| Commit message | Author | Age | Files | Lines |
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default, so it does not display the traceback
that led to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the user's uidNumber. When the user is
removed, the group is automatically removed as well.
If the managed entries plugin is not available, or if a specific, separate
range for gidNumber is passed in at install time, then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. It is there because this plugin is currently only available in a 389-ds
alpha release (1.2.6-a4).
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
If it does, then the installation will fail trying to set up the
keytabs, and not in a way that makes you say "aha, it's because the host is
already enrolled."
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will already have been shut down by others (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
Also fix the memberOf attribute for the HBAC services
No longer install the policy or key escrow schemas and remove their
OIDs for now.
594149
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.
588574
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
Newer versions of 389-ds provide this certificate schema, so there is no need to
provide it ourselves.
I meant to push these along with the original patch but pushed the wrong one.
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
I recently renamed this and missed this reference.
Based on initial patch from Pavel Zuna.
Since one needs to enable the compat plugin, we will enable anonymous
VLV when that is configured.
By default the DS installs an aci that grants read access to ldap:///all,
and we need ldap:///anyone.
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config, if an unauthorized user performs a search,
an error is not returned; no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
There are now 3 cases:
- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
for the server certs. The installed CA will still be used by the cert
plugin to issue any server certs.
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
This is required so we can disable anonymous access in 389-ds.
Resolves #529787
Update the po to pick up this change too.
573979
We want to manually make the .pot file, so we shouldn't have anything
in the Makefile which will cause the .pot file to be rebuilt
because of dependencies.
To install IPA without dogtag use the --selfsign option.
The --ca option is now deprecated.
552995