summaryrefslogtreecommitdiffstats
path: root/ipa-client
Commit message (Collapse)AuthorAgeFilesLines
...
* Detection of v1 server during ipa-client-installMartin Kosek2011-02-141-1/+5
| | | | | | | | | | When v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by ipa-join binary called in the process which fails on unexisting IPA server 'join' method. https://fedorahosted.org/freeipa/ticket/553
* Fine tuning DNS optionsJakub Hrozek2011-02-141-0/+1
| | | | | | | | | | | | Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
* Make sure only root can run ipa-client-installJakub Hrozek2011-02-141-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/957
* nscd should be disabled before sssd is configured/started.Rob Crittenden2011-02-101-22/+22
| | | | | | | | | | | If not then sssd spits out a warning message: sssd: nscd socket was detected. As nscd caching capabilities may conflict with SSSD, it is recommended to not run nscd in parallel with SSSD Stop nscd before configuring sssd so we don't confuse our users. ticket 743
* Fix prompt for confirmation of fixed values wrapping around terminal.Rob Crittenden2011-02-101-1/+1
| | | | ticket 940
* Fix filter_keys in ipa-getkeytabJakub Hrozek2011-01-281-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/723
* Add an option for overriding the hostname value.Rob Crittenden2011-01-262-0/+8
| | | | Ticket 834
* Improve output when options are not found in non-interactive client installRob Crittenden2011-01-211-1/+3
| | | | | | | We should still give some feedback when things go wrong when in non-interactive mode. ticket 828
* Do not try to dereference bindpw if it is nullSimo Sorce2011-01-181-2/+7
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/783
* Mozldap-specific code removedMartin Kosek2011-01-142-6/+0
| | | | | | | | Mozldap code removed from all sources and configure source script. Now, IPA will compile even when package mozldap-devel is not installed on the system. https://fedorahosted.org/freeipa/ticket/756
* Unitialized pointer read in ipa-joinMartin Kosek2011-01-141-2/+2
| | | | | | | This patch fixes a possible situation when krb5_kt_close() function is called with uninitialized keytab parameter. https://fedorahosted.org/freeipa/ticket/712
* Potential memory leaks in ipa-getkeytabMartin Kosek2011-01-141-0/+2
| | | | | | | | This patch fixes 2 situations where a pointer to allocated error string could be overwritten - which could have resulted in a memory leak. https://fedorahosted.org/freeipa/ticket/714
* Unchecked return values in ipa-joinMartin Kosek2011-01-122-10/+62
| | | | | | | | | | | krb5_get_default_realm() and asprintf() return values were ignored. This could lead to unhandled error issues or memory access issues. This patch adds return value checks to all such functions. As a consequence, one new return value has been added to man page. https://fedorahosted.org/freeipa/ticket/720
* Unchecked return value in ipa-getkeytabMartin Kosek2011-01-121-3/+15
| | | | | | | | | | | | krb5_init_context return value was not checked. This could lead to unhandled error issues. This patch moves the Kerberos context initialization to the branch where it is needed and handles the error value in a way that allows program exit in a standard way deallocating all resources. https://fedorahosted.org/freeipa/ticket/721
* Uninitialized pointer read in ipa-rmkeytabMartin Kosek2011-01-121-5/+14
| | | | | | | Fix "--realm" parameter processing in ipa-rmkeytab. Also make sure that memory allocated in this process is also freed. https://fedorahosted.org/freeipa/ticket/711
* Use of pointer after free in ipa-joinMartin Kosek2011-01-121-4/+10
| | | | | | | | In some cases recently freed memory was used/freed again. This patch introduces more consistency between functions join_ldap/join_krb5 when dealing with affected variables. https://fedorahosted.org/freeipa/ticket/709
* Better detection when not working with a real keytab in ipa-rmkeytab.Rob Crittenden2011-01-071-1/+11
| | | | | | | Resolving the keytab isn't enough, this just creates a name. Try to create a cursor into the keytab to see if it is a valid keytab. ticket 654
* Do not use LDAP_DEPRECATED in pluginsJakub Hrozek2011-01-073-8/+31
| | | | | | | | | Remove the LDAP_DEPRECATED constant and do not use functions that are marked as deprecated in recent OpenLDAP releases. Also always define WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that depend on that constant. https://fedorahosted.org/freeipa/ticket/576
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2019-98/+117
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fixing typos in man page of ipa-getkeytabGowrishankar Rajaiyan2010-12-201-2/+2
|
* build tweaks - use automake's foreign mode, avoid creating empty files to ↵Nalin Dahyabhai2010-11-291-1/+1
| | | | satisfy gnu mode - run autoreconf -f to ensure that everything matches
* ipa-client code cleanupJakub Hrozek2010-11-227-98/+73
| | | | | | | Fixes errors about implicit function declaration and moves duplicated gettext code into a common module. Also silences some warnings. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Don't use deprecated ldap_bind_sJakub Hrozek2010-11-221-1/+11
| | | | | | ldap_bind_s is marked as deprecated in new libldap releases. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Use internal implementation of internal Kerberos functionsJakub Hrozek2010-11-222-4/+11
| | | | | | | | | | | Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Stricter compilation flagsJakub Hrozek2010-11-222-0/+11
| | | | | | | Use a little stricter compilation flags, in particular -Wall and treat implicit function declarations as errors. Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Handle wget failures trying to retrieve the CA during the client installRob Crittenden2010-11-221-1/+5
| | | | ticket 405
* Use sys.exit to quit scriptsJakub Hrozek2010-11-221-25/+18
| | | | | | | Instead of print and return, use sys.exit() to quit scripts with an error message and a non zero return code. https://fedorahosted.org/freeipa/ticket/425
* Use provided domain name for the rest of installationJan Zeleny2010-11-191-1/+1
| | | | | | | | When installing IPA client, the install script used detected domain name of the machine instead of that given by administrator (in case one was given) https://fedorahosted.org/freeipa/ticket/363
* Log interactive options in install scriptsJakub Hrozek2010-11-191-0/+8
|
* Use Realm as certs subject base nameSimo Sorce2010-11-181-2/+2
| | | | Also use the realm name as nickname for the CA certificate
* Log script options to logfileJakub Hrozek2010-11-091-5/+7
| | | | | | | | Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
* Error out when configure finds missing dependenciesRob Crittenden2010-10-261-5/+5
| | | | ticket 315
* Initial gettext support for C utilsSimo Sorce2010-10-125-145/+318
| | | | | | | | Add automatic creation of python an C file lists for potfiles Deletes useless copy of Makefile in install/po Remove duplicate maintainer-clean target Add debug target that prints file lists Unbreak update-po target, merges in patch from John
* Add missing options to ipa-getkeytab man page.Rob Crittenden2010-10-111-8/+20
| | | | ticket 229
* Don't do autodiscovery on master install.Rob Crittenden2010-09-231-2/+8
| | | | | | If we pass in the domain and server to ipa-client-install it doesn't do service discovery which is what we want. We want to be sure the server is properly configured at install time.
* Add minimal client configuration for when we eventually get to PKINITRob Crittenden2010-09-231-8/+13
| | | | | | Also move the unenroll to clients only. This isn't necessary on the master ticket 53
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-205-73/+356
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Better distinguish between when DNS discovery works and search more domains.Rob Crittenden2010-09-202-13/+66
| | | | | | | | | | | | | | | | | | | | | | Passing domain and server on the command-line used to be considered as DNS autodiscovery worked. This was problematic if there was in fact no SRV records because krb5.conf would be configured without a specific KDC causing all Kerberos ops to fail. Now if you pass in a domain/server it still tries to see if they are discoverable and if so won't hardcode a server, but will fall back to doing so if necessary. Also be a lot more aggressive on looking for the SRV records. Use the search and domain values from /etc/resolv.conf on the chance that the SRV records aren't in the domain of the hostname of the machine. An example of this would be if your laptop is in dhcp.example.com and your company's SRV records are in corp.example.com. Searching dhcp.example.com and example.com won't find the SRV records but the user is likely to have corp.redhat.com in the search list, at least. ticket 234
* Use a more specific name for the IPA server certificate we install.Rob Crittenden2010-09-171-9/+24
| | | | | | | This should avoid conflicts with any other certs that might be installed there. ticket 49
* Remove some additional instances of krbV from ipa-clientRob Crittenden2010-09-101-5/+5
| | | | | | | | | | | Make two krbV imports conditional. These aren't used during a client install so should cause no problems. Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH. ticket 136
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-092-6/+15
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* Configure nslcd and a host of possible systems that use LDAP.Rob Crittenden2010-08-271-9/+53
| | | | | | | | | We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf. nslcd is the replacement for nss_ldap. ticket 50
* ldap_initializeAdam Young2010-08-201-3/+24
| | | | the code was calling ldap_init, which is a deprecated function, and getting a compilation warning. This version uses the recommended function ldap_initilaize.
* const correctnessAdam Young2010-08-201-3/+3
| | | | made the data type for server consistant and correct across its usage
* Enable a host to retrieve a keytab for all its services.Rob Crittenden2010-08-161-15/+21
| | | | | | | | | | | | | | | | | | | | | | | | Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
* Retrieve the CA certificate before starting enrollment.Rob Crittenden2010-06-211-2/+9
| | | | | We need the CA certificate so we can use SSL when binding with a one-time password (bulk enrollment)
* Drop --with-openldap option in the client. This is no longer optional.Rob Crittenden2010-06-211-38/+30
|
* Remove Requires on separate package python-krbV in clientRob Crittenden2010-06-021-3/+7
| | | | | | We need the configured kerberos realm so we can clean up /etc/krb5.keytab. We have this already in /etc/ipa/default.conf so use that instead of requiring a whole other python package to do it.
* Check to see if we are configured before uninstalling.Rob Crittenden2010-05-071-1/+5
| | | | Allow the --force flag to override on both install and uninstall
* Add simple test to see if client is already configuredRob Crittenden2010-05-061-0/+4
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
generated by cgit (git 2.34.1) at 2024-04-28 18:01:46 +0000