When the admin runs ipa-cacert-manage install, he should also run
ipa-certupdate on master/replicas/clients in order to update the
certificates databases.
The man page should mention this requirement, and also clarify that
"install" command does not replace IPA CA but rather installs an
additional trusted CA.
https://fedorahosted.org/freeipa/ticket/6381
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When user is logged in and opens details page of another user there should not
be visible button for adding new certificate and also the option in action menu
for deleting certificate should be grayed out.
This is achieved by adding custom field for certificates widget, which is able to
read ACLs from result of user-show and not from cert-find result.
https://fedorahosted.org/freeipa/ticket/6341
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
In case that API is not accessible the 404 error is thrown. There was error dialog
with almost no information. The new dialog says what error is there and what can be
the main cause of the error.
https://fedorahosted.org/freeipa/ticket/4821
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Sometimes the entity_show command must be called with options which are gathered
from result of entity_find command. These options needs to be passed as
arguments in URL which points to details page.
This functionality is implemented to table facet. There is new property
'additional_navigation_arguments' which is prepared for array of attributes
which will be passed to URL.
Part of: https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way needs to explicitly contact root domain DCs
even in the case when an external trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.
At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).
Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.
Part of: https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Topology graph didn't show plus icons correctly.
There is a problem with uglifying of javascript code. It does not leave unicode character
written in hexadecimal format unchanged. Therefore this workaround which inserts
needed character using Javascript function and uglifiyng does not affect it.
https://fedorahosted.org/freeipa/ticket/6175
Reviewed-By: Martin Basti <mbasti@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
krbCanonicalName is for a long time among the attributes guarded by uniqueness
plugins, but there was never an index for it. Now that the attribute is really
used to store canonical principal names we need to add index for it to avoid
performance regressions.
https://fedorahosted.org/freeipa/ticket/6100
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
ipa-ca-install said that it used
/var/log/ipareplica-ca-install.log
but in fact it used
/var/log/ipaserver-ca-install.log
This patch unites it to ipareplica-ca-install.log
It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.
https://fedorahosted.org/freeipa/ticket/6086
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
