| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
| |
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
|
|
|
|
| |
output_for_cli(); enable more webUI stuff
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.
Subject alt names are only allowed if:
- the host for the alt name exists in IPA
- if binding as host principal, the host is in the services managedBy attr
|
|
|
|
|
| |
ipaserver/plugins/rabase.py | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
|
|
|
| |
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
|
|
|
|
| |
Previously we only filtered None values, but it turns out that's not enough.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.
In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service
It might look something like:
admin
ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin
client
ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
The KDC ldap plugin is very picky about the format of DNs. It does
not allow spacing between elements so we can't normalize it.
|
|
|
|
|
|
|
|
|
|
|
|
| |
- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
in the regex altogether. This now lets us handle all current ACIs in IPA
(some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
can write attributes x,y,z in group B). It is actually quite a lot more
flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin
|
|
|
|
|
|
| |
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors
525303
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.
A run would look like:
# ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
# ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com
This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.
To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.
One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.
Lots of general fixes were also made in ipaserver.install.certs including:
- better handling when multiple CA certificates are in a single file
- A temporary directory for request certs is not always created when the
class is instantiated (you have to call setup_cert_request())
|
|
|
|
| |
virtual plugin to work with the new backend
|
| |
|
| |
|
|
|
|
| |
generated.
|
|
|
|
|
|
| |
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
|
|
|
|
|
| |
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
|
|
|
|
| |
Also prevent a few cases of double processing of arguments.
|
|
|
|
|
|
| |
version of python-ldap. Fix bug in add_entry_to_group.
Resolves 510149
|
|
|
|
|
| |
Older python-ldap versions will crash if you call ldap.get_option()
on a value that has not been set.
|
|
|
|
| |
more efficient.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ldap2.find_entries now returns a tuple containing 2 values. First,
a list of entries (dn, entry_attrs), Second, the truncated flag. If
the truncated flag is True, search results hit a server limitation
and are incomplete.
This patch also removes decoding of non-string scalar python types into
unicode (they are left unchanged).
|
| |
|
|
|
|
| |
DN was always returned as lower-case, sometimes resulting in 2 RDN values with different cases when creating entries.
|
|
|
|
| |
(find_entry_by_attr). Fix minor search filter generation issues.
|
|
|
|
| |
base classes and use encode_args/decode_retval where applicable.
|
| |
|
|
|
|
|
|
| |
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
|
| |
|
| |
|
| |
|
|
|
|
| |
trailing CR/LF from the password file
|
| |
|
| |
|
|
|
|
| |
member to a group.
|
| |
|
|
|
|
| |
methods. Add missing _sasl_auth variable.
|
| |
|
| |
|
|
|
|
|
|
| |
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
|
| |
|