Commit Graph

24 Commits

Author SHA1 Message Date
Alexander Bokovoy
d5aa1ee04e trusts: add support for one-way trust and switch to it by default
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Fraser Tweedale
b24fe0eb73 Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.

Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.

Fixes https://fedorahosted.org/freeipa/ticket/4002

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Petr Vobornik
3241c2cb3a RCUE initial commit
https://fedorahosted.org/freeipa/ticket/3902
2014-01-21 12:04:02 +01:00
Martin Kosek
b9ec4d1a67 Prevent *.pyo and *.pyc multilib problems
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.

This patch:
 1) Ensures that timestamps of generated *.pyo and *.pyc files match
 2) Python integer literals greater or equal 2^32 and lower than 2^64
    are converted to long right away to prevent different type of
    the integer on architectures with different size of int

https://fedorahosted.org/freeipa/ticket/3858
2013-08-13 15:31:46 +02:00
Ana Krivokapic
fc3f3c90b9 Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:42 +02:00
Petr Vobornik
c72d0f5075 Generate plugin index dynamically
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:30 +02:00
Petr Vobornik
74b6099fb0 Web UI plugin loader
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:20 +02:00
Petr Vobornik
c71937fc0c Updated makefiles to build FreeIPA Web UI layer
Updated makefiles to comply to new directory structure and also to use builder
for building Web UI.

FreeIPA package spec is modified to use the output of the builder.

https://fedorahosted.org/freeipa/ticket/112
2013-01-18 15:10:37 +01:00
Petr Vobornik
206b6ca04b Kerberos authentication extension makefiles
Makefiles for new FF kerberos authentication extension

ihttps://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:07:34 -04:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Petr Viktorin
23e188f226 Arrange stripping .po files
The .po files we use for translations have two shortcomings when used in Git:
- They include file locations, which change each time the source is updated.
  This results in large, unreadable diffs that don't merge well.
- They include source strings for untranslated messages, wasting space
  unnecessarily.

Update the Makefile so that the extraneous information is stripped when the
files are updated or pulled form Transifex, and empty translation files are
removed entirely.
Also, translations are normalized to a common style. This should help diffs
and merges.

The validator requires file location comments to identify the programming
language, and to produce good error reports.
To make this work, merge the comments in before validation.

First patch for: https://fedorahosted.org/freeipa/ticket/2435
2012-07-24 16:54:21 -04:00
Rob Crittenden
717bbcd2bf Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
2012-04-10 01:08:41 -04:00
Petr Vobornik
2449b4d827 Fixed rpm build warning - extension.js listed twice
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js

This is because of a glob:
%{_usr}/share/ipa/ui/*.js

and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js

https://fedorahosted.org/freeipa/ticket/2253
2012-03-19 18:38:46 +01:00
Endi S. Dewata
52981883ab Fixed inconsistent image names.
The images have been renamed to be more consistent and moved into
the "images" directory to mimic the original jQuery UI structure.

Ticket #1613
2011-10-27 14:05:12 +00:00
John Dennis
4015667bbe ticket 1650 - compute accurate translation statistics
ticket 1650 (https://fedorahosted.org/freeipa/ticket/1650) has
an extensive discussion of the issues, please refer to that.

This patch does the following:

* does not count fuzzy translations when computing translation
  statistics via the "msg-stats" make target in install/po

* adds a new make target called "pull-po" which pulls updated po files
  from Transifex (configure.ac includes some trailing whitespace fixes)

* turns off the generation of fuzzy translation suggestions during the
  message merge phase.
2011-08-18 14:25:58 +02:00
Endi S. Dewata
4ff959f55d Removed custom layouts using HTML templates.
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.

Ticket #1501
2011-07-21 11:47:57 -04:00
Adam Young
b9ad279ad2 rename static to ui
Directory rename
2011-01-20 14:12:47 +00:00
Nalin Dahyabhai
b683c7261b build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
Endi S. Dewata
d99ebc0f37 HBAC Details Page
The UI framework has been extended to include a collection of widgets:
 - ipa_widget: base class
 - ipa_text_widget: text field
 - ipa_radio_widget: radio button
 - ipa_textarea_widget: textarea
 - ipa_button_widget: button
 - ipa_column_widget: column for table
 - ipa_table_widget: table

These widgets can be used to create input controls. They can also be
extended to create custom controls.

The framework has also been enhanced to support custom layouts. This
can be used to change the look of the application without changing
the code. Initially this is only available in details section.

Layout consists of a collection of HTML templates. Each template is a
complete and valid HTML file representing a portion of a page. The
template will be loaded and initialized by the code, then filled with
the data from the server. The layouts are located in
install/static/layouts/<name> folder.

By default, if no templates are used, the fields in the details page
are rendered vertically using dd/dt/dd tags. For pages that require
different layout, a custom UI needs to be developed. There are two ways
to do that:
 - write a custom widget to generate the UI dynamically
 - create an HTML template and write the initialization code

For components that are quite complex or used frequently, it's might
be better to use the first method. For simple pages that are used only
in one location or need to support customization, the second method
might be preferable. Other benefits of templates:
 - cleaner code and UI separation
 - more flexibility in customization
 - new pages can be developed quickly and require less coding
 - multiple templates can be used with the same initialization code
 - easier to maintain

The HBAC details page has been implemented using both methods. By
default it will use custom widgets to generate the page. To use a
custom layout, add the following parameter to the URL, then reload
the page:

  &layout=<name>

Currently the only available layout is 'default' which produces the
same look as the custom widgets.

The HBAC details page is usable, but it still needs additional work.
The access time is not working yet. There is no undo button, hint,
or validation yet.

The table in the association facet has also been changed to use
ipa_association_widget which is derived from ipa_table_widget.

The Makefile has been updated to include the layouts. The unit tests
have been updated as well.
2010-11-04 14:22:32 -04:00
Adam Young
b7162b3b8a Changes to the install and config files to support deploying the javascript code. 2010-08-06 11:55:52 -04:00
John Dennis
e7dbbd96b4 Add translation statistics
The Makefile in install/po has a new target "msg-stats" which
prints out statistics concerning the current pot and po files.
Here is an example:

% make msg-stats
ipa.pot has 133 messages
id.po:   107/133  80.5%   13 po untranslated,   13 missing,   26 untranslated
kn.po:     4/133   3.0%  116 po untranslated,   13 missing,  129 untranslated
pl.po:   120/133  90.2%    0 po untranslated,   13 missing,   13 untranslated

Also update configure.ac to search for msgcmp, awk & sed programs.
2010-02-19 14:53:43 -05:00
John Dennis
4461a74403 Add support for building internationalized translations.
A new directory install/po has been added which contains all
the translations for all files in IPA.

The build has been agumented to build these files. Also the
autogen.sh script was mostly replaced by autoreconf, the preferred
method. The old autogen.sh sript also had some serious bugs in the
way it compared versions which caused it to run old versions of some
of the tools, using standared autoreconf is much better.
2010-02-09 22:07:18 -05:00
Pavel Zuna
c15c1eee72 Add DS migration plugin and password migration page. 2010-01-20 16:54:17 -05:00
Rob Crittenden
2d7e0de5ea Get merged tree into an installalble state.
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.

The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.
2009-02-03 15:29:20 -05:00