| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.
This also fixes up some unrelated unit test failures.
|
| |
|
|
| |
https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
|
| | |
|
| |
|
|
| |
The options in question is '--raw'.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- attribute re-mapping, ordering and hiding
(Enables plugins to completely hide LDAP internals from users
and full localisation of command output.)
- translation of member DNs into object names
(No more DNs when listing group members etc.)
- support for "singleton" LDAP objects
(Objects like "pwpolicy"; not accessed by primary key.)
- new base classes for commands: LDAPModMember, LDAPAddMember
and LDAPRemoveMember
(Providing support for objects with 'member'-like attributes.)
- LDAPSearch implicit exit code changed to 1 when nothing is found
|
| |
|
|
| |
Also prevent a few cases of double processing of arguments.
|
| | |
|
| |
|
|
| |
Also print multiple values on one line separated by commas.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We used to use certutil -O to determine the cert chain to trust. This
behavior changed in F-11 such that untrusted CAs are not displayed.
This is only used when we import PKCS#12 files so use pk12util -l to
display the list of certs and keys in the file to determine the nickname(s)
of the CAs to trust.
509111
|
| |
|
|
|
|
|
|
|
|
| |
sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so
this will use hashlib if available but fall back onto sha if not.
Fortunately they use the same API for the function we need.
509042
Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
- Add some logging so we have a better idea of what happened if things fail
- Default to self-signed CA to trust if one is not found. This will fix
the self-signed CA case where certutil doesn't return untrusted CA's in
-O output.
- Remove unused httplib import
Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
|
| | |
|
| |
|
|
|
|
|
| |
The ipa-replica-install script will setup the DNS if user specifies the
--setup-dns option. It will only add the zone into LDAP if the
cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add
the records.
|
| |
|
|
| |
Also, small cosmetic change in dns.ldif.
|
| | |
|
| |
|
|
|
|
|
|
| |
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.
Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
|
| | |
|
| |
|
|
|
|
| |
The newest 389 server implements syntax checking and causes problems if
the boolean attribute is set to "True". The correct value should be
"TRUE".
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This is needed for automount support on Solaris
http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
|
| |
|
|
|
|
|
|
| |
Returning the exception value doesn't work because a shell return value
is in the range of 0-255.
The default return value is 1 which means "something went wrong." The only
specific return value implemented so far is 2 which is "not found".
|
| |
|
|
|
| |
Since we may end up executing a *-show when an entry is selected we need
to defer destroying the connection context.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.
This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
|
| |
|
|
|
| |
We use /etc/named.keytab generated by ipa-server-install to authenticate
against the LDAP server. Also tidy up /etc/named.conf since we're there.
|
| |
|
|
|
|
|
|
| |
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.
Signed-off-by: Martin Nagy <mnagy@redhat.com>
|
| | |
|
| |
|
|
|
| |
This makes them more consistent with entries created by plugins.
It's a cosmetic thing, not that useful.
|
| |
|
|
| |
Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
|
| |
|
|
|
|
| |
version of python-ldap. Fix bug in add_entry_to_group.
Resolves 510149
|
| |
|
|
|
| |
Older python-ldap versions will crash if you call ldap.get_option()
on a value that has not been set.
|
| |
|
|
| |
more efficient.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
