summaryrefslogtreecommitdiffstats
path: root/ipalib/constants.py
Commit message (Collapse)AuthorAgeFilesLines
* Let Bind track data changesMartin Kosek2011-08-311-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-311-0/+1
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* enable proxy for dogtagAdam Young2011-08-291-3/+7
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Optionally wait for 389-ds postop plugins to completeRob Crittenden2011-07-191-0/+1
| | | | | | | | | | | Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144
* Let the framework be able to override the hostname.Rob Crittenden2011-06-231-2/+10
| | | | | | | | | | | | | | | | | | The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Add support for tracking and counting entitlementsRob Crittenden2011-02-021-0/+1
| | | | | | | | | | | | | | Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
* Move HBAC services and service groups to cn=hbacJan Zeleny2011-01-181-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/762
* Move sudo related data all under cn=sudoSimo Sorce2011-01-171-3/+3
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/773
* Add API version and have server reject incompatible clients.Rob Crittenden2011-01-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
* Move Virtual Operations container under cn=etcSimo Sorce2011-01-141-1/+1
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/759
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-2/+2
| | | | ticket 638
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-2/+3
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Add plugins for Sudo Commands, Command Groups and RulesJr Aquino2010-09-271-0/+3
|
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-161-0/+1
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-291-2/+0
| | | | Javascript based ui.
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-121-0/+1
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Connect the -v cli argument to the verbose flag in xmlrpclibRob Crittenden2010-06-031-1/+1
| | | | | | If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
* Add groups of services to HBACRob Crittenden2010-05-171-0/+2
| | | | | | | Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
* Consolidate to single WSGI entry pointJason Gerard DeRose2010-03-011-1/+1
|
* Allow one-character Param namesRob Crittenden2010-02-121-1/+1
| | | | This is done explicitly to support the l/localityname attribute.
* ipa-server-install now renders UI assetsJason Gerard DeRose2009-11-041-2/+1
|
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-3/+15
|
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-151-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-2/+0
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Allow replicas of an IPA server using an internal dogtag server as the CARob Crittenden2009-07-151-1/+1
| | | | | | | | This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
* Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.Rob Crittenden2009-07-101-0/+1
| | | | | | | | | | | | There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
* Remove use_ldap2 constant.Pavel Zuna2009-07-021-1/+0
|
* Add new env variables: container_taskgroup, container_rolegroup and ↵Pavel Zuna2009-05-261-0/+3
| | | | container_netgroup.
* Dogtag keeps telling me to use port 9444 and not 9443, use it.Rob Crittenden2009-05-261-1/+1
|
* Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ ↵Jason Gerard DeRose2009-05-111-22/+22
| | | | don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
* Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new ↵Pavel Zuna2009-04-221-0/+2
| | | | LDAP backend debugging.
* Add 'container_hbac' env variable.root2009-04-031-1/+1
|
* Implemented more elegant way for entire plugin module to be conditionally ↵Jason Gerard DeRose2009-02-171-1/+1
| | | | skipped; updated cert.py and ra.py modules to use this
* Added env.enable_ra variable and change cert.py and ra.py plugin modules to ↵Jason Gerard DeRose2009-02-171-0/+3
| | | | register plugins conditionally
* Add policy-related container constantsJakub Hrozek2009-02-101-0/+7
|
* Finished reworked cli.CLI class into cli.cli pluginJason Gerard DeRose2009-02-031-0/+4
|
* More work on xmlrpc stuff, started migrated more code to use errors2 instead ↵Jason Gerard DeRose2009-02-031-2/+2
| | | | of errors
* Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requestedJason Gerard DeRose2009-02-031-0/+6
|
* Added Object.params_minus() method; various small tweaksJason Gerard DeRose2009-02-031-24/+8
|
* Started moving some core classes and functions from plugable.py to new ↵Jason Gerard DeRose2008-12-301-2/+8
| | | | base.py module
* Some more reorganization in Env and added class docstring to Env with lots ↵Jason Gerard DeRose2008-12-221-2/+2
| | | | of examples
* Cleaned up Env.__setattr__() and Env.__setitem__() a bit updated their unit ↵Jason Gerard DeRose2008-12-221-1/+6
| | | | tests
* The Env.__setitem__() implied conversion is now case sensitive; ↵Jason Gerard DeRose2008-12-221-17/+20
| | | | Env.__setitem__() now also accepts None as a value
* Started work on per-request gettext setupJason Gerard DeRose2008-12-181-2/+4
|
* New Param: added unit tests for TypeError cases in DefaultFrom.__init__()Jason Gerard DeRose2008-12-181-1/+1
|
* New Param: added missing unit tests for TypeError and ValueError cases in ↵Jason Gerard DeRose2008-12-181-1/+1
| | | | parse_param_spec()
* Finished kwarg validation and extension mechanism in parameter.ParamJason Gerard DeRose2008-12-111-0/+6
|
* Started roughing out the consolidated type/parameter system in ↵Jason Gerard DeRose2008-12-101-1/+5
| | | | parameters.py; started corresponding unit tests
* Add autmount-specific location and default entriesRob Crittenden2008-11-141-0/+1
|
generated by cgit (git 2.34.1) at 2024-04-27 00:56:41 +0000