The cert-show command needs to be called with cacn option. Cacn option is
passed using URL attribute.
https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Sometimes the entity_show command must be called with options which are gathered
from result of entity_find command. These options needs to be passed as
arguments in URL which points to details page.
This functionality is implemented to table facet. There is new property
'additional_navigation_arguments' which is prepared for array of attributes
which will be passed to URL.
Part of: https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way needs to explicitly contact root domain DCs
even in the case when an external trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.
At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).
Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Port name "msft-gc" is taken form /etc/services file provided by package
setup-2.10.1-1.fc24.noarch.
https://fedorahosted.org/freeipa/ticket/6235
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.
Part of: https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Topology graph didn't show plus icons correctly.
There is a problem with uglifying of javascript code. It does not leave unicode character
written in hexadecimal format unchanged. Therefore this workaround which inserts
needed character using Javascript function and uglifiyng does not affect it.
https://fedorahosted.org/freeipa/ticket/6175
Reviewed-By: Martin Basti <mbasti@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update the ipa-replica-install man page and help to reflect that replica_file
is optional instead of mandatory.
https://fedorahosted.org/freeipa/ticket/6164
Reviewed-By: Martin Basti <mbasti@redhat.com>
As the 'cn' is not in the response of user-show there is empty column in adder dialog.
Therefore the column was removed.
https://fedorahosted.org/freeipa/ticket/6055
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
krbCanonicalName is for a long time among the attributes guarded by uniqueness
plugins, but there was never an index for it. Now that the attribute is really
used to store canonical principal names we need to add index for it to avoid
performance regressions.
https://fedorahosted.org/freeipa/ticket/6100
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
ipa-ca-install said that it used
/var/log/ipareplica-ca-install.log
but in fact it used
/var/log/ipaserver-ca-install.log
This patch unites it to ipareplica-ca-install.log
It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.
https://fedorahosted.org/freeipa/ticket/6086
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Also changes the name of option which is send during adding new service from
'krbprincipalname' to 'krbcanonicalname'.
https://fedorahosted.org/freeipa/ticket/5927
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The custom_command_multivalued_widget now handles remove and add commands errors
correctly and shows error message.
Part of: https://fedorahosted.org/freeipa/ticket/5381
add_error
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Web UI has inbuilt mechanism to reload in case response from a server
contains a different principal than the one loaded during Web UI
startup.
see rpc.js:381
With kerberos aliases support the loaded principal could be different
because krbprincipalname contained multiple values.
In such case krbcanonicalname should be used - it contains the same
principal as the one which will be in future API responses.
https://fedorahosted.org/freeipa/ticket/5927
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some imports were not possible in old versions of IPA. This caused
import exceptions on the script start.
https://fedorahosted.org/freeipa/ticket/6003
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The confirmation of revoke and remove the certificate hold action is simplier
and more consistent with another parts of WebUI.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Use the default context rather the server context for code not running
inside the server.
This prevents the affected code from attempting to initialize the session
manager.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Strings which are used by widget which shows authentication indicators were moved.
Therefore the change in string paths.
Part of: https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Also move strings which are connected with authentication indicators to authtype dict.
This place is more general than have them in service dict. It's nicer when these strings are
not used only on service page.
Part of: https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add possibility to add, remove, view, get and download custom certificates on ID override user page.
https://fedorahosted.org/freeipa/ticket/5926
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add general class for multivalued widget which uses special commands which
are performed immediately.
Part of: https://fedorahosted.org/freeipa/ticket/5108
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
All certificates which are not issued by IPA CA are grey and not clickable. That's
because these certificates are not maintained by IPA CA.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Method calling in actions is moved to another function - these calls may be used
by another functions, not only by actions.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Removed old layout created using html tables. Now table layout is made by div
and modern css styling.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Object adapter changes data to more useful format. Single value is reachable
as single value, property with more values is transformed to array.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
By specifying correct attribute when creating command it turn off showing activity icon
when webui waits for response from the server.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This widget can be used as notification that some other widget is working.
It shows spinner and cover the other widget by specified color.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Adds methods which are able to enable and disable options according to the name of option
and methods which set or get whole item list.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Every single widget which is in multivalued widget can now have custom action menu
and the delete button is included in this custom action menu.
Part of this ticket:
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Enhance the ipa-certupdate program to add Certmonger tracking
requests for lightweight CA certificates.
Also update the dogtag-ipa-ca-renew-agent-submit to not store or
retrieve lightweight CA certificates, becaues Dogtag clones observe
renewals and update their NSSDBs on their own, and allow the helper
to request non-self-signed certificates.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.
Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We don't need anymore:
* sample of zone file - list of all records required by IPa will be
provided
* NTP related params - DNS records will be updated automatically,
based on LDAP values
* CA related params - DNS records will be updated automatically based
* on LDAP values
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Since DNS location mechanism is active, this option has no effect,
because records are generate dynamically.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it ccache name is derived from pricipal name.
It solves a race condition in two concurrent request of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.
With this feature there are two ccaches so there is no clash.
https://fedorahosted.org/freeipa/ticket/5653
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
With a ca_cert_file specified in options, the nss_db was used before the
certificates from the file were added to it, which caused an exception
that led to fallback to ssh which is broken.
https://fedorahosted.org/freeipa/ticket/5965
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds new page with DNS Servers and details page about each server.
It is counterpart of dnsserver-{find,show,mod} CLI commands.
Part of: https://fedorahosted.org/freeipa/ticket/5905
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There was a bug when a new server was added it was not possible to set weight until
a location was set. This change corrects it and allows user to set a weight of server
without location.
Part of: https://fedorahosted.org/freeipa/ticket/5905
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The event is emited by clicking on the second node when adding segment by mouse.
The listener opens dialog and prefill values.
Part of: https://fedorahosted.org/freeipa/ticket/5648
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Create new semicircles around the node after mouseover. These work as buttons
to create arrow and after clicking on another node the Add topology segment dialog
is opened. Also selecting segment works, if the segment already exists then
the segment is selected instead of opening the dialog.
https://fedorahosted.org/freeipa/ticket/5648
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Remove hardcoded strings 'Actions ' and substitute them by strings from
translatable strings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
renew_ca_cert fails because it cannot access the 'config' plugin.
Bootstrap all the restart scripts to avoid such issues.
Fixes: https://fedorahosted.org/freeipa/ticket/5968
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)
In addition make sure that slapi-nis has a low precedence
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`ipa-replica-manage del` will now call `server_del` behind the scenes when a
removal of replica from managed topology is requested. The existing removal
options were mapped on the server_del options to maintain backwards
compatibility with earlier versions.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes <principal>@<master hostname> \
echo OK
The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal admin@EXAMPLE.COM).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
[sssd]
default_domain_suffix = ad.domain.com
this leads to the SSH connection failure because admin is not defined in
the default domain.
The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
-o GSSAPIAuthentication=yes -o User=<principal> \
<master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master
https://fedorahosted.org/freeipa/ticket/5812
Reviewed-By: Martin Basti <mbasti@redhat.com>
Store some parts of DNS configuration in LDAP tree instead of named.conf
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The option server_id is required for DNS location feature, otherwise it
will not work.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Objectclass: idnsServerConfigObject - stores configuration values for
DNS servers
Attributetype: idnsServerId - identifier of dns server (server hostname)
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The path how to get IPA domain in code was somehow obfuscated, this
patch simplifies and make clear what happened there with domain name.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
use the dns_update_system_records command to set proper DNS records
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For performace ipalocation should be indexed because it is used by
referint plugin
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.
Part of: https://fedorahosted.org/freeipa/ticket/5939
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
