summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
...
* ipapython: Fix incorrect python shebangsTomas Babej2015-01-2610-10/+3
| | | | | | Make sure shebangs explicitly reference python2. Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: fix root zone dns name conversionMartin Basti2015-01-231-0/+3
| | | | | | | | Root zone was represented as '@', which was incorrect. ksmutil did not accept it. Now root zone is represented as '.' Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: Handle missing parent objects properly in *-find commandsTomas Babej2015-01-131-1/+1
| | | | | | | | | | | | | | | | | | | | The find_entries function in ipaldap does not differentiate between a LDAP search that returns error code 32 (No such object) and LDAP search returning error code 0 (Success), but returning no results. In both cases errors.NotFound is raised. In turn, LDAPSearch commands interpret NotFound exception as no results. To differentiate between the cases, a new error EmptyResult was added, which inherits from NotFound to preserve the compatibility with the new code. This error is raised by ipaldap.find_entries in case it is performing a search with and the target dn does not exist. https://fedorahosted.org/freeipa/ticket/4659 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Using wget to get status of CAMartin Basti2014-12-101-7/+11
| | | | | | | This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Unload P11_Helper object's library when it is finalized in ipap11helperJan Cholasta2014-11-252-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use NSS protocol range API to set available TLS protocolsRob Crittenden2014-11-242-3/+18
| | | | | | | | | | | | | Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. This is overridable per client by setting tls_version_min and/or tls_version_max. https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix pk11helper module compiler warningsMartin Basti2014-11-204-10/+6
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: David Kupka <dkupka@redhat.com>
* Raise right exception if domain name is not validMartin Basti2014-11-201-8/+9
| | | | | | | | Because of dnspython implementation, in some cases UnicodeError is raised instead of DNS SyntaxError Ticket: https://fedorahosted.org/freeipa/ticket/4734 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modififed NSSConnection not to shutdown existing database.Endi S. Dewata2014-11-111-12/+23
| | | | | | | | | | | | The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs. https://fedorahosted.org/freeipa/ticket/4638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix various bugs in ipap11helperJan Cholasta2014-11-051-15/+10
| | | | | | | | | | | Fixes a memory leak, a library handle leak and a double free. Also remove some redundant NULL checks before free to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-041-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix zone name to directory name conversion in BINDMgr.Petr Spacek2014-10-291-1/+31
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: add ipa dnssec daemonsPetr Spacek2014-10-2110-1/+1465
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: opendnssec servicesMartin Basti2014-10-211-0/+40
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: DNS key synchronization daemonMartin Basti2014-10-211-0/+3
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: add ipapk11helper moduleMartin Basti2014-10-216-1/+2303
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix certmonger.request_certJan Cholasta2014-10-161-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4550 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix CA cert validity check for CA-less and external CA installer optionsJan Cholasta2014-10-161-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4612 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix typo causing certmonger is provided with wrong path to ipa-submit.David Kupka2014-10-161-3/+4
| | | | | | | | | Using strip() instead split() caused that only first character of path was specified. Also using shlex for more robust parsing. https://fedorahosted.org/freeipa/ticket/4624 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Set IPA CA for freeipa certificates.David Kupka2014-10-141-1/+5
| | | | | | | | | | In previous versions (before moving certmonger.py to DBus) it was set and some tools and modules depends on it. For example: ipa-getcert uses this to filter freeipa certificates. https://fedorahosted.org/freeipa/ticket/4618 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add missing imports to ipapython.certdbJan Cholasta2014-09-301-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix certmonger.wait_for_requestJan Cholasta2014-09-301-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4558 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use NSSDatabase instead of direct certutil calls in client codeJan Cholasta2014-09-301-11/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add NSSDatabase.has_nickname for checking nickname presence in a NSS DBJan Cholasta2014-09-301-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move NSSDatabase from ipaserver.certs to ipapython.certdbJan Cholasta2014-09-301-0/+451
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Introduce NSS database /etc/ipa/nssdbJan Cholasta2014-09-301-0/+28
| | | | | | | | | | This is the new default NSS database for IPA. /etc/pki/nssdb is still maintained for backward compatibility. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Refactoring of autobind, object_existsMartin Basti2014-09-261-0/+37
| | | | | | | | | Required to prevent code duplications ipaldap.IPAdmin now has method do_bind, which tries several bind methods ipaldap.IPAClient now has method object_exists(dn) Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move setting SELinux booleans to platform codePetr Viktorin2014-09-261-0/+47
| | | | | | | | | | | | | | | | | | | Create a platform task for setting SELinux booleans. Use an exception for the case when the booleans could not be set (since this is an error if not handled). Since ipaplatform should not depend on ipalib, create a new errors module in ipapython for SetseboolError. Handle uninstallation with the same task, which means the booleans are now restored with a single call to setsebool. Preparation for: https://fedorahosted.org/freeipa/ticket/4157 Fixes: https://fedorahosted.org/freeipa/ticket/2934 Fixes: https://fedorahosted.org/freeipa/ticket/2519 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Fix certmonger code causing the ca_renewal_master update plugin to failJan Cholasta2014-09-231-1/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4547 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-051-263/+270
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.Jan Cholasta2014-07-301-0/+2
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Provide additional functions to ipapython.certmonger.Jan Cholasta2014-07-301-0/+28
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipa-ldap-updater: make possible to use LDAPI with autobind in case of ↵Alexander Bokovoy2014-07-041-0/+4
| | | | | | | | | | | | | | | | | hardened LDAP configuration When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Clear NSS session cache when socket is closedMartin Kosek2014-07-021-0/+1
| | | | | | | | | Even when NSS connection is closed, there may be still cached certificates in the NSS lib. This may cause subsequent NSS initialization to crash. This problem especially reproduces in the unit tests. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaldap: Override conversion of nsds5replicalast{update,init}{start,end}Tomas Babej2014-07-021-0/+4
| | | | | | | | | | | | | | | | | The replication related attributes with generalized time syntax have special behaviour implemented in 389, as follows: In case they are explicitly requested for and not set, 0 is returned. However, 0 is not a valid value for LDAP Generalized time. Thus we need to add these attributes to the _SYNTAX_OVERRIDE dictionary, overriding their conversion to datetime and converting them to string instead, which perserves the old behaviour expected by the replication codebase. https://fedorahosted.org/freeipa/ticket/4350 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix handle python-dns UnicodeErrorMartin Basti2014-06-201-4/+5
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Clarify LDAPClient docstrings about get_entry, get_entries and find_entriesPetr Spacek2014-06-201-1/+6
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaplatform: Change makefiles to accomodate for new platform packageTomas Babej2014-06-162-8/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove remnants of the ipapython/platformTomas Babej2014-06-167-304/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-168-42/+50
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move Fedora-specific implementations of tasks to fedora base ↵Tomas Babej2014-06-162-105/+0
| | | | | | | | platform file https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove legacy redhat platform moduleTomas Babej2014-06-162-282/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Do not require custom Authconfig implementations from platform ↵Tomas Babej2014-06-162-129/+0
| | | | | | | | modules https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move restore_context and check_selinux_status implementations ↵Tomas Babej2014-06-161-44/+0
| | | | | | | | to base fedora platform tasks https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Moved Fedora 16 service implementations and refactored them as ↵Tomas Babej2014-06-161-201/+0
| | | | | | | | base Fedora module service implementations https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move default implementations of tasks from service.py.inTomas Babej2014-06-161-36/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move service base platfrom related functionality to ↵Tomas Babej2014-06-162-385/+1
| | | | | | | | ipaplatform/base/service.py https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-08 19:17:03 +0000