| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
If a zone index is present in an IPv6 address, it is ignored.
ticket 2138
|
| |
|
|
|
|
|
| |
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.
https://fedorahosted.org/freeipa/ticket/2127
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
|
| |
|
|
|
|
|
|
|
|
|
| |
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.
This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.
https://fedorahosted.org/freeipa/ticket/2419
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to checked port.
This patch removes UDP port checks in replica->master direction
as we would have to implement (kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for user.
Direction master->replica was fixed and now it is able to report
error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
|
| |
|
|
|
|
|
|
|
|
|
| |
inifile_replace_variables() works similar to config_replace_variables() but
allows to apply changes to specific section of an inifile. Inifiles are
commonly used by freedesktop.org software and particularly used by systemd.
When modifying inifile, all changes will be applied to specific section.
Also fixes corner case in config_replace_variables() which would dublicate
variables when adding them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.
Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).
I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.
https://fedorahosted.org/freeipa/ticket/1979
|
| |
|
|
|
|
|
|
|
|
|
|
| |
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This would blow up if you tried to append a value to an entry that looked
like:
NAME=
https://fedorahosted.org/freeipa/ticket/1983
|
| |
|
|
|
|
|
|
|
| |
Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
IP address parsing. We will use the same function in IPv4/IPv6
conversions + be stricter and don't allow IP addresses such as
'1.1.1' at the same time.
https://fedorahosted.org/freeipa/ticket/1965
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backup_and_replace_hostname() was doing three things:
1. Given config file in 'key=value' style, replace value for a
specified key (HOSTNAME)
2. Backup original file and install a replacement
3. Restore original security context after editing
We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:
1. config_replace_variables(filepath, replacevars=dict(),
appendvars=dict())
Replaces or appends values to specified keys, adding new key=value
pairs if key was absent
2. backup_config_and_replace_variables(fstore, filepath,
replacevars=dict(),
appendvars=dict())
Backups config file and calls config_replace_variables()
A caller must handle security context after using these two tools.
In addition, as before, there is
ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.
The code will be used extensively for systemd integration for Fedora 16.
Fixes:
https://fedorahosted.org/freeipa/ticket/1871
|
| |
|
|
|
|
|
|
|
|
|
| |
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)
Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)
ticket 1636
|
| |
|
|
|
|
|
|
|
| |
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
|
| |
|
|
|
|
|
|
|
| |
When LDAP server contains more that one suffixes, the ipa client
installation does not detect it as IPA server and fails to install.
Fix ipa server discovery so that it correctly searches all naming
contexts for the IPA one.
https://fedorahosted.org/freeipa/ticket/1868
|
| |
|
|
|
|
|
|
|
| |
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.
https://fedorahosted.org/freeipa/ticket/1605
|
| |
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
| |
|
|
| |
ticket 1375
|
| |
|
|
|
|
|
|
| |
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.
https://fedorahosted.org/freeipa/ticket/1378
|
| |
|
|
|
|
|
| |
Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.
https://fedorahosted.org/freeipa/ticket/1175
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
the replica and prints the check result
This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.
https://fedorahosted.org/freeipa/ticket/1107
|
| |
|
|
| |
ticket 1213
|
| |
|
|
| |
ticket 1212
|
| |
|
|
|
|
|
|
| |
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.
https://fedorahosted.org/freeipa/ticket/1207
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1193
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Request logging on the server only happened if you added verbose=True
or debug=True to the IPA config file. We should log the basics at
least: who, what, result.
Move a lot of entries from info to debug logging as well.
Related to ticket 873
|
| |
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/856
|
| | |
|
| |
|
|
|
|
|
|
| |
Instead pof always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.
Fixes: https://fedorahosted.org/freeipa/ticket/765
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a randomly generated password contains a space character
as the first or the last character, installation fails on
kdb5_ldap_util calling, which does not accept that. This patch
fixes the generator to generate space only on allowed position.
This patch also ensures that no password is printed to
server install log.
https://fedorahosted.org/freeipa/ticket/731
|
| |
|
|
|
|
|
| |
if ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements
Fixes: https://fedorahosted.org/freeipa/ticket/625
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
| |
Also check for url-encoded passwords before logging them.
ticket 324
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6
Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata
ticket 155
|
| |
|
|
|
|
|
|
|
|
|
| |
This replaces the old no logging mechanism that only handled not logging
passwords passed on the command-line. The dogtag installer was including
passwords in the output.
This also adds no password logging to the sslget invocations and removes
a couple of extraneous log commands.
ticket 156
|
| |
|
|
|
|
| |
This was causing replica creation and installation to fail.
596446
|
| |
|
|
|
|
|
| |
This is primarily designed to not log passwords but it could have other
uses.
567867
|
| |
|
|
|
|
|
|
| |
Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(),
wrap_binary_data(), unwrap_binary_data() from both instances
of ipautil.py. This code is no longer in use and the
SAFE_STRING_PATTERN regular expression string was causing xgettext
to abort because it wasn't a valid ASCII string.
|
| |
|
|
|
|
|
| |
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.
This also lets the caller get the contents of stdout and stderr.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: John Dennis <jdennis@redhat.com>
along with stdout,stderr also log the initial command
This implements better logging of external commands. Formerly we were
just outputting stdout and stderr without labeling which was which. We
also omitted the initial command and it's arguments. This made it
difficult when reviewing the logs to know what the command was and
what was stdout vs. stderr. This patch fixes that.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.
The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
|
| | |
|
| |
|
|
|
| |
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
|
| | |
|
|
|
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
|
