| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.
This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed
This does not change the KDC at all, just removes entries from a file
on the client machine.
|
| | |
|
| |
|
|
|
|
|
| |
This assumes that the developer has the equivalent of a selfsign CA
installed. To do this, install IPA without a CA and copy
/etc/httpd/alias/*.db to ~/.ipa/alias and
/etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
|
| | |
|
| |
|
|
|
|
| |
The idnsUpdatePolicy takes a list of BIND dynamic update policies, each
of which must be terminated by ";". Also fix a minor error in the
documentation string.
|
| | |
|
| |
|
|
|
| |
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
|
| | |
|
| |
|
|
|
|
|
|
| |
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.
Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.
This wipes out the last vestiges of the old ipa.conf from v1.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
|
| |
|
|
|
|
|
|
|
| |
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.
Subject alt names are only allowed if:
- the host for the alt name exists in IPA
- if binding as host principal, the host is in the services managedBy attr
|
| |
|
|
|
|
|
| |
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.
This also lets the caller get the contents of stdout and stderr.
|
| |
|
|
|
| |
Sometimes they worked fine and sometimes DS rejected them
as invalid.
|
| | |
|
| | |
|
| |
|
|
| |
Full docstring is shown on `ipa help COMMAND`.
|
| |
|
|
|
|
|
|
|
|
| |
This policy should really be provided by dogtag. We don't want
to grant read/write access to everything dogtag can handle so we
change the context to cert_t instead. But we have to let dogtag
read/write that too hence this policy.
To top it off we can't load this policy unless dogtag is also loaded
so we insert it in the IPA installer
|
| |
|
|
|
|
|
|
| |
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.
The DS db wasn't getting a password set on it. Go ahead and set one.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The parsing bug was looking for the string 'version' expecting to find
the ACI version. This blew up with the attribute nsosversion. Use
the string 'version 3.0' instead.
The comparison bug appeared if neither ACI had a targetattr attribute.
It was trying to create a set out of a None which is illegal. If an
ACI doesn't have any targetattrs then return () instead.
|
| |
|
|
| |
This will fetch a keytab on installation and remove it upon uninstallation.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM
on Fedora) is created in the regular keytab format instead of the older
less-portable one. Based from comments and code in kt_file.c, here's a
change to try to recognize that case (the file starts with a magic
number) and read the master key from Python.
The KDC will still read either format, so I left the bits that set
things up on replicas alone (advice appreciated). The patch works as
expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional
stash file) and on Raw Hide (krb5 1.7 with a keytab).
|
| |
|
|
|
|
|
|
|
|
| |
This modifies the original patch by including a unit test, handling floats
when passed as unicode, and handling large magnitude values beyond maxint.
The INT parameter class was not respecting any radix prefix (e.g. 0x) the user
may have supplied. This patch implements _convert_scalar method for the Int
class so that we can pass the special radix base of zero to the int constructor
telling it to determine the radix from the prefix (if present).
|
| |
|
|
|
|
| |
ipa.spec.in | 3 ++-
ipapython/nsslib.py | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: John Dennis <jdennis@redhat.com>
along with stdout,stderr also log the initial command
This implements better logging of external commands. Formerly we were
just outputting stdout and stderr without labeling which was which. We
also omitted the initial command and it's arguments. This made it
difficult when reviewing the logs to know what the command was and
what was stdout vs. stderr. This patch fixes that.
|
| |
|
|
|
|
|
|
|
|
| |
Signed-off-by: John Dennis <jdennis@redhat.com>
If plugin fails to load log the traceback
If a plugin fails to load due to some kind of error it would be nice
if the error log contained the traceback so you can examine what went
wrong rather than being left blind as to why it failed to load.
|
| |
|
|
|
| |
ipaserver/plugins/rabase.py | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
|
| |
|
|
| |
add new error class for certificate operations
|
| |
|
|
| |
error strings in documentation were missing unicode specifier
|
| |
|
|
|
| |
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
|
| | |
|
| |
|
|
|
|
|
| |
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
|
| |
|
|
|
|
|
| |
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
overlap.
|
| | |
|
| | |
|
| |
|
|
| |
Previously we only filtered None values, but it turns out that's not enough.
|
| |
|
|
|
|
|
|
| |
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
|
| | |
|
| |
|
|
|
|
|
| |
If an exception is not handled here then the context isn't destroyed
leaving at least an LDAP connection dangling. This means the next time
this thread/process tries to handle a connection it will fail because
a context already exists.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces 2 new params: --setattr and --addattr
Both take a name/value pair, ala:
ipa user-mod --setattr=postalcode=20601 jsmith
--setattr replaces or sets the current attribute to the value
--addattr adds the value to an attribute (or sets a new attribute)
OptionsParser allows multiple versions of this, so you can have multiple
setattr and addattr, either for the same attribute or for different
attributes.
ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith
Values are silent dropped if either of these on an existing param:
ipa user-mod --setattr=givenname=Jerry jsmith
Is a no-op.
|
| |
|
|
|
| |
A parameter needs to have multivalue set in order to work on lists/tuples
and even then _convert_scalar() will be sent one value at a time.
|
| | |
|
| | |
|
