Commit Graph

7877 Commits

Author SHA1 Message Date
Alexander Bokovoy
50f46fdedd Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Petr Vobornik
34fb9f02ef webui: do not offer ipa users to Default Trust View
https://fedorahosted.org/freeipa/ticket/4616

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:29:10 +02:00
Petr Vobornik
3485c6e689 webui: hide (un)apply buttons for Default Trust View
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:25:22 +02:00
Petr Vobornik
04a3dad96d webui: hide applied to hosts tab for Default Trust View
because applying Default Trust view on hosts is not allowed

https://fedorahosted.org/freeipa/ticket/4615

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:25:22 +02:00
Petr Vobornik
2046470be5 webui: change order of idview's facet groups
Applied to hosts facet should not be default because, e.g., for Default Trust View it shouldn't be even visible(o use).

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:25:22 +02:00
Petr Vobornik
b05f39510c webui: make Evented a part of base IPA.object
1. All framework objects to use event interface
2. Framework objects can be part of specification objects but they are not deep-cloned as the rest of specification objects - usually it would cause infinite loop. This makes it easier to add context as a $pre-op object without a need for $pre-op function.

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:25:22 +02:00
Petr Vobornik
502bf56713 webui: allow --force in dnszone-mod and dnsrecord-add
Allow to use --force when changing authoritative nameserver address in DNS zone.

Same for dnsrecord-add for NS record.

https://fedorahosted.org/freeipa/ticket/4573

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 12:06:02 +02:00
Nathaniel McCallum
424b0999c8 Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Petr Vobornik
905238fbee webui: management of keytab permissions
https://fedorahosted.org/freeipa/ticket/4419

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 10:13:47 +02:00
Nathaniel McCallum
2f8dc3b6cc Create ipa-otp-counter 389DS plugin
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.

Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.

https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:12:36 +02:00
Nathaniel McCallum
23878c36bb Display token type when viewing token
When viewing a token from the CLI or UI, the type of the token
should be displayed.

https://fedorahosted.org/freeipa/ticket/4563

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 09:59:19 +02:00
Martin Kosek
3e94aee790 Update contributors
Add missing developers contributing to project git. Cancel "Past and
Occasional" section and merge the people in the right categories.

Update .mailmap so that the Developer list can be easily re-generated.

Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2014-10-20 08:18:09 +02:00
Petr Vobornik
ace4beca75 webui: add new iduseroverride fields
- add gecos, gidnumber, loginshell, sshkeys fields

https://fedorahosted.org/freeipa/ticket/4617

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 15:57:11 +02:00
Petr Vobornik
bb8740aec6 webui: add link to OTP token app
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed

https://fedorahosted.org/freeipa/ticket/4469

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-17 15:53:34 +02:00
Petr Vobornik
47811d1ccf idviews: error out if applying Default Trust View on hosts
https://fedorahosted.org/freeipa/ticket/4615

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:28:13 +02:00
Petr Vobornik
7313ed4f9e tests: management of keytab permissions
https://fedorahosted.org/freeipa/ticket/4419

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Petr Vobornik
9cfcb03c70 keytab manipulation permission management
Adds new API:
  ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
  ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
  ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
  ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR

  ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
  ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
  ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
  ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR

these methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.

service|host-mod|show outputs these attrs only with --all option as:

  Users allowed to retrieve keytab: user1
  Groups allowed to retrieve keytab: group1
  Users allowed to create keytab: user1
  Groups allowed to create keytab: group1

Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will be also used in new features. Older
code may be refactored later.

https://fedorahosted.org/freeipa/ticket/4419

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Petr Vobornik
895f350ebf dns: fix privileges' memberof during dns install
Permissions with member attrs pointing to privileges are created before the privileges.

Run memberof plugin task to fix other ends of the relationships.

https://fedorahosted.org/freeipa/ticket/4637

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:08:37 +02:00
Jan Cholasta
5303e6324e Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
277850e02c Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
63557c2ca3 Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig
This fixes upgrade from CA-less to CA-full after IPA upgrade.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Martin Kosek
2e38855295 Remove changetype attribute from update plugin
The attribute addition had no effect, but it should not be there.
2014-10-17 12:02:25 +02:00
Jan Cholasta
b5f9d40dba Add ipa-client-install switch --request-cert to request cert for the host
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".

https://fedorahosted.org/freeipa/ticket/4550

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
68a36a2804 Fix certmonger.request_cert
https://fedorahosted.org/freeipa/ticket/4550

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
9607fe3b96 Fix CA cert validity check for CA-less and external CA installer options
https://fedorahosted.org/freeipa/ticket/4612

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-16 18:09:49 +02:00
Nathaniel McCallum
7ddf4b3539 Remove token vendor, model and serial defaults
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:55:39 +02:00
Nathaniel McCallum
0f69e753bd Remove token ID from self-service UI
Also, fix labels to properly use i18n strings for token types.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:53:27 +02:00
Martin Kosek
0a54b1c948 Raise better error message for permission added to generated tree
https://fedorahosted.org/freeipa/ticket/4523

Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-10-16 16:00:18 +02:00
Jan Cholasta
e50d197fc0 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.

https://fedorahosted.org/freeipa/ticket/4447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 13:33:40 +02:00
David Kupka
f0464801e5 Fix typo causing certmonger to be provided with wrong path to ipa-submit.
Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.

https://fedorahosted.org/freeipa/ticket/4624

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-16 09:49:46 +02:00
David Kupka
7e5a71dd46 Fix printing of reverse zones in ipa-dns-install.
This was forgotten in patch for ticket
https://fedorahosted.org/freeipa/ticket/3575

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-16 08:02:02 +02:00
David Kupka
080c8635de Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
bac2cc9799 Make named.conf template platform independent
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
ec928b1aec Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Ludwig Krispenz
57eab1e18e Ignore irrelevant subtrees in schema compat plugin
For changes in cn=changelog or o=ipaca the schema compat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backends in DS.

https://fedorahosted.org/freeipa/ticket/4586

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-14 11:00:43 +02:00
David Kupka
eea9da2a1b Set IPA CA for freeipa certificates.
In previous versions (before moving certmonger.py to DBus) it was set and some
tools and modules depend on it. For example: ipa-getcert uses this to filter
freeipa certificates.

https://fedorahosted.org/freeipa/ticket/4618

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-14 10:55:29 +02:00
Jan Cholasta
fdf46ac1c3 Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".

https://fedorahosted.org/freeipa/ticket/4496

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:20:28 +02:00
Alexander Bokovoy
a4798c7837 Require slapi-nis 0.54 or later for ID views support
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
Alexander Bokovoy
79c0b31c72 Update API version for ID views support
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
Alexander Bokovoy
aa0f5d35c5 Allow override of gecos field in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
Alexander Bokovoy
240d93bd80 Allow user overrides to specify GID of the user
Resolves https://fedorahosted.org/freeipa/ticket/4617

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
Alexander Bokovoy
ad6d019b47 Allow user overrides to specify SSH public keys
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.

SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454

Resolves https://fedorahosted.org/freeipa/ticket/4509

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
Alexander Bokovoy
8a8d2e71f3 Support overriding user shell in ID views
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:11:41 +02:00
David Kupka
da61691ccc Check that port 8443 is available when installing PKI.
https://fedorahosted.org/freeipa/ticket/4564

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:58:58 +02:00
Jan Cholasta
612fcf8564 Support building RPMs for RHEL/CentOS 7.0
https://fedorahosted.org/freeipa/ticket/4562

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:36:43 +02:00
Jan Cholasta
06f0b5b858 Add RHEL platform module
https://fedorahosted.org/freeipa/ticket/4562

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:36:43 +02:00
Jan Cholasta
43707907f0 Split off generic Red Hat-like platform code from Fedora platform code
https://fedorahosted.org/freeipa/ticket/4562

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:36:43 +02:00
Martin Basti
f74213877a Fix ipactl service ordering
Ipactl sorted service start order as string, which causes a service with start order
100 to start before a service with start order 30.

Patch fixes ipactl to use integers for ordering.

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 12:52:31 +02:00
Gabe
19f5ec840e Missing requires on python-dns in spec file
- Updated to required python-dns version 1.11.1

https://fedorahosted.org/freeipa/ticket/4613

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-09 10:11:56 +02:00
Martin Basti
6d10f98c6b DNS missing tests
* try to remove non-existent permission
* try to remove idnssoamname using dnszone-mod --name-server=

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 10:02:22 +02:00