| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.
On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.
https://fedorahosted.org/freeipa/ticket/2368
|
|
|
|
|
|
| |
When default server was being parsed from IPA's default.conf
configuration file, the parsed server was not appended correctly to
the default_server list.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
|
|
|
|
|
|
|
|
| |
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.
https://fedorahosted.org/freeipa/ticket/2050
|
|
|
|
|
|
| |
If a zone index is present in an IPv6 address, it is ignored.
ticket 2138
|
|
|
|
|
|
|
| |
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.
https://fedorahosted.org/freeipa/ticket/2127
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two sides to this, the server and client side.
On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.
On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).
The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.
https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
|
|
|
|
|
|
|
|
|
|
|
| |
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.
This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.
https://fedorahosted.org/freeipa/ticket/2419
|
|
|
|
|
|
|
| |
Also check for the existence of restorecon. This may be overkill but
it will prevent a client installation from failing for no good reason.
https://fedorahosted.org/freeipa/ticket/2368
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to checked port.
This patch removes UDP port checks in replica->master direction
as we would have to implement (kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for user.
Direction master->replica was fixed and now it is able to report
error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
|
|
|
|
|
|
| |
These were used by ipa_kpasswd and krb5-server-ldap respectivily.
https://fedorahosted.org/freeipa/ticket/2397
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
|
|
|
|
|
|
|
|
| |
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.
https://fedorahosted.org/freeipa/ticket/2391
|
|
|
|
|
|
| |
Fixes import problems trying to import just ipalib/compat.py.
https://fedorahosted.org/freeipa/ticket/754
|
|
|
|
|
|
|
|
| |
Add method for getting configuration directory path of a service,
so that a different SSH configuration directory can be specified on
different platforms.
https://fedorahosted.org/freeipa/ticket/754
|
|
|
|
|
|
|
|
| |
This change makes it possible to call IPA commands from ipa-client-install.
Done to support adding SSH host keys to DNS.
https://fedorahosted.org/freeipa/ticket/1634
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are
configured via /etc/sysconfig/dirsrv.systemd. It means logic change in
systemd/fedora16 platform of FreeIPA.
Additionally, existing installs need to be handled during upgrade.
Fixes:
https://fedorahosted.org/freeipa/ticket/2117
https://fedorahosted.org/freeipa/ticket/2300
|
|
|
|
|
|
|
|
|
|
|
| |
inifile_replace_variables() works similar to config_replace_variables() but
allows to apply changes to specific section of an inifile. Inifiles are
commonly used by freedesktop.org software and particularly used by systemd.
When modifying inifile, all changes will be applied to specific section.
Also fixes corner case in config_replace_variables() which would dublicate
variables when adding them.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.
This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.
https://fedorahosted.org/freeipa/ticket/2154
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.
Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).
I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.
https://fedorahosted.org/freeipa/ticket/1979
|
|
|
|
|
|
|
|
|
| |
The value stored in certmonger is not guaranteed to be normalized
nor is the value passed-in (could be a relative path and may or not
contain trailing slash). We do direct string compares so they need
to match exactly or we won't find the request.
https://fedorahosted.org/freeipa/ticket/1942
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default log level for server messages captured by httpd's
error_log historically was INFO. The log_manager patch had it set to
ERROR, this patch resets it back to INFO.
Although it would have been trival to set the default_level to INFO in
IPALogManager.configure_from_env() that is not logically the correct
place. It would be much better if the default_level can be reset by
simply assigning it to the log_mgr. To accomplish that
LogManager.default_level was converted to a property with a getter and
setter. The setter runs LogManager.apply_configuratin() after the
default_level is modified. LogManager.set_default_level() was also
added to allow simultaneously updating the configure_state.
While testing some minor problems were observed and also fixed:
* Removed some print statement which had been left in by mistake
* Removed the ability to set the handler level in the config file
because of chicken-and-egg issues of when handlers get created.
The Env config file format is too inflexible to support detailed
logging configuration. If the Env config format is ever made more
flexible we can come back and add this back in. The handler config
setting in Env had never been used and never worked so there is no
issue in removing it.
|
|
|
|
|
|
|
|
|
|
|
|
| |
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
|
| |
|
|
|
|
|
|
|
|
| |
For rare cases when Python development package is not installed,
check that Python.h is available and bail out if not.
Fixes:
https://fedorahosted.org/freeipa/ticket/1838
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1192
|
| |
|
|
|
|
|
|
|
|
|
| |
This would blow up if you tried to append a value to an entry that looked
like:
NAME=
https://fedorahosted.org/freeipa/ticket/1983
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1871
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When certain features are being configured via authconfig, we need to
remember what was configured and what was the state before it so that
during uninstall we restore proper state of the services.
Mostly it affects sssd configuration with multiple domains but also
pre-existing LDAP and krb5 configurations.
This should fix following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
|
|
|
|
|
|
|
|
|
| |
Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
IP address parsing. We will use the same function in IPv4/IPv6
conversions + be stricter and don't allow IP addresses such as
'1.1.1' at the same time.
https://fedorahosted.org/freeipa/ticket/1965
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backup_and_replace_hostname() was doing three things:
1. Given config file in 'key=value' style, replace value for a
specified key (HOSTNAME)
2. Backup original file and install a replacement
3. Restore original security context after editing
We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:
1. config_replace_variables(filepath, replacevars=dict(),
appendvars=dict())
Replaces or appends values to specified keys, adding new key=value
pairs if key was absent
2. backup_config_and_replace_variables(fstore, filepath,
replacevars=dict(),
appendvars=dict())
Backups config file and calls config_replace_variables()
A caller must handle security context after using these two tools.
In addition, as before, there is
ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.
The code will be used extensively for systemd integration for Fedora 16.
Fixes:
https://fedorahosted.org/freeipa/ticket/1871
|
|
|
|
|
|
| |
Fixes issue with Python linter on Fedora 16 where it assumes for C
modules-provided objects that they are of type _Chainmap during static
analysis.
|
|
|
|
|
|
|
|
|
|
|
| |
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)
Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)
ticket 1636
|
|
|
|
|
|
|
|
|
| |
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
|
|
|
|
|
|
|
|
|
| |
When LDAP server contains more that one suffixes, the ipa client
installation does not detect it as IPA server and fails to install.
Fix ipa server discovery so that it correctly searches all naming
contexts for the IPA one.
https://fedorahosted.org/freeipa/ticket/1868
|
|
|
|
|
|
|
| |
httplib purposely keeps the socket open as a file on failed requests. We
need to close this file otherwise nss_shutdown() will fail.
https://fedorahosted.org/freeipa/ticket/1807
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1816
|
|
|
|
|
|
|
|
|
| |
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.
https://fedorahosted.org/freeipa/ticket/1605
|
|
|
|
|
|
| |
Fix "The the" and "classses" in FreeIPA code and messages.
https://fedorahosted.org/freeipa/ticket/1480
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
|
|
| |
ticket 1375
|
|
|
|
|
|
|
|
| |
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.
https://fedorahosted.org/freeipa/ticket/1378
|
|
|
|
|
|
|
|
|
|
| |
If we set the callback before calling connect() then if the connection
tries a network family type and fails, it will try other family types.
If this happens then the callback set on the first socket will be lost
when a new socket is created. There is no way to query for the callback
in an existing socket.
https://fedorahosted.org/freeipa/ticket/1349
|
|
|
|
|
|
|
| |
Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.
https://fedorahosted.org/freeipa/ticket/1175
|
|
|
|
|
|
|
|
|
|
|
| |
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.
Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.
https://fedorahosted.org/freeipa/ticket/1333
|