake.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Call user-unlock command from Web UI.
It will unlock displayed user on current master.
https://fedorahosted.org/freeipa/ticket/4407
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple facet.
This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
