The dialogs and details pages have been modified to use the * symbol
to mark required fields. The automount map and the DNS zone dialogs
have been modified to update the required fields according to the
input type.
Ticket #1696, #1973
Fixes 3 issues:
- If a topic has all its commands disabled, it should be disabled
- If a command is disabled its help should be disabled
- The show-mappings help was missing a doc string so no help was displayed
https://fedorahosted.org/freeipa/ticket/1998
When the NGP plugin is enabled, a managed netgroup is created for
every hostgroup. We already check that netgroup with the same
name does not exist and provide a meaningful error message.
However, this error message was also printed when a duplicate
hostgroup existed.
This patch checks for duplicate hostgroup existence first and
netgroup on the second place. It also makes sure that when NGP
plugin is (temporarily) disabled, a colliding netgroup cannot
be created.
https://fedorahosted.org/freeipa/ticket/1914
Since IPA v2 server already contain predefined groups that may collide
with groups in migrated (IPA v1) server (for example admins, ipausers),
users having colliding group as their primary group may happen to belong
to an unknown group on new IPA v2 server.
Implement --group-overwrite-gid option to overwrite GID of already
existing groups to prevent this issue.
https://fedorahosted.org/freeipa/ticket/1866
When users and hosts are included into groups indirectly, make sure that
during HBAC test e fill in all indirect groups properly into an HBAC request.
Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.
This makes possible following requests:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
Request to evaluate:
<user <name foobar groups [hbacusers,ipausers]>
service <name sshd groups []>
targethost <name vm-101.ipa.local groups []>
srchost <name vm-101.ipa.local groups []>
>
Fixes:
https://fedorahosted.org/freeipa/ticket/1862https://fedorahosted.org/freeipa/ticket/1949
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. TO avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past. To fetch just the objects call it like this:
{"method":"json_metadata","params":[["all",""],{}],"id":0}
And just the methods call it like this:
{"method":"json_metadata","params":[["","all"],{}],"id":0}
Note the difference in the positional parameters.
To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter.
THis is not ideal, but we are constrained by the existing API.
For every hostgroup a managed netgroup is created (if this is allowed).
Make sure that if a stand-alone netgroup exists, a hostgroup with the
same name cannot be created to prevent collisions.
https://fedorahosted.org/freeipa/ticket/1914
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.
I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.
Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.
The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.
https://fedorahosted.org/freeipa/ticket/1808
When group/user is migrated, the attribute used for RDN may be
multivalued. Make sure that we pick the value used in the RDN
which should be the unique one and not just the first one.
https://fedorahosted.org/freeipa/ticket/1892
LDAPCreate reports "search criteria was not specific enough" when LDAP
object created in LDAPCreate shares its container with other LDAP objects
and there is one with the same name and RDN attribute.
Pass objectclass to find_entry_by_attr() function used to retrieve
newly created object for POST_CALLBACK to identify correct LDAP
object.
https://fedorahosted.org/freeipa/ticket/1864
Fix get_url_list() so that the configured master server is there
just once. This fix lets /usr/bin/ipa try connecting to all IPA
masters just once and not print confusing server list with
dupled master.
https://fedorahosted.org/freeipa/ticket/1817
The validator will still fire, just after the load_files() call. Basically
it will hit the validator twice. The first time it will exit because the
value of csr is a filename. The second time it will run the validator against
the contents of the file.
ticket https://fedorahosted.org/freeipa/ticket/1777
https://fedorahosted.org/freeipa/ticket/1763
When external host is specified in HBAC rule, it needs to be added to
the set of source hosts this rule applies to. Add (list of external hosts)
explicitly when converting FreeIPA rules to PyHBAC objects.
Some hard-coded messages in ipa.js have been moved into internal.py.
The messages in internal.py have been rearranged to match the output
(ipa_init.json).
A new method IPA.get_message() has been added to take a message ID and
return the translated message or a default message if not found.
Ticket #1701
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
1) Add sudorule docstring headline
2) Fix naming inconsistency in Sudo plugins help and summaries,
especially capitalization of Sudo objects - Sudo Rule, Sudo
Command and Sudo Command Group
3) Add missing summaries for sudorule-add-option and
sudorule-remove-option. To keep backward compatibility with
older clients, just print the missing summary with
output_for_cli(), don't expand Output.
https://fedorahosted.org/freeipa/ticket/1595https://fedorahosted.org/freeipa/ticket/1596
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.
ticket https://fedorahosted.org/freeipa/ticket/1574
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.
Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.
We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.
It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.
However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.
Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.
class foo(Command):
'''
The foo command takes out the garbage.
'''
Would become:
class foo(Command):
__doc__ = _('The foo command takes out the garbage.')
But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.
In summary what this patch does is:
* Remove the use of pygettext (modification to install/po/Makefile.in)
* Replace every docstring with an explicit assignment to __doc__ where
the rhs of the assignment is an i18n marking function.
* Single line docstrings appearing in multi-line string literals
(e.g. ''' or """) were replaced with single line string literals
because the multi-line literals were introducing unnecessary
whitespace and newlines in the string extracted for translation. For
example:
'''
The foo command takes out the garbage.
'''
Would appear in the translation catalog as:
"\n
The foo command takes out the garbage.\n
"
The superfluous whitespace and newlines are confusing to translators
and requires us to strip leading and trailing whitespace from the
translation at run time.
* Import statements were moved from below the docstring to above
it. This was necessary because the i18n markers are imported
functions and must be available before the the doc is
parsed. Technically only the import of the i18n markers had to
appear before the doc but stylistically it's better to keep all the
imports together.
* It was observed during the docstring editing process that the
command documentation was inconsistent with respect to the use of
periods to terminate a sentence. Some doc had a trailing period,
others didn't. Consistency was enforced by adding a period to end of
every docstring if one was missing.
In cli.py is a framework for printing out help information. The
command documentation being displayed is internationalized, however
the text generated by the help framework itself is not
internationalized.
The strings output by the help subsystem need to be internationalized.
* Wrap each topic description in _()
* Replace the use of if 'topic' in dir(module) with the more
Pythonic and efficient getattr(module, 'topic', None)
* Make sure to invoke unicode on the value returned from _()
otherwise you'll get a GettextFactory instance, not a string
* Clean up trailing whitespace errors
A Password param always prompted to confirm the entered password.
This doesn't make sense if you want to prompt for a password to another
system like we do with entitlements. This adds a new boolean option to
control the Password prompt parameter.
https://fedorahosted.org/freeipa/ticket/1695
Newly performs validation of details facet before update. If validation fails, notification dialog is shown and command isn't executed.
Fixed integer minimum and maximum value checking.
Read-only and non-writable fields are no longer considered required.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
The association table widget and facet have been modified to accept
titles for the add and delete dialogs. The table and facet definitions
have been modified to specify the appropriate titles.
Some unused code have been removed.
Ticket #1629
Do not fail import operation with DuplicateEntry when imported
maps/keys conflict with maps/keys pre-created by
automountlocation-add command. Currently, this applies for map
'auto.direct' and key '/-'.
https://fedorahosted.org/freeipa/ticket/1551
The 'Hide already enrolled' has been removed from the enrollment
dialog because it is checked by default and entries that are already
enrolled cannot be enrolled again.
Ticket #1638
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.
Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.
Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.
https://fedorahosted.org/freeipa/ticket/1528
dns.py at line 976 has an invalid i18n string and cannot be processed
during message extraction causing message catalog generation to fail.
The format parameters are trapped inside the i18n string. Also it's
not necessary to promote the i18n string literal to unicode via the u
prefix because the _() function returns unicode.
The DN unittest was lacking a test for i18n. The unittest was
updated to store "Hello" in Arabic with both utf-8 and unicode
and verify the values could be properly retrieved and converted
to dn string syntax.
During the testing a few problems were discovered and corrected.
* passing in utf-8 caused an ASCII decode error becuase of Python's
silly default encoding of ASCII. The fix was to explictly use
the utf-8 codec.
* there were a couple of places where encode/decode were not
called correctly.
* the internal attr and value members of the AVA class were renamed
to explicitly show they are stored as unicode.
Of course the unittest was updated as well.
The facet group labels have been modified according to UXD spec.
Some facet groups will have more descriptive labels. Some others
will not have any labels because the facet tab is self-explanatory.
Ticket #1423, #1561
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
change widget and widget unit tests to hold on to entity, not entity name.
Replacing entity_name with entity.name in most places.
The one exception is columns for table_widget.
Widgets that refer to other entities have to have late resolution of the entity object, due to circular dependencies.
cleanup entity assignment.
removed template and layout,
merged setup into create
adder dialogs adjust height for external
removed init from widget, isection, association, facet, host and service
Make unit tests use factory.
fix functional tests to click find link correctly.
tweak to activation test, but still broken.
moved initialization code to the end
use --all for hbacrule find, so the type shows up now
fixed dns exception code and exception handling for get_entity
replace metadata look up with value from entity.
fixed author lines
removed duplicate columns in managed by facets.
tweak to nav fix in order to initialize tab.
more defensive code
update metadata for true false
one line init for entity_name in widget
move init code to end of constructor functions
moved constants to start of function for adder_dialog
external fields for dialogs initialized at dialog creation
sudo sections: move add fields and columns to widget definition.
The parameter validation in IPA.column ...This is precondition checking. Note that it merely throws an exception if the entity_name is not set. I want this stuff at the top of the function so that it is obvious to people looking to use them what is required. I added a comment to make this clear, but I'd like to keep precondition checking at the top of the function.
decreased the scope of the pkey_name and moved the initiailzation fof columns into the setup_column function for association_tables
return false at the end of click handler
removed blank labels in sudo command section
fix radio buttons for sudo category
fixed table side for adder dialogs with external fields
comments for future direction with add_columns
https://fedorahosted.org/freeipa/ticket/1451https://fedorahosted.org/freeipa/ticket/1462https://fedorahosted.org/freeipa/ticket/1493https://fedorahosted.org/freeipa/ticket/1497https://fedorahosted.org/freeipa/ticket/1532https://fedorahosted.org/freeipa/ticket/1534
Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)
Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.
Add keyword constructor parameters to pass configuration options.
Make first_key_match a configuration keyword.
Updated documentation.
Updated unit test.
FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.
When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.
https://fedorahosted.org/freeipa/ticket/1520
The summary value was set to primary key. However, the primary key
may contain also an info option as a workaround for multiple direct
maps problem.
This patch sets the result 'value' and thus summary text to
expected and consistent value.
https://fedorahosted.org/freeipa/ticket/1524
The pairwise grouping used to form RDN's and AVA's proved to be
confusing in practice, this patch removes that functionality thus
requiring programmers to explicitly pair attr,value using a tuple or
list.
In addition it was discovered additional functionality was needed to
support some DN operations in freeipa. DN objects now support
startswith(), endswith() and the "in" membership test. These functions
and operators will accept either a DN or RDN.
The unittest was modified to remove the pairwise tests and add new
explicit tests. The unittest was augmented to test the new
functionality. In addition the unittest was cleaned up a bit to use
common utilty functions for improved readabilty and robustness.
The documentation was updated.
fix test_role_plugin use of DN to avoid pairwise grouping
Allow a long to get as far as the min/max constraints where we can
compare it to min/max int values and reject with a proper error message.
https://fedorahosted.org/freeipa/ticket/1494
Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.
This is controlled by a new booleon option, wait_for_attr, defaulting
to False.
https://fedorahosted.org/freeipa/ticket/1144
If you used sudorule-remove-runasgroup to remove a member that member
still appeared in the command output when --all was included (it isn't a
default attribute). This was due to post-processing to evaluate external
users/groups, the entry was actually updated properly.
https://fedorahosted.org/freeipa/ticket/1348
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
Passing a number of "long" type to IPA Int parameter invokes
user-unfriendly error message about incompatible types. This patch
improves Int parameter with user understandable message along with
maximum value he can pass.
https://fedorahosted.org/freeipa/ticket/1346
Implement a test for new dnszone-find option --forward-only.
Fix example for reverse zone (zone was not fully qualified and
DNS plugin would forbid adding PTR records).
https://fedorahosted.org/freeipa/ticket/1473
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
It was my understanding that we would be able to pass in an existing UUID
when registering to connect to an existing registration (for the case where
IPA is re-installed). This is supported in the REST API but not python-rhsm.
https://fedorahosted.org/freeipa/ticket/1216
The CSS text-transform sometimes produces incorrect capitalization,
so the code has been modified to use translated labels that already
contain the correct capitalization.
Ticket #1424
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
https://fedorahosted.org/freeipa/ticket/1259
Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.
This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
The object_name, object_name_plural and messages that use these
attributes have been converted to support translation. The label
attribute in the Param class has been modified to accept unicode
string.
Ticket #1435
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).
https://fedorahosted.org/freeipa/ticket/1388
This started as a problem in allowing leading/trailing whitespaces
on primary keys. In nearly every command other than add query is True
so all rules were ignored on the primary key. This meant that to
enforce whitespace we would need to define a validator for each one.
I decided instead to set self.all_rules to just the class rules if
query == True. So the minimum set of validators will be executed
against each type but param-specific validators will only run on add.
https://fedorahosted.org/freeipa/ticket/1285https://fedorahosted.org/freeipa/ticket/1286https://fedorahosted.org/freeipa/ticket/1287
The object_name attribute was used as both an identifier and a
label which sometimes require different values (e.g. hbacrule
vs. HBAC rule). The code that uses object_name as an identifier
has been changed to use the 'name' attribute instead. The values
of the object_name attribute have been fixed to become proper
labels.
Ticket #1217
The following invalid associations have been removed:
- group's memberindirect netgroup and role
- hostgroup's memberofindirect host
Ticket #1366
Ticket #1367
The IPA.user_status_widget has been modified such that it checks
the facet dirty status and asks the admin to either Update or Reset
the changes. Then the widget shows a dialog to confirm whether
the admin wants to activate/deactivate the user.
Ticket #1395
According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE.
This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values
and enforces TRUE or FALSE string for account locking.
The entity labels in the following locations have been fixed:
- search facet title: plural
- details facet title: singular
- association facet title: singular
- breadcrumb: plural
- adder dialog title: singular
- deleter dialog title: plural
Some entity labels have been changed into the correct plural form.
Unused file install/ui/test/data/i18n_messages.json has been removed.
Ticket #1249
Ticket #1387
A new attribute label_singular has been added to all entities which
contains the singular form of the entity label in lower cases except
for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web
UI, this label can be capitalized using CSS text-transform.
The existing 'label' attribute is intentionally left unchanged due to
inconsistencies in the current values. It contains mostly the plural
form of capitalized entity label, but some are singular. Also, it
seems currently there is no comparable capitalization method on the
server-side. So more work is needed before the label can be changed.
Ticket #1249
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
The goal is to not import foreign certificates.
This caused a bunch of tests to fail because we had a hardcoded server
certificate. Instead a developer will need to run make-testcert to
create a server certificate generated by the local CA to test against.
ticket 1134
When user_add command is executed without uid parameter filled, user
account is created without 'krbprincipalname' attribute. This renders
the user account unusable.
https://fedorahosted.org/freeipa/ticket/1279
Enhance Host plugin to provide not only "Managed By" list but also
a list of managed hosts. The new list is generated only when --all
option is passed.
https://fedorahosted.org/freeipa/ticket/993
When a new DNS zone is being created a local hostname is set as a
nameserver of the new zone. However, when the zone is created
during ipa-replica-prepare, the the current master/replica doesn't
have to be an IPA server with DNS support. This would lead to DNS
zones with incorrect NS records as they wouldn't point to a valid
name server.
Now, a list of all master servers with DNS support is retrieved
during DNS zone creation and added as NS records for a new DNS
zone.
https://fedorahosted.org/freeipa/ticket/1261
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.
This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.
Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).
https://fedorahosted.org/freeipa/ticket/1266
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.
So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.
Multiple direct maps are still supported and for those the info is
always required.
ticket 1229
LDAP search operation may return a search reference pointing to
an LDAP resource. As the framework does not handle search
references, skip these results to prevent result processing
failures.
Migrate operation crashed when the migrated DS contained search
references. Now, it correctly skips these records and prints the
failed references to user.
https://fedorahosted.org/freeipa/ticket/1209
Interactive mode for commands manipulating with DNS records
(dnsrecord-add, dnsrecord-del) is not usable. This patch enhances
the server framework with new callback for interactive mode, which
can be used by commands to inject their own interactive handling.
The callback is then used to improve aforementioned commands'
interactive mode.
https://fedorahosted.org/freeipa/ticket/1018
Attempt to retrieve the schema the first time it is needed rather than
when Apache is started. A global copy is cached for future requests
for performance reasons.
The schema will be retrieved once per Apache child process.
ticket 583
Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.
Add two new LDAPObject values to control this behavior:
limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed
By default both of these lists are empty so are skipped.
ticket 744
Migration from a v2 server would fail because of our fake memberofindirect
attribute. This isn't in any objectclass so would cause entries to fail
to migrate. We can safely just remove it.
Also remove any limits on time/size when searching for entries on the
remote server. Otherwise only the number of entries configured in the
local IPA server can be migrated.
ticket 1124
automount implemented using standard facets and containing_entity pkey generation
sample data fixtures for automount.
messages for automount and HBAC.
modified form of the search facet used to nest the automount entities
Add works for nested entities. Delete works for all but keys. Since the API for this is going to change, I'm not going to fix it pre-checkin.
All the places the PKEY prefix is needed uses a single function. Added breadcrumb trail into title.
update ipa_init sample data
add redirect logic for pages without pkeys.
add and delete link to appropriate entities for nested search facet.
Using on demand entities. Fixed breadcrumbs.
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
We should more gracefully handle if the TGT has not been forwarded
than returning a 500 error.
Also catch and display KerberosErrors from ping() in the client better.
ticket 1101
The IPA.association_facet has been modified to take a read_only parameters.
If the parameter is set to true, the Enroll and Delete buttons will not be
shown. All facets under the memberindirect and memberofindirect facet groups
are marked as read-only.
Ticket #1030
The IPA.entity has been modified to support customizable facet groups.
The default list of facet groups is defined in IPA.entity_header and can
be overriden in the entity definition.
Ticket #1219
Facet container has been added to hold facet header (i.e. title,
search fields, buttons, links) and facet content. Each facet now
occupies separate container, so it can be shown/hidden without
having to redraw the content.
Report missing python packages, inform about false positives, fail
gracefully if pylint isn't installed. Fixed a bug in the ignore
list and added few more files/directories to it.
ticket 1184
When the pwpolicy attribute "cospriority" is passed to pwpolicy-mod
command and the old value is kept, the command should succeed
if there was at least one other attribute changed. Current
pwpolicy-mod raises exception in this case which may lead to issues
in the WebUI.
https://fedorahosted.org/freeipa/ticket/1104
This change means the UI can stop using the --all option and have to
retrieve significantly less information from the server. It also
speeds up user-find as it doesn't have to calculate membership.
This adds a new baseclass parameter, search_display_attributes, which
can provide a separate list from default_attributes just for find
commands.
The UI will need to be changed to switch from using cn to using
givenname and sn.
ticket 1136
When adding a new DNS zone in the WebUI, IPA server will verify
whether the nameserver is in DNS. Sometimes it is necessary to
skip the verification.
This patch adds a --force option already available in CLI which
can skip this the verification.
https://fedorahosted.org/freeipa/ticket/1105
The entitlement facet will show buttons according to the entitlement
status. If it's unregistered, the facet will show a Register button.
If it's registered, the facet will show a Consume button.
Current PTR validation is unclear and may misled the user. This
patch improves the validation process so that the eventual exception
is clearer. New check that the PTR record is fully qualified has
been added to ensure that the reverse zone resolution behaves as
expected.
Additionally, several strings in the DNS plugin were prepared for
localization.
https://fedorahosted.org/freeipa/ticket/1129
Most of the pwpolicy_* commands do include cospriority in the result
and potentially in the attribute rights (--all --rights). Especially
when --raw output is requested. This patch fixes it for all
pwpolicy commands.
https://fedorahosted.org/freeipa/ticket/1103
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
When duplicate user is added an inconsistent error message to the rest
of the framework is printed. This patch changes this to standard
duplicate error message.
https://fedorahosted.org/freeipa/ticket/1116
This patch fixes a stacktrace that is printed out when a IPv6
AAAA record with subnet prefix length (e.g. /64) is added.
The same error message as when IPv4 record with subnet prefix
length is used.
https://fedorahosted.org/freeipa/ticket/1115
Nested role is not supported in 2.0.x, so the association facet
for it should be removed from the UI. The attribute_members in
role.py needs to be fixed because it is used to generate the
association facet automatically.
Ticket 1092.
In a details page, usually any changes done to the fields will not be
applied until the user clicks the Update button. However, if the page
contains an association table, any addition/deletion to the table will
be applied immediately.
To avoid any confusion, the user is now required to save or reset all
changes to the page before modifying the association. A dialog box will
appear if the page contains any unsaved changes.
This patch replaces xgettext with a custom pygettext to generate
translatable strings from plugin files in ipalib/plugins. pygettext
was modified to handle plural forms (credit goes to Jan Hendrik Goellner)
and had some bugs fixed by myself. We only use it for plugins, because
it's the only place where we need to extract docstrings for the built-in
help system.
I also had to make some changes to the way the built-in documentation
systems gets docstrings from modules for this to work.
We weren't searching the cn=sudo container so all members of a
sudocmdgroup looked indirect.
Add a label for sudo command groups.
Update the tests to include verifying that membership is done
properly.
ticket 1003
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
This creates a new custom attribute, memberofindirect_[plugin].
Using this you can tell the difference between being an actual memberof
another entry and being a memberof as the result if inheritence. This is
particularly useful when trying to remove members of an entry, you can
only remove direct members.
I had to add a couple of short sleep calls to make things work a little
better. The memberof plugin runs as a postop and we have no way of knowing
when it has done its work. If we don't pause we may show some stale
data that memberof hasn't updated yet. .3 seconds is an arbitrary choice.
ticket 966
The json_metadata() has been updated to return ipa.Objects and
ipa.Methods. The i18n_messages() has been updated to include other
messages that are not available from the metadata.
Previously the user's city parameter is defined to use the 'locality'
attribute. This was a problem because the attribute would be returned
as 'l' by the directory server causing a mismatch. Now the parameter
has been changed to use the 'l' attribute.
nsaccountlock doesn't have a visible Param but we want do so
some basic validation to be sure garbage doesn't get in there so
do it in the pre_callback of add and mod.
ticket 968
When a service/host is disabled, the resulting summary message states
that a Kerberos key was disabled. However, Kerberos key may not have
been enabled before this command at all, which makes this information
confusing for some users. Also, the summary message didn't state
that an SSL certificate was disabled too.
This patch rather changes the summary message to a standard phrase
known from other plugins disable command and states all disable
command steps in a respective command help.
https://fedorahosted.org/freeipa/ticket/872
The cert plugin only worked OK with decimal certificate serial numbers.
This patch allows specifying the serial number in hexadecimal, too. The
conversion now works such that:
* with no explicit radix, a best-effort conversion is done using int(str,
0) in python. If the format is ambiguous, decimal takes precedence.
* a hexadecimal radix can be specified explicitly with the traditional
0x prefix
https://fedorahosted.org/freeipa/ticket/958https://fedorahosted.org/freeipa/ticket/953
This patch adds a proper summary text to HBAC command which is
then printed out in CLI. Now, HBAC plugin output is consistent
with other plugins.
https://fedorahosted.org/freeipa/ticket/596
The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets.
The service.py has been modified to specify the correct relationships. The API.txt has been updated.
https://fedorahosted.org/freeipa/ticket/960
Also fix some related problems in write_certificate(), handle
either a DER or base64-formatted incoming certificate and don't
explode if the filename is None.
ticket 954
Some attribute enforcement is done by schema, others should be done
by the required option in a Parameter. description, for example, is
required by many plugins but not the schema. We need to enforce in the
framework that required options are provided.
After all the setattr/addattr work is done run through the modifications
and ensure that no required values will be removed.
ticket 852
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns types
in permissions class.
https://fedorahosted.org/freeipa/ticket/646
This patch fixes the default domain functionality for user email(s).
This setting may be configured via:
ipa config-mod --emaildomain=example.com
Then, when user is added/modified and --mail option is passed,
the default domain is appended if the passed attribute does not
contain another domain already.
https://fedorahosted.org/freeipa/ticket/598
Request logging on the server only happened if you added verbose=True
or debug=True to the IPA config file. We should log the basics at
least: who, what, result.
Move a lot of entries from info to debug logging as well.
Related to ticket 873
This patch removes some individual work-arounds of converting strings
to unicode, they only masked the problem. String values are not
passed to the validator or normalizers so things like adding the
realm automatically to services weren't happening.
ticket 941
Since some LDAP attributes have their cli_name value defined,
so they can be more user friendly, it can be difficult for user to find
out which attributes do the parameteres given to CLI really represent.
This patch provides new command, which will take another IPA command as
and argument and display attributes which given command takes and what
LDAP attributes are they mapped to.
https://fedorahosted.org/freeipa/ticket/447
