freeipa.git/ipaserver/plugins/rabase.py, branch oneway-trust FreeIPA project plugable: Pass API to plugins on initialization rather than using set_api 2015-07-01T13:05:30+00:00 Jan Cholasta jcholast@redhat.com 2015-06-22T10:58:43+00:00 e39fe4ed31042bd28357d093fdbd93b4d6d59aaa https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add profile_id parameter to 'request_certificate' 2015-06-04T08:27:33+00:00 Fraser Tweedale ftweedal@redhat.com 2015-05-08T06:23:24+00:00 4cf2bfcaa62e9220fdeee952bf719452884507cd Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Add the profile_id parameter to the 'request_certificate' function
and update call sites.

Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipaplatform: Move all filesystem paths to ipaplatform.paths module 2014-06-16T17:48:20+00:00 Tomas Babej tbabej@redhat.com 2014-05-29T12:47:17+00:00 4d2ef43f287aa96df3d65b97977fc7a824b6b33c https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Drop --selfsign server functionality 2013-04-15T20:56:12+00:00 Petr Viktorin pviktori@redhat.com 2013-03-27T13:25:18+00:00 e736e75ce9724ae8298a5b69d093313cd6e62b60 Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494 
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
Implement the cert-find command for the dogtag CA backend. 2013-02-19T16:52:33+00:00 Rob Crittenden rcritten@redhat.com 2012-11-15T15:55:33+00:00 462beacc9d13968128fa320d155016df2d72a20a Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528 
Use a new RESTful API provided by dogtag 10+. Construct an XML document
representing the search request. The output is limited to whatever dogtag
sends us, there is no way to request additional attributes other than
to read each certificate individually.

dogtag uses a boolean for each search term to indicate that it is used.
Presense of the search item is not enough, both need to be set.

The search operation is unauthenticated

Design page: http://freeipa.org/page/V3/Cert_find

https://fedorahosted.org/freeipa/ticket/2528
Raise NotImplementedError for selfsigned cert-remove-hold 2011-02-17T22:34:01+00:00 Jakub Hrozek jhrozek@redhat.com 2011-02-17T19:35:50+00:00 817dac3f043d2700a565dcd64666da69eb458cc4 






Change FreeIPA license to GPLv3+
2010-12-20T22:19:53+00:00

Jakub Hrozek
jhrozek@redhat.com

2010-12-09T12:59:11+00:00

7493d781dfcaa7995f7864a09ad39ba6a89f1a9c

The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239





The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239







Remove older MITM fixes to make compatible with dogtag 1.3.3
2010-04-19T14:04:25+00:00

Rob Crittenden
rcritten@redhat.com

2010-03-30T19:27:28+00:00

70049496e3cfe0db01a58bcc51c7ea13e6caac24

We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.





We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.







Make NotImplementedError in rabase return the correct function name
2009-11-19T21:18:45+00:00

John Dennis
jdennis@redhat.com

2009-11-19T21:18:45+00:00

ce3df4f74ab66ee9e041d8ca12294fb621468298

ipaserver/plugins/rabase.py |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)





ipaserver/plugins/rabase.py |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)







Add external CA signing and abstract out the RA backend
2009-09-15T14:01:08+00:00

Rob Crittenden
rcritten@redhat.com

2009-09-10T20:15:14+00:00

49b36583a50e7f542e0667f3e2432ab1aa63924e

External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())





External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())