path: root/ipapython
Columns: Commit message | Author | Age | Files | Lines
* Fix ipa-server-install for dual NICs
  Author: Martin Kosek | Date: 2012-01-22 | Files: 1 | Lines: -34/+44
  A server may have 2 or more NICs and its hostname may thus resolve to 2 or more forward addresses. The IP address checks in the install scripts do not expect this setup and may fail or crash. This script adds support for multiple forward addresses for a hostname. The install scripts do not crash now. When one IP address is needed, the user is asked to choose from all detected server IP addresses.
  https://fedorahosted.org/freeipa/ticket/2154
* User-add random password support
  Author: Ondrej Hamada | Date: 2011-12-12 | Files: 1 | Lines: -9/+23
  I've used code from ipalib/plugins/host.py to add support for random password generation. The '--random' option is now available in user-add and user-mod commands. If both the 'password' and 'random' options are used, the 'random' option will be ignored.
  Two test cases were added to the unit test module test_user_plugin.py - they test creating and modifying a user with a random password. Two fuzzy tests were added: a test for password (string that doesn't start or end with whitespace and doesn't contain other whitespace than ' ') and for whatever string (because of krbextradata).
  I've slightly modified ipa_generate_password in order to make passwords for users more user-friendly (reduce the number of non-letters). It has two optional parameters now - the first one is the string of characters that should be used for generating the passwd and the second one is the length of the password. If no parameter is set, default values will be used, so there's no need to modify other plugins that use the random password generator.
  https://fedorahosted.org/freeipa/ticket/1979
* Use absolute paths when trying to find certmonger request id.
  Author: Rob Crittenden | Date: 2011-12-08 | Files: 1 | Lines: -9/+14
  The value stored in certmonger is not guaranteed to be normalized, nor is the value passed in (it could be a relative path and may or may not contain a trailing slash). We do direct string compares, so they need to match exactly or we won't find the request.
  https://fedorahosted.org/freeipa/ticket/1942
* Restore default log level in server to INFO
  Author: John Dennis | Date: 2011-12-01 | Files: 2 | Lines: -51/+39
  The default log level for server messages captured by httpd's error_log historically was INFO. The log_manager patch had it set to ERROR; this patch resets it back to INFO.
  Although it would have been trivial to set the default_level to INFO in IPALogManager.configure_from_env(), that is not logically the correct place. It would be much better if the default_level can be reset by simply assigning it to the log_mgr. To accomplish that, LogManager.default_level was converted to a property with a getter and setter. The setter runs LogManager.apply_configuratin() after the default_level is modified. LogManager.set_default_level() was also added to allow simultaneously updating the configure_state.
  While testing, some minor problems were observed and also fixed:
  * Removed some print statements which had been left in by mistake
  * Removed the ability to set the handler level in the config file because of chicken-and-egg issues of when handlers get created. The Env config file format is too inflexible to support detailed logging configuration. If the Env config format is ever made more flexible we can come back and add this back in. The handler config setting in Env had never been used and never worked, so there is no issue in removing it.
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
  Author: John Dennis | Date: 2011-11-23 | Files: 6 | Lines: -298/+323
  change default_logger_level to debug in configure_standard_logging
  add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr.
  change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger.
  add missing import for parse_log_level()
* ticket 2022 - Add log manager module
  Author: John Dennis | Date: 2011-11-23 | Files: 1 | Lines: -0/+1748
* Check for Python.h during build of py_default_encoding extension
  Author: Alexander Bokovoy | Date: 2011-11-16 | Files: 1 | Lines: -0/+7
  For rare cases when the Python development package is not installed, check that Python.h is available and bail out if not.
  Fixes: https://fedorahosted.org/freeipa/ticket/1838
* Add support for systemd environments and use it to support Fedora 16
  Author: Alexander Bokovoy | Date: 2011-10-24 | Files: 4 | Lines: -12/+339
  https://fedorahosted.org/freeipa/ticket/1192
* Use set class instead of dictview class as set is wider supported
  Author: Alexander Bokovoy | Date: 2011-10-13 | Files: 1 | Lines: -2/+2
* Handle an empty value in a name/value pair in config_replace_variables()
  Author: Rob Crittenden | Date: 2011-10-13 | Files: 1 | Lines: -1/+3
  This would blow up if you tried to append a value to an entry that looked like:
  NAME=
  https://fedorahosted.org/freeipa/ticket/1983
* Save the value of hostname even if it doesn't appear in /etc/sysconfig/network
  Author: Rob Crittenden | Date: 2011-10-13 | Files: 1 | Lines: -1/+4
  https://fedorahosted.org/freeipa/ticket/1871
* Refactor authconfig use in ipa-client-install
  Author: Alexander Bokovoy | Date: 2011-10-12 | Files: 1 | Lines: -0/+13
  When certain features are being configured via authconfig, we need to remember what was configured and what the state was before it, so that during uninstall we restore the proper state of the services. Mostly it affects sssd configuration with multiple domains but also pre-existing LDAP and krb5 configurations.
  This should fix the following tickets:
  https://fedorahosted.org/freeipa/ticket/1750
  https://fedorahosted.org/freeipa/ticket/1769
* Make IPv4 address parsing more strict
  Author: Martin Kosek | Date: 2011-10-13 | Files: 1 | Lines: -3/+9
  Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for IP address parsing. We will use the same function in IPv4/IPv6 conversions and be stricter at the same time, not allowing IP addresses such as '1.1.1'.
  https://fedorahosted.org/freeipa/ticket/1965
* Refactor backup_and_replace_hostname() into a flexible config modification tool
  Author: Alexander Bokovoy | Date: 2011-10-11 | Files: 2 | Lines: -40/+97
  backup_and_replace_hostname() was doing three things:
  1. Given a config file in 'key=value' style, replace the value for a specified key (HOSTNAME)
  2. Back up the original file and install a replacement
  3. Restore the original security context after editing
  We have several more places where parts of the functionality are needed, thus making two tools in ipapython.ipautil:
  1. config_replace_variables(filepath, replacevars=dict(), appendvars=dict())
     Replaces or appends values to specified keys, adding new key=value pairs if the key was absent
  2. backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), appendvars=dict())
     Backs up the config file and calls config_replace_variables()
  A caller must handle the security context after using these two tools. In addition, as before, there is ipapython.services.backup_and_replace_hostname() that uses these common tools and restores the security context after editing.
  The code will be used extensively for systemd integration for Fedora 16.
  Fixes: https://fedorahosted.org/freeipa/ticket/1871
* Force kerberos realm to be a string
  Author: Alexander Bokovoy | Date: 2011-10-10 | Files: 1 | Lines: -1/+1
  Fixes an issue with the Python linter on Fedora 16 where it assumes for C module-provided objects that they are of type _Chainmap during static analysis.
* Work around pkisilent bugs.
  Author: Jan Cholasta | Date: 2011-10-04 | Files: 1 | Lines: -1/+5
  Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
  Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
  ticket 1636
* Add a function for formatting network locations of the form host:port for use in URLs.
  Author: Jan Cholasta | Date: 2011-10-05 | Files: 2 | Lines: -3/+21
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* ipa-client assumes a single namingcontext
  Author: Martin Kosek | Date: 2011-09-30 | Files: 1 | Lines: -0/+37
  When the LDAP server contains more than one suffix, the ipa client installation does not detect it as an IPA server and fails to install. Fix ipa server discovery so that it correctly searches all naming contexts for the IPA one.
  https://fedorahosted.org/freeipa/ticket/1868
* Shut down duplicated file handle when HTTP response code is not 200.
  Author: Rob Crittenden | Date: 2011-09-23 | Files: 1 | Lines: -0/+11
  httplib purposely keeps the socket open as a file on failed requests. We need to close this file, otherwise nss_shutdown() will fail.
  https://fedorahosted.org/freeipa/ticket/1807
* The return value of restorecon is not reliable, ignore it.
  Author: Rob Crittenden | Date: 2011-09-20 | Files: 1 | Lines: -3/+7
  https://fedorahosted.org/freeipa/ticket/1816
* Introduce platform-specific adaptation for services used by FreeIPA.
  Author: Alexander Bokovoy | Date: 2011-09-13 | Files: 8 | Lines: -50/+403
  Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration. A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in the packaging process.
  https://fedorahosted.org/freeipa/ticket/1605
* Fix typos
  Author: Yuri Chornoivan | Date: 2011-09-07 | Files: 1 | Lines: -1/+1
  Fix "The the" and "classses" in FreeIPA code and messages.
  https://fedorahosted.org/freeipa/ticket/1480
* enable proxy for dogtag
  Author: Adam Young | Date: 2011-08-29 | Files: 2 | Lines: -2/+15
  Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.
  The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.
  https://fedorahosted.org/freeipa/ticket/1334
  add flag to pkicreate in order to enable using the proxy.
  add the proxy file in /etc/http/conf.d/
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Make sure that hostname specified by user is not an IP address.
  Author: Jan Cholasta | Date: 2011-07-25 | Files: 1 | Lines: -0/+3
  ticket 1375
* Remove sensitive information from logs
  Author: Martin Kosek | Date: 2011-07-13 | Files: 1 | Lines: -8/+7
  When the -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.
  https://fedorahosted.org/freeipa/ticket/1378
* Set the client auth callback after creating the SSL connection.
  Author: Rob Crittenden | Date: 2011-07-01 | Files: 1 | Lines: -2/+2
  If we set the callback before calling connect(), then if the connection tries a network family type and fails, it will try other family types. If this happens then the callback set on the first socket will be lost when a new socket is created. There is no way to query for the callback in an existing socket.
  https://fedorahosted.org/freeipa/ticket/1349
* The IP address provided to ipa-server-install must be local
  Author: Rob Crittenden | Date: 2011-06-20 | Files: 1 | Lines: -2/+5
  Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available.
  https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parser
  Author: Martin Kosek | Date: 2011-06-19 | Files: 1 | Lines: -4/+7
  Implements a way to pass match_local and parse_netmask parameters to the IP option checker. Now there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters.
  https://fedorahosted.org/freeipa/ticket/1333
* Connection check program for replica installation
  Author: Martin Kosek | Date: 2011-06-08 | Files: 1 | Lines: -0/+73
  When the connection between a master machine and a future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is a misconfigured firewall.
  This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure:
  1) Execute the on-replica check testing the connection to the master
  2) Open required ports on the local machine
  3) Ask the user to run the on-master part of the check OR run it automatically:
     a) kinit to the master as the default admin user with the given password
     b) run the on-master part using ssh
  4) When the master part is executed, it checks the connection back to the replica and prints the check result
  This program is run by ipa-replica-install as a mandatory part. It can, however, be skipped using the --skip-conncheck option. ipa-replica-install now requires the password for the admin user to run the command on the remote master.
  https://fedorahosted.org/freeipa/ticket/1107
* Do stricter checking of IP addresses passed to server install.
  Author: Jan Cholasta | Date: 2011-05-30 | Files: 1 | Lines: -0/+11
  ticket 1213
* Parse netmasks in IP addresses passed to server install.
  Author: Jan Cholasta | Date: 2011-05-30 | Files: 2 | Lines: -1/+79
  ticket 1212
* Improve service manipulation in client install
  Author: Martin Kosek | Date: 2011-05-13 | Files: 1 | Lines: -0/+48
  Remove the redundant ipa-client-install error message when the optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging.
  https://fedorahosted.org/freeipa/ticket/1207
* ipautil: Preserve environment unless explicitly overridden by caller.
  Author: Simo Sorce | Date: 2011-04-27 | Files: 1 | Lines: -1/+4
  Fixes: https://fedorahosted.org/freeipa/ticket/1193
* Remove unused classes.
  Author: Jan Cholasta | Date: 2011-04-20 | Files: 1 | Lines: -23/+0
  Removed NSPRConnection and NSPRHTTP from ipapython.nsslib, as they are not used anywhere in FreeIPA.
* Fix lint false positives.
  Author: Jan Cholasta | Date: 2011-04-13 | Files: 1 | Lines: -0/+1
* Removed wrong timeout parameter
  Author: Sylvain Baubeau | Date: 2011-03-18 | Files: 1 | Lines: -1/+1
  https://fedorahosted.org/freeipa/ticket/1086
  Add Sylvain Baubeau to Contributors.txt
* If --hostname is provided for ipa-client-install use it everywhere.
  Author: Rob Crittenden | Date: 2011-03-08 | Files: 1 | Lines: -2/+78
  If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally, on un-enrollment the wrong hostname was unenrolled: it used the value of gethostname() rather than the one that was passed into the installer.
  We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall.
  These files are created the first time the certmonger service starts, so start and stop it before messing with them.
  ticket 1029
* Inconsistent sysrestore file handling by IPA server installer
  Author: Martin Kosek | Date: 2011-03-03 | Files: 1 | Lines: -0/+1
  IPA server/replica uninstallation may fail when it tries to restore a Directory Server configuration file in the sysrestore directory which was already restored before. The problem is in the Directory Server uninstaller, which uses and modifies its own image of the sysrestore directory state instead of using the common uninstaller image.
  https://fedorahosted.org/freeipa/ticket/1026
* Make nsslib IPv6 aware
  Author: Jakub Hrozek | Date: 2011-02-21 | Files: 1 | Lines: -16/+92
* Fix NSS initialization errors during ipa-replica-prepare
  Author: Rob Crittenden | Date: 2011-02-18 | Files: 1 | Lines: -5/+1
  When enabling replication we make an SSL connection. I think the way this goes is python-ldap -> openldap -> NSS. It may be a problem in the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any case if we use ldapi instead the problem goes away.
  Back out the temporary code to ignore nss_shutdown errors.
  ticket 965
* Fix two problems with ipa-replica-prepare
  Author: Rob Crittenden | Date: 2011-02-14 | Files: 1 | Lines: -1/+5
  1. Fix a unicode() problem creating the DNS entries
  2. Fix a strange NSS error when generating the certificates against a dogtag server.
  The NSS errors are quite strange. When generating the first certificate nss_shutdown() fails because the database isn't initialized yet but nss_is_initialized() returned True. The second pass fails because something is in use.
* Add default success/failure output logging.
  Author: Rob Crittenden | Date: 2011-02-14 | Files: 1 | Lines: -3/+3
  Request logging on the server only happened if you added verbose=True or debug=True to the IPA config file. We should log the basics at least: who, what, result.
  Move a lot of entries from info to debug logging as well.
  Related to ticket 873
* Handle nolog list containing None values
  Author: Simo Sorce | Date: 2011-01-27 | Files: 1 | Lines: -0/+2
  Fixes: https://fedorahosted.org/freeipa/ticket/856
* Fix assorted bugs found by pylint
  Author: Jakub Hrozek | Date: 2011-01-25 | Files: 1 | Lines: -3/+1
* Unused value in initdefault_encoding_utf8
  Author: Martin Kosek | Date: 2011-01-25 | Files: 1 | Lines: -3/+1
  There is no use for the return value of Py_InitModule3. Removing it in this patch.
  https://fedorahosted.org/freeipa/ticket/710
* Fix failed tests. API for utcoffset changed and strings are more robust.
  Author: Rob Crittenden | Date: 2011-01-24 | Files: 1 | Lines: -4/+4
  In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings, so we need to loosen the tests a bit.
* Add a way to print output from commands
  Author: Simo Sorce | Date: 2011-01-18 | Files: 1 | Lines: -8/+19
  Instead of always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output.
  Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-install
  Author: Martin Kosek | Date: 2011-01-18 | Files: 1 | Lines: -2/+11
  When a randomly generated password contains a space character as the first or the last character, installation fails on the kdb5_ldap_util call, which does not accept that. This patch fixes the generator to generate a space only in an allowed position.
  This patch also ensures that no password is printed to the server install log.
  https://fedorahosted.org/freeipa/ticket/731
* Execute /usr/bin/python directly instead of /usr/bin/env python
  Author: Rob Crittenden | Date: 2011-01-14 | Files: 1 | Lines: -1/+1
  ticket 608
* Add API version and have server reject incompatible clients.
  Author: Rob Crittenden | Date: 2011-01-14 | Files: 1 | Lines: -0/+3
  This patch contains 2 parts.
  The first part is a small utility to create and validate the current API. To do this it needs to load ipalib, which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined.
  The second part is a version exchange between the client and server. The version has a major and a minor version. The major version is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than the server major version (though by implication new API would return a command not found if allowed to proceed).
  To determine the API version of the server from a client use the ping command.
  ticket 584