summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Use new service schema for HBAC testsRob Crittenden2010-05-171-3/+35
|
* Replace old pwpolicy plugin with new one using baseldap, fix tests.Rob Crittenden2010-05-175-919/+254
| | | | Fix deletion of policy when a group is removed.
* Add groups of services to HBACRob Crittenden2010-05-176-11/+323
| | | | | | | Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
* Remove left-over debugging statementRob Crittenden2010-05-141-2/+0
|
* Correctly handle EmptyModlist exception in pwpolicy2-mod.Pavel Zuna2010-05-141-7/+15
| | | | | | | | | | | EmptyModlist exception was generated by pwpolicy2-mod when modifying policy priority only. It was because the priority attribute is stored outside of the policy entry (in a CoS entry) and there was nothing left to be changed in the policy entry. This patch uses the new exception callbacks in baseldap.py classes to catch the EmptyModlist exception and checks if there was really nothing to be modified before reraising the exception.
* Add exception callback (exc_callback) to baseldap.py classes.Pavel Zuna2010-05-141-33/+150
| | | | | | It enables plugin authors to supply their own handlers for ExecutionError exceptions generated by calls to ldap2 made from the execute method of baseldap.py classes that extend CallbackInterface.
* Update Kannada translationsJohn Dennis2010-05-111-80/+904
|
* Become IPA v2 alpha 3 (1.9.0.pre3)alpha_3-1-9-0Rob Crittenden2010-05-071-1/+1
|
* Check to see if we are configured before uninstalling.Rob Crittenden2010-05-071-1/+5
| | | | Allow the --force flag to override on both install and uninstall
* Add simple test to see if client is already configuredRob Crittenden2010-05-062-0/+12
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
* Make calling service and chkconfig tolerant of the service not installedRob Crittenden2010-05-061-9/+59
| | | | | For example, if nscd is not installed this would throw lots of errors about not being able to disable it, stop it, etc.
* Call certmonger after krb5, avoid uninstall errors, better password handling.Rob Crittenden2010-05-062-23/+52
| | | | | | | | | - Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode
* Initialize XML-RPC structures to fix issues uncovered by MALLOC_PERTURB_Rob Crittenden2010-05-061-13/+11
| | | | | | | Also re-arrange some code around reading the configuration file. In trying to eliminate bogus error messages I prevented the file from being read at all. It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't work if you don't pass in a server name.
* named.conf: Add trailing dot to the fake_mnameMartin Nagy2010-05-061-1/+1
| | | | | Yet another trailing dot issue, but this one was kept hidden because only the latest bind-dyndb-ldap package uses the fake_mname option.
* Add new password policy plugin based on baseldap.py classes.root2010-05-052-0/+522
|
* Increase the attributes we display by default and fix up some labels.Rob Crittenden2010-05-051-2/+8
|
* Create default HBAC rule allowing any user to access any host from any hostRob Crittenden2010-05-055-4/+32
| | | | | | | | | This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all
* Add weekly periodic schedule to AccessTime param type.root2010-05-042-3/+4
| | | | Fix bug #588414
* Handle CSRs whether they have NEW in the header or notRob Crittenden2010-05-034-23/+10
| | | | Also consolidate some duplicate code
* Add test cases for AccessTime param and fix some problems in AccessTimeRob Crittenden2010-05-032-4/+50
|
* Make the installer/uninstaller more aware of its stateRob Crittenden2010-05-0310-15/+65
| | | | | | | | | | | | | | We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
* Set SO_REUSEADDR when determining socket availabilityRob Crittenden2010-05-031-0/+2
| | | | | | The old perl DS code for detection didn't set this so was often confused about port availability. We had to match their behavior so the installation didn't blow up. They fixed this a while ago, this catches us up.
* Fix output of summary and embedded dictionariesRob Crittenden2010-05-031-3/+3
| | | | | | | Summaries were appearing as "Gettext(...") Embedded dictionaries, such as group membership failures, didn't have labels so were basically just being dumped.
* client installation fixes: nscd, sssd min version, bogus join errorRob Crittenden2010-05-033-13/+28
| | | | | | - Don't run nscd if using sssd, the caching of nscd conflicts with sssd - Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes - only try to read the file configuration if the server isn't passed in
* Reorder some things in the client installerRob Crittenden2010-05-031-16/+27
| | | | | | - Fetch the CA cert before running certmonger - Delete entries from the keytab before removing /etc/krb5.conf - Add and remove the IPA CA to /etc/pki/nssdb
* Remove some duplicated schemaRob Crittenden2010-04-301-9/+0
| | | | | Newer versions of 389-ds provide this certificate schema so no need to provide it ourselves.
* Fix a couple of syntax errors in the installer.Rob Crittenden2010-04-271-2/+5
| | | | I meant to push these along with the original patch but pushed the wrong one.
* Add file with example plugins/tutorial.Pavel Zuna2010-04-271-0/+437
| | | | | | Note that this is still work in progress and will be finished in another patch. Specifically, it currently doesn't cover baseldap.py classes.
* Replace a new instance of IPAdmin use in ipa-server-install.Pavel Zuna2010-04-272-16/+19
|
* Some more changes for DNS forwarders promptMartin Nagy2010-04-231-3/+3
|
* Add forgotten trailing dots in DNS recordsMartin Nagy2010-04-232-4/+11
| | | | 583023
* Connect to the ldap during the uninstallationMartin Nagy2010-04-231-8/+28
| | | | | | We need to ask the user for a password and connect to the ldap so the bind uninstallation procedure can remove old records. This is of course only helpful if one has more than one IPA server configured.
* Delete old SRV records during uninstallationMartin Nagy2010-04-231-11/+68
|
* Accept unicode for sysrestoreMartin Nagy2010-04-231-2/+2
|
* Don't require kerberos principal with the LDAP password change operation.Rob Crittenden2010-04-231-26/+42
| | | | | | This was preventing ldappasswd from resetting a password. 471287
* Return more specific errors when returning an LDAP_OPERATIONS_ERRORRob Crittenden2010-04-231-10/+16
| | | | 472332
* Use the certificate subject base in IPA when requesting certs in certmonger.Rob Crittenden2010-04-234-9/+103
| | | | | | | | | | | | | | | | | When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value. The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA. This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing. Note that this also fixes ipa-join to work with the new argument passing mechanism.
* Fix installing IPA with an external CARob Crittenden2010-04-232-5/+19
| | | | | | | | - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
* Use correct name for CA PKCS#12 file.Rob Crittenden2010-04-231-2/+2
| | | | I recently renamed this and missed this reference.
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts.Pavel Zuna2010-04-1911-148/+144
|
* Use escapes in DNs instead of quoting.Rob Crittenden2010-04-194-18/+37
| | | | Based on initial patch from Pavel Zuna.
* Remove older MITM fixes to make compatible with dogtag 1.3.3Rob Crittenden2010-04-194-18/+8
| | | | | | | We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than using whether api.env.home is set use api.env.in_tree.
* Fix ipa-dns-install. It was failing when DNS was reinstalling.Pavel Zuna2010-04-191-1/+10
|
* Fix DNS plugin: proper output definitions, --all, dns-add-rr overwrittingPavel Zuna2010-04-191-14/+15
| | | | | | | | | | | | | | The DNS plugin is getting old, tired and already looking forward to his pension in the Carribean. It will be replaced soon by a younger, faster, safer, shorter (in terms of code) and more maintainable version. Until that happens, here's some medicine for the old guy: - proper output definitions: the DNS plugin was created before we had the has_output attribute in place - --all: this is related to the output definitions as Command.get_options() adds the --all and --raw options automatically if has_output contains entries - dns-add-rr overwritting: missing .lower() caused records to be overwritten everytime a new one was added from the CLI
* Enable LDAPObject subclasses to disable DN normalization in their methods.Pavel Zuna2010-04-161-11/+27
|
* Add interface for baseldap plugins to register additional callbacks.Pavel Zuna2010-04-161-27/+139
|
* Fix output of env plugin. It displayed more than it should.Pavel Zuna2010-04-161-0/+2
|
* Enable anonymous VLV so Solaris clients will work out of the box.Rob Crittenden2010-04-161-0/+4
| | | | | | | | Since one needs to enable the compat plugin we will enable anonymous VLV when that is configured. By default the DS installs an aci that grants read access to ldap:///all and we need ldap:///anyone
* Configure the CRL URI in dogtag.Rob Crittenden2010-04-161-1/+4
| | | | | | Also print out a restart message after applying the custom subject. It takes a while to restart dogtag and this lets the user know things are moving forward.
* Use more traditional make notation to build the test languageRob Crittenden2010-04-161-1/+1
|