summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
* Fix assorted bugs found by pylintJakub Hrozek2011-01-251-3/+1
|
* Unused value in initdefault_encoding_utf8Martin Kosek2011-01-251-3/+1
| | | | | | | There is no use for return value of Py_InitModule3. Removing it in this patch. https://fedorahosted.org/freeipa/ticket/710
* Fix failed tests. API for utcoffset changed and strings are more robust.Rob Crittenden2011-01-241-4/+4
| | | | | | | In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit.
* Add a way to print output from commandsSimo Sorce2011-01-181-8/+19
| | | | | | | | Instead pof always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output. Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-installMartin Kosek2011-01-181-2/+11
| | | | | | | | | | | | When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
* Execute /usr/bin/python directly instead of /usr/bin/env pythonRob Crittenden2011-01-141-1/+1
| | | | ticket 608
* Add API version and have server reject incompatible clients.Rob Crittenden2011-01-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
* Remove radius options completely.Simo Sorce2011-01-142-368/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-1/+1
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2017-90/+89
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-201-1/+18
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Properly quote passwords sent to pkisilent so special characters work.Rob Crittenden2010-12-171-0/+5
| | | | | | Also check for url-encoded passwords before logging them. ticket 324
* Catch when we fail to get a cert chain from the CA during installationRob Crittenden2010-11-241-1/+5
| | | | | | Also don't free the XML document if it was never created. ticket 404
* Use Realm as certs subject base nameSimo Sorce2010-11-181-1/+3
| | | | Also use the realm name as nickname for the CA certificate
* Log script options to logfileJakub Hrozek2010-11-091-1/+41
| | | | | | | | Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
* Add default python encoding module to reset default from ascii to utf-8Rob Crittenden2010-10-224-1/+135
| | | | Also clean up some duplicate files in the rpm for the UI.
* Use consistent, specific nickname for the IPA CA certificate.Rob Crittenden2010-10-011-2/+4
| | | | | | Also fix some imports for sha. We have a compat module for it, use it. ticket 181
* Remove some additional instances of krbV from ipa-clientRob Crittenden2010-09-101-3/+7
| | | | | | | | | | | Make two krbV imports conditional. These aren't used during a client install so should cause no problems. Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH. ticket 136
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-0/+248
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* ipautil Syntax error in commentNalin Dahyabhai2010-09-011-1/+1
|
* Changes to fix compatibility with Fedora 14Rob Crittenden2010-08-312-5/+14
| | | | | | | | | | | | Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
* Remove passwords when running commands including stdout and stderrRob Crittenden2010-08-311-16/+13
| | | | | | | | | | | This replaces the old no logging mechanism that only handled not logging passwords passed on the command-line. The dogtag installer was including passwords in the output. This also adds no password logging to the sslget invocations and removes a couple of extraneous log commands. ticket 156
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-161-0/+14
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-291-0/+4
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* Clean up crypto code, take advantage of new nss-python capabilitiesRob Crittenden2010-07-151-1/+0
| | | | | | | | This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
* use NSS for SSL operationsJohn Dennis2010-06-153-259/+167
|
* gpg2 requires --batch to use the --passphrase* arguments.Rob Crittenden2010-05-271-2/+2
| | | | | | This was causing replica creation and installation to fail. 596446
* Add simple test to see if client is already configuredRob Crittenden2010-05-061-0/+8
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
* Handle CSRs whether they have NEW in the header or notRob Crittenden2010-05-031-7/+2
| | | | Also consolidate some duplicate code
* Make the installer/uninstaller more aware of its stateRob Crittenden2010-05-031-0/+11
| | | | | | | | | | | | | | We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
* Accept unicode for sysrestoreMartin Nagy2010-04-231-2/+2
|
* Fix http(s)_request in dogtag. Was blowing up because of unicode strings.Pavel Zuna2010-03-301-0/+4
|
* Provide mechanism in ipautil.run() to not log all arguments.Rob Crittenden2010-03-191-1/+34
| | | | | | | This is primarily designed to not log passwords but it could have other uses. 567867
* Move the HTTP/S request code to a common libraryRob Crittenden2010-02-091-1/+78
| | | | | | | | This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
* Remove (un)wrap_binary_data cruft from */ipautil.pyJohn Dennis2010-01-281-62/+0
| | | | | | | | Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(), wrap_binary_data(), unwrap_binary_data() from both instances of ipautil.py. This code is no longer in use and the SAFE_STRING_PATTERN regular expression string was causing xgettext to abort because it wasn't a valid ASCII string.
* Replace /etc/ipa/ipa.conf with /etc/ipa/default.confRob Crittenden2009-12-013-13/+14
| | | | | | | The new framework uses default.conf instead of ipa.conf. This is useful also because Apache uses a configuration file named ipa.conf. This wipes out the last vestiges of the old ipa.conf from v1.
* Add option to have ipautil.run() not raise an exceptionRob Crittenden2009-11-301-3/+3
| | | | | | | There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
* Require current versions of python-nss & python-lxmlJohn Dennis2009-11-231-1/+1
| | | | | | ipa.spec.in | 3 ++- ipapython/nsslib.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)
* along with stdout, stderr also log the initial commandJohn Dennis2009-11-231-2/+3
| | | | | | | | | | | | Signed-off-by: John Dennis <jdennis@redhat.com> along with stdout,stderr also log the initial command This implements better logging of external commands. Formerly we were just outputting stdout and stderr without labeling which was which. We also omitted the initial command and it's arguments. This made it difficult when reviewing the logs to know what the command was and what was stdout vs. stderr. This patch fixes that.
* Add option to the installer for uid/gid starting numbers.Rob Crittenden2009-08-271-1/+9
| | | | | | | | | | | | This also adds a new option to the template system. If you include eval(string) in a file that goes through the templater then the string in the eval will be evaluated by the Python interpreter. This is used so one can do $UIDSTART+1. If any errors occur during the evaluation the original string is is returned, eval() and all so it is up to the developer to make sure the evaluation passes. The default value for uid and gid is now a random value between 1,000,000 and (2^31 - 1,000,000)
* Clean up additional issues discovered with pylint and pycheckerRob Crittenden2009-08-203-15/+7
|
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-125-26/+24
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Allow replicas of an IPA server using an internal dogtag server as the CARob Crittenden2009-07-151-4/+6
| | | | | | | | This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
* Add a local implementation of httplib.SSLFile and httplib.FakeSocketrcrit2009-07-012-2/+188
| | | | | | | Python 2.6 changed its internal implementation which makes it difficult to override in a way that is backwards compatible. 508953
* Raise an exception if the certificate chain is not returned from the CARob Crittenden2009-05-211-6/+15
|
* Fix a comment and some typosRob Crittenden2009-05-131-1/+1
|
* Fix breakage on python 2.4 with missing object subclassRob Crittenden2009-05-051-1/+1
|
* A class for dealing with a temporary NSS certificate databaseRob Crittenden2009-05-041-0/+150
|
* Utilities for dealing with dogtagRob Crittenden2009-04-241-0/+41
|
* Handle GSSAPI exceptions more gracefullyRob Crittenden2009-04-201-7/+9
|