summaryrefslogtreecommitdiffstats
path: root/ipa-client
Commit message (Collapse)AuthorAgeFilesLines
* Drop uniqueMember mapping with nss-pam-ldapd.Rob Crittenden2013-05-021-1/+0
| | | | | | | | | | nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to member so it is no longer needed in the config file, and in fact causes an error to be raised. Add a Conflicts on older versions. https://fedorahosted.org/freeipa/ticket/3589
* Add support for OpenSSH 6.2.Jan Cholasta2013-04-301-21/+42
| | | | | | | Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
* Preserve already configured options in openldap confTomas Babej2013-04-302-11/+65
| | | | | | | | | | | | | We should respect already configured options present in /etc/openldap/ldap.conf when generating our own configuration. With this patch, we only rewrite URI, BASE and TLS_CACERT options only if they are not configured. In the case they are, our suggested configuration is inserted as a comment. Also adds tab as a delimeter character in /etc/openldap/ldap.conf https://fedorahosted.org/freeipa/ticket/3582
* Avoid removing sss from nssswitch.conf during client uninstallTomas Babej2013-04-231-5/+7
| | | | | | | | | This patch makes sure that sss is not removed from nsswitch.conf which causes probles with later uses of sssd. Makes sure that authconfig with --disablesssd option is not executed during ipa client uninstall. https://fedorahosted.org/freeipa/ticket/3577
* Add hint message about --force-join option when enrollment failsTomas Babej2013-04-231-0/+4
| | | | | | | | When client enrollment fails due to the fact that host entry already exists on the server, display an message informing the user about the possibility of using --force-join option. https://fedorahosted.org/freeipa/ticket/3572
* Handle missing /etc/ipa in ipa-client-installAna Krivokapic2013-04-191-0/+9
| | | | | | | | Make sure /etc/ipa is created and owned by freeipa-python package. Report correct error to user if /etc/ipa is missing during client installation. https://fedorahosted.org/freeipa/ticket/3551
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-151-1/+1
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Remove CA cert on client uninstallAna Krivokapic2013-04-041-0/+9
| | | | | | | | The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537
* ipa-client-install: Do not request host certificate if server is CA-lessPetr Viktorin2013-04-021-10/+37
| | | | https://fedorahosted.org/freeipa/ticket/3536
* Remove build warningsMartin Kosek2013-03-291-1/+1
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Allow host re-enrollment using delegationTomas Babej2013-03-252-1/+9
| | | | | | | | | | A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated. See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment https://fedorahosted.org/freeipa/ticket/3482
* Improve client install LDAP cert retrieval fallbackMartin Kosek2013-03-211-1/+1
| | | | | | | | CA certificate retrieval function did not fallback from LDAP to HTTP based retrieval in case of an LDAP error, when for example GSSAPI authentication failed. https://fedorahosted.org/freeipa/ticket/3512
* Use temporary CCACHE in ipa-client-installMartin Kosek2013-03-211-0/+7
| | | | | | | | ipa-client-install failed if user had set his own KRB5CCNAME in his environment. Use a temporary CCACHE for the installer to avoid these kind of errors. https://fedorahosted.org/freeipa/ticket/3512
* ipa-client discovery with anonymous access offMartin Kosek2013-03-201-5/+1
| | | | | | | | | | | | | When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519
* Avoid multiple client discovery with fixed server listMartin Kosek2013-03-141-0/+11
| | | | | | | | | | | | In client discovery module, we used to run up to three discovery processes even though we received a fixed list of servers to connect to. This could result in up to 3 identical "not an IPA server" error messages when the passed server is not an IPA server. Error out immediately when we are discovering against a fixed set of servers. Related to fixes in https://fedorahosted.org/freeipa/ticket/3418
* Preserve order of servers in ipa-client-installMartin Kosek2013-03-141-9/+12
| | | | | | | | | | | | When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418
* Make sure uninstall script prompts for reboot as lastTomas Babej2013-03-131-19/+35
| | | | | | | | | | | Parts of client uninstall logic could be skipped in attended uninstallation if user agreed to reboot the machine. Particulary, the uninstall script would not try to remove /etc/ipa/default.conf and therefore subsequent installation would fail, client being detected as already configured. https://fedorahosted.org/freeipa/ticket/3462 https://fedorahosted.org/freeipa/ticket/3463
* Don't download the schema in ipadiscoveryPetr Viktorin2013-03-131-1/+3
|
* Remove unneeded python-ldap importsPetr Viktorin2013-03-131-2/+0
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-131-42/+49
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Use IPAdmin rather than raw python-ldap in ipa-client-installPetr Viktorin2013-03-131-37/+31
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
* Add support for re-enrolling hosts using keytabTomas Babej2013-03-124-10/+50
| | | | | | | | | | | | | | | | | | A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file. A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options. A new option -f has been added to ipa-join. It forces client to join even if the host entry already exits. A new certificate, ssh keys are generated, ipaUniqueID stays the same. Design page: http://freeipa.org/page/V3/Client_install_using_keytab https://fedorahosted.org/freeipa/ticket/3374
* Use default.conf as flag of IPA client being installedTomas Babej2013-02-221-3/+18
| | | | | | | | | | | | | | When installing / uninstalling IPA client, the checks that determine whether IPA client is installed now take the existence of /etc/ipa/default.conf into consideration. The client will not uninstall unless either something is backed up or /etc/ipa/default.conf file does exist. The client will not install if something is backed up or default.conf file does exist (unless it's installation on master). https://fedorahosted.org/freeipa/ticket/3331
* Add autodiscovery section in ipa-client-install man pagesMartin Kosek2013-02-191-6/+28
| | | | | | | Explain how autodiscovery and failover works and which options are important for these elements. https://fedorahosted.org/freeipa/ticket/3383
* Add LDAP server fallback to client installerRob Crittenden2013-02-073-60/+100
| | | | | | | | | | | | | | Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Pylint cleanup.Jan Cholasta2013-01-291-1/+0
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Don't initialize NSS if we don't have to, clean up unused cert refsRob Crittenden2013-01-231-0/+10
| | | | | | | | | | | Check to see if NSS is initialized before trying to do so again. If we are temporarily creating a certificate be sure to delete it in order to remove references to it and avoid NSS shutdown issues. In the certificate load validator shut down NSS if we end up initializing it. I'm not entirely sure why but this prevents a later shutdown issue if we are passed the --ca-cert-file option.
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-233-55/+408
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Do SSL CA verification and hostname validation.Rob Crittenden2013-01-231-2/+2
|
* Do not crash when Kerberos SRV record is not foundMartin Kosek2013-01-021-2/+3
| | | | | | | | ipa-client-install crashed when IPA server realm TXT record was configured, but the referred domain (lower-case realm value) did not contain any Kerberos SRV record (_kerberos._udp.<realm>.) https://fedorahosted.org/freeipa/ticket/3316
* Enable SSSD on client installMartin Kosek2012-12-181-0/+18
| | | | | | | | | | | authconfig component changed its behavior. It no longer starts and enables SSSD daemon when --enablesssd and --enablesssdauth options are used. It only enables the PAM module and adds SSSD to nsswitch. Enable SSSD on new client/server installs manually. Also make sure that we stop&disable SSSD when we delete the configuration. https://fedorahosted.org/freeipa/ticket/3307
* Compliant client side session cookie behaviorJohn Dennis2012-12-101-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In summary this patch does: * Follow the defined rules for cookies when: - receiving a cookie (process the attributes) - storing a cookie (store cookie + attributes) - sending a cookie + validate the cookie domain against the request URL + validate the cookie path against the request URL + validate the cookie expiration + if valid then send only the cookie, no attribtues * Modifies how a request URL is stored during a XMLRPC request/response sequence. * Refactors a bit of the request/response logic to allow for making the decision whether to send a session cookie instead of full Kerberous auth easier. * The server now includes expiration information in the session cookie it sends to the client. The server always had the information available to prevent using an expired session cookie. Now that expiration timestamp is returned to the client as well and now the client will not send an expired session cookie back to the server. * Adds a new module and unit test for cookies (see below) Formerly we were always returning the session cookie no matter what the domain or path was in the URL. We were also sending the cookie attributes which are for the client only (used to determine if to return a cookie). The attributes are not meant to be sent to the server and the previous behavior was a protocol violation. We also were not checking the cookie expiration. Cookie library issues: We need a library to create, parse, manipulate and format cookies both in a client context and a server context. Core Python has two cookie libraries, Cookie.py and cookielib.py. Why did we add a new cookie module instead of using either of these two core Python libaries? Cookie.py is designed for server side generation but can be used to parse cookies on the client. It's the library we were using in the server. However when I tried to use it in the client I discovered it has some serious bugs. There are 7 defined cookie elements, it fails to correctly parse 3 of the 7 elements which makes it unusable because we depend on those elements. Since Cookie.py was designed for server side cookie processing it's not hard to understand how fails to correctly parse a cookie because that's a client side need. (Cookie.py also has an awkward baroque API and is missing some useful functionality we would have to build on top of it). cookielib.py is designed for client side. It's fully featured and obeys all the RFC's. It would be great to use however it's tightly coupled with another core library, urllib2.py. The http request and response objects must be urllib2 objects. But we don't use urllib2, rather we use httplib because xmlrpclib uses httplib. I don't see a reason why a cookie library should be so tightly coupled to a protocol library, but it is and that means we can't use it (I tried to just pick some isolated entrypoints for our use but I kept hitting interaction/dependency problems). I decided to solve the cookie library problems by writing a minimal cookie library that does what we need and no more than that. It is a new module in ipapython shared by both client and server and comes with a new unit test. The module has plenty of documentation, no need to repeat it here. Request URL issues: We also had problems in rpc.py whereby information from the request which is needed when we process the response is not available. Most important was the requesting URL. It turns out that the way the class and object relationships are structured it's impossible to get this information. Someone else must have run into the same issue because there was a routine called reconstruct_url() which attempted to recreate the request URL from other available information. Unfortunately reconstruct_url() was not callable from inside the response handler. So I decided to store the information in the thread context and when the request is received extract it from the thread context. It's perhaps not an ideal solution but we do similar things elsewhere so at least it's consistent. I removed the reconstruct_url() function because the exact information is now in the context and trying to apply heuristics to recreate the url is probably not robust. Ticket https://fedorahosted.org/freeipa/ticket/3022
* Fix sshd feature checkMartin Kosek2012-12-101-4/+8
| | | | | | | | | | | OpenSSH server included in Fedora 18 raises a validation error when the tested AuthorizedKeysCommand/PubKeyAgent option is tested with an empty value. It requires a command with an absolute path to be passed. Due to this issue, sshd support is never configured on Fedora 18. Pass the real agent we will use later to the testing command to avoid this error.
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-073-0/+98
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Reorder XML-RPC initialization in ipa-join to avoid segfault.Rob Crittenden2012-12-071-7/+12
| | | | | | | | | | | There were a number of code paths where we would try to call xmlrpc_env_clean() without having first called xmlrpc_env_init() Re-order the code so we always initialize the XML-RPC client first. I also noticed a place where the return value of strdup() was not being checked for NULL. https://fedorahosted.org/freeipa/ticket/3275
* Specify includedir in krb5.conf on new installsJakub Hrozek2012-12-061-1/+6
| | | | https://fedorahosted.org/freeipa/ticket/3132
* ipachangeconf: allow specifying non-default delimeter for optionsJakub Hrozek2012-12-061-12/+23
| | | | https://fedorahosted.org/freeipa/ticket/3132
* Change network configuration fileMartin Kosek2012-12-051-8/+2
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Restart sssd after authconfig updateSumit Bose2012-12-031-0/+6
| | | | | | | | | | | | | Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation. Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here. Fixes https://fedorahosted.org/freeipa/ticket/3267
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-211-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* Make enabling the autofs service more robustJakub Hrozek2012-11-141-7/+12
|
* The SECURE_NFS value needs to be lower-case yes on SysV systems.Rob Crittenden2012-10-261-1/+1
| | | | | | | | The sysV rpcgssd init script tests for [ "${SECURE_NFS}" != "yes" ]. This also works as lower case for system so a simple fix. https://fedorahosted.org/freeipa/ticket/3207
* ipa-client-automount: Add the autofs service if it doesn't exist yetJakub Hrozek2012-10-251-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3201
* Refactoring of default.conf man pageTomas Babej2012-10-221-37/+49
| | | | | | | | | Description for the 'dogtag_version', 'startup_timeout', 'server', 'wait_for_attr' option has been added. Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically. https://fedorahosted.org/freeipa/ticket/3071
* Add uninstall command hints to ipa-*-installNikolai Kondrashov2012-10-161-1/+2
| | | | | | | | Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3065
* Notify user about necessary ports in ipa-client-installTomas Babej2012-10-092-2/+19
| | | | | | | | | | | | Connection error message in ipa-client-install now warns the user about the need of opening of all the necessary ports for ipa-client enrollment when error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well. Improves other error messages during installation in various ways. https://fedorahosted.org/freeipa/ticket/2816
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-031-1/+10
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Improve DN usage in ipa-client-installMartin Kosek2012-10-022-63/+118
| | | | | | | | | | | | | | | | | | | | | A hotfix pushed in a scope of ticket 3088 forced conversion of DN object (baseDN) in IPA client discovery so that ipa-client-install does not crash when creating an IPA default.conf. Since this is not a preferred way to handle DN objects, improve its usage: - make sure, that baseDN retrieved by client discovery is always a DN object - update ipachangeconf.py code to handle strings better and instead of concatenating objects, make sure they are converted to string first As a side-effect of ipachangeconf changes, default.conf config file generated by ipa-client-install has no longer empty new line at the end of a file. Whole ipachangeconf.py has been modified to be compliant with PEP8. https://fedorahosted.org/freeipa/ticket/3088
* Don't use bare except: clauses in ipa-client-installPetr Viktorin2012-09-271-13/+13
| | | | | | | | Instead of `except:`, use `except Exception:`. This means that errors like KeyboardInterrupt are not handled, letting them terminate the script as expected. https://fedorahosted.org/freeipa/ticket/2941