summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Convert integer and boolean values to unicode, don't leave them as str.Pavel Zuna2010-02-171-2/+0
|
* Move the HTTP/S request code to a common libraryRob Crittenden2010-02-091-61/+4
| | | | | | | | This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
* fix error message to be i18n translator friendlyJohn Dennis2010-02-031-1/+2
| | | | | | | | This error message was producing a warning from xgettext because there were multiple substations in the string. In some languages it may be necessary to reorder the substitutions for a proper translation, this is only possible if the substitutions use named values.
* Be more careful when base64-decoding certificatesRob Crittenden2010-02-021-1/+0
| | | | | Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
* Update dogtag configuration to work after CVE-2009-3555 changesRob Crittenden2010-01-271-2/+2
| | | | | | | | NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
* Fix schema loading in the ldap backend.Pavel Zuna2010-01-271-1/+4
|
* User-defined certificate subjectsRob Crittenden2010-01-201-1/+28
| | | | | | | | | | | | | | | Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Allow cospriority to be updated and fix description of priority orderingRob Crittenden2010-01-191-9/+13
| | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work.
* Improve modlist generation in ldap2. Some code cleanup as bonus.Pavel Zuna2010-01-111-65/+89
| | | | | | | | ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. MOD_REPLACE is always used for single value attributes and never for multi value.
* Use the caIPAserviceCert profile for issuing service certs.Rob Crittenden2010-01-081-1/+1
| | | | | | | | | | | This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration.
* Make hosts more like real services so we can issue certs for host principalsRob Crittenden2009-12-161-4/+7
| | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-101-0/+3
| | | | output_for_cli(); enable more webUI stuff
* rebase dogtag clean-up patchJohn Dennis2009-12-092-210/+1643
|
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.Rob Crittenden2009-11-301-5/+14
| | | | | | | | | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add mod_python adapter and some UI tuningJason Gerard DeRose2009-10-271-0/+5
|
* Remove a bunch of unused imports, general cleanupRob Crittenden2009-10-251-13/+4
|
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Giant webui patch take 2Jason Gerard DeRose2009-10-131-1/+2
|
* Add option to not normalize a DN when adding/updating a record.Rob Crittenden2009-10-051-4/+6
| | | | | The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements so we can't normalize it.
* Fix aci plugin, enhance aci parsing capabilities, add user group supportRob Crittenden2009-09-281-1/+3
| | | | | | | | | | | | - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
* Only initialize the API once in the installerRob Crittenden2009-09-282-11/+20
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Enrollment for a host in an IPA domainRob Crittenden2009-09-242-1/+161
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Use the same variable name in the response as the dogtag pluginRob Crittenden2009-09-241-1/+1
|
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-153-36/+253
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+2
| | | | virtual plugin to work with the new backend
* Remove deprecated comment on plugin naming conventionsRob Crittenden2009-09-141-3/+0
|
* Make ldap2.add_entry proof to None values, because python-ldap hate'em.Pavel Zuna2009-09-081-0/+4
|
* Introduce a list of attributes for which only MOD_REPLACE operations are ↵Pavel Zuna2009-08-281-2/+10
| | | | generated.
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-20/+11
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-4/+0
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Fix bug in _get_syntax (it was always returning None).Pavel Zuna2009-08-031-15/+7
| | | | Also prevent a few cases of double processing of arguments.
* Import explode_dn from ldap.functions for backward compatibility with older ↵Pavel Zuna2009-07-081-2/+4
| | | | | | version of python-ldap. Fix bug in add_entry_to_group. Resolves 510149
* Add class variable to indicate whether SSL is required or not.Rob Crittenden2009-07-071-2/+4
| | | | | Older python-ldap versions will crash if you call ldap.get_option() on a value that has not been set.
* Fix bug in ldap2.modify_password and make adding/removing members slightly ↵Pavel Zuna2009-07-071-4/+4
| | | | more efficient.
* Add conversion of attribute name synonyms when generating modlists.Pavel Zuna2009-06-151-0/+28
|
* Add support for incomplete (truncated) search results.Pavel Zuna2009-06-151-14/+29
| | | | | | | | | | ldap2.find_entries now returns a tuple containing 2 values. First, a list of entries (dn, entry_attrs), Second, the truncated flag. If the truncated flag is True, search results hit a server limitation and are incomplete. This patch also removes decoding of non-string scalar python types into unicode (they are left unchanged).
* Fix bugs in ldap2.Pavel Zuna2009-06-121-18/+8
|
* Fix bug in ldap2.normalize_dn.Pavel Zuna2009-06-101-1/+1
| | | | DN was always returned as lower-case, sometimes resulting in 2 RDN values with different cases when creating entries.
* Make it easier to search for a single entry by attribute value ↵Pavel Zuna2009-05-261-6/+19
| | | | (find_entry_by_attr). Fix minor search filter generation issues.
* Make ldap2 always return attribute names as lowercase. Add Encoder to ldap2 ↵Pavel Zuna2009-05-221-117/+43
| | | | base classes and use encode_args/decode_retval where applicable.
* Fix password setting on python 2.4 systems (it doesn't like None for oldpw)Rob Crittenden2009-05-211-1/+1
|
* Schema change so the nisnetgroup triples work properly.Rob Crittenden2009-05-191-1/+1
| | | | | | If we use cn for hostname there is no easy way to distinguish between a host and a hostgroup. So adding a fqdn attribute to be used to store the hostname instead.
* Fix a comment and some typosRob Crittenden2009-05-131-2/+7
|
* Make search filter generation a bit safer. Minor bug fixes/code improvements.Pavel Zuna2009-04-301-8/+12
|
* Add method to generate DN from attribute directly, without making RDN first.Pavel Zuna2009-04-301-0/+10
|
generated by cgit (git 2.34.1) at 2024-06-08 23:09:42 +0000