summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Make hosts more like real services so we can issue certs for host principalsRob Crittenden2009-12-161-4/+7
| | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-101-0/+3
| | | | output_for_cli(); enable more webUI stuff
* rebase dogtag clean-up patchJohn Dennis2009-12-092-210/+1643
|
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.Rob Crittenden2009-11-301-5/+14
| | | | | | | | | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add mod_python adapter and some UI tuningJason Gerard DeRose2009-10-271-0/+5
|
* Remove a bunch of unused imports, general cleanupRob Crittenden2009-10-251-13/+4
|
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-1/+2
|
* Add option to not normalize a DN when adding/updating a record.Rob Crittenden2009-10-051-4/+6
| | | | | The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements so we can't normalize it.
* Fix aci plugin, enhance aci parsing capabilities, add user group supportRob Crittenden2009-09-281-1/+3
| | | | | | | | | | | | - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
* Only initialize the API once in the installerRob Crittenden2009-09-282-11/+20
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Enrollment for a host in an IPA domainRob Crittenden2009-09-242-1/+161
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Use the same variable name in the response as the dogtag pluginRob Crittenden2009-09-241-1/+1
|
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-153-36/+253
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+2
| | | | virtual plugin to work with the new backend
* Remove deprecated comment on plugin naming conventionsRob Crittenden2009-09-141-3/+0
|
* Make ldap2.add_entry proof to None values, because python-ldap hate'em.Pavel Zuna2009-09-081-0/+4
|
* Introduce a list of attributes for which only MOD_REPLACE operations are ↵Pavel Zuna2009-08-281-2/+10
| | | | generated.
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-20/+11
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-4/+0
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Fix bug in _get_syntax (it was always returning None).Pavel Zuna2009-08-031-15/+7
| | | | Also prevent a few cases of double processing of arguments.
* Import explode_dn from ldap.functions for backward compatibility with older ↵Pavel Zuna2009-07-081-2/+4
| | | | | | version of python-ldap. Fix bug in add_entry_to_group. Resolves 510149
* Add class variable to indicate whether SSL is required or not.Rob Crittenden2009-07-071-2/+4
| | | | | Older python-ldap versions will crash if you call ldap.get_option() on a value that has not been set.
* Fix bug in ldap2.modify_password and make adding/removing members slightly ↵Pavel Zuna2009-07-071-4/+4
| | | | more efficient.
* Add conversion of attribute name synonyms when generating modlists.Pavel Zuna2009-06-151-0/+28
|
* Add support for incomplete (truncated) search results.Pavel Zuna2009-06-151-14/+29
| | | | | | | | | | ldap2.find_entries now returns a tuple containing 2 values. First, a list of entries (dn, entry_attrs), Second, the truncated flag. If the truncated flag is True, search results hit a server limitation and are incomplete. This patch also removes decoding of non-string scalar python types into unicode (they are left unchanged).
* Fix bugs in ldap2.Pavel Zuna2009-06-121-18/+8
|
* Fix bug in ldap2.normalize_dn.Pavel Zuna2009-06-101-1/+1
| | | | DN was always returned as lower-case, sometimes resulting in 2 RDN values with different cases when creating entries.
* Make it easier to search for a single entry by attribute value ↵Pavel Zuna2009-05-261-6/+19
| | | | (find_entry_by_attr). Fix minor search filter generation issues.
* Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 ↵Pavel Zuna2009-05-221-117/+43
| | | | base classes and use encode_args/decode_retval where applicable.
* Fix password setting on python 2.4 systems (it doesn't like None for oldpw)Rob Crittenden2009-05-211-1/+1
|
* Schema change so the nisnetgroup triples work properly.Rob Crittenden2009-05-191-1/+1
| | | | | | If we use cn for hostname there is no easy way to distinguish between a host and a hostgroup. So adding a fqdn attribute to be used to store the hostname instead.
* Fix a comment and some typosRob Crittenden2009-05-131-2/+7
|
* Make search filter generation a bit safer. Minor bug fixes/code improvements.Pavel Zuna2009-04-301-8/+12
|
* Add method to generate DN from attribute directly, without making RDN first.Pavel Zuna2009-04-301-0/+10
|
* Use XML rather than string routines to handle response from dogtag Remove ↵Rob Crittenden2009-04-281-6/+17
| | | | trailing CR/LF from the password file
* Rename errors2.py to errors.py. Modify all affected files.Pavel Zuna2009-04-233-31/+31
|
* Fix filter generator in ldapapi. Shouldn't produce invalid filters anymore.Pavel Zuna2009-04-231-6/+12
|
* Throw AlreadyGroupMember instead of EmptyModlist when trying to re-add ↵Pavel Zuna2009-04-221-3/+4
| | | | member to a group.
* Change ldap2.__handle_errors into the global _handle_errors function.Pavel Zuna2009-04-221-52/+53
|
* Make it possible to construct partial match filters using make_filter_* ↵Pavel Zuna2009-04-221-6/+20
| | | | methods. Add missing _sasl_auth variable.
* Convert the RA plugin to use nsslib and remove the configure methodsRob Crittenden2009-04-201-134/+39
|
* Remove unwanted white spaceRob Crittenden2009-04-201-12/+12
|
* Finish work replacing the errors module with errors2Rob Crittenden2009-04-201-30/+64
| | | | | | Once this is committed we can start the process of renaming errors2 as errors. I thought that combinig this into one commit would be more difficult to review.
* Renaming the backend ldap plugin to ldapapi.py to prevent module import issuesRob Crittenden2009-04-061-0/+0
|
generated by cgit (git 2.34.1) at 2024-05-25 22:57:55 +0000