path: root/ipaserver/install
Commit message | Author | Age | Files | Lines
* Update named.conf parser | Martin Kosek | 2013-03-14 | 1 | -21/+48
  Refactor the named.conf parsing and editing functions in bindinstance so that both "dynamic-db" and "options" sections of named.conf can be read and updated
  https://fedorahosted.org/freeipa/ticket/3429
* Extend ipa-replica-manage to be able to manage DNA ranges. | Rob Crittenden | 2013-03-13 | 2 | -2/+99
  Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error.
  Some validation of the ranges is done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters.
  http://freeipa.org/page/V3/Recover_DNA_Ranges
  https://fedorahosted.org/freeipa/ticket/3321
* Remove ipaserver/ipaldap.py | Petr Viktorin | 2013-03-13 | 7 | -21/+11
  In addition to removing the module, fix all places where it was imported.
  Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Fix installing server with external CA | Petr Viktorin | 2013-03-08 | 2 | -31/+32
  Reorganize ipa-server-install so that DS (and NTP server) installation only happens in step one.
  Change CAInstance to behave correctly in two-step install.
  Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks.
  https://fedorahosted.org/freeipa/ticket/3459
* Don't base64-encode the CA cert when uploading it during an upgrade. | Rob Crittenden | 2013-03-07 | 1 | -2/+1
  We want to store the raw value. Tools like ldapsearch will automatically base64 encode the value because it's binary so we don't want to duplicate that.
  https://fedorahosted.org/freeipa/ticket/3477
* Remove support for DN normalization from LDAPClient. | Jan Cholasta | 2013-03-01 | 2 | -5/+4
* Remove some uses of raw python-ldap | Petr Viktorin | 2013-03-01 | 3 | -15/+12
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.unbind_s(), keep unbind() | Petr Viktorin | 2013-03-01 | 2 | -2/+2
  The unbind and unbind_s functions do the same thing (both are synchronous).
  In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.simple_bind_s | Petr Viktorin | 2013-03-01 | 2 | -4/+5
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace IPAdmin.start_tls_s by an __init__ argument | Petr Viktorin | 2013-03-01 | 1 | -6/+6
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove search_s and search_ext_s from IPAdmin | Petr Viktorin | 2013-03-01 | 4 | -12/+16
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Inline waitForEntry in its only caller | Petr Viktorin | 2013-03-01 | 1 | -1/+40
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Inline inactivateEntry in its only caller | Petr Viktorin | 2013-03-01 | 1 | -1/+3
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE) | Petr Viktorin | 2013-03-01 | 6 | -38/+42
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Fix typo and traceback suppression in replication.py | Petr Viktorin | 2013-03-01 | 1 | -3/+4
* Replace deleteEntry with delete_entry | Petr Viktorin | 2013-03-01 | 4 | -11/+11
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace addEntry with add_entry | Petr Viktorin | 2013-03-01 | 7 | -23/+23
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove toTupleList and attrList from LDAPEntry | Petr Viktorin | 2013-03-01 | 1 | -4/+2
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace getList by a get_entries method | Petr Viktorin | 2013-03-01 | 3 | -18/+22
  The find_entries method is cumbersome to use: it requires keyword arguments for simple uses, and callers are tempted to ignore the 'truncated' flag it returns.
  Introduce a simpler method, get_entries, that returns the found list directly, and raises an error if the list is truncated.
  Replace the getList method by get_entries.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_value | Petr Viktorin | 2013-03-01 | 6 | -39/+41
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity | Petr Viktorin | 2013-03-01 | 1 | -6/+0
* Replace IPAdmin.checkTask by replication.wait_for_task | Petr Viktorin | 2013-03-01 | 2 | -3/+24
  The method was only used for waiting, not actual checking.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.get_dns_sorted_by_length | Petr Viktorin | 2013-03-01 | 1 | -12/+8
  A simple sort(key=len) is simpler both implementation-wise and semantics-wise.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.updateEntry calls from fix_replica_agreements | Petr Viktorin | 2013-03-01 | 1 | -4/+2
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove dbdir, binddn, bindpwd from IPAdmin | Petr Viktorin | 2013-03-01 | 1 | -1/+9
  The dbdir logic was moved to replication.py, the only caller. The binddn and bindpwd attributes were unused.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused imports from ipaserver/install | Petr Viktorin | 2013-03-01 | 12 | -55/+24
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace add_s and delete_s by their newer equivalents | Petr Viktorin | 2013-03-01 | 3 | -15/+15
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.setValue/setValues by item assignment | Petr Viktorin | 2013-03-01 | 4 | -21/+21
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValues() by entry.get() | Petr Viktorin | 2013-03-01 | 3 | -9/+9
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use update_entry with a single entry in adtrustinstance | Petr Viktorin | 2013-03-01 | 1 | -10/+8
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace setValue by keyword arguments when creating entries | Petr Viktorin | 2013-03-01 | 7 | -157/+203
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove the Entry class. | Jan Cholasta | 2013-03-01 | 1 | -2/+2
* Remove the Entity class. | Jan Cholasta | 2013-03-01 | 1 | -31/+4
  Move Entity functionality to LDAPEntry.
* Add make_entry factory method to LDAPConnection. | Jan Cholasta | 2013-03-01 | 7 | -28/+26
  Replace all occurrences of Entry instantiation with calls to make_entry.
* Make IPAdmin not inherit from IPASimpleLDAPObject | Petr Viktorin | 2013-03-01 | 1 | -1/+1
  Instead of inheritance, the LDAPObject is kept in a `conn` attribute, as the ldap2 class does it. However, all IPASimpleLDAPObject methods are still available as before (using __getattr__-based proxying).
  Also, remove the IPAEntryLDAPObject class. The methods it overrode were never called in ways that would make them behave differently than the superclass.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Move the decision to force schema updates out of IPASimpleLDAPObject | Petr Viktorin | 2013-03-01 | 1 | -1/+2
  This decision used the api object, which might not be available in installer code. Move the decision to callers.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Derive Entity class from Entry, and move it to ldapupdate | Petr Viktorin | 2013-03-01 | 1 | -3/+28
  The two classes were nearly identical, and the updater is the only code that uses Entity.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove some unused imports | Petr Viktorin | 2013-03-01 | 5 | -31/+17
  Remove all unused LDAP-related imports, plus some other ones.
  This should make it easier to quickly check what uses which LDAP wrapper
* Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir | Jakub Hrozek | 2013-02-18 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/3132
* Port ipa-replica-prepare to the admintool framework | Petr Viktorin | 2013-02-01 | 1 | -0/+504
  Break the script into several smaller methods.
  Use modern idioms: os.path.join instead of string addition; the with statement for closing files.
  Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output)
  Part of: https://fedorahosted.org/freeipa/ticket/2652
  Fixes: https://fedorahosted.org/freeipa/ticket/3285
* Better logging for AdminTool and ipa-ldap-updater | Petr Viktorin | 2013-02-01 | 1 | -26/+22
  - Automatically add a "Logging and output options" group with the --quiet, --verbose, --log-file options.
  - Set up logging based on these options; details are in the setup_logging docstring and in the design document.
  - Don't bind log methods as individual methods of the class. This means one less linter exception.
  - Make the help for command line options consistent with optparse's --help and --version options.
  Design document: http://freeipa.org/page/V3/Logging_and_output
* Drop ipapython.compat. | Jan Cholasta | 2013-02-01 | 1 | -2/+1
* Use new certmonger locking to prevent NSS database corruption. | Rob Crittenden | 2013-01-29 | 1 | -13/+100
  dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a renewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're safe from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command.
  Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well.
  Update the CA ou=People entry when the CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance.
  https://fedorahosted.org/freeipa/ticket/3292
  https://fedorahosted.org/freeipa/ticket/3322
* Add the CA cert to LDAP after the CA install | Petr Viktorin | 2013-01-29 | 1 | -2/+1
  The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message.
  This moves the cert upload to after the CA cert is ready and the certdb is created.
  Move the cert upload to after the certdb is generated.
  https://fedorahosted.org/freeipa/ticket/3375
* Pylint cleanup. | Jan Cholasta | 2013-01-29 | 1 | -2/+2
  Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positives introduced by Pylint 0.26.
  https://fedorahosted.org/freeipa/ticket/3379
* Update anonymous access ACI to protect secret attributes. | Rob Crittenden | 2013-01-23 | 2 | -0/+82
  Update anonymous access ACI so that no users besides Trust Admins users can read AD Trust key attributes (ipaNTTrustAuthOutgoing, ipaNTTrustAuthIncoming). The change is applied both for updated IPA servers and new installations.
* Use secure method to acquire IPA CA certificate | John Dennis | 2013-01-23 | 1 | -1/+4
  Major changes ipa-client-install:
  * Use GSSAPI connection to LDAP server to download CA cert (now the default method)
  * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive.
  * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted.
  * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below)
  * If /etc/ipa/ca.crt CA cert preexists then validate it matches the securely acquired CA cert, if not:
    - If --unattended and not --force abort with error
    - If interactive query user to accept new CA cert, if not abort
    In either case warn user.
  * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method
  * If not interactive and LDAP retrieval fails abort unless --force
  * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored.
  Other changes:
  * Add new exception class CertificateInvalidError
  * Add utility convert_ldap_error() to ipalib.ipautil
  * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere).
  * ipadiscovery no longer retrieves CA cert via HTTP.
  * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warning in absence of a provided CA certificate via --ca-cert-file or through existing /etc/ipa/ca.crt file.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Update plugin to upload CA certificate to LDAP | Alexander Bokovoy | 2013-01-23 | 1 | -0/+56
  Define post-update plugin to upload public CA certificate to IPA LDAP server. The plugin includes also update file that creates default container for the certificate.
* Upload CA cert in the directory on install | Simo Sorce | 2013-01-23 | 1 | -0/+15
  This will later allow clients to securely download the CA cert by performing mutual auth using LDAP with GSSAPI
* Installer should not connect to 127.0.0.1 | Martin Kosek | 2013-01-21 | 2 | -3/+3
  IPA installer sometimes tries to connect to the Directory Server via loopback address 127.0.0.1. However, the Directory Server on pure IPv6 systems may not be listening on this address. This address may not even be available.
  Rather use the FQDN of the server when connecting to the DS to fix this issue and make the connection consistent with ldapmodify calls which also use FQDN instead of IP address.
  https://fedorahosted.org/freeipa/ticket/3355