summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
* enable proxy for dogtagAdam Young2011-08-292-2/+15
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Make sure that hostname specified by user is not an IP address.Jan Cholasta2011-07-251-0/+3
| | | | ticket 1375
* Remove sensitive information from logsMartin Kosek2011-07-131-8/+7
| | | | | | | | When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
* Set the client auth callback after creating the SSL connection.Rob Crittenden2011-07-011-2/+2
| | | | | | | | | | If we set the callback before calling connect() then if the connection tries a network family type and fails, it will try other family types. If this happens then the callback set on the first socket will be lost when a new socket is created. There is no way to query for the callback in an existing socket. https://fedorahosted.org/freeipa/ticket/1349
* The IP address provided to ipa-server-install must be localRob Crittenden2011-06-201-2/+5
| | | | | | | Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available. https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parserMartin Kosek2011-06-191-4/+7
| | | | | | | | | | | Implements a way to pass match_local and parse_netmask parameters to IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters. https://fedorahosted.org/freeipa/ticket/1333
* Connection check program for replica installationMartin Kosek2011-06-081-0/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall. This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure: 1) Execute the on-replica check testing the connection to master 2) Open required ports on local machine 3) Ask user to run the on-master part of the check OR run it automatically: a) kinit to master as default admin user with given password b) run the on-master part using ssh 4) When master part is executed, it checks connection back to the replica and prints the check result This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master. https://fedorahosted.org/freeipa/ticket/1107
* Do stricter checking of IP addressed passed to server install.Jan Cholasta2011-05-301-0/+11
| | | | ticket 1213
* Parse netmasks in IP addresses passed to server install.Jan Cholasta2011-05-302-1/+79
| | | | ticket 1212
* Improve service manipulation in client installMartin Kosek2011-05-131-0/+48
| | | | | | | | Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging. https://fedorahosted.org/freeipa/ticket/1207
* ipautil: Preserve environment unless explicitly overridden by caller.Simo Sorce2011-04-271-1/+4
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1193
* Remove unused classes.Jan Cholasta2011-04-201-23/+0
| | | | | Removed NSPRConnection and NSPRHTTP from ipapython.nsslib, as they are not used anywhere in FreeIPA.
* Fix lint false positives.Jan Cholasta2011-04-131-0/+1
|
* Removed wrong timeout parameterSylvain Baubeau2011-03-181-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/1086 Add Sylvain Baubeau to Contributors.txt
* If --hostname is provided for ipa-client-install use it everywhere.Rob Crittenden2011-03-081-2/+78
| | | | | | | | | | | | | | | | | | | If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer. We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredicable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them. ticket 1029
* Inconsistent sysrestore file handling by IPA server installerMartin Kosek2011-03-031-0/+1
| | | | | | | | | | | | IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
* Make nsslib IPv6 awareJakub Hrozek2011-02-211-16/+92
|
* Fix NSS initialization errors during ipa-replica-prepareRob Crittenden2011-02-181-5/+1
| | | | | | | | | | | When enabling replication we make an SSL connection. I think the way this goes is python-ldap -> openldap -> NSS. It may be a problem in the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any case if we use ldapi instead the problem goes away. Back out the temporary code to ignore nss_shutdown errors. ticket 965
* Fix two problems with ipa-replica-prepareRob Crittenden2011-02-141-1/+5
| | | | | | | | | | | 1. Fix a unicode() problem creating the DNS entries 2. Fix a strange NSS error when generating the certificates against a dogtag server. The NSS errors are quite strange. When generating the first certificate nss_shutdown() fails because the database isn't initialized yet but nss_is_initialized() returned True. The second pass fails because something is in use.
* Add default success/failure output logging.Rob Crittenden2011-02-141-3/+3
| | | | | | | | | | Request logging on the server only happened if you added verbose=True or debug=True to the IPA config file. We should log the basics at least: who, what, result. Move a lot of entries from info to debug logging as well. Related to ticket 873
* Handle nolog list containing None valuesSimo Sorce2011-01-271-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/856
* Fix assorted bugs found by pylintJakub Hrozek2011-01-251-3/+1
|
* Unused value in initdefault_encoding_utf8Martin Kosek2011-01-251-3/+1
| | | | | | | There is no use for return value of Py_InitModule3. Removing it in this patch. https://fedorahosted.org/freeipa/ticket/710
* Fix failed tests. API for utcoffset changed and strings are more robust.Rob Crittenden2011-01-241-4/+4
| | | | | | | In Python 2.7 the API for time.utcoffset() changed. We do more automatic conversions of strings so need to loosen the tests a bit.
* Add a way to print output from commandsSimo Sorce2011-01-181-8/+19
| | | | | | | | Instead pof always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output. Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-installMartin Kosek2011-01-181-2/+11
| | | | | | | | | | | | When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
* Execute /usr/bin/python directly instead of /usr/bin/env pythonRob Crittenden2011-01-141-1/+1
| | | | ticket 608
* Add API version and have server reject incompatible clients.Rob Crittenden2011-01-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
* Remove radius options completely.Simo Sorce2011-01-142-368/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-1/+1
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2017-90/+89
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-201-1/+18
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Properly quote passwords sent to pkisilent so special characters work.Rob Crittenden2010-12-171-0/+5
| | | | | | Also check for url-encoded passwords before logging them. ticket 324
* Catch when we fail to get a cert chain from the CA during installationRob Crittenden2010-11-241-1/+5
| | | | | | Also don't free the XML document if it was never created. ticket 404
* Use Realm as certs subject base nameSimo Sorce2010-11-181-1/+3
| | | | Also use the realm name as nickname for the CA certificate
* Log script options to logfileJakub Hrozek2010-11-091-1/+41
| | | | | | | | Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
* Add default python encoding module to reset default from ascii to utf-8Rob Crittenden2010-10-224-1/+135
| | | | Also clean up some duplicate files in the rpm for the UI.
* Use consistent, specific nickname for the IPA CA certificate.Rob Crittenden2010-10-011-2/+4
| | | | | | Also fix some imports for sha. We have a compat module for it, use it. ticket 181
* Remove some additional instances of krbV from ipa-clientRob Crittenden2010-09-101-3/+7
| | | | | | | | | | | Make two krbV imports conditional. These aren't used during a client install so should cause no problems. Also fix the client installer to use the new env option in ipautil.run. We weren't getting the krb5 configuration set in the environment because we were overriding the environment to set the PATH. ticket 136
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-0/+248
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* ipautil Syntax error in commentNalin Dahyabhai2010-09-011-1/+1
|
* Changes to fix compatibility with Fedora 14Rob Crittenden2010-08-312-5/+14
| | | | | | | | | | | | Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
* Remove passwords when running commands including stdout and stderrRob Crittenden2010-08-311-16/+13
| | | | | | | | | | | This replaces the old no logging mechanism that only handled not logging passwords passed on the command-line. The dogtag installer was including passwords in the output. This also adds no password logging to the sslget invocations and removes a couple of extraneous log commands. ticket 156
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-161-0/+14
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-291-0/+4
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* Clean up crypto code, take advantage of new nss-python capabilitiesRob Crittenden2010-07-151-1/+0
| | | | | | | | This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
* use NSS for SSL operationsJohn Dennis2010-06-153-259/+167
|
* gpg2 requires --batch to use the --passphrase* arguments.Rob Crittenden2010-05-271-2/+2
| | | | | | This was causing replica creation and installation to fail. 596446
* Add simple test to see if client is already configuredRob Crittenden2010-05-061-0/+8
| | | | | | | | | | | | If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert).
* Handle CSRs whether they have NEW in the header or notRob Crittenden2010-05-031-7/+2
| | | | Also consolidate some duplicate code
generated by cgit (git 2.34.1) at 2024-04-19 03:27:21 +0000