summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Convert Bool to TRUE/FALSE when working with LDAP backend ↵Alexander Bokovoy2011-06-271-2/+5
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1259 According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE. This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values and enforces TRUE or FALSE string for account locking.
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-234-2/+170
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
* Let the framework be able to override the hostname.Rob Crittenden2011-06-232-15/+18
| | | | | | | | | | | | | | | | | | The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Add backslash escape support for cvs readerJohn Dennis2011-06-221-1/+2
|
* Fix IPA install for secure umaskMartin Kosek2011-06-211-16/+23
| | | | | | | | Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-215-28/+23
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* DNS installation fails when domain and host domain mismatchMartin Kosek2011-06-191-0/+9
| | | | | | | | Create DNS domain for IPA server hostname first so that it's forward record can be added. This results in 2 forward DNS zones created when server hostname doesn't equal server domain. https://fedorahosted.org/freeipa/ticket/1194
* Don't let a JSON error get lost in cascading errors.Rob Crittenden2011-06-151-5/+6
| | | | | | | If a JSON decoding error was found we were still trying to call the XML-RPC function, losing the original error. https://fedorahosted.org/freeipa/ticket/1322
* Improve DNS zone creationMartin Kosek2011-06-151-16/+51
| | | | | | | | | | | | | | | When a new DNS zone is being created a local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server. Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone. https://fedorahosted.org/freeipa/ticket/1261
* Select a server with a CA on it when submitting signing requests.Nalin Dahyabhai2011-06-141-3/+65
| | | | | | | | | | | When the RA is about to submit a signing request to a CA, check if the ca_host is actually a CA. If it isn't, and it isn't the local host, check if the local host is a CA. If that doesn't work, try to select a CA host at random. If there aren't any, just give up and pretend the ca_host is a CA so that we can fail to connect to it, as we would have before. Ticket #1252.
* Fix indirect member calculationRob Crittenden2011-06-141-9/+16
| | | | | | | | | | | | | | | | | Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users and looping on circular membership. ticket https://fedorahosted.org/freeipa/ticket/1273
* Fix directory manager password validation in ipa-nis-manage.Jan Cholasta2011-06-131-1/+5
| | | | ticket 1283, 1284
* Support initializing memberof during replication re-init using GSSAPIRob Crittenden2011-06-131-1/+4
| | | | | | | | | | | | | The last step of a replication re-initiailization is to run the memberof task. The current function would only authenticate using simple auth to monitor the task but we may be doing this using admin GSSAPI credentials so support that type of bind as well. In short this fixes: # kinit admin # ipa-replica-manage re-initialize --from=master.example.com https://fedorahosted.org/freeipa/ticket/1248
* Remove root autobind search restriction, fix upgrade logging & error handling.Rob Crittenden2011-06-132-25/+21
| | | | | | | | | | | | | | | There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254
* Handle LDAP search referencesMartin Kosek2011-06-101-2/+5
| | | | | | | | | | | | | LDAP search operation may return a search reference pointing to an LDAP resource. As the framework does not handle search references, skip these results to prevent result processing failures. Migrate operation crashed when the migrated DS contained search references. Now, it correctly skips these records and prints the failed references to user. https://fedorahosted.org/freeipa/ticket/1209
* IPA installation with --no-host-dns failsMartin Kosek2011-06-101-18/+19
| | | | | | | | | | | | --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
* Fix external CA installationRob Crittenden2011-06-091-4/+5
| | | | | | | | When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry. https://fedorahosted.org/freeipa/ticket/1245
* Honor netmask in DNS reverse zone setup.Jan Cholasta2011-05-301-18/+34
| | | | ticket 910
* Parse netmasks in IP addresses passed to server install.Jan Cholasta2011-05-301-21/+18
| | | | ticket 1212
* Do a lazy retrieval of the LDAP schema rather than at module load.Rob Crittenden2011-05-301-18/+25
| | | | | | | | | | Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process. ticket 583
* Fix reverse zone creation in ipa-replica-prepareMartin Kosek2011-05-272-3/+19
| | | | | | | | | When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
* Configure Managed Entries on replicas.Rob Crittenden2011-05-251-0/+2
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* Enable 389-ds SSL host checking by defauiltRob Crittenden2011-05-202-8/+52
| | | | | | | | | | | | | Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* Test for forwarded Kerberos credentials cache in wsgi code.Rob Crittenden2011-05-181-1/+3
| | | | | | | | | We should more gracefully handle if the TGT has not been forwarded than returning a 500 error. Also catch and display KerberosErrors from ping() in the client better. ticket 1101
* Return copy of config from ipa_get_config()Jr Aquino2011-05-131-2/+2
| | | | | | | | | It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing a cascading exec failures if any one of the batch executions failed. https://fedorahosted.org/freeipa/ticket/1220
* Improve service manipulation in client installMartin Kosek2011-05-131-18/+12
| | | | | | | | Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging. https://fedorahosted.org/freeipa/ticket/1207
* Let selinux-policy handle port 7390Martin Kosek2011-05-111-18/+0
| | | | | | | | Since selinux-policy-3.9.16-5.fc15 is out, the dogtag port 7390 is handled via selinux-policy and there is no need to manage it in FreeIPA installer. https://fedorahosted.org/freeipa/ticket/1205
* install-scripts: avoid using --list with chkconfigSimo Sorce2011-05-061-18/+2
| | | | | | | | | | | | | This option does not behave properly in F15 as chkconfig does not list services moved to use systemd service files. Plus there are more direct ways than parsing its output, which are more reliable. Also just testing for the availability of the service calling 'chkconfig name' is enough. https://fedorahosted.org/freeipa/ticket/1206
* NS records not updated by replicaMartin Kosek2011-05-031-1/+8
| | | | | | | | | | | When replica with DNS is installed, NS records for the managed zone are not updated with the replica FQDN. The administrator then has to do it manually to enroll the new DNS server to the zone. This patch also removes the newly created NS records when the replica is removed via ipa-replica-manage command. https://fedorahosted.org/freeipa/ticket/1034
* LDAP Updater may crash IPA installerMartin Kosek2011-05-021-1/+1
| | | | | | | Fix a logging error in ipa-ldap-updater which may cause IPA installer to crash. https://fedorahosted.org/freeipa/ticket/1199
* Handle principal not found errors when converting replication a greementsRob Crittenden2011-04-281-0/+7
| | | | | | | | | | | There are times where one side or the other is missing its peers krbprincipalname when converting from simple to GSSAPI replication. Ticket 1188 should address the cause of this. This patch provides better information and handling should either side be missing. ticket 1044
* Improve Directory Service open port checkerMartin Kosek2011-04-282-6/+17
| | | | | | | | Wait for DS ports to open after _every_ DS service restart. Several restarts were missed by the current open port checker implementation. https://fedorahosted.org/freeipa/ticket/1182
* Optimize and dynamically verify group membershipJr Aquino2011-04-221-52/+42
| | | | | | | | | | | Rather than doing full searches for members read each member individually to determine if it is direct or indirect. Also add a fail-safe when calculating indirect membership so removing a member will log enough information for debugging (ticket 1133). https://fedorahosted.org/freeipa/ticket/1139 https://fedorahosted.org/freeipa/ticket/1133
* Wait for memberof task and DS to start before proceeding in installation.Rob Crittenden2011-04-223-0/+32
| | | | | | | | | | | | | This was causing a replica DS instance to crash if the task was not completed when we attempted a shutdown to do a restart. In replication.py we were restarting the DS instance without waiting for the ports to become available. It is unlikely that the dn of the memberof task will change but just in case I noted it in the two places it is referenced. ticket 1188
* Fix uninitialized attributes.Jan Cholasta2011-04-212-0/+5
|
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-151-1/+9
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Fix lint false positives.Jan Cholasta2011-04-131-2/+2
|
* Fix traceback in ipa-nis-manage.Rob Crittenden2011-04-111-28/+32
| | | | | | | | | | | | | | | | | The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message. This also gives priority to the DM password if it is passed in. Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root. Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade. Ticket 1157
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-052-5/+11
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Cache the value of get_ipa_config() in the request context.Rob Crittenden2011-03-311-0/+7
| | | | | | | | There are some operations that fetch the configuration multiple times. This will return a cached value instead of getting it from LDAP over and over. ticket 1023
* Escape LDAP characters in member and memberof searchesJr Aquino2011-03-311-2/+4
| | | | https://fedorahosted.org/freeipa/ticket/1140
* Fix wording of error message.Jan Cholasta2011-03-291-1/+1
| | | | ticket 1009
* Wait for Directory Server ports to openMartin Kosek2011-03-213-12/+34
| | | | | | | | | | | When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart. https://fedorahosted.org/freeipa/ticket/1076
* Automatically update IPA LDAP on rpm upgradesRob Crittenden2011-03-212-21/+53
| | | | | | | | | | | | | | | Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087
* Ensure that the system hostname is lower-case.Rob Crittenden2011-03-181-0/+3
| | | | ticket 1080
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.Rob Crittenden2011-03-154-15/+79
| | | | | | | | | | | | | | | | This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
* Domain to RealmSimo Sorce2011-03-141-10/+15
| | | | | | | | Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same. https://bugzilla.redhat.com/show_bug.cgi?id=684690 https://fedorahosted.org/freeipa/ticket/1091
* Use TLS for dogtag replication agreements.Rob Crittenden2011-03-101-4/+52
| | | | | | | | Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
* ipa-dns-install script failsMartin Kosek2011-03-081-1/+1
| | | | | | | This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time. https://fedorahosted.org/freeipa/ticket/1065
* Use ldapi: instead of unsecured ldap: in ipa core tools.Pavel Zuna2011-03-031-15/+30
| | | | | | The patch also corrects exception handling in some of the tools. Fix #874
generated by cgit (git 2.34.1) at 2024-05-03 22:32:37 +0000