browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].
Old configuration method was moved to ssbrowser.html.
Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.
The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).
Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.
If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.
In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later.
How it works:
Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'.
'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages.
Possible enhancement:
* add UI for manual edit
* more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page)
* introspection of client (read ipa client install config and such)
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
This strange patch is to accomodate both python-ldap 2.3 and later versions.
There was refactoring in python-ldap support for LDAP controls that split
base class into two different, changing properties and method signatures.
Luckily, we don't use any values passed to encodeControlValue.
This patch addresses two issues:
1. If a client is previously enrolled in an IPA server and the server
gets re-installed then the client machine may still have a keyring
entry for the old server. This can cause a redirect from the
session URI to the negotiate one. As a rule, always clear the keyring
when enrolling a new client.
2. We save the NSS dbdir in the connection so that when creating a new
session we can determine if we need to re-initialize NSS or not. Most
of the time we do not. The dbdir was not always being preserved between
connections which could cause an NSS_Shutdown() to happen which would
fail because of existing usage. This preserves the dbdir information when
a new connection is created as part of the session mechanism.
https://fedorahosted.org/freeipa/ticket/3108
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.
Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.
Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.
https://fedorahosted.org/freeipa/ticket/3106
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.
https://fedorahosted.org/freeipa/ticket/3098
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.
https://fedorahosted.org/freeipa/ticket/3097
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.
Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).
https://fedorahosted.org/freeipa/ticket/2184
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.
Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.
Add both indexes to new and updated IPA installs.
https://fedorahosted.org/freeipa/ticket/3020https://fedorahosted.org/freeipa/ticket/3025
A hotfix pushed in a scope of ticket 3088 forced conversion of DN
object (baseDN) in IPA client discovery so that ipa-client-install
does not crash when creating an IPA default.conf. Since this is not
a preferred way to handle DN objects, improve its usage:
- make sure, that baseDN retrieved by client discovery is always
a DN object
- update ipachangeconf.py code to handle strings better and instead
of concatenating objects, make sure they are converted to string
first
As a side-effect of ipachangeconf changes, default.conf config file
generated by ipa-client-install has no longer empty new line at the
end of a file.
Whole ipachangeconf.py has been modified to be compliant with PEP8.
https://fedorahosted.org/freeipa/ticket/3088
Fedora 18 and later has moved unified samba and samba4 packages. Update
Requires and BuildRequires in spec file to require correct versions.
Also require libwbclient-devel which now provides libwbclient.h instead
of samba4-devel package.
https://fedorahosted.org/freeipa/ticket/3118
Do not print list of possible values as "%r" but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.
https://fedorahosted.org/freeipa/ticket/2869
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.
Fix this error and add a check for empty DNS labels to the validator
Instead of `except:`, use `except Exception:`. This means that errors
like KeyboardInterrupt are not handled, letting them terminate the
script as expected.
https://fedorahosted.org/freeipa/ticket/2941
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.
https://fedorahosted.org/freeipa/ticket/2993
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.
Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).
https://fedorahosted.org/freeipa/ticket/2790
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).
https://fedorahosted.org/freeipa/ticket/3055
Forward and reverse resolution of the newly created replica is already
checked via get_host_name (which calls verify_fqdn).
Add the same check for the existing master.
Additionally, if DNS is installed on the remote host, check forward
and reverse resolution of both replicas using that DNS only
(ignoring /etc/hosts). These checks give only warnings and, in interactive
installs, a "Continue?" prompt.
https://fedorahosted.org/freeipa/ticket/2845
The sssd.conf file is no longer left behind in case sssd was not
configured before the installation. However, the patch goes behind
the scope of this ticked and improves the handling of sssd.conf
during the ipa-client-install --uninstall in general.
The current behaviour (well documented in source code) is as follows:
- In general, the IPA domain is simply removed from the sssd.conf
file, instead of sssd.conf being rewritten from the backup. This
preserves any domains added after installation.
- If sssd.conf existed before the installation, it is restored to
sssd.conf.bkp. However, any IPA domains from pre-installation
sssd.conf should have been merged during the installation.
- If sssd.conf did not exist before the installation, and no other
domains than IPA domain exist in it, the patch makes sure that
sssd.conf is moved to sssd.conf.deleted so user experiences no
crash during any next installation due to its existence.
https://fedorahosted.org/freeipa/ticket/2740
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.
Test case has been added to cover the new default.
https://fedorahosted.org/freeipa/ticket/2461
There was an error in number validation check. If boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases.
https://fedorahosted.org/freeipa/ticket/3066
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.
Once trust is added, status of it is never stored anywhere.
https://fedorahosted.org/freeipa/ticket/2763
We've been stopping both DS instances (main and PKI) when upgrading.
This can happen while the CA is running. In some cases stopping the PKI
DS also killed the CA.
Only stop the specific instance for upgrades.
Also, wait for open ports after the upgrade is complete. The wait was
skipped previously. This can prevent bugs if scripts that need a DS are
run after the upgrade.
https://fedorahosted.org/freeipa/ticket/3083
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch changes the ipa install code to integrate these changes.
https://fedorahosted.org/freeipa/ticket/2846
ipa-client-install crashed when IPA server anonymous access was
disabled and base DN was thus generated via realm_to_suffix
function which, however, returns a DN object and not string.
DN was converted to string, ipa-client-install no longer crashes
in this scenario.
https://fedorahosted.org/freeipa/ticket/3088
If you have a replication topology like A <-> B <-> C and you try
to delete server B that will leave A and C orphaned. It may also
prevent re-installation of a new master on B because the cn=masters
entry for it probably still exists on at least one of the other masters.
Check on each master that it connects to to ensure that it isn't the
last link, and fail if it is. If any of the masters are not up then
warn that this could be a bad thing but let the user continue if
they want.
Add a new option to the del command, --cleanup, which runs the
replica_cleanup() routine to completely clean up references to a master.
https://fedorahosted.org/freeipa/ticket/2797
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv
list-ruv can be use to list the update vectors the master has
configugured
clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.
https://fedorahosted.org/freeipa/ticket/2303