The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
https://fedorahosted.org/freeipa/ticket/2238
It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.
This is for new installs only.
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.
https://fedorahosted.org/freeipa/ticket/2147
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
Address column in A, AAAA DNS records was exented of redirection capabilities.
Redirection dialog is shown after a click on a value.
Dialog does following steps:
1) fetch all dns zones
2) find most accurate reverse zone for IP address
2 -fail) show error message, stop
3) checks if target record exists in the zone
3 -fail) show 'dns record create link', stop
4) redirects
Click on 'dns record create link':
1) creates record
1 -fail) show error, stop
2) redirects
https://fedorahosted.org/freeipa/ticket/1975
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.
For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).
ticket 1634
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.
https://fedorahosted.org/freeipa/ticket/1634
In user group adder dialog, the "Is this a POSIX group?" was replaced with "POSIX group".
In host search facet, the "Enrolled?" was replaced with "Enrolled".
https://fedorahosted.org/freeipa/ticket/2353
Problem:
Entity link (eg: to hosts in dns record or to dns record in host) is not changing its state when linked record doesn't exist. The link can remain wrongly enabled from previous state.
Fixed:
The link is disabled when target doesn't exist.
https://fedorahosted.org/freeipa/ticket/2364
The patch fixes a problem in error_handler_login() when it gets
an error other than 401.
The login_url is not needed for fixtures because it does not need
authentication.
The patch also fixes jslint warnings and formatting issues.
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
In this patch was implemented and added a control for defining default automember groups.
There is a difference from UXD spec. In the spec the control was placed below table in the search facet. This was not working well with the combobox in the control. Open combobox requires some space below it. As it was placed at the bottom of the page it created unwanted blank space and forced showing scrollbars. Moving the control above the table solves the problem without rewriting combobox logic. It can be rewritten and moved down later.
https://fedorahosted.org/freeipa/ticket/2195
New UI for automember.
Implemented:
* search facet core
* rule details facet
* attribute_table_widget - new base class for tables which contains multivalued attribute with special add/remove commands
* adding/removing conditions in details facet
TODO:
* label translations
* UI for defining default rules
https://fedorahosted.org/freeipa/ticket/2195
In current implementation target facet of navigation(from menu) and redirection is always one exact facet per entity. There isn't a way to navigate to different facet from menu or redirect to different facets from various facets.
This patch adds:
* possibility to define menu items which can navigate to different facets of various entities. This also means that now current menu tree can contain leafs with the same entity.
* possibility to define redirection target per facet - it is needed to keep breadcrumb navigation consistent with various navigation tree patch leading to same entity leafs.
This functionality is needed for Automember UI. Automember UI is designed as if it was for two entities but it is in fact only one.
https://fedorahosted.org/freeipa/ticket/2195
The user details page was modified to show the password expiration
date next to the existing password field.
Fixed problem resetting password in self-service mode. The JSON
interface for the passwd command requires the username to be
specified although the equivalent CLI command doesn't require it.
Ticket #2064
The status formatter was modified to show enabled/disabled icon
before the status text.
The format classes were renamed to formatter to avoid confusion
with the format() method. A new parameter 'type' was added to the
formatter to determine the output type (e.g. text/html).
Ticket #1996
Paging in DNS record search facet was disabled because there was a mismatch between primary keys sent by server and values displayed in the facet.
The facet was modified to enable paging. To preserve amount of information which was displayed before, current rows have variable height - they can contain more that one line depending on number of values in the record. Each record has a checkbox and indsname in its first line to distinguish one record from others. Because there is only one checkbox for record, delete command is called with --rem-all option which causes that entire record is removed. Individual values can be deleted in record's details facet.
https://fedorahosted.org/freeipa/ticket/2094
Web UI is caching records. Currently only possible ways how to display updated record which was changed elsewhere - ie. in CLI are:
* refresh page in browser (takes really long on slow vpns)
* search facet: change filter, find, change filter back, find
* entity details: go to search, select other entry, go back to search, select original entry
* association facet: same as entity details
These are unconvenient methods.
This patch adds Refresh button to search, details and association facet. This button executes facets refresh method.
https://fedorahosted.org/freeipa/ticket/2051
When using ipa-replica-manage or ipa-csreplica-manage to delete an
agreement with a host we would try to make a connection to that host
prior to tryign to delete it. This meant that the trying to delete
a host we don't have an agreement with would return a connection
error instead of a "no agreement with host foo" error.
Also display a completed message when an agreement is removed.
https://fedorahosted.org/freeipa/ticket/2048https://fedorahosted.org/freeipa/ticket/2125
A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.
This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.
https://fedorahosted.org/freeipa/ticket/2154
