summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Don't check for 389-instances.Rob Crittenden2011-11-161-13/+1
| | | | | | | | | | We no longer need to enforce that no 389-ds instances exist on an IPA server. Checking that the ports exist should be enough. This used to be one mechanism we used to check to see if IPA was already installed. We have a better mechanism now. https://fedorahosted.org/freeipa/ticket/1735
* Replication: Adjust replica installation to omit processing memberof ↵JR Aquino2011-11-142-5/+29
| | | | | | | | | | | | | computations https://fedorahosted.org/freeipa/ticket/1794 If the master does not yet support the total update list feature we still run the memberof fixup task and not fail to replicate due to the new attribute not being settable. Jointly-developed-with: Simo Sorce <ssorce@redhat.com> Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
* Remove calls to has_managed_entries()Rob Crittenden2011-11-111-30/+0
| | | | | | | | At one point in time we couldn't depend on the 389-ds having the managed entries plugin so this code was added to support both versions. It is no longer needed. https://fedorahosted.org/freeipa/ticket/1242
* Allow custom server backend encodingMartin Kosek2011-11-091-0/+17
| | | | | | | | | | | | | | Server framework does not support encoding of native Python type values stored in Param classes and sub-classes. When backend (LDAP) value encoding differs from Python type value representation user has to has to hard-code the encoders in his processing. This patch introduces a method Param.encode which is used in server context to encode native Python Param values. The new encode method is used for Bool parameter to convert native Python bool type value (True, False) to LDAP value ("TRUE", "FALSE"). https://fedorahosted.org/freeipa/ticket/2039
* Add --zonemgr/--admin-mail validatorMartin Kosek2011-10-261-0/+17
| | | | | | | | | | | Do at least a basic validation of DNS zone manager mail address. Do not require '@' to be in the mail address as the SOA record stores this value without it and people may be used to configure it that way. '@' is always removed by the installer/dns plugin before the DNS zone is created. https://fedorahosted.org/freeipa/ticket/1966
* Quote multiple workers optionAlexander Bokovoy2011-10-251-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2023
* Spin for connection success also when socket is not (yet) availableAlexander Bokovoy2011-10-241-1/+1
| | | | | | | | | | We were spinning for socket connection if attempt to connect returned errno 111 (connection refused). However, it is not enough for local AF_UNIX sockets as heavy applications might not be able to start yet and therefore the whole path might be missing. So spin for errno 2 (no such file or directory) as well. Partial fix for https://fedorahosted.org/freeipa/ticket/1990
* Add support for systemd environments and use it to support Fedora 16Alexander Bokovoy2011-10-243-5/+6
| | | | https://fedorahosted.org/freeipa/ticket/1192
* Check /etc/hosts file in ipa-server-installMartin Kosek2011-10-132-10/+20
| | | | | | | | There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly. https://fedorahosted.org/freeipa/ticket/1923
* Hostname used by IPA must be a system hostnameMartin Kosek2011-10-131-5/+0
| | | | | | | | | | | Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname. https://fedorahosted.org/freeipa/ticket/1931
* Check hostname resolution sanityMartin Kosek2011-10-131-3/+11
| | | | | | | | | Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
* Work around limits not being updatable in 389-ds.Rob Crittenden2011-10-121-1/+1
| | | | | | | | | The bug to fix updates, BZ 741744, isn't working. For the short term add the attributes we want to update to the REPLACE whitelist so rather than using an ADD and DEL operation it will use a REPLACE. https://fedorahosted.org/freeipa/ticket/1888
* Fix has_upg() to work with relocated managed entries configuration.Rob Crittenden2011-10-131-18/+17
| | | | https://fedorahosted.org/freeipa/ticket/1964
* Optimize member/memberof searches in LDAPMartin Kosek2011-10-121-5/+4
| | | | | | | | | | | | When investigating if member/memberof attribute is direct/indirect we do a lot of LDAP SCOPE_SUBTREE searches when we actually search just for one item. Make sure we search only with SCOPE_BASE to improve the performance. One not so efficient iteration was also changed to list comprehension to speed things up a tiny bit. https://fedorahosted.org/freeipa/ticket/1885
* Don't leak passwords through kdb5_ldap_util command line arguments.Jan Cholasta2011-10-111-2/+8
| | | | ticket 1948
* Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common ↵Alexander Bokovoy2011-10-111-21/+9
| | | | | | | | | | | backup_config_and_replace_variables() tool systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of /etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we need to make sure it is always existing and pointing to our realm. Partial fix for: https://fedorahosted.org/freeipa/ticket/1192
* Fix dnszone-add name_from_ip server validationMartin Kosek2011-10-111-1/+8
| | | | | | | | | | | | Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add name_from_ip validation which works fine for CLI. However, when the command is not proceeded via CLI and sent directly to the RPC server, the server throws Internal Server Error. Make sure that the server returns a reasonable error. Also implement 2 unit cases testing this option https://fedorahosted.org/freeipa/ticket/1941
* Improve default user/group object class validationMartin Kosek2011-10-111-1/+4
| | | | | | | | | | | | When user/group default object class is being modified via ipa config-mod, no validation check is run. Check at least the following: - all object classes are known to LDAP - all default user/group attributes are allowed under the new set of default object classes https://fedorahosted.org/freeipa/ticket/1893
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-2/+14
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* Make mod_nss renegotiation configuration a public functionAdam Young2011-10-091-4/+4
|
* When calculating indirect membership don't test nesting on users and hosts.Rob Crittenden2011-10-061-0/+8
| | | | | | | | | Members are dereferenced when calculating indirect membership. We don't need to check hosts and users for members. This significantly reduces the number of queries required for large groups. https://fedorahosted.org/freeipa/ticket/1885
* Improve ipa-replica-prepare DNS checkMartin Kosek2011-10-061-13/+28
| | | | | | | | | | | | | Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowedSimo Sorce2011-10-061-6/+17
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interruptedMartin Kosek2011-10-061-23/+26
| | | | | | | | | When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
* Work around pkisilent bugs.Jan Cholasta2011-10-042-18/+28
| | | | | | | | | | | Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641) Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180) ticket 1636
* Add a function for formatting network locations of the form host:port for ↵Jan Cholasta2011-10-055-13/+14
| | | | | | | | | use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869
* Require current password when using passwd to change your own password.Rob Crittenden2011-10-041-0/+11
| | | | | | | | | | | | | | | | | | Add a new required parameter, current_password. In order to ask this first I added a new parameter option, sortorder. The lower the value the earlier it will be prompted for. I also changed the way autofill works. It will attempt to get the default and if it doesn't get anything will continue prompting interactively. Since current_password is required I'm passing a magic value that means changing someone else's password. We need to pass something since current_password is required. The python-ldap passwd command doesn't seem to use the old password at all so I do a simple bind to validate it. https://fedorahosted.org/freeipa/ticket/1808
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install.Rob Crittenden2011-09-271-0/+13
| | | | | | | | | | ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
* Fix ipa-replica-prepare always warning the user about not using the system ↵Jan Cholasta2011-09-261-5/+15
| | | | | | hostname. ticket 1717
* Add admin SIDsSumit Bose2011-09-231-6/+56
| | | | | The admin SID DOMAIN-SID-500 will be assigned to the IPA admin user and the admin group SID DOMAIN-SID-512 to the admins group.
* Remove checks for ds-replication pluginMartin Kosek2011-09-221-15/+0
| | | | | | | The replication plugin is no longer shipped as a separate package. Remove the code checking its existence. https://fedorahosted.org/freeipa/ticket/1815
* Fix ACIs in ipa-adtrust-installSumit Bose2011-09-201-2/+13
|
* Check that install hostname matches the server hostname.Jan Cholasta2011-09-141-0/+5
| | | | ticket 1717
* Add ipa-adtrust-install utilitySumit Bose2011-09-143-1/+284
| | | | https://fedorahosted.org/freeipa/ticket/1619
* Improved handling for ipa-pki-proxy.confRob Crittenden2011-09-131-0/+5
| | | | | | | | | - Remove ipa-pki-proxy.conf when IPA is uninstalled - Move file removal to httpinstance.py and use remove_file() - Add a version stanza - Create the file if it doesn't exist on upgraded installs https://fedorahosted.org/freeipa/ticket/1771
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-123-28/+159
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Introduce platform-specific adaptation for services used by FreeIPA.Alexander Bokovoy2011-09-131-48/+20
| | | | | | | | | Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration. A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in packaging process. https://fedorahosted.org/freeipa/ticket/1605
* Convert server install code to platform-independent access to system servicesAlexander Bokovoy2011-09-138-57/+42
| | | | https://fedorahosted.org/freeipa/ticket/1605
* Fix configure.jar permissionsMartin Kosek2011-09-071-1/+1
| | | | | | Remove executable bit added by /usr/bin/signtool https://fedorahosted.org/freeipa/ticket/1644
* Fix permissions in installersMartin Kosek2011-09-073-13/+24
| | | | | | | | Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
* install: We do not need a kpasswd keytab anymoreSimo Sorce2011-08-311-14/+0
| | | | | | We now use MIT's kadmin instead of our old ipa_kpasswd daemon. kadmind knows how to fetch the keys directly from the database and doesn't need a keytab on the filesystem.
* install: We do not need a ldap password anymoreSimo Sorce2011-08-311-8/+2
| | | | | | | Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't need a bind password anymore. Fixes: https://fedorahosted.org/freeipa/ticket/1743
* Use the IPA server cert profile in the installer.Rob Crittenden2011-08-301-1/+1
| | | | | | We were still using the caRAserverCert profile during installation. https://fedorahosted.org/freeipa/ticket/1744
* Let Bind track data changesMartin Kosek2011-08-311-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-311-0/+9
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* Add common is_installed() fn, better uninstall logging, check for errors.Rob Crittenden2011-08-292-40/+69
| | | | | | | | | | | | | | The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
* enable proxy for dogtagAdam Young2011-08-294-5/+19
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Remove 389-ds upgrade state during uninstallRob Crittenden2011-08-251-0/+6
| | | | | | | | | | | | | When we perform an upgrade 389-ds is set to listen only on its ldapi port. Theoretically it should be restored to the previous state regardless of whether the upgrades were successful or not. To be sure that a subsequent re-install will be successful go ahead and remove the state for these options. Think of it as wearing a belt and suspenders. Otherwise a re-install could return an error message that IPA is already configured. https://fedorahosted.org/freeipa/ticket/1667
* Remove more 389-ds files/directories on uninstallation.Rob Crittenden2011-08-251-0/+17
| | | | | | | We were orphaning a few files/directories when uninstalling 389-instances both for IPA and dogtag. This should remove everything but the logs. ticket https://fedorahosted.org/freeipa/ticket/1700
* v3-schema: Add new ipaExternalGroup objectclassSimo Sorce2011-08-261-0/+1
| | | | | | | | This construct allows to have a group of ipaExternalMember attributes, that can be nested in a normal ipa Group ('memberOf' is allowed). It cannot contain normal ipa users/groups and cannot be nested with another group of the same type ('member' is not allowed).
generated by cgit (git 2.34.1) at 2024-06-20 10:07:31 +0000