summaryrefslogtreecommitdiffstats
path: root/ipa-client/man
Commit message (Collapse)AuthorAgeFilesLines
* Switch client to JSON-RPCPetr Viktorin2013-11-261-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals. The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json. The rpc_json_uri env variable existed before, but was unused, undocumented and not set the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri). Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'. Make backend.Executioner and tests use the backend specified by rpc_protocol. For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists. Design: http://freeipa.org/page/V3/JSON-RPC Ticket: https://fedorahosted.org/freeipa/ticket/3299
* Add nsswitch.conf to FILES section of ipa-client-install man pageMartin Kosek2013-10-291-0/+1
| | | | | | This file is always updated when client is installed or uninstalled. https://fedorahosted.org/freeipa/ticket/3995
* Add option to ipa-client-install to configure automountAna Krivokapic2013-09-051-1/+5
| | | | | | | Add the --automount-location option to ipa-client-install. If the option is used, ipa-client-automount is called at the end of ipa-client-install. https://fedorahosted.org/freeipa/ticket/3740
* Improve help entry for ipa hostTomas Babej2013-08-061-0/+25
| | | | | | | | Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment. https://fedorahosted.org/freeipa/ticket/3820
* Remove entitlement supportMartin Kosek2013-06-261-1/+0
| | | | | | | Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code. https://fedorahosted.org/freeipa/ticket/3739
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-151-1/+1
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Allow host re-enrollment using delegationTomas Babej2013-03-251-1/+4
| | | | | | | | | | A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482
* Add support for re-enrolling hosts using keytabTomas Babej2013-03-122-0/+6
| | | | | | | | | | | | | | | | | | A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374
* Add autodiscovery section in ipa-client-install man pagesMartin Kosek2013-02-191-6/+28
| | | | | | | Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-071-0/+3
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-211-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Refactoring of default.conf man pageTomas Babej2012-10-221-37/+49
| | | | | | | | | Description for the 'dogtag_version', 'startup_timeout', 'server', 'wait_for_attr' option has been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically. https://fedorahosted.org/freeipa/ticket/3071
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-3/+3
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-171-3/+3
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos.Yuri Chornoivan2012-09-184-4/+4
| | | | https://fedorahosted.org/freeipa/ticket/3089
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-131-0/+3
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Adding exit status 3 & 4 to ipa-client-install man pageGowrishankar Rajaiyan2012-07-121-0/+4
|
* Make client server option multi-valued, allow disabling DNS discoveryRob Crittenden2012-07-101-2/+2
| | | | | | | | | | | | | Let the --server option be specified multiple times on the command line. The first one passed in is the one we enroll against. Do additional verification before setting dnsok so we can be sure that the record(s) were actually discovered in DNS. If servers are provided on the CLI and --fixed-primary is set then _srv_ is not added to ipa_server in sssd.conf. https://fedorahosted.org/freeipa/ticket/2841
* Typo fixesPetr Viktorin2012-06-251-1/+1
|
* Configure automount using autofs or sssd.Rob Crittenden2012-06-252-0/+90
| | | | | | | | | | | This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps. NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps. https://fedorahosted.org/freeipa/ticket/1233 https://fedorahosted.org/freeipa/ticket/2193
* Add flag to ipa-client-install to managed order of ipa_server in sssdRob Crittenden2012-06-131-1/+4
| | | | | | | | The --fixed-primary flag determine the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first. https://fedorahosted.org/freeipa/ticket/2282
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.confRob Crittenden2012-03-141-1/+33
| | | | | | | | | Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810
* Add --noac option to ipa-client-install man pageRob Crittenden2012-03-041-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/2369
* Implement session activity timeoutJohn Dennis2012-02-271-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
* Add client hostname requirements to manMartin Kosek2012-02-271-1/+6
| | | | | | | | Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information. https://fedorahosted.org/freeipa/ticket/1967
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-131-0/+6
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-131-0/+3
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* add session manager and cache krb authJohn Dennis2012-02-091-7/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* Fix ipa-client-install -U option alignmentMartin Kosek2011-10-141-0/+1
|
* Document --preserve-sssd option of ipa-client-installAlexander Bokovoy2011-10-141-0/+9
| | | | | | | | | | | Add documentation about --preserve-sssd, an ipa-client-install's option to honor previously available SSSD configuration in case it is not possible to merge it cleanly with the new one. In this case ipa-client-install will fail and ask user to fix SSSD config before continuing. Additional fix for https://fedorahosted.org/freeipa/ticket/1750 https://fedorahosted.org/freeipa/ticket/1769
* Make ipa-join work against an LDAP server that disallows anon bindsRob Crittenden2011-10-111-1/+4
| | | | | | | | | | | | | | | We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it. Re-order the bind so when doing an OTP enrollment so we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment. If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed. https://fedorahosted.org/freeipa/ticket/1935
* Improve ipa-join man pageMartin Kosek2011-09-071-1/+12
| | | | | | Make it clear in man pages that ipa-join -u does not remove keytab. https://fedorahosted.org/freeipa/ticket/1317
* Improve man pages structureMartin Kosek2011-09-075-29/+38
| | | | | | | | | | | | | | | | There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed. To further improve man pages: 1) All man pages were changed to have the same header and top-center title to provide united look. 2) Few typos in man pages have been fixed https://fedorahosted.org/freeipa/ticket/1687
* Modify /etc/sysconfig/network on a client when IPA manages hostnameAlexander Bokovoy2011-07-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1368
* Configure SSSD to store user password if offline.Jan Cholasta2011-07-141-0/+3
| | | | ticket 1359
* Consolidate man pages and IPA tools helpMartin Kosek2011-05-121-7/+7
| | | | | | | | IPA tools options are not consistent with information in man pages. https://fedorahosted.org/freeipa/ticket/1163 https://fedorahosted.org/freeipa/ticket/1178
* Bad return values for ipa-rmkeytab commandMartin Kosek2011-05-031-1/+1
| | | | | | | | | ipa-rmkeytab returns success even when the realm passed to the program is not found in a keytab. This patch adds an explanatory error message and returns error code 5 - Principal or realm not found. https://fedorahosted.org/freeipa/ticket/694
* Suppress --on-master from ipa-client-install command-line and man page.Rob Crittenden2011-04-121-3/+0
| | | | | | | | This option is only used when configuring an IPA client on an IPA server. Describing it on the command-line will only confuse people so don't list it as an option. Ticket 1050
* Add man page for the IPA configuration fileRob Crittenden2011-02-232-2/+187
| | | | ticket 969
* Document --enable-dns-updates in ipa-client-install man pageJakub Hrozek2011-02-211-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/991
* Fixes in ipa-join man pageJan Zeleny2011-02-181-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787
* Fix a typo in ipa-client-install man pageJan Zeleny2011-02-151-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/782
* Add an option for overriding the hostname value.Rob Crittenden2011-01-261-0/+3
| | | | Ticket 834
* Unchecked return values in ipa-joinMartin Kosek2011-01-121-0/+2
| | | | | | | | | | | krb5_get_default_realm() and asprintf() return values were ignored. This could lead to unhandled error issues or memory access issues. This patch adds return value checks to all such functions. As a consequence, one new return value has been added to man page. https://fedorahosted.org/freeipa/ticket/720
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-204-24/+24
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fixing typos in man page of ipa-getkeytabGowrishankar Rajaiyan2010-12-201-2/+2
|
* Add missing options to ipa-getkeytab man page.Rob Crittenden2010-10-111-8/+20
| | | | ticket 229
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-203-44/+119
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-0/+2
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
generated by cgit (git 2.34.1) at 2024-05-17 21:20:19 +0000