summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Enforce existence of 389-ds header files.Rob Crittenden2010-08-061-0/+7
| | | | ticket #82
* Check to see if the command is available before running command tests.Rob Crittenden2010-08-062-2/+12
|
* Fix RPC tests. The method comes back as a unicode from xmlrpclib.Rob Crittenden2010-08-061-2/+2
|
* Add optional error message to pattern validatorRob Crittenden2010-08-065-3/+51
| | | | | | | | | The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11
* Skip the i18n test if the test language has not been builtRob Crittenden2010-08-061-0/+6
|
* Require that hosts be resolvable in DNS. Use --force to ignore warnings.Rob Crittenden2010-08-0612-33/+99
| | | | | | | | | | | | | This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
* Have the env plugin print all attributes by defaultRob Crittenden2010-08-061-0/+11
| | | | ticket #113
* Fix replacing a certificate in a service.Rob Crittenden2010-08-062-14/+42
| | | | | | | | | | | | When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
* Add framework for other command-line tests, starting with ipa-getkeytab.Rob Crittenden2010-08-062-0/+210
|
* Fix this test to work from source tree rootRob Crittenden2010-08-061-2/+2
| | | | | | | | It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method. If you want to run it individually you can do: $ ./make-test tests/test_ipalib/test_text.py
* Add hbac service for su-l, su with a login shellRob Crittenden2010-08-061-0/+6
|
* Changes to the install and config files to support deploying the javascript ↵Adam Young2010-08-064-0/+23
| | | | code.
* The Javascript code for the new web UIAdam Young2010-08-0633-0/+10392
| | | | Now with whitespace cleanup.
* Images for the Javascript Based webui.Adam Young2010-08-0623-0/+0
| | | | These are all binary files, in png format.
* whoami plugin.Adam Young2010-08-051-0/+41
| | | | | | It returns the user prinicpal. This is required by the webui, as the Kerberos credential mechanism in http does not expose the cleartext prinicpal to the web browser.
* Add container and initial ACIs for entitlement supportRob Crittenden2010-07-292-0/+43
| | | | | | | | The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-2911-481/+158
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* Add some basic tests for ipalib/x509Rob Crittenden2010-07-291-0/+139
|
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-2917-675/+4
| | | | Javascript based ui.
* 1. Schema cleanupDmitri Pal2010-07-211-13/+12
| | | | | | | | | | | | The ipaAssociation is the core of different association object. It seems that the service is an exception rather then rule. So it is moved into the object where it belongs. Fixed matching rules and some attribute types. Addressing ticket: https://fedorahosted.org/freeipa/ticket/89 Removed unused password attribute and realigned OIDs.
* Become IPA v2 alpha 4 (1.9.0.pre4)alpha_4-1-9-0Rob Crittenden2010-07-151-1/+1
|
* Fix netgroup plugin to use correct member attribute names.Rob Crittenden2010-07-152-70/+148
| | | | | | | | | When the netgroup plugin was rebased it ended up using the member attribute for its memberships and not memberuser/memberhost. I also fixed this same attribute problem in the tests and tried to beef them up a little. If nis/schema compat are enabled it will try to compare the generated triplets with a known-good value.
* Fix nis netgroup configurationRob Crittenden2010-07-151-1/+11
| | | | | | | | This was originally configured to pull from the compat area but Nalin thinks that is a bad idea (and it stopped working anyway). This configures the netgroup map to create the triples on its own. Ticket #87
* Fix ipa-compat-manage and ipa-nis-manageRob Crittenden2010-07-152-54/+100
| | | | | | | | | | | | | | | Neither of these was working properly, I assume due to changes in the ldap backend. The normalizer now appends the basedn if it isn't included and this was causing havoc with these utilities. After fixing the basics I found a few corner cases that I also addressed: - you can't/shouldn't disable compat if the nis plugin is enabled - we always want to load the nis LDAP update so we get the netgroup config - LDAPupdate.update() returns True/False, not an integer I took some time and fixed up some things pylint complained about too. Ticket #83
* Use newer API in ipalib/x509 and add missing import.Rob Crittenden2010-07-152-6/+2
| | | | The import was only used when running the in-tree lite-server
* Clean up crypto code, take advantage of new nss-python capabilitiesRob Crittenden2010-07-155-338/+147
| | | | | | | | This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
* Add API to delete a service principal key, service-disable.Rob Crittenden2010-07-136-7/+149
| | | | | | | | | | | | I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
* Add test to ensure that a certificate we issue is actually stored properly.Rob Crittenden2010-07-131-2/+32
|
* Include contents of has_output_params in get_output_paramsRob Crittenden2010-07-131-0/+2
|
* Add separate var for search attributes and config attribute for search fieldsRob Crittenden2010-07-133-1/+17
| | | | | | | | Add an optional search_attributes variable in case the attributes you want to display by default aren't what you want to search on. Also link in any cn=ipaconfig attributes that contain a comma-separated list of attributes to search on.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-126-22/+36
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Change expected aci summary from Updated to Modify in test casesRob Crittenden2010-07-061-4/+4
|
* Clean up imports of hbacsvc pluginRob Crittenden2010-07-061-6/+4
| | | | I used pylint to identify a bunch of unnecessary and too-broad imports
* Add support for User-Private GroupsRob Crittenden2010-07-067-19/+119
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Fix indentation problem causing build breakageRob Crittenden2010-06-241-2/+2
|
* Include missing file from version plugin and update min version of 389-dsRob Crittenden2010-06-242-2/+57
|
* Don't try to convert a host's password into a keytab.Rob Crittenden2010-06-241-5/+15
| | | | | | | | | | The migration plugin uses a pre-op function to automatically create kerberos credentials when binding using a password. The problem is that we do a simple bind when doing password-base host enrollment. This was causing krbPasswordExpiration to be set which isn't what we want for hosts. They really shouldn't go through this code at all.
* Add maintainer-clean targetRob Crittenden2010-06-241-0/+2
|
* Replication version checking.Rob Crittenden2010-06-249-0/+297
| | | | | | | | Whenever we upgrade IPA such that any data incompatibilities might occur then we need to bump the DATA_VERSION value so that data will not replicate to other servers. The idea is that you can do an in-place upgrade of each IPA server and the different versions own't pollute each other with bad data.
* Fix aci_mod command. It should handle more complex operations now.Rob Crittenden2010-06-242-68/+265
| | | | | | | | | | | The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI. I also switched the ACI tests to be declarative and added a lot more cases around the modify operation.
* First pass at per-command documentationRob Crittenden2010-06-2217-7/+432
|
* Add separate role group for enrolling hosts, enrollhostRob Crittenden2010-06-221-0/+8
|
* Remove unused attribute serviceName and re-number schemaRob Crittenden2010-06-211-8/+7
| | | | | | serviceName was originally part of the HBAC rules. We dropped it to use a separate service object instead so we could more easily do groups of services in rules.
* Retrieve the CA certificate before starting enrollment.Rob Crittenden2010-06-211-2/+9
| | | | | We need the CA certificate so we can use SSL when binding with a one-time password (bulk enrollment)
* Drop --with-openldap option in the client. This is no longer optional.Rob Crittenden2010-06-214-41/+36
|
* use NSS for SSL operationsJohn Dennis2010-06-157-434/+175
|
* Connect the -v cli argument to the verbose flag in xmlrpclibRob Crittenden2010-06-035-9/+12
| | | | | | If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
* Increase supported weeks per month from 4 to 6 in AccessTime() typeRob Crittenden2010-06-031-1/+1
|
* Remove Requires on separate package python-krbV in clientRob Crittenden2010-06-022-4/+10
| | | | | | We need the configured kerberos realm so we can clean up /etc/krb5.keytab. We have this already in /etc/ipa/default.conf so use that instead of requiring a whole other python package to do it.
* Catch the condition where dogtag is already configured (no preop.pin)Rob Crittenden2010-06-011-0/+3
| | | | | | | | This causes the installation to blow up badly otherwise. To remove an existing instance run: # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
generated by cgit (git 2.34.1) at 2024-06-23 10:31:59 +0000