When adding a new DNS zone in the WebUI, IPA server will verify
whether the nameserver is in DNS. Sometimes it is necessary to
skip the verification.
This patch adds a --force option already available in CLI which
can skip this the verification.
https://fedorahosted.org/freeipa/ticket/1105
UI trims whitespace at the beginning or at the end when user data
are being saved. This confuses is_dirty function which incorrectly
recognizes given field as modified.
This patch fixes this issue for both general text fields and
ACI filter field.
https://fedorahosted.org/freeipa/ticket/1096
The entitlement facet will invoke entitle_status to check the entitlement
status and show the appropriate buttons. If it's unregistered it will show
Register and Import button. If it's registered it will show the Consume
button only. If it's imported it will show the Import button only. The
Import button will open a dialog box for importing entitlement certificate.
Ticket #277
This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.
ticket 1177
The entitlement facet will show buttons according to the entitlement
status. If it's unregistered, the facet will show a Register button.
If it's registered, the facet will show a Consume button.
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.
This also gives priority to the DM password if it is passed in.
Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.
Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.
Ticket 1157
The IPA.entity_builder has been modified to take a 'factory' parameter
in custom facet's and custom dialog's spec. The IPA.dialog has been
modified to take an array of fields in the spec. The IPA.search_facet
has been modified to take an array of columns in the spec.
To improve code readability and extensibility the containers for action
panel and client area are now created in IPA.entity.setup(). The 'client area'
has been renamed into 'content'. The IPA.facet.create() has been renamed to
IPA.facet.create_content().
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
This requires 389-ds-base-1.2.8.0-1+
ticket 1153
If the host has a one-time password but krbPrincipalName wasn't set yet
then the enrollment would fail because writing the principal is not
allowed. This creates an ACI that only lets it be written if it is not
already set.
ticket 1075
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* remove automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.
https://fedorahosted.org/freeipa/ticket/1102
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
There are cases when ipactl returns success even when it fails. Plus,
when the error really is detected the status codes are not LSB
compliant. This may result in consequent issues.
This patch improves error handling in ipactl and adds LSB compliant
status codes. Namely:
0 program is running or service is OK
3 program is not running
4 program or service status is unknown
for "status" action. Status code 4 is issued when IPA is not
configured to distinguish this state from not running IPA.
For other actions, the following non-zero status codes are
implemented:
1 generic or unspecified error
2 invalid or excess argument(s)
4 user had insufficient privilege
6 program is not configured
https://fedorahosted.org/freeipa/ticket/1055
The month in krblastpwdchange (LDAP Generalized Time) is 1-based
but the month in JavaScript Date.setUTCFullYear() is 0-based so it
needs a conversion.
Ticket 1053
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this it is only needed
on clones.
ticket 1024
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
