From 15838700819a46e4268e33261fb7cd538eba522a Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Thu, 21 May 2015 10:46:48 +0200 Subject: [PATCH 01/18] updating poms for 1.0.3-SNAPSHOT development --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 484e0a2..25d39b6 100755 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ sk.eea.edem odn-cas-overlay war - 1.0.2-SNAPSHOT + 1.0.3-SNAPSHOT From 0de2c1403d52e9c323f1be8063365eb9158794b0 Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Thu, 21 May 2015 11:06:15 +0200 Subject: [PATCH 02/18] updating develop poms to master versions to avoid merge conflicts --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 25d39b6..d1e387a 100755 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ sk.eea.edem odn-cas-overlay war - 1.0.3-SNAPSHOT + 1.0.2 From 96adf02ddcc40a165aaa90e858b96a8242824bec Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Thu, 21 May 2015 11:06:15 +0200 Subject: [PATCH 03/18] Updating develop poms back to pre merge state --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d1e387a..25d39b6 100755 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ sk.eea.edem odn-cas-overlay war - 1.0.2 + 1.0.3-SNAPSHOT From ccf55257a700b8489b97ae9cff68841d96e9f77f Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Tue, 2 Jun 2015 10:02:19 +0200 Subject: [PATCH 04/18] constructor changed --- src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java b/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java index 949a62a..11e7487 100644 --- a/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java +++ b/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java 
@@ -147,7 +147,7 @@ public TicketGrantingTicket grantTicketGrantingTicket( this.grantedTicketAlready = Boolean.TRUE; } - return new TicketGrantingTicketImpl(id, this.getGrantingTicket(), + return new TicketGrantingTicketImpl(id, null, this.getGrantingTicket(), authentication, expirationPolicy); } From 50975f1b0444dbb70ee8db327f61db020c6a65be Mon Sep 17 00:00:00 2001 From: Jan Marcek Date: Tue, 2 Jun 2015 11:05:40 +0200 Subject: [PATCH 05/18] slapd listens on 127.0.0.1 --- src/deb/control/postinst | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/deb/control/postinst b/src/deb/control/postinst index 5f737de..01d31bd 100755 --- a/src/deb/control/postinst +++ b/src/deb/control/postinst @@ -41,6 +41,15 @@ service_start() { fi } +service_slapd_restart() { + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d slapd restart || true + else + service slapd restart || true + fi +} + + get_hostname() { HOSTNAME=`hostname --all-fqdns` if [ -z ${HOSTNAME} ] @@ -96,6 +105,7 @@ set_ldap_evolveum() { chmod +x /usr/share/odn-cas/bin/slapdadm chmod +x /usr/share/odn-cas/bin/ldaptest + CONFIG=/etc/default/slapd LDAP_DB_PATH=/var/lib/ldap_odn if [ ! -d $LDAP_DB_PATH ]; then @@ -113,7 +123,16 @@ set_ldap_evolveum() { ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/odn-simple/ldap/admin.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /usr/share/odn-simple/ldap/acl.ldif - echo "ldap user for IDM created" + echo "ldap user for IDM created" + + # set slapd to running on 127.0.0.1 + if grep -q "^SLAPD_SERVICES=\"ldap://127.0.0.1:389/" $CONFIG ; then + echo "slapd has already been set to running on localhost port" + else + sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap:\/\/127.0.0.1:389\/\/ ldapi:\/\/\/\"/" $CONFIG + fi + + service_slapd_restart else echo "ldap has already been set" fi From 483e39d8217575f01e3f62012cece9a98c4ff8b5 Mon Sep 17 00:00:00 2001 
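Review bot: The second constructor argument is now a literal `null`, so whatever that slot records about the granting service is dropped on every ticket-granting ticket minted from a service ticket, and the hunk gives no reason for it. If this overlay tracks the CAS 4.1 signature `TicketGrantingTicketImpl(id, proxiedBy, ticketGrantingTicket, authentication, expirationPolicy)`, that slot is the `proxiedBy` service and upstream passes `this.getService()`, so the line should read `return new TicketGrantingTicketImpl(id, this.getService(), this.getGrantingTicket(),`; if the null is deliberate, a why-comment such as `// proxiedBy left null: <reason>` belongs above it. The enclosing `grantTicketGrantingTicket` method starts outside the hunk.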
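Review bot: The `sed` replacement yields `SLAPD_SERVICES="ldap://127.0.0.1:389// ldapi:///"` — a doubled slash after the port that looks like an escaping slip and that slapd's listener URL parser may not accept; the intended line is `sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap:\/\/127.0.0.1:389\/ ldapi:\/\/\/\"/" $CONFIG`. The preceding `grep -q "^SLAPD_SERVICES=\"ldap://127.0.0.1:389/"` guard also matches the doubled form, so a botched first run is reported as already set and never repaired. If `/etc/default/slapd` ships the line commented out (`#SLAPD_SERVICES=...`) or absent, the `^SLAPD_SERVICES.*` pattern matches nothing and slapd silently keeps listening on every interface; appending the setting when no uncommented line exists, e.g. `grep -q '^SLAPD_SERVICES=' $CONFIG || echo 'SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"' >> $CONFIG`, makes the localhost-only binding hold. Note that `service_slapd_restart` swallows failures with `|| true`, so a rejected URL would surface only later as CAS failing to reach LDAP. These hunks sit inside `set_ldap_evolveum`, whose start is outside the hunk.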
From: Jan Marcek Date: Tue, 2 Jun 2015 11:06:19 +0200 Subject: [PATCH 06/18] fixed cas log --- cas.properties | 2 +- log4j2.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++ pom.xml | 20 +++++++------- 3 files changed, 84 insertions(+), 11 deletions(-) create mode 100644 log4j2.xml diff --git a/cas.properties b/cas.properties index a3bcf65..ebf1fb5 100755 --- a/cas.properties +++ b/cas.properties @@ -133,7 +133,7 @@ host.name=cas01.example.org # # log4j refresh interval in millis # log4j.refresh.interval=60000 - +log4j.config.location=file:/etc/odn-cas/log4j2.xml ## # Password Policy # diff --git a/log4j2.xml b/log4j2.xml new file mode 100644 index 0000000..3845bc4 --- /dev/null +++ b/log4j2.xml @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/pom.xml b/pom.xml index 25d39b6..c4f3c6a 100755 --- a/pom.xml +++ b/pom.xml @@ -65,16 +65,6 @@ /etc - ${basedir}/src/deb/usr/share/odn-cas directory @@ -171,6 +161,16 @@ odn-cas + + ${project.basedir}/log4j2.xml + file + + perm + /etc/odn-cas + odn-cas + odn-cas + + From b0aaf00ea5c83632de973d2f8c007d73c7731636 Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Thu, 4 Jun 2015 22:47:16 +0200 Subject: [PATCH 07/18] modified css added --- src/main/webapp/css/cas.css | 271 ++++++++++++++++++++++++++++++++++++ 1 file changed, 271 insertions(+) create mode 100644 src/main/webapp/css/cas.css diff --git a/src/main/webapp/css/cas.css b/src/main/webapp/css/cas.css new file mode 100644 index 0000000..6895ebf --- /dev/null +++ b/src/main/webapp/css/cas.css 
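Review bot: `/etc/odn-cas/log4j2.xml` is installed under a `perm` mapper whose user and group are `odn-cas`, the account the service runs as (`create_user`/`fix_perms` in postinst), so a compromised CAS process can rewrite its own logging configuration, and `log4j.config.location=file:/etc/odn-cas/log4j2.xml` in cas.properties points CAS at exactly that file. Log4j 2 configuration controls appender targets and, when `monitorInterval` is set, is hot-reloaded, so the file should be root-owned and merely readable by the service: drop the two `odn-cas` ownership lines (jdeb defaults to root) or set an explicit `<filemode>644</filemode>`. The mapper's filemode is not visible in this hunk and the log4j2.xml content was stripped by extraction, so whether `monitorInterval` is enabled cannot be confirmed from here.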
@@ -0,0 +1,271 @@ +/* + * Licensed to Apereo under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Apereo licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +html, body, div, span, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, abbr, +address, cite, code, del, dfn, em, img, ins, kbd, q, samp, small, strong, sub, sup, var, +b, i, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, +thead, tr, th, td, article, aside, canvas, details, figcaption, figure, footer, header, +hgroup, menu, nav, section, summary, time, mark, audio, video { + margin: 0; + padding: 0; + border: 0; + outline: 0; + font-size: 100%; + vertical-align: baseline; + background: transparent; +} +body { line-height: 1; } +nav ul { list-style: none; } +blockquote, q { quotes: none; } +blockquote:before, blockquote:after, q:before, q:after { content: ''; content: none; } +a { margin: 0; padding: 0; font-size: 100%; vertical-align: baseline; background: transparent; } +ins { background-color: #ff9; color: #000; text-decoration: none; } +mark { background-color: #ff9; color: #000; font-style: italic; font-weight: bold; } +del { text-decoration: line-through; } +abbr[title], dfn[title] { border-bottom: 1px dotted; cursor: help; } +table { border-collapse: collapse; border-spacing: 0; } +hr { display: 
block; height: 1px; border: 0; border-top: 1px solid #cccccc; margin: 1em 0; padding: 0; } +input, select { vertical-align: middle; } +body { font-family: Verdana, sans-serif; font-size: 11px; line-height: 1.4em; background: #eee; } + +#container { width: 960px; margin: 0 auto; } + +@media only screen and (max-width: 960px) { + #container { width: 100%; } + #content { + -webkit-border-bottom-right-radius: 0px; + -webkit-border-bottom-left-radius: 0px; + -moz-border-radius-bottomright: 0px; + -moz-border-radius-bottomleft: 0px; + border-bottom-right-radius: 0px; + border-bottom-left-radius: 0px; + } +} + +body { + background: #153e50; /* Old browsers */ +} + +a:link, a:visited { + color: #257bb2; +} + +a:hover { + color: #a0b757; +} + +p { + margin-bottom: 1.4em; +} + +header { + overflow: hidden; + padding: 20px 0; +} + +#logo { + display: block; + background: url(../images/logo.png) no-repeat; + text-indent: -999em; + float: left; + height: 100px; + width: 80%; + margin-right: 40px; + border: 0px; +} + +header h1 { + float: right; + width: 119px; + height: 60px; + background: url(../images/cas-logo.png) no-repeat; + text-indent: -999em; +} + +#content { + overflow: hidden; + background: #fff; + padding: 20px; + -webkit-border-radius: 10px; + -moz-border-radius: 10px; + border-radius: 10px; +} + +#msg { + padding: 20px; + margin-bottom: 40px; +} + +#msg.errors { + border: 1px dotted #BB0000; + color: #BB0000; + padding-left: 100px; + background: url(../images/error.png) no-repeat 20px center; +} + +#msg.success { border: 1px dotted #390; color: #390; padding-left: 100px; background: url(../images/success.png) no-repeat 20px center; } +#msg.info { border: 1px dotted #008; color: #008; padding-left: 100px; background: url(../images/info.png) no-repeat 20px center; } +#msg.question { border: 1px dotted #390; color: #390; padding-left: 100px; background: url(../images/question.png) no-repeat 20px center; } +#msg.warn { border: 1px dotted #960; color: #960; 
padding-left: 100px; background: #ffbc8f url(../images/info.png) no-repeat 20px center; } + +.errors { + border: 1px dotted #BB0000; + color: #BB0000; + padding-left: 100px; + padding-top:5px; + margin-bottom:5px; + background: url(../images/error.png) no-repeat 20px center; +} + +#serviceui.serviceinfo { + border: 1px dotted #0066FF; + color: black; + padding-left: 10px; + padding-top: 5px; +} + +#servicedesc { + vertical-align:middle; + padding-left: 30px; + width: 90%; +} + +#login { + width: 320px; + float: left; + margin-right: 20px; +} + +#login h2 { + font-weight: normal; + font-size: 1.4em; + margin-bottom: 20px; +} + +#login .row { + padding: 10px 0; +} + +#login label { + display: block; + margin-bottom: 2px; +} + +#login .check label { + display: inline; +} + +#login input[type=text], #login input[type=password] { + font-size: 1.4em; + padding: 5px; +} + +#login .btn-submit { + background: #70ba61; + border: 0; + padding: 10px 20px; + font-weight: bold; + color: white; + -webkit-border-radius: 4px; + -moz-border-radius: 4px; + border-radius: 4px; +} + +#login .btn-reset { + background: #eee; + padding: 10px 20px; + border: 0; + -webkit-border-radius: 4px; + -moz-border-radius: 4px; + border-radius: 4px; +} + +#login .btn-submit:hover, #login .btn-reset:hover { + cursor: pointer; +} + +#login .btn-submit:hover { + background: #7fd36e; +} + +#login .btn-reset:hover { + background: #d4d4d4; +} + +#sidebar { + width: auto; + height: 100%; +} + +#sidebar-content { + padding-left: 20px; +} + +#list-languages h3 { + margin-bottom: 1.4em; +} + +#list-languages ul li { + list-style: none; + display: inline-block; + margin-right: 2em; +} + +footer { + padding: 20px; + color: white; +} + +footer a:link, footer a:visited { + color: white; +} + +@media only screen and (max-width: 960px) { + header { padding: 20px; } + #container { width: 100%; } + #content { + -webkit-border-radius: 0px; + -moz-border-radius: 0px; + border-radius: 0px; + } +} + +@media only screen 
and (max-width: 855px) { + #logo { display: none; } + header h1 { font-size: 1em; width: 70px; height: 40px; background-size: 70px 40px; } + #login { float: none; width: 100%; } + #fm1 .row input[type=text], + #fm1 .row input[type=password] { width: 100%; padding: 10px; box-sizing: border-box; -webkit-box-sizing: border-box; -moz-box-sizing: border-box; } + #fm1 .row .btn-submit { outline: none; -webkit-appearance: none; -webkit-border-radius: 0; border: 0; background: #70ba61; color: white; font-weight: bold; width: 100%; padding: 10px 20px; -webkit-border-radius: 3px; -moz-border-radius: 3px; border-radius: 3px; } + #fm1 .row .btn-reset { display: none; } + #sidebar { margin-top: 20px; } + #sidebar .sidebar-content { padding: 0; } +} + +/* apereo/odn css redesign code */ +body { background-color: white; } +#container header h1, #logo { visibility: hidden; } +#serviceui { display: none; } +#container a:link, #container a:visited, #container a:hover, #login h2 { color: #2c3e50; } +#container a:hover { text-decoration: none; } +#container footer, #container footer a:link, #container footer a:visited, #container footer a:hover { color: #666666; } +#content { border: 2px solid #cccccc; background-color: #f8f8f8; } +#login h2::before {font-size: 16px; font-weight: bold; display:block; padding-bottom: 20px;color: black; content: "Open Data Node authentication"; } +#login h2 { margin-bottom: 10px; } +#login .btn-submit { font-size: 14px; font-weight: 700; background-color: #2c3e50; color: white; } +#login .btn-reset { background-color: #ddd; } From 41574808882df7331e1ff769e8f7f680c63c6a05 Mon Sep 17 00:00:00 2001 From: Jan Marcek Date: Wed, 10 Jun 2015 10:13:15 +0200 Subject: [PATCH 08/18] improved ssl creation. distrubute cert and private key to specific location --- pom.xml | 31 +++++++++++-------------------- src/deb/control/postinst | 40 +++++++++++++++++++--------------------- 2 files changed, 30 insertions(+), 41 deletions(-) 
diff --git a/pom.xml b/pom.xml index c4f3c6a..d2fe7d0 100755 --- a/pom.xml +++ b/pom.xml @@ -71,8 +71,6 @@ perm /usr/share/odn-cas - odn-midpoint - odn-midpoint @@ -81,11 +79,11 @@ /var/cache/odn-cas/ /var/log/odn-cas/ /var/tmp/odn-cas + /etc/odn-cas/ssl/certs + /etc/odn-cas/ssl/private perm - odn-cas - odn-cas @@ -95,10 +93,17 @@ true perm - odn-cas - odn-cas + + link + /usr/local/share/ca-certificates/odn-cert.pem + /etc/odn-cas/ssl/certs/odn-cert.pem + true + + perm + + link /usr/share/odn-cas/work @@ -106,8 +111,6 @@ true perm - odn-cas - odn-cas @@ -117,8 +120,6 @@ true perm - odn-cas - odn-cas @@ -127,8 +128,6 @@ perm /usr/share/odn-cas/webapps/cas - odn-cas - odn-cas @@ -137,8 +136,6 @@ perm /usr/share/odn-simple/ldap - odn-cas - odn-cas @@ -147,8 +144,6 @@ perm /etc/odn-simple/ldap - odn-cas - odn-cas @@ -157,8 +152,6 @@ perm /etc/odn-cas - odn-cas - odn-cas @@ -167,8 +160,6 @@ perm /etc/odn-cas - odn-cas - odn-cas diff --git a/src/deb/control/postinst b/src/deb/control/postinst index 01d31bd..d2c1a00 100755 --- a/src/deb/control/postinst +++ b/src/deb/control/postinst @@ -26,9 +26,10 @@ create_user() { fix_perms() { chmod +x /etc/init.d/odn-cas - chown odn-cas /var/cache/odn-cas - chown odn-cas /var/tmp/odn-cas - chown odn-cas /var/log/odn-cas + chown odn-cas -R /var/cache/odn-cas + chown odn-cas -R /var/tmp/odn-cas + chown odn-cas -R /var/log/odn-cas + chown odn-cas -R /usr/share/odn-cas } service_start() { 
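Review bot: `/etc/odn-cas/ssl/private` is added as a plain directory entry whose only mapper is a `perm` with the `odn-cas` ownership lines removed and no filemode visible in the hunk, yet the postinst change in this same commit writes the unencrypted TLS private key into it with `openssl ... -nodes`; depending on OpenSSL version and umask that key can land world-readable, so the directory needs an explicit `<filemode>700</filemode>` (root-owned is fine — only the JKS under `conf/` is read at runtime). The new `link` entry makes `/usr/local/share/ca-certificates/odn-cert.pem` point at the service's own self-signed leaf certificate, so `update-ca-certificates` turns a server key into a system-wide trust anchor; if that key leaks, an attacker can mint certificates every TLS client on the host trusts. If the only consumer is the Java side, import the certificate into a dedicated truststore instead of the OS bundle. With ownership lines removed from every mapper in this diff, the resulting default modes for each path are worth checking once.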
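Review bot: `chown odn-cas -R /usr/share/odn-cas` hands the entire install tree — the webapp under `webapps/cas`, the `bin/` scripts that postinst itself runs as root (`ldapgenerate`, `slapdconf`, `slapdadm`), and `conf/.keystore` — to the account the service runs as, so a compromised CAS process can plant code that root executes on the next package configure and persist itself in the deployed webapp. Keep the tree root-owned and give odn-cas write access only where it is needed; cache, tmp and log are already handled by the three lines above, and if Tomcat needs the `work` directory linked from pom.xml, chown that explicitly: `chown -R odn-cas /usr/share/odn-cas/work`. Whether the server needs write access anywhere else under the tree is not visible here, so verify against the init script before narrowing. `fix_perms` is complete in this hunk.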
@@ -71,28 +72,20 @@ generate_keystore() {
     echo ">> generate_keystore"
     HOSTNAME=$(get_hostname)
-
+    CERTS_PATH=/etc/odn-cas/ssl/certs
+    PRIVATE_PATH=/etc/odn-cas/ssl/private
     KEYSTORE_NAME=/usr/share/odn-cas/conf/.keystore
     KEYSTORE_PASSWORD="changeit"
     PRIVATEKEY_PASS="changeit"
     DAYS_VALID=730
-    CERTS_PATH=/usr/local/share/ca-certificates/$HOSTNAME
-    if [ ! -d $CERTS_PATH ] ; then
-        mkdir $CERTS_PATH
-
-        openssl req -x509 -days $DAYS_VALID -newkey rsa:2048 -keyout servicekey.pem -out servicecert.pem -passout pass:$KEYSTORE_PASSWORD -subj '/CN='${HOSTNAME}''
-        openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name tomcat -passin pass:$KEYSTORE_PASSWORD -passout pass:$PRIVATEKEY_PASS
-        keytool -importkeystore -destkeystore $KEYSTORE_NAME -deststorepass $KEYSTORE_PASSWORD -deststoretype jks -srckeystore service.p12 -srcstorepass $PRIVATEKEY_PASS -srcstoretype pkcs12
-        keytool -export -storepass $KEYSTORE_PASSWORD -keystore /usr/share/odn-cas/conf/.keystore -alias tomcat -file $CERTS_PATH/export.crt
-        rm *.pem *.p12
-
-        update-ca-certificates
-        echo "keystore created"
-    else
-        echo "keystore has already been set"
-    fi
-
+    openssl req -x509 -days $DAYS_VALID -newkey rsa:2048 -keyout $PRIVATE_PATH/odn-key.pem -out $CERTS_PATH/odn-cert.pem -passout pass:$KEYSTORE_PASSWORD -subj '/CN='${HOSTNAME}'' -nodes
+    openssl pkcs12 -export -inkey $PRIVATE_PATH/odn-key.pem -in $CERTS_PATH/odn-cert.pem -out $CERTS_PATH/service.p12 -name tomcat -passin pass:$KEYSTORE_PASSWORD -passout pass:$PRIVATEKEY_PASS
+    keytool -importkeystore -destkeystore $KEYSTORE_NAME -deststorepass $KEYSTORE_PASSWORD -deststoretype jks -srckeystore $CERTS_PATH/service.p12 -srcstorepass $PRIVATEKEY_PASS -srcstoretype pkcs12
+
+    update-ca-certificates
+    echo "keystore created"
+
     echo "<< generate_keystore"
 }
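Review bot: The PKCS#12 bundle is now written to `$CERTS_PATH/service.p12` — the public certificates directory — and, unlike the removed `rm *.pem *.p12`, is never deleted, so a second copy of the private key protected only by the hard-coded `changeit` stays on disk next to the certificate. Write it under the private directory and remove it once keytool has imported it: `-out $PRIVATE_PATH/service.p12` on the pkcs12 line, the matching `-srckeystore $PRIVATE_PATH/service.p12`, and `rm -f $PRIVATE_PATH/service.p12` after the import. `-nodes` leaves `odn-key.pem` unencrypted, which is acceptable for an unattended service only if the file is not readable by others — there is no `umask` or `chmod 600 $PRIVATE_PATH/odn-key.pem` here and older OpenSSL honours the ambient umask for `-keyout`, so add the chmod. The `if [ ! -d ]` guard is removed without a replacement inside this function, so a second call overwrites the key and then hits `keytool -importkeystore` with the `tomcat` alias already present, which prompts or fails non-interactively; the version check in the `configure` case is the only thing preventing that.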
@@ -142,10 +135,15 @@ set_ldap_evolveum() {
 case "$1" in
     configure)
+        VERSION="$2"
         create_user
         fix_perms
         set_ldap_evolveum
-        generate_keystore
+        # if not upgrade
+        if [ "${VERSION}" = "" ] ; then
+            generate_keystore
+        fi
+
         service_start
     ;;

From 274e2fa53834e4d45d37dbcb7151d475870a2094 Mon Sep 17 00:00:00 2001
From: Jan Marcek
Date: Wed, 10 Jun 2015 12:56:08 +0200
Subject: [PATCH 09/18] changed extension of odn certificate - because update-ca-certificates reads *.crt in /usr/local/share/ca-certificates/

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d2fe7d0..14f5f84 100755
--- a/pom.xml
+++ b/pom.xml
@@ -97,7 +97,7 @@
 link
- /usr/local/share/ca-certificates/odn-cert.pem
+ /usr/local/share/ca-certificates/odn-cert.crt
 /etc/odn-cas/ssl/certs/odn-cert.pem
 true

From ae3f5c36dbab198edd48c01d381cbb84eb2209b1 Mon Sep 17 00:00:00 2001
From: Peter Klimo
Date: Wed, 10 Jun 2015 15:03:25 +0200
Subject: [PATCH 10/18] midpointAccounStatus handling added

---
 cas.properties | 6 -
 src/deb/control/postinst | 5 +-
 src/deb/etc/ldap/schema/midpoint.schema | 80 +++++
 src/deb/usr/share/odn-cas/bin/schema2ldif | 343 ++++++++++++++++++++++
 src/deb/usr/share/odn-cas/bin/slapdadm | 55 +++-
 src/deb/usr/share/odn-cas/bin/slapdconf | 195 +++++++++++-
 src/slapd/data/acl.ldif | 4 +-
 7 files changed, 677 insertions(+), 11 deletions(-)
 create mode 100644 src/deb/etc/ldap/schema/midpoint.schema
 create mode 100755 src/deb/usr/share/odn-cas/bin/schema2ldif

diff --git a/cas.properties b/cas.properties
index ebf1fb5..ff32f1d 100755
--- a/cas.properties
+++ b/cas.properties
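Review bot: Skipping `generate_keystore` whenever `$2` is non-empty ties key generation to dpkg's "most recently configured version", not to whether a key actually exists: after `dpkg --remove` (without purge) and a reinstall, `$2` carries the old version while `/etc/odn-cas/ssl/private/odn-key.pem` and `conf/.keystore`, which the package does not own, may be missing or stale, and the service starts without a usable keystore. Conversely, a `configure` re-run after a failed first attempt still sees an empty `$2` and regenerates, overwriting a half-created key. Keying on the artifact is more robust: `if [ ! -f /etc/odn-cas/ssl/private/odn-key.pem ] ; then generate_keystore ; fi`. Whether `postrm` removes these files is not visible in this patch, so treat the reinstall scenario as a hypothesis to confirm.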
@@ -187,12 +187,6 @@ ldap.useStartTLS=false # Base DN of users to be authenticated ldap.authn.baseDn=ou=people,dc=opendata,dc=org -# Manager DN for authenticated searches -ldap.authn.managerDN=uid=idm,ou=Administrators,dc=opendata,dc=org - -# Manager password for authenticated searches -ldap.authn.managerPassword=secret - # Search filter used for configurations that require searching for DNs #ldap.authn.searchFilter=(&(uid={user})(accountState=active)) ldap.authn.searchFilter=(uid={user}) diff --git a/src/deb/control/postinst b/src/deb/control/postinst index 01d31bd..6259050 100755 --- a/src/deb/control/postinst +++ b/src/deb/control/postinst @@ -103,7 +103,8 @@ set_ldap_evolveum() { chmod +x /usr/share/odn-cas/bin/ldapgenerate chmod +x /usr/share/odn-cas/bin/slapdconf chmod +x /usr/share/odn-cas/bin/slapdadm - chmod +x /usr/share/odn-cas/bin/ldaptest + chmod +x /usr/share/odn-cas/bin/ldaptest + chmod +x /usr/share/odn-cas/bin/schema2ldif CONFIG=/etc/default/slapd LDAP_DB_PATH=/var/lib/ldap_odn @@ -121,6 +122,8 @@ set_ldap_evolveum() { /usr/share/odn-cas/bin/ldapgenerate -D cn=admin,$TREE -w admin -i -s dc=opendata,dc=org + /usr/share/odn-cas/bin/slapdconf add-schema --dbDir $LDAP_DB_PATH --rootPassword admin -f /etc/ldap/schema/midpoint.schema + ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/odn-simple/ldap/admin.ldif ldapmodify -Y EXTERNAL -H ldapi:/// -f /usr/share/odn-simple/ldap/acl.ldif echo "ldap user for IDM created" diff --git a/src/deb/etc/ldap/schema/midpoint.schema b/src/deb/etc/ldap/schema/midpoint.schema new file mode 100644 index 0000000..9134a39 --- /dev/null +++ b/src/deb/etc/ldap/schema/midpoint.schema 
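Review bot: `slapdconf add-schema --dbDir $LDAP_DB_PATH --rootPassword admin -f /etc/ldap/schema/midpoint.schema` passes the directory root password on the command line, where every local user can read it from `ps` or `/proc/*/cmdline` while it runs, and the value is the literal default `admin` — the same one the existing `ldapgenerate -D cn=admin,$TREE -w admin` line uses, so this commit extends the pattern rather than introducing it. The surrounding code already binds as root via `-Y EXTERNAL -H ldapi:///` for `ldapadd`/`ldapmodify`, and `slapdconf` accepts `-Y` (`saslMechanism|Y` in its option table), so the schema load could use the same SASL EXTERNAL bind and drop the password; if it must stay, generate it once (e.g. `ROOT_PW=$(head -c 18 /dev/urandom | base64)`), use it for both commands, and keep it out of argv. Whether `add-schema` honours `-Y` is outside what this diff shows.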
@@ -0,0 +1,80 @@ +# MidPoint LDAP Schema +# +# Copyright (c) 2015 Evolveum +# + +objectIdentifier Evolveum 1.3.6.1.4.1.45689 + +objectIdentifier Ldap Evolveum:1 +objectIdentifier Products Ldap:1 +objectIdentifier MidPoint Products:1 +objectIdentifier MidPointObjectClass MidPoint:1 +objectIdentifier MidPointAttributeType MidPoint:2 + +#---------------------------------------------------------------------- +# Attributes +#---------------------------------------------------------------------- + +# +# All attribute values conform exatly to LDAP schema definition unless +# specified otherwise. For example, all Strings with directory string +# syntax may have national characters (any valid unicode codepoint), may +# contain spaces, etc. - unless that is explicitly constrained by +# comments in this schema definition. +# +# Case sensitivity is determined by EQUALITY matching rule (unless +# explicitly specified otherwise). +# + +# midPointAccountStatus +# +# Description: +# Activation status of the account. Active accounts behave normally. +# Inactive accounts still do exist, but any attempts for +# authentication/authorization should fail. Access using the inactive +# accounts much be denied even if they have valid credentials. +# If this attribute is not present then a default value of "enabled" +# is assumed (for compatibility). +# +# Format: String enumeration. Valid values: +# "enabled": account is active +# "disabled": account is inactive +# + +attributetype ( MidPointAttributeType:1 + NAME 'midPointAccountStatus' + DESC 'Activation status of the account' + SUP name + SINGLE-VALUE ) + + +#---------------------------------------------------------------------- +# Object Classes +#---------------------------------------------------------------------- + +# +# midPointPerson +# +# Descripton: +# Auxiliary object class to add to person-like objects to make them +# practical represenations of accounts. This is designed for use in +# Evolveum IAM solutios. 
It adds features that OpenLDAP normally +# does not have (such as account activation). +# +# Naming Attribute: not defined (auxiliary object class) +# +# Important Attributes: +# midPointAccountStatus: Activation status of the account. +# + +objectClass ( MidPointObjectClass:1 + NAME 'midPointPerson' + DESC 'Auxiliary object class to add to person-like objects to make them practical represenations of accounts' + AUXILIARY + MAY ( midPointAccountStatus ) ) + + +#---------------------------------------------------------------------- +# End of MidPoint schema +#---------------------------------------------------------------------- + diff --git a/src/deb/usr/share/odn-cas/bin/schema2ldif b/src/deb/usr/share/odn-cas/bin/schema2ldif new file mode 100755 index 0000000..f746a18 --- /dev/null +++ b/src/deb/usr/share/odn-cas/bin/schema2ldif 
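Review bot: The schema defines `midPointAccountStatus` with the documented contract that a `disabled` account "must be denied even if they have valid credentials", but nothing visible in this patch makes CAS enforce it: the only `cas.properties` change deletes the manager DN/password, and the active search filter stays `ldap.authn.searchFilter=(uid={user})` with the status-aware variant still commented out (`#ldap.authn.searchFilter=(&(uid={user})(accountState=active))`, which also names a different attribute). The filter should become `ldap.authn.searchFilter=(&(uid={user})(!(midPointAccountStatus=disabled)))` — negated rather than `=enabled`, because the schema states that an absent attribute means enabled. The `acl.ldif` part of this commit is not shown, so if enforcement lives there, a pointer in the schema header comment would help the next reader.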
@@ -0,0 +1,343 @@ +#!/usr/bin/perl +# +# Copyright (c) 2005-2015 Radovan Semancik +# Copyright (c) 2014-2015 Evolveum +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# +# schema2ldif: Tool for converting OpenLDAP-style schemas to the LDIF format +# ----------- +# +# The LDIF-formated LDAP schemas are difficult to edit and maintain. OpenLDAP +# defined a similar schema format that is more free-form and easier to edit. +# This tool converts the OpenLDAP-formatted schema files to the LDIF. 
+# +# Original author: Radovan Semancik +# +# Usage +# ----- +# +# schema2ldif < foo.schema > foo.ldif +# +# OpenLDAP schema format +# ---------------------- +# +# objectIdentifier nLight 1.3.6.1.4.1.23611 +# objectIdentifier nLightLdap nLight:1 +# +# attributetype ( oid-my-attr-1 +# NAME 'my-attr-1' +# DESC 'description of my-attr-1 attribute' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# ) +# +# attributetype ( nLightLdap:2 +# NAME 'my-attr-2' +# DESC 'description of my-attr-2 attribute' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +# ) +# +# objectclass ( oid-my-person +# NAME 'my-person' +# DESC 'description of my-person attribute' +# SUP 'inetOrgPerson' +# MAY ( my-attr-1 ) +# ) +# +# LDIF schema format +# ------------------ +# +# dn: cn=schema +# objectClass: top +# objectClass: ldapSubentry +# objectClass: subschema +# cn: schema +# attributeTypes: ( oid-my-attr-1 NAME 'my-attr-1' DESC 'description of my-attr-1 attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) +# attributeTypes: ( 1.3.6.1.4.1.23611.1.2 NAME 'my-attr-2' DESC 'description of my-attr-2 attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) +# objectClasses: ( oid-my-person NAME 'my-person' DESC 'description of my-person attribute' SUP 'inetOrgPerson' MAY ( my-attr-1 ) X-ORIGIN 'user defined' ) +# + +use strict; + +my $mode = "static"; +my $flavor = "schema"; +my $flavorName = undef; +my $origin = 'user defined'; + +# Turns on debug mode (for development purposes only) +my $debug = 0; + +# Process command-line + +while ($ARGV[0] =~ /^-/) { + my $arg = shift; + if ($arg eq "-h") { + usage(); + exit(); + } elsif ($arg eq "-m") { + $mode = "modify"; + } elsif ($arg eq "-s") { + $flavor = "openldap"; + $flavorName = shift; + } elsif ($arg eq "-o") { + $origin = shift; + } else { + print STDERR "Unknown option $arg\n"; + usage(); + exit(-1); + } +} + + +my $attrNameMap = undef; + +my %ldifAttrNameMap = ( + 'attributetype' => 'attributeTypes', + 'objectclass' => 
'objectClasses', +); + +my %openLdapAttrNameMap = ( + 'attributetype' => 'olcAttributeTypes', + 'objectclass' => 'olcObjectClasses', +); + +my @definitionOrder = qw(attributetype objectclass); + +my %oidMapping = (); +my %definitions = (); + +# Print proper LDIF header + +if ($flavor eq "openldap") { + + print "dn: cn=".$flavorName.",cn=schema,cn=config\n"; + + if ($mode eq "modify") { + print "changetype: add\n"; + } + + print "objectClass: olcSchemaConfig\n"; + print "cn: ".$flavorName."\n"; + + $attrNameMap = \%openLdapAttrNameMap; + + +} else { + + # schema (pure) flavor + + if ($mode eq "static") { + # Header for static schema + # used to drop into a file that server picks up on start + print "dn: cn=schema\n"; + print "objectClass: top\n"; + print "objectClass: ldapSubentry\n"; + print "objectClass: subschema\n"; + print "cn: schema\n"; + + } elsif ($mode eq "modify") { + # Header for schema that is being uploaded to running server + print "dn: cn=schema\n"; + print "changetype: modify\n"; + + } else { + die ("Unknown mode $mode\n"); + } + + $attrNameMap = \%ldifAttrNameMap; + +} + +# Reading the input schema file in loop +# processing definitions + +READLOOP: +while (<>) { + + # Comments + if (/^\s*#/) { + # In static mode pass the comments to output file + print if ($mode eq "static"); + # the comments are ignored in other modes as they make + # problems when used with some LDAP clients + next; + } + + chomp; + + if ( /^\s*objectIdentifier\s+(\S+)\s+(\S+)\s*$/) { + # We have got objectIdentifier macro here. 
+ # Parse it and process to the %oidMapping map + + my ($name,$oidExpression) = ($1,$2); + print STDERR "[P] objectIdentifier: $name -> $oidExpression\n" if $debug; + + if (isOid($oidExpression)) { + $oidMapping{$name} = $oidExpression; + print STDERR " adding mapping $name -> $oidExpression\n" if $debug; + } else { + my $oid = expandOidMacro($oidExpression); + if (defined $oid) { + $oidMapping{$name} = $oid; + print STDERR " adding mapping $name -> $oid\n" if $debug; + } else { + print STDERR "Error processing objectIdentifier macro: $_\n"; + } + } + } + + if ( /^\s*(attributetype)\s*\(/i || + /^\s*(objectclass)\s*\(/i ) { + + my $type = lc($1); + my $ldifLine = $attrNameMap->{$type}.": ("; + + $_ = $'; + my $level = 1; + my $foundOrigin = undef; + my $oid = undef; + + while ($level) { + + # raise or lower parenthesis level as necessary + + while ( /\(/g ) { $level++ } + while ( /\)/g ) { $level-- } + + + # OID expression should be the very first token + # therefore process if it was not processed yet + + if (! defined $oid && /^\s*(\S+)\s*/) { + my $oidExpression = $1; + + if (isOid($oidExpression)) { + # OID expression is OID, no transformation needed + $oid = $oidExpression; + + } else { + # Try if OID expression is macro + $oid = expandOidMacro($oidExpression); + + if (! 
defined $oid) { + # OID expression is not macro, copy it verbatim to output + # This is used if symbolic names are used instead of OIDs + $oid = $oidExpression; + } + } + + $ldifLine .= " $oid"; + $_ = $'; + } + + # find X-ORIGIN clause in the input + + if (/X\-ORIGIN\s+\'([^\'*])\'/) { + $foundOrigin = $1; + } + + # if we are at the end (level 0) and there was no + # X-ORIGIN clause, insert the default one + # just before the last parenthesis + + if ($level == 0 && !defined($foundOrigin)) { + s/\)\s*$/ X-ORIGIN \'$origin\' \)/; + } + + $ldifLine .= $_; + + # is we are at the end, check if the SINGLE-VALUE is in correct place + if ($level == 0) { + if ($ldifLine =~ /SINGLE-VALUE/ && $ldifLine !~ /SINGLE-VALUE\s+X-ORIGIN/) { + warn("The SINGLE-VALUE must be the last clause before X-ORIGIN (oid $oid)\n"); + } + } + + $_ = <>; + last unless defined $_; + + # trim whitespaces + chomp; + s/^\s+/ /; + s/\s+$//; + + } + + print STDERR "[P] $type: $oid\n" if $debug; + + + if ($mode eq "static") { + print $ldifLine . 
"\n"; + } else { + if (!$definitions{$type}) { + $definitions{$type} = []; + } + + push @{$definitions{$type}},$ldifLine; + } + + last unless defined $_; + } +} + +if ($mode eq "modify") { + my $first = 1; + foreach my $type (@definitionOrder) { + + next unless ($definitions{$type}); + + if ($flavor eq "schema") { + if ($first) { + $first = 0; + } else { + print "-\n"; + } + print "add: ".$attrNameMap->{$type}."\n"; + } + + foreach my $line (@{$definitions{$type}}) { + print $line."\n"; + } + } +} + +sub isOid { + my ($s) = @_; + + return ($s =~ /^[\.\d]+$/); +} + +sub expandOidMacro { + my ($macro) = @_; + + if ($macro =~ /:/) { + my $key = $`; + my $suffix = $'; + if (exists $oidMapping{$key}) { + return $oidMapping{$key}.".".$suffix; + } else { + return undef; + } + } + return $oidMapping{$macro}; +} + +sub usage { + print STDERR "Usage: $0 [-h ] [-m] [-o ] in.schema > out.ldif\n"; + print STDERR "\t-h\t\tThis help message.\n"; + print STDERR "\t-m\t\tGenerate \"modify\" LDIF instead of \"static\"\n"; + print STDERR "\t-s \t\tGenerate OpenLDAP LDIF flavor\n"; + print STDERR "\t-o \tSpecify X-ORIGIN to inject (default: user defined)\n"; + print STDERR "(c) 2000-2015 Radovan Semancik, Evolveum \n"; +} diff --git a/src/deb/usr/share/odn-cas/bin/slapdadm b/src/deb/usr/share/odn-cas/bin/slapdadm index bbf9713..11f63ff 100755 --- a/src/deb/usr/share/odn-cas/bin/slapdadm +++ b/src/deb/usr/share/odn-cas/bin/slapdadm @@ -1,6 +1,6 @@ #!/usr/bin/perl # -# Copyright (c) 2014 Evolveum +# Copyright (c) 2014-2015 Evolveum # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -47,6 +47,7 @@ GetOptions ( "do-nothing|n" => \$optDoNothing, "yes|y" => \$optYes, "verbose|v" => \$verbose, + "debug|d" => \$debug, "help|h" => \$optHelp, ) or usage(); usage() if $optHelp; 
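Review bot: The X-ORIGIN detection `if (/X\-ORIGIN\s+\'([^\'*])\'/)` has the quantifier inside the character class — `[^\'*]` matches exactly one character that is neither a quote nor an asterisk — so any existing `X-ORIGIN 'something'` longer than one character is missed and a second `X-ORIGIN '$origin'` is appended at level 0, yielding a duplicate clause the server will reject. It should read `if (/X\-ORIGIN\s+\'([^\']*)\'/)`. Separately, `while ($ARGV[0] =~ /^-/)` with no arguments matches against `undef`; `while (@ARGV && $ARGV[0] =~ /^-/)` is the intended guard.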
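Review bot: `"debug|d" => \$debug` is added to the GetOptions table but no `my $debug` declaration appears in this hunk, and the script is `use strict` style; unless `$debug` is declared outside the visible lines, this fails to compile with "Global symbol requires explicit package name". Declare it next to the other option variables, e.g. `my ($verbose, $optHelp, $debug);`.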
@@ -69,6 +70,7 @@ if ($command eq "--help") { usage(); } if ($command eq "list-suffixes") { listSuffixes() } elsif ($command eq "delete-suffix") { deleteSuffix() } elsif ($command eq "create-suffix") { createSuffix() } +elsif ($command eq "delete-schema") { deleteSchema() } elsif ($command eq "delete-all") { deleteAll() } elsif ($command eq "help") { usage() } else { usage() } @@ -317,6 +319,48 @@ sub deleteDbAndConfigFiles { } } +sub deleteSchema { + my $schemaName = shift @ARGV; + if (!$schemaName) { + die("No schema name specified\n"); + } + + checkConfigDirs(); + + stopSlapd(); + + my $schemaIndex = undef; + ($schemaName, $schemaIndex) = parseIndexedName($schemaName); + + print "schemaName=$schemaName, schemaIndex=$schemaIndex\n" if $debug; + + my $file = undef; + my (@schemaNodes) = listDir($cnConfigDir."/cn=schema"); + foreach my $schemaNode (@schemaNodes) { + if (my ($entryIndex, $entryName) = ($schemaNode =~ /^cn=\{(-?\d+)\}([^\s\.]+)(\.ldif)?$/)) { + if ($entryName eq $schemaName) { + if (defined $schemaIndex && $schemaIndex != $entryIndex) { + die("Schema $schemaName present, but it does have index $entryIndex and not $schemaIndex\n"); + } + $file="$cnConfigDir/cn=schema/$schemaNode"; + last; + } + } + } + + if (!$file) { + die("Schema $schemaName does not exist\n"); + } + + print "Deleting $file\n" if $debug; + deleteFile($file); + + startSlapd(); + +} + + + ### RC sub stopSlapd { @@ -339,6 +383,15 @@ sub startSlapd { ### Util +sub parseIndexedName { + my ($val) = @_; + if ($val =~ /^{(\d+)}/) { + return ($', $1); + } else { + return ($val, undef); + } +} + sub checkConfigDirs { if (! -d $configDir) { die("$configDir is not a directory\n"); diff --git a/src/deb/usr/share/odn-cas/bin/slapdconf b/src/deb/usr/share/odn-cas/bin/slapdconf index 4a1c943..75251d7 100755 --- a/src/deb/usr/share/odn-cas/bin/slapdconf +++ b/src/deb/usr/share/odn-cas/bin/slapdconf 
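Review bot: `deleteSchema` calls `stopSlapd()` before it has looked the schema up, so both `die` paths that follow — unknown schema name, or an index mismatch — exit with the directory server left stopped, which on a production host is a self-inflicted outage for a typo. Move the `listDir`/match loop above `stopSlapd()` and stop only once `$file` is known, or ensure `startSlapd()` also runs on the error path. The command also ignores the `--do-nothing|-n` and `--yes|-y` options defined in the option table (their use by `deleteSuffix`/`deleteAll` is outside this hunk, so I am assuming they gate destructive actions there); `deleteFile($file)` should be skipped under `$optDoNothing` and confirmed unless `$optYes`, the same way.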
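Review bot: `parseIndexedName` matches with `/^{(\d+)}/`, an unescaped literal `{` that recent Perl releases warn about and, in some positions, reject outright; `/^\{(\d+)\}/` is the portable spelling. The function's contract (returns the name with the `{n}` prefix stripped plus the index, or the input and `undef`) is worth a one-line comment, since both `deleteSchema` here and `addSchema` in slapdconf depend on it.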
@@ -1,6 +1,6 @@ #!/usr/bin/perl # -# Copyright (c) 2014 Evolveum +# Copyright (c) 2014-2015 Evolveum # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,6 +29,8 @@ use Digest::SHA qw(sha1); use MIME::Base64; use Getopt::Long qw(:config bundling no_auto_abbrev pass_through); use Pod::Usage; +use File::Basename; +use IPC::Open3; use Data::Dumper; my ($verbose,$optHelp); @@ -112,6 +114,7 @@ GetOptions ( "saslMechanism|Y=s" => \$bindSaslMechanism, "file|f=s" => \$filename, "verbose|v" => \$verbose, + "debug|d" => \$debug, "help" => \$optHelp, ) or usage(); usage() if $optHelp; @@ -153,6 +156,9 @@ elsif ($command eq "get-suffix-prop") { getSuffixProp() } elsif ($command eq "set-suffix-prop") { setSuffixProp() } elsif ($command eq "get-suffix-acis") { getSuffixAcis() } elsif ($command eq "set-suffix-acis") { setSuffixAcis() } +elsif ($command eq "list-schemas") { listSchemas() } +elsif ($command eq "add-schema") { addSchema() } +elsif ($command eq "delete-schema") { deleteSchema() } elsif ($command eq "list-suffix-overlays") { listSuffixOverlays() } elsif ($command eq "add-overlay") { addOverlay() } elsif ($command eq "get-overlay-prop") { getOverlayProp() } 
@@ -568,6 +574,183 @@ sub getSuffixDns { } +##### Schema + +sub listSchemas { + my $conn = ldapConnectBind(); + + foreach my $entry (getSchemaEntries($conn)) { + print $entry->get_value("cn"); + if ($verbose) { + my @attrTypes = $entry->get_value("olcAttributeTypes"); + my @objectClasses = $entry->get_value("olcObjectClasses"); + print (" (".scalar(@attrTypes)." attribute types, ".scalar(@objectClasses)." object classes)"); + } + print "\n"; + } + + ldapDisconnect($conn); +} + +sub addSchema { + my $schemaName = shift @ARGV; + my $schemaFilename = $filename; + print "schemaName=$schemaName, schemaFilename=$schemaFilename\n" if $debug; + my $schemaType = "schema"; + if ($schemaFilename) { + my ($baseFileName, $dirs, $suffix) = fileparse($schemaFilename,"ldif","schema"); + print ("schemaFilename=$schemaFilename, baseFileName=$baseFileName, dirs=$dirs, suffix=$suffix\n") if $debug; + $baseFileName = substr($baseFileName,0,-1); + $schemaType = $suffix; + if (!$schemaName) { + $schemaName = $baseFileName; + } + } + if (!$schemaName) { + die("Schema name not provided\n"); + } + + my $schemaIndex = undef; + ($schemaName, $schemaIndex) = parseIndexedName($schemaName); + + print "schemaName=$schemaName, schemaIndex=$schemaIndex, schemaFilename=$schemaFilename, schemaType=$schemaType\n" if $debug; + + my $conn = ldapConnectBind(); + + foreach my $entry (getSchemaEntries($conn)) { + my $entryCn = $entry->get_value("cn"); + my ($entryName, $entryIndex) = parseIndexedName($entryCn); + if ($entryName eq $schemaName) { + ldapDisconnect($conn); + die("Schema $schemaName already present\n"); + } + if ($schemaIndex && $schemaIndex eq $entryIndex) { + die("Index $schemaIndex already present (schema $entryName)\n"); + } + } + + my $entry; + if ($schemaType eq "schema") { + # need to convert to LDIF + $entry = schema2ldif($schemaName, $schemaFilename); + } elsif ($schemaType eq "ldif") { + open(LDIF, $schemaFilename) or die("Cannot open $schemaFilename: $!\n"); + $entry = 
parseLdifEntry(\*LDIF); + } else { + die ("Unknown schema type $schemaType\n"); + } + + print ("Adding entry:\n".$entry->ldif."\n") if $debug; + + my $resp = $conn->add($entry); + if ($resp->code) { + ldapDisconnect($conn); + die("Error adding schema entry: ".$resp->error." (".$resp->code.")\n"); + } + + print ("Added schema entry ".$entry->dn.", response code ".$resp->code."\n") if $debug; + + ldapDisconnect($conn); +} + +sub schema2ldif { + my ($schemaName, $fileName) = @_; + + my ($baseFileName, $path, $suffix) = fileparse($0); + my $schema2ldifCommand = $path . "/schema2ldif -m -s '$schemaName'"; + + print ("schema2ldifCommand=$schema2ldifCommand\n") if $debug; + + my $pid = open3(\*WRITE, \*READ, \*ERR, $schema2ldifCommand); + + if ($fileName) { + open(SCHEMA,$fileName) or die("Cannot open $fileName: $!\n"); + while () { + print WRITE $_; + } + close(SCHEMA); + } else { + while () { + print WRITE $_; + } + } + close(WRITE); + + select(undef,undef,undef,.5); + + my $entry = parseLdifEntry(\*READ); + + while() { + print STDERR; + } + + waitpid($pid, 1); + return $entry; +} + +sub parseLdifEntry { + my ($fh) = @_; + + my $ldif = Net::LDAP::LDIF->new($fh); + my $entry; + while ( not $ldif->eof() ) { + if ( $ldif->error ( ) ) { + die("Error parsing LDIF: ".$ldif->error()."\n".$ldif->error_lines()."\n"); + } else { + $entry = $ldif->read_entry(); + } + } + $ldif->done ( ); + + return $entry; +} + +sub deleteSchema { + my $schemaName = shift @ARGV; + if (!$schemaName) { + die("Schema name not provided\n"); + } + + my $schemaIndex = undef; + ($schemaName, $schemaIndex) = parseIndexedName($schemaName); + + print "schemaName=$schemaName, schemaIndex=$schemaIndex\n" if $debug; + + my $conn = ldapConnectBind(); + + my $schemaEntry = undef; + foreach my $entry (getSchemaEntries($conn)) { + my $entryCn = $entry->get_value("cn"); + my ($entryName, $entryIndex) = parseIndexedName($entryCn); + if ($entryName eq $schemaName) { + if (defined $schemaIndex && $schemaIndex != 
$entryIndex) { + ldapDisconnect($conn); + die("Schema $schemaName present, but it does have index $entryIndex and not $schemaIndex\n"); + } + $schemaEntry = $entry; + last; + } + } + + if (!$schemaEntry) { + die("Schema $schemaName does not exist\n"); + } + + print ("Deleting entry:\n".$schemaEntry->ldif."\n") if $debug; + + ldapDelete($conn, $schemaEntry->dn); + + ldapDisconnect($conn); +} + + +sub getSchemaEntries { + my ($conn) = @_; + + return getConfigEntriesByObjectclass($conn,"cn=schema,cn=config","one","olcSchemaConfig"); +} + + ##### DSE, EXPORT, MODULES, etc. sub listModules { @@ -1292,6 +1475,16 @@ sub generateSalt { return join('',map {$saltChars[rand(64)]} (1..4)); } +sub parseIndexedName { + my ($val) = @_; + if ($val =~ /^{(\d+)}/) { + return ($', $1); + } else { + return ($val, undef); + } +} + + ####### LDAP functions sub ldapConnect { diff --git a/src/slapd/data/acl.ldif b/src/slapd/data/acl.ldif index 29e2187..ae2df3f 100644 --- a/src/slapd/data/acl.ldif +++ b/src/slapd/data/acl.ldif 
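Review bot: In `schema2ldif`, `open3` receives a single shell string, `$path . "/schema2ldif -m -s '$schemaName'"`, so `$schemaName` — taken from `@ARGV` or derived from the file name in `addSchema` — is interpreted by the shell and a name containing a single quote breaks out of the quoting; pass the list form instead: `my $pid = open3(\*WRITE, \*READ, \*ERR, $path . "/schema2ldif", "-m", "-s", $schemaName);`. `waitpid($pid, 1)` passes WNOHANG, so the converter's exit status is never collected or checked and a failed conversion still yields an `$entry` that `addSchema` sends to the server; use `waitpid($pid, 0)` and fail on non-zero `$?`. The `die` on an index collision in `addSchema` and the `die` for a missing entry in `deleteSchema` skip `ldapDisconnect($conn)`, unlike the neighbouring error paths. `if ($schemaIndex && ...)` in `addSchema` treats an explicit `{0}` index as absent; test `defined $schemaIndex` as `deleteSchema` does. The `@@ -1292` hunk duplicates `parseIndexedName` verbatim from slapdadm.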
@@ -1,9 +1,9 @@ dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess -olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=admin,dc=opendata,dc=org" write by anonymous auth by self write by * none +olcAccess: to attrs=userPassword dn.subtree="ou=people,dc=opendata,dc=org" filter="(midPointAccountStatus=disabled)" by dn.subtree="ou=people,dc=opendata,dc=org" none by anonymous none by * break +olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=admin,dc=opendata,$ olcAccess: to dn.subtree="ou=people,dc=opendata,dc=org" by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by * read olcAccess: to dn.subtree="ou=groups,dc=opendata,dc=org" by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by * read olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" read by dn="cn=admin,dc=opendata,dc=org" write by self read by * none olcAccess: to dn.base="" by * read - From b470b9562dae47cf7e324ffd43fa705d5a16707a Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Wed, 10 Jun 2015 15:24:06 +0200 Subject: [PATCH 11/18] line trim error --- src/slapd/data/acl.ldif | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/slapd/data/acl.ldif b/src/slapd/data/acl.ldif index ae2df3f..e8c70c2 100644 --- a/src/slapd/data/acl.ldif +++ b/src/slapd/data/acl.ldif 
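Review bot: The new first `olcAccess` rule denies password authentication only to entries that match `filter="(midPointAccountStatus=disabled)"`; an entry whose status attribute is absent or spelled differently does not match and falls through `by * break` to the next rule's `by anonymous auth`, so the lock-out is only as reliable as the IDM's upkeep of that attribute. That is worth recording next to the rule as an LDIF `#` comment line: `# deny simple bind for accounts with midPointAccountStatus=disabled; entries without the attribute fall through to the rule below`. The second value, cut off at `dc=opendata,$`, is repaired by the following patch.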
@@ -2,8 +2,9 @@ dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: to attrs=userPassword dn.subtree="ou=people,dc=opendata,dc=org" filter="(midPointAccountStatus=disabled)" by dn.subtree="ou=people,dc=opendata,dc=org" none by anonymous none by * break -olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=admin,dc=opendata,$ +olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=admin,dc=opendata,dc=org" write by anonymous auth by self write by * none olcAccess: to dn.subtree="ou=people,dc=opendata,dc=org" by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by * read olcAccess: to dn.subtree="ou=groups,dc=opendata,dc=org" by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" write by * read olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=idm,ou=Administrators,dc=opendata,dc=org" read by dn="cn=admin,dc=opendata,dc=org" write by self read by * none olcAccess: to dn.base="" by * read + From 82669f70d2c03bc40aa371697534498715a47a2a Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Wed, 10 Jun 2015 16:05:52 +0200 Subject: [PATCH 12/18] com.github -> org.jasig --- log4j2.xml | 2 +- src/main/webapp/WEB-INF/deployerConfigContext.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4j2.xml b/log4j2.xml index 3845bc4..6562858 100644 --- a/log4j2.xml +++ b/log4j2.xml @@ -63,7 +63,7 @@ - + diff --git a/src/main/webapp/WEB-INF/deployerConfigContext.xml b/src/main/webapp/WEB-INF/deployerConfigContext.xml index 39163dc..8222e89 100644 --- a/src/main/webapp/WEB-INF/deployerConfigContext.xml +++ b/src/main/webapp/WEB-INF/deployerConfigContext.xml @@ -85,7 +85,7 @@ - + 
From d6316e153e46762a7448810d78b109b02ab4d52b Mon Sep 17 00:00:00 2001 From: Jan Marcek Date: Thu, 11 Jun 2015 14:06:44 +0200 Subject: [PATCH 13/18] dont stop slapd in upgrade --- src/deb/control/prerm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/deb/control/prerm b/src/deb/control/prerm index c2d2211..8d7ea60 100644 --- a/src/deb/control/prerm +++ b/src/deb/control/prerm @@ -18,14 +18,16 @@ set -e case "$1" in - remove|upgrade|deconfigure) + remove|deconfigure) # stop slapd because configuration files will be removed if [ -x "/etc/init.d/slapd" ]; then invoke-rc.d slapd stop || true fi ;; - + upgrade) + + ;; failed-upgrade) ;; From 1909c6fe3b7fdec5dd06a14d496ea8aa5f0362f0 Mon Sep 17 00:00:00 2001 From: Jan Marcek Date: Thu, 11 Jun 2015 14:41:48 +0200 Subject: [PATCH 14/18] upgrade from 1.0.2 --- src/deb/control/postinst | 23 +++++++++-------- src/deb/control/postrm | 2 +- src/deb/control/preinst | 54 ++++++++++++++++++++++++++++++++++++++++ src/deb/control/prerm | 48 ----------------------------------- 4 files changed, 67 insertions(+), 60 deletions(-) create mode 100644 src/deb/control/preinst delete mode 100644 src/deb/control/prerm diff --git a/src/deb/control/postinst b/src/deb/control/postinst index bcc002a..7dd0e52 100755 --- a/src/deb/control/postinst +++ b/src/deb/control/postinst 
@@ -81,7 +81,7 @@ generate_keystore() { openssl req -x509 -days $DAYS_VALID -newkey rsa:2048 -keyout $PRIVATE_PATH/odn-key.pem -out $CERTS_PATH/odn-cert.pem -passout pass:$KEYSTORE_PASSWORD -subj '/CN='${HOSTNAME}'' -nodes openssl pkcs12 -export -inkey $PRIVATE_PATH/odn-key.pem -in $CERTS_PATH/odn-cert.pem -out $CERTS_PATH/service.p12 -name tomcat -passin pass:$KEYSTORE_PASSWORD -passout pass:$PRIVATEKEY_PASS - keytool -importkeystore -destkeystore $KEYSTORE_NAME -deststorepass $KEYSTORE_PASSWORD -deststoretype jks -srckeystore $CERTS_PATH/service.p12 -srcstorepass $PRIVATEKEY_PASS -srcstoretype pkcs12 + keytool -importkeystore -destkeystore $KEYSTORE_NAME -deststorepass $KEYSTORE_PASSWORD -deststoretype jks -srckeystore $CERTS_PATH/service.p12 -srcstorepass $PRIVATEKEY_PASS -srcstoretype pkcs12 -noprompt update-ca-certificates echo "keystore created" @@ -121,18 +121,19 @@ set_ldap_evolveum() { ldapmodify -Y EXTERNAL -H ldapi:/// -f /usr/share/odn-simple/ldap/acl.ldif echo "ldap user for IDM created" - # set slapd to running on 127.0.0.1 - if grep -q "^SLAPD_SERVICES=\"ldap://127.0.0.1:389/" $CONFIG ; then - echo "slapd has already been set to running on localhost port" - else - sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap:\/\/127.0.0.1:389\/\/ ldapi:\/\/\/\"/" $CONFIG - fi - - service_slapd_restart else + # set slapd to running on 127.0.0.1 echo "ldap has already been set" fi + + if grep -q "^SLAPD_SERVICES=\"ldap://127.0.0.1:389/" $CONFIG ; then + echo "slapd has already been set to running on localhost port" + else + sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap:\/\/127.0.0.1:389\/\/ ldapi:\/\/\/\"/" $CONFIG + fi + service_slapd_restart + echo "<< set_ldap" } @@ -142,8 +143,8 @@ case "$1" in create_user fix_perms set_ldap_evolveum - # if not upgrade - if [ "${VERSION}" = "" ] ; then + # if not upgrade or version = 1.0.2 + if [ "${VERSION}" = "" ] || [ "${VERSION}" = "1.0.2" ] ; then generate_keystore fi 
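Review bot: In the `@@ -142` hunk, `[ "${VERSION}" = "1.0.2" ]` regenerates the keystore only when upgrading from exactly 1.0.2, while the new `preinst` in this patch removes `/etc/ssl/certs/odn-cert.pem` and `/etc/ssl/private/odn-key.pem` on every `upgrade`; an upgrade from any other earlier version therefore ends with the certificate files deleted and no keystore regenerated. Compare versions instead of matching one string: `if [ -z "${VERSION}" ] || dpkg --compare-versions "${VERSION}" lt "1.0.3"; then`, and apply the same condition in `preinst` (the `upgrade)` branch receives the old version as `$2`). In the `@@ -121` hunk the comment `# set slapd to running on 127.0.0.1` was moved into the `else` branch above `echo "ldap has already been set"`, where it no longer describes the code; it belongs above the `grep -q ... $CONFIG` check that now runs unconditionally. The `sed` replacement writes `ldap://127.0.0.1:389//` with a doubled slash, which looks unintended. The enclosing `case` branch of the `@@ -142` hunk starts outside the hunk.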
diff --git a/src/deb/control/postrm b/src/deb/control/postrm index 82d3cc8..b2cc520 100644 --- a/src/deb/control/postrm +++ b/src/deb/control/postrm @@ -62,7 +62,7 @@ case "$1" in # reload default slapd configuration if [ -x "/etc/init.d/slapd" ]; then - invoke-rc.d slapd start || true + invoke-rc.d slapd restart || true fi # clean cert diff --git a/src/deb/control/preinst b/src/deb/control/preinst new file mode 100644 index 0000000..0154f07 --- /dev/null +++ b/src/deb/control/preinst @@ -0,0 +1,54 @@ +#! /bin/sh +# +# Abort if any command returns an error value +set -e + +# This script is called before this version of this package is installed. +# When this script is called, the package's files have not been unpacked +# yet. + + +get_hostname() { + HOSTNAME=`hostname --all-fqdns` + if [ -z ${HOSTNAME} ] + then + HOSTNAME=`hostname` + fi + + if [ -z ${HOSTNAME} ] + then + HOSTNAME="localhost" + fi + + HOSTNAME="$(echo "${HOSTNAME}" | tr -d '[[:space:]]')" + # return hostname + echo "$HOSTNAME" +} + + +case "$1" in + install) + + ;; + upgrade) + # About to upgrade this package from version $2 TO THIS VERSION. + # "prerm upgrade" has already been called for the old version of + # this package. + # discart old certificates - for 1.0.2 + HOSTNAME=$(get_hostname) + rm -f /usr/local/share/ca-certificates/$HOSTNAME + rm -f /etc/ssl/certs/odn-cert.pem + rm -f /etc/ssl/private/odn-key.pem + update-ca-certificates --fresh + + ;; + abort-upgrade) + # Back out of an attempt to upgrade this package FROM THIS VERSION to + # version $2. Undo the effects of "postrm upgrade $2". + + ;; + *) echo "$0: didn't understand being called with \`$1'" 1>&2 + exit 1;; +esac + +exit 0 \ No newline at end of file diff --git a/src/deb/control/prerm b/src/deb/control/prerm deleted file mode 100644 index 8d7ea60..0000000 --- a/src/deb/control/prerm +++ /dev/null 
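Review bot: In the new `preinst`, `get_hostname` assigns the output of `hostname --all-fqdns`, which can be several space-separated names; `[ -z ${HOSTNAME} ]` then expands to more than one test argument, and `tr -d '[[:space:]]'` glues the names into one token that is later used as a path component under `/usr/local/share/ca-certificates`. Quote the expansions and keep only the first name: `HOSTNAME=$(hostname --all-fqdns | awk '{print $1}')` and `if [ -z "${HOSTNAME}" ]`. The same helper is used by `postinst` (visible in an earlier patch of this series) and would benefit from the same fix.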
@@ -1,48 +0,0 @@ -#!/bin/sh -# prerm script for #PACKAGE# -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `upgrade' -# * `failed-upgrade' -# * `remove' `in-favour' -# * `deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - - -case "$1" in - remove|deconfigure) - # stop slapd because configuration files will be removed - if [ -x "/etc/init.d/slapd" ]; then - invoke-rc.d slapd stop || true - fi - - ;; - upgrade) - - ;; - failed-upgrade) - ;; - - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - - -#DEBHELPER# - -exit 0 - - From 78199cff71dd4c6a3e6b5a89625058fc76b63fa0 Mon Sep 17 00:00:00 2001 From: Jan Marcek Date: Thu, 11 Jun 2015 14:52:09 +0200 Subject: [PATCH 15/18] remove whole directory --- src/deb/control/preinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/deb/control/preinst b/src/deb/control/preinst index 0154f07..01f1e7f 100644 --- a/src/deb/control/preinst +++ b/src/deb/control/preinst @@ -36,7 +36,7 @@ case "$1" in # this package. # discart old certificates - for 1.0.2 HOSTNAME=$(get_hostname) - rm -f /usr/local/share/ca-certificates/$HOSTNAME + rm -rf /usr/local/share/ca-certificates/$HOSTNAME rm -f /etc/ssl/certs/odn-cert.pem rm -f /etc/ssl/private/odn-key.pem update-ca-certificates --fresh From c71bd72216a6b5794e61d5b8a8eb2c74448d2836 Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Mon, 15 Jun 2015 14:37:45 +0200 Subject: [PATCH 16/18] slovak locale added --- src/main/resources/messages_sk.properties | 105 ++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 src/main/resources/messages_sk.properties 
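Review bot: The delete is now recursive but the target is still built from an unquoted `$HOSTNAME`; `get_hostname` yields a non-empty, whitespace-free value today, yet a recursive `rm` should not depend on a helper elsewhere in the file to stay safe. Quote the path and refuse to run with an empty value: `rm -rf "/usr/local/share/ca-certificates/${HOSTNAME:?}"`. The enclosing `upgrade)` branch starts and ends outside the hunk.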
diff --git a/src/main/resources/messages_sk.properties b/src/main/resources/messages_sk.properties new file mode 100644 index 0000000..62f9a20 --- /dev/null +++ b/src/main/resources/messages_sk.properties 
@@ -0,0 +1,105 @@ +screen.welcome.welcome=Congratulations on bringing CAS online! To learn how to arthenticate, please review the default authentication handler configuration. +screen.welcome.security=For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication! +screen.welcome.instructions=Vložte Vaše používateľské meno a heslo +screen.welcome.label.netid=Meno: +screen.welcome.label.netid.accesskey=m +screen.welcome.label.password=Heslo: +screen.welcome.label.password.accesskey=h +screen.welcome.label.publicstation=Som na verejnej pracovnej stanici. +screen.welcome.label.warn=Varuj ma pred prihásením do ostatných stránok. +screen.welcome.label.warn.accesskey=v +screen.welcome.button.login=LOGIN +screen.welcome.button.clear=CLEAR + +screen.cookies.disabled.title=Cookies v prehliadači sú zakázané +screen.cookies.disabled.message=Váš browser nepodporuje cookies. Single Sign On NEBUDE FUNGOVAŤ. + +screen.aup.button.accept=ACCEPT +screen.aup.button.cancel=CANCEL + +screen.nonsecure.title=Non-secure Connection +screen.nonsecure.message=You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS. + +logo.title=choď na domovskú stránku Apereo +copyright=Copyright © 2005–2015 Apereo, Inc. All rights reserved. +screen.capslock.on = Klávesa CAPSLOCK je zapnutá! + +# Remember-Me Authentication +screen.rememberme.checkbox.title=Zapamätaj si ma + +# Blocked Errors Page +screen.blocked.header=Prístup zamietnutý +screen.blocked.message=Vložili ste viackrát nesprávne heslo pre používateľa. You've been throttled. +AbstractAccessDecisionManager.accessDenied=Nie ste oprávnený k prístupu k tomuto zdroju. Pre viac informácií kontaktujte prosím CAS administrátora. + +#Confirmation Screen Messages +screen.confirmation.message=Click here to go to the application. 
+ +#Generic Success Screen Messages +screen.success.header=Prihlásenie bolo úspešné +screen.success.success=You, {0}, have successfully logged into the Central Authentication Service. +screen.success.security=When you are finished, for security reasons, please Log Out and Exit your web browser. + +#Logout Screen Messages +screen.logout.header=Odhlásenie bolo úspešné +screen.logout.success=You have successfully logged out of the Central Authentication Service. +screen.logout.security=Z bezpečnostných dôvodov ukončite prácu s prehliadačom. +screen.logout.redirect=The service from which you arrived has supplied a link you may follow by clicking here. + +screen.service.sso.error.header=Re-Authentication Required to Access this Service +screen.service.sso.error.message=You attempted to access a service that requires authentication without re-authenticating. Please try authenticating again. +screen.service.required.message=You attempted authentication without specifying the target application. Please re-examine the request and try again. + +error.invalid.loginticket=You cannot attempt to re-submit a form that has been submitted already. +username.required=Username is a required field. +password.required=Password is a required field. + +# Authentication failure messages +authenticationFailure.AccountDisabledException=This account has been disabled. +authenticationFailure.AccountLockedException=This account has been locked. +authenticationFailure.CredentialExpiredException=Your password has expired. +authenticationFailure.InvalidLoginLocationException=You cannot login from this workstation. +authenticationFailure.InvalidLoginTimeException=Your account is forbidden to login at this time. +authenticationFailure.AccountNotFoundException=Invalid credentials. +authenticationFailure.FailedLoginException=Invalid credentials. +authenticationFailure.UNKNOWN=Invalid credentials. + +INVALID_REQUEST_PROXY=The request is incorrectly formatted. 
Ensure all required parameters are properly encoded and included. +INVALID_TICKET_SPEC=Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request. +INVALID_REQUEST='service' and 'ticket' parameters are both required +INVALID_TICKET=Ticket ''{0}'' not recognized +INVALID_SERVICE=Ticket ''{0}'' does not match supplied service. The original service was ''{1}'' and the supplied service was ''{2}''. +INVALID_PROXY_CALLBACK=The supplied proxy callback url ''{0}'' could not be authenticated. +UNAUTHORIZED_SERVICE_PROXY=The supplied service ''{0}'' is not authorized to use CAS proxy authentication. + +screen.service.error.header=Application Not Authorized to Use CAS +service.not.authorized.missing.attr=You are not authorized to access the application as your account \ +is missing privileges required by the CAS server to authenticate into this service. Please notify your support desk. +screen.service.error.message=The application you attempted to authenticate to is not authorized to use CAS. +screen.service.empty.error.message=The services registry of CAS is empty and has no service definitions. \ +Applications that wish to authenticate with CAS must explicitly be defined in the services registry. + +# Password policy +password.expiration.warning=Your password expires in {0} day(s). Please change your password now. +password.expiration.loginsRemaining=You have {0} login(s) remaining before you MUST change your password. +screen.accountdisabled.heading=This account has been disabled. +screen.accountdisabled.message=Please contact the system administrator to regain access. +screen.accountlocked.heading=This account has been locked. +screen.accountlocked.message=Please contact the system administrator to regain access. +screen.expiredpass.heading=Your password has expired. +screen.expiredpass.message=Please change your password. 
+screen.mustchangepass.heading=You must change your password. +screen.mustchangepass.message=Please change your password. +screen.badhours.heading=Your account is forbidden to login at this time. +screen.badhours.message=Please try again later. +screen.badworkstation.heading=You cannot login from this workstation. +screen.badworkstation.message=Please contact the system administrator to regain access. + +# OAuth +screen.oauth.confirm.header=Authorizácia +screen.oauth.confirm.message=Chete povoliť prístup k Vášmu kompletnému profilu to "{0}" ? +screen.oauth.confirm.allow=Povoliť + +# Unavailable +screen.unavailable.heading=CAS je nedostupný +screen.unavailable.message=Pri spracovaní požiadavkz nastala chyba. Prosím informujte podporu alebo skúste znovu. From 9e1c962a4c194968fbf6e742df6c3e621f7d0b9e Mon Sep 17 00:00:00 2001 From: Peter Klimo Date: Tue, 16 Jun 2015 12:18:06 +0200 Subject: [PATCH 17/18] slovak translation improved --- src/main/resources/messages_sk.properties | 108 +++++++++++----------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/src/main/resources/messages_sk.properties b/src/main/resources/messages_sk.properties index 62f9a20..af59117 100644 --- a/src/main/resources/messages_sk.properties +++ b/src/main/resources/messages_sk.properties @@ -1,5 +1,5 @@ screen.welcome.welcome=Congratulations on bringing CAS online! To learn how to arthenticate, please review the default authentication handler configuration. -screen.welcome.security=For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication! +screen.welcome.security=Z bezpečnostných dôvodov sa prosím odhláste a ukončite prácu s webovým prehliadačom ak ste ukončili prácu so službami vyžadujúcimi autentifikáciu! screen.welcome.instructions=Vložte Vaše používateľské meno a heslo screen.welcome.label.netid=Meno: screen.welcome.label.netid.accesskey=m 
@@ -8,8 +8,8 @@ screen.welcome.label.password.accesskey=h screen.welcome.label.publicstation=Som na verejnej pracovnej stanici. screen.welcome.label.warn=Varuj ma pred prihásením do ostatných stránok. screen.welcome.label.warn.accesskey=v -screen.welcome.button.login=LOGIN -screen.welcome.button.clear=CLEAR +screen.welcome.button.login=PRIHLÁSIŤ +screen.welcome.button.clear=VYMAZAŤ screen.cookies.disabled.title=Cookies v prehliadači sú zakázané screen.cookies.disabled.message=Váš browser nepodporuje cookies. Single Sign On NEBUDE FUNGOVAŤ. @@ -17,8 +17,8 @@ screen.cookies.disabled.message=Váš browser nepodporuje cookies. Single Sign O screen.aup.button.accept=ACCEPT screen.aup.button.cancel=CANCEL -screen.nonsecure.title=Non-secure Connection -screen.nonsecure.message=You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS. +screen.nonsecure.title=Nezabezpečené spojenie +screen.nonsecure.message=Pristupujete k serveru CAS cez nezabezpečené spojenie. Single Sign On NEBUDE FUNGOVAŤ. Ak chcete aby single sign on fungovalo, musíte sa prihlásiť cez HTTPS. logo.title=choď na domovskú stránku Apereo copyright=Copyright © 2005–2015 Apereo, Inc. All rights reserved. 
@@ -33,67 +33,67 @@ screen.blocked.message=Vložili ste viackrát nesprávne heslo pre používateľ AbstractAccessDecisionManager.accessDenied=Nie ste oprávnený k prístupu k tomuto zdroju. Pre viac informácií kontaktujte prosím CAS administrátora. #Confirmation Screen Messages -screen.confirmation.message=Click here to go to the application. +screen.confirmation.message=Kliknite sem na prístup k aplikácii. #Generic Success Screen Messages screen.success.header=Prihlásenie bolo úspešné -screen.success.success=You, {0}, have successfully logged into the Central Authentication Service. -screen.success.security=When you are finished, for security reasons, please Log Out and Exit your web browser. +screen.success.success= {0}, práve ste sa úspešne prihlásili do služby centrálnej autentifikácie. +screen.success.security=Ak ste ukončili prácu, z bezpečnostných dôvodov prosím odhláste sa a ukončite prácu s prehliadačom. #Logout Screen Messages screen.logout.header=Odhlásenie bolo úspešné -screen.logout.success=You have successfully logged out of the Central Authentication Service. +screen.logout.success=Úspešne ste sa odhlásili zo služby centrálnej autentifikácie. screen.logout.security=Z bezpečnostných dôvodov ukončite prácu s prehliadačom. -screen.logout.redirect=The service from which you arrived has supplied a link you may follow by clicking here. +screen.logout.redirect=Služba, z ktorej ste prišli poskytla linku, ktorú môžete nasledovať kliknutím sem. -screen.service.sso.error.header=Re-Authentication Required to Access this Service -screen.service.sso.error.message=You attempted to access a service that requires authentication without re-authenticating. Please try authenticating again. -screen.service.required.message=You attempted authentication without specifying the target application. Please re-examine the request and try again. 
+screen.service.sso.error.header=Na prístup k službe je nutná opakovaná autentifikácia +screen.service.sso.error.message=Pokúsili ste sa o prístup k službe, ktorá vyžaduje autentifkáciu bez opätovnej autentifikácie. Prosím skúste sa autentifikovať znovu. +screen.service.required.message=Pokúsili ste sa autentifikovať bez zadania cieľovej aplikácie. Prosím preverte požiadavku a skúste znovu. -error.invalid.loginticket=You cannot attempt to re-submit a form that has been submitted already. -username.required=Username is a required field. -password.required=Password is a required field. +error.invalid.loginticket=Nie je možné odoslať opakovanú požiadavku na formulár, ktorý už bol odoslaný. +username.required=Meno používateľa je povinné pole. +password.required=Heslo je povinné pole. # Authentication failure messages -authenticationFailure.AccountDisabledException=This account has been disabled. -authenticationFailure.AccountLockedException=This account has been locked. -authenticationFailure.CredentialExpiredException=Your password has expired. -authenticationFailure.InvalidLoginLocationException=You cannot login from this workstation. -authenticationFailure.InvalidLoginTimeException=Your account is forbidden to login at this time. -authenticationFailure.AccountNotFoundException=Invalid credentials. -authenticationFailure.FailedLoginException=Invalid credentials. -authenticationFailure.UNKNOWN=Invalid credentials. - -INVALID_REQUEST_PROXY=The request is incorrectly formatted. Ensure all required parameters are properly encoded and included. -INVALID_TICKET_SPEC=Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request. -INVALID_REQUEST='service' and 'ticket' parameters are both required -INVALID_TICKET=Ticket ''{0}'' not recognized -INVALID_SERVICE=Ticket ''{0}'' does not match supplied service. 
The original service was ''{1}'' and the supplied service was ''{2}''.
-INVALID_PROXY_CALLBACK=The supplied proxy callback url ''{0}'' could not be authenticated.
-UNAUTHORIZED_SERVICE_PROXY=The supplied service ''{0}'' is not authorized to use CAS proxy authentication.
-
-screen.service.error.header=Application Not Authorized to Use CAS
-service.not.authorized.missing.attr=You are not authorized to access the application as your account \
-is missing privileges required by the CAS server to authenticate into this service. Please notify your support desk.
-screen.service.error.message=The application you attempted to authenticate to is not authorized to use CAS.
-screen.service.empty.error.message=The services registry of CAS is empty and has no service definitions. \
-Applications that wish to authenticate with CAS must explicitly be defined in the services registry.
+authenticationFailure.AccountDisabledException=Toto používateľské heslo bolo deaktivované.
+authenticationFailure.AccountLockedException=Toto používateľské heslo bolo uzamknuté.
+authenticationFailure.CredentialExpiredException=Vaše heslo je expirované.
+authenticationFailure.InvalidLoginLocationException=Z tejto pracovnej stanice nie je možné sa prihlásiť.
+authenticationFailure.InvalidLoginTimeException=Vaše používateľské heslo bolo v tomto čase zakázané.
+authenticationFailure.AccountNotFoundException=Nesprávne používateľské meno alebo heslo.
+authenticationFailure.FailedLoginException=Nesprávne používateľské meno alebo heslo.
+authenticationFailure.UNKNOWN=Nesprávne používateľské meno alebo heslo.
+
+INVALID_REQUEST_PROXY=Vaša požiadavka je nekorektne formátovaná. Prosím uistite sa že všetky požadované parametre sú v požiadavke a sú správne formátované.
+INVALID_TICKET_SPEC=Ticket neprešiel validáciou. Možná príčina je validácia Proxy Ticketu cez Service Ticket validator.
+INVALID_REQUEST='service' a 'ticket' parametre sú povinné
+INVALID_TICKET=Ticket ''{0}'' nebol rozpoznaný
+INVALID_SERVICE=Ticket ''{0}'' nezodpovedá dodanej službe. Pôvodná služba bola ''{1}'' a dodaná bola ''{2}''.
+INVALID_PROXY_CALLBACK=Dodaný proxy callback url ''{0}'' nemôže byť authentifikovaný.
+UNAUTHORIZED_SERVICE_PROXY=Dodaná služba ''{0}'' nie je autorizovaná na použitie CAS autentifikácie.
+
+screen.service.error.header=Aplikácia nie je autorizovaná na použitie CAS
+service.not.authorized.missing.attr=Nie ste autorizovaný na prístup k aplikácii pretože Vaše používateľské konto \
+neobsahuje privilégiá požadované serverom CAS na autentifikáciu do tejto služby. Prosím oboznámte Vášho správcu systému.
+screen.service.error.message=Aplikácia do ktorej sa pokúšate prihlásiť nie je autorizovaná na použitie týmto CAS serverom.
+screen.service.empty.error.message=Register služieb serveru CAS je prázdny a neobsahuje definície služieb. \
+Aplikácia ktorá sa chce autentifikovať serverom CAS musí byť explicitne definovaná v registri služieb.
 # Password policy
-password.expiration.warning=Your password expires in {0} day(s). Please change your password now.
-password.expiration.loginsRemaining=You have {0} login(s) remaining before you MUST change your password.
-screen.accountdisabled.heading=This account has been disabled.
-screen.accountdisabled.message=Please contact the system administrator to regain access.
-screen.accountlocked.heading=This account has been locked.
-screen.accountlocked.message=Please contact the system administrator to regain access.
-screen.expiredpass.heading=Your password has expired.
-screen.expiredpass.message=Please change your password.
-screen.mustchangepass.heading=You must change your password.
-screen.mustchangepass.message=Please change your password.
-screen.badhours.heading=Your account is forbidden to login at this time.
-screen.badhours.message=Please try again later.
-screen.badworkstation.heading=You cannot login from this workstation.
-screen.badworkstation.message=Please contact the system administrator to regain access.
+password.expiration.warning=Vaše heslo expiruje za {0} deň/dní. Prosím zmente Vaše heslo teraz.
+password.expiration.loginsRemaining=Máte {0} prístup(ov) k dispozícii kým MUSÍTE zmeniť Vaše heslo.
+screen.accountdisabled.heading=Toto používateľské konto bolo deaktivované.
+screen.accountdisabled.message=Prosím kontaktujte systémového administrátora na opätovné získanie prístupu.
+screen.accountlocked.heading=Toto používateľské konto bolo uzamknuté.
+screen.accountlocked.message=Prosím kontaktujte systémového administrátora na opätovné získanie prístupu.
+screen.expiredpass.heading=Vaše heslo expirovalo.
+screen.expiredpass.message=Prosím zmente svoje heslo.
+screen.mustchangepass.heading=Je nutné zmeniť Vaše heslo.
+screen.mustchangepass.message=Prosím zmente svoje heslo.
+screen.badhours.heading=Vaše používateľské konto je v tomto momente zakázané.
+screen.badhours.message=Prosím skúste znovu neskôr.
+screen.badworkstation.heading=Nie je možné sa prihlásiť z tejto pracovnej stanice.
+screen.badworkstation.message=Na opätovné získanie prístupu prosím kontaktujte administrátora.
 # OAuth
 screen.oauth.confirm.header=Authorizácia
@@ -102,4 +102,4 @@ screen.oauth.confirm.allow=Povoliť
 # Unavailable
 screen.unavailable.heading=CAS je nedostupný
-screen.unavailable.message=Pri spracovaní požiadavkz nastala chyba. Prosím informujte podporu alebo skúste znovu.
+screen.unavailable.message=Pri spracovaní požiadavky nastala chyba. Prosím informujte podporu alebo skúste znovu.
From 1ed9a121343fce37de3d63b7b91c63d2dd9ccfaf Mon Sep 17 00:00:00 2001
From: Peter Klimo
Date: Tue, 16 Jun 2015 15:52:46 +0200
Subject: [PATCH 18/18] updating poms for branch'ODN_v1.0.3' with non-snapshot versions
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 14f5f84..163e6eb 100755
--- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ sk.eea.edem odn-cas-overlay war - 1.0.3-SNAPSHOT + 1.0.3
