summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Add code to handle stash files using keytab formatNalin Dahyabhai2009-11-241-3/+59
| | | | | | | | | | | | | In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Cache installer questions for the 2-step process of an externally-signed CARob Crittenden2009-11-181-1/+2
| | | | | | | | Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
* Fix SASL mappingsSimo Sorce2009-11-181-2/+2
|
* ipa-server-install now renders UI assetsJason Gerard DeRose2009-11-041-4/+5
|
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add mod_python adapter and some UI tuningJason Gerard DeRose2009-10-273-17/+175
|
* Remove a bunch of unused imports, general cleanupRob Crittenden2009-10-251-13/+4
|
* First pass at enforcing certificates be requested from same hostRob Crittenden2009-10-212-2/+3
| | | | | | | | | | | | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Fixed compatability break in rpcserver.pyJason Gerard DeRose2009-10-171-2/+2
|
* Add a sleep() prior to calling tasks to ensure postop writes are doneRob Crittenden2009-10-161-0/+3
| | | | | | We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding memberOf in a postop while another was trying to create an index and this was causing a PRLock deadlock.
* Be more forgiving when trying to replace older DS schema.Rob Crittenden2009-10-161-4/+8
| | | | | | | We have to replace 05rfc2247.ldif because it contains some conflicting attributes with DNS in some older versions of 389-DS/RHDS. This fails on some newer versions of 389-DS/RHDS so this lets it continue installing if the new file is not needed.
* Fixed 'import json' for simplejson compatabilityJason Gerard DeRose2009-10-161-1/+1
|
* parse_qs is in cgi on Python < 2.6, use that insteadRob Crittenden2009-10-161-1/+1
| | | | | Python 2.6's cgi module calls the parse_qs in urlparse for backwards compatibility
* Fixed try/except/finally for Python 2.4 compatabilityJason Gerard DeRose2009-10-151-19/+20
|
* Giant webui patch take 2Jason Gerard DeRose2009-10-132-3/+193
|
* Loosen the ACI for the KDC to allow adds/deletesRob Crittenden2009-10-051-3/+1
| | | | | | | | Password policy entries must be a child of the entry protected by this ACI. Also change the format of this because in DS it was stored as: \n(target)\n so was base64-encoded when it was retrieved.
* Robustness fix for updater, in case updates['updates'] is not set yet.Rob Crittenden2009-10-051-1/+1
|
* Let the updater delete entries and add small test harnessRob Crittenden2009-10-051-6/+49
| | | | | | | | In order to run the tests you must put your DM password into ~/.ipa/.dmpw Some tests are expected to generate errors. Don't let any ERROR messages from the updater fool you, watch the pass/fail of the nosetests.
* Add option to not normalize a DN when adding/updating a record.Rob Crittenden2009-10-051-4/+6
| | | | | The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements so we can't normalize it.
* Fix aci plugin, enhance aci parsing capabilities, add user group supportRob Crittenden2009-09-281-1/+3
| | | | | | | | | | | | - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
* Only initialize the API once in the installerRob Crittenden2009-09-282-11/+20
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Enrollment for a host in an IPA domainRob Crittenden2009-09-243-1/+165
| | | | | | | | | | | | This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Use the same variable name in the response as the dogtag pluginRob Crittenden2009-09-241-1/+1
|
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-157-192/+652
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Raise more specific error when an Objectclass Violation occurs Fix the ↵Rob Crittenden2009-09-141-0/+2
| | | | virtual plugin to work with the new backend
* Remove deprecated comment on plugin naming conventionsRob Crittenden2009-09-141-3/+0
|
* Make ldap2.add_entry proof to None values, because python-ldap hate'em.Pavel Zuna2009-09-081-0/+4
|
* Add A and PTR records of ourselves during installationMartin Nagy2009-09-021-3/+16
| | | | | | | If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively.
* Use DNS forwarders in /etc/named.confMartin Nagy2009-09-021-1/+12
| | | | | | | | | This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line.
* Introduce a list of attributes for which only MOD_REPLACE operations are ↵Pavel Zuna2009-08-281-2/+10
| | | | generated.
* Add the CA constraint to the self-signed CA we generateRob Crittenden2009-08-271-8/+19
| | | | 514027
* Add option to the installer for uid/gid starting numbers.Rob Crittenden2009-08-271-2/+5
| | | | | | | | | | | | This also adds a new option to the template system. If you include eval(string) in a file that goes through the templater then the string in the eval will be evaluated by the Python interpreter. This is used so one can do $UIDSTART+1. If any errors occur during the evaluation the original string is is returned, eval() and all so it is up to the developer to make sure the evaluation passes. The default value for uid and gid is now a random value between 1,000,000 and (2^31 - 1,000,000)
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-272-20/+15
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Generate CRLs and make them available from the IPA web serverRob Crittenden2009-08-261-0/+46
|
* Clean up additional issues discovered with pylint and pycheckerRob Crittenden2009-08-201-1/+1
|
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-1211-81/+59
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Fix bug in _get_syntax (it was always returning None).Pavel Zuna2009-08-031-15/+7
| | | | Also prevent a few cases of double processing of arguments.
* Fixed whitespace indentation error in certs.pyJason Gerard DeRose2009-07-271-34/+34
|
* Identify CAs to trust from an imported PKCS#12 fileRob Crittenden2009-07-272-14/+45
| | | | | | | | | | We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
* Fix deprecation warning for the sha library on Python 2.6Rob Crittenden2009-07-231-2/+8
| | | | | | | | | | sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so this will use hashlib if available but fall back onto sha if not. Fortunately they use the same API for the function we need. 509042 Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
* No need to trust NSS built-in CA's, more specific regex for finding CA nicknameRob Crittenden2009-07-231-4/+16
| | | | | | | | | | - Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
* Make --setup-dns work on replica installationMartin Nagy2009-07-221-4/+34
| | | | | | | The ipa-replica-install script will setup the DNS if user specifies the --setup-dns option. It will only add the zone into LDAP if the cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add the records.
* Add a reverse zone with server's PTR recordMartin Nagy2009-07-221-5/+17
| | | | Also, small cosmetic change in dns.ldif.
* Allow replicas of an IPA server using an internal dogtag server as the CARob Crittenden2009-07-154-93/+201
| | | | | | | | This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
* Basic changes to get a default principal for DNSSimo Sorce2009-07-102-1/+61
| | | | | | | | Also moves delagation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance. Signed-off-by: Martin Nagy <mnagy@redhat.com>
* Import explode_dn from ldap.functions for backward compatibility with older ↵Pavel Zuna2009-07-081-2/+4
| | | | | | version of python-ldap. Fix bug in add_entry_to_group. Resolves 510149
generated by cgit (git 2.34.1) at 2024-11-19 04:52:31 +0000