summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Get rid of ipapython.config in ipa-replica-prepareMartin Nagy2010-02-091-25/+27
| | | | | | | | | | Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
* Move the HTTP/S request code to a common libraryRob Crittenden2010-02-092-92/+20
| | | | | | | | This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
* fix error message to be i18n translator friendlyJohn Dennis2010-02-031-1/+2
| | | | | | | | This error message was producing a warning from xgettext because there were multiple substations in the string. In some languages it may be necessary to reorder the substitutions for a proper translation, this is only possible if the substitutions use named values.
* Be more careful when base64-decoding certificatesRob Crittenden2010-02-023-10/+6
| | | | | Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
* Remove (un)wrap_binary_data cruft from */ipautil.pyJohn Dennis2010-01-281-62/+0
| | | | | | | | Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(), wrap_binary_data(), unwrap_binary_data() from both instances of ipautil.py. This code is no longer in use and the SAFE_STRING_PATTERN regular expression string was causing xgettext to abort because it wasn't a valid ASCII string.
* Update dogtag configuration to work after CVE-2009-3555 changesRob Crittenden2010-01-273-6/+18
| | | | | | | | NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
* Fix schema loading in the ldap backend.Pavel Zuna2010-01-271-1/+4
|
* Enabled CRUDS in webUI using wehjit 0.2.0Jason Gerard DeRose2010-01-261-0/+1
|
* Set BIND to use ldapi and use fake mnameMartin Nagy2010-01-211-0/+2
| | | | | | The fake_mname for now doesn't exists but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Move some functions from ipa-server-install into installutilsMartin Nagy2010-01-211-0/+53
| | | | | We will need these functions in the new upcoming ipa-dns-install command.
* Allow a custom file mode when setting up debuggingMartin Nagy2010-01-211-2/+2
| | | | | | This will be handy in the future if we will want to install or uninstall only single IPA components and want to append to the installation logs. This will be used by the upcoming ipa-dns-install script.
* Only add an NTP SRV record if we really are setting up NTPMartin Nagy2010-01-211-3/+12
| | | | | | | The sample bind zone file that is generated if we don't use --setup-dns is also changed. Fixes #500238
* Use the dns plug-in for addition of records during installationMartin Nagy2010-01-211-33/+82
| | | | Fixes #528943
* User-defined certificate subjectsRob Crittenden2010-01-206-27/+83
| | | | | | | | | | | | | | | Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Create pkiuser before calling pkicreate, pkicreate depends on the user existingJohn Dennis2010-01-201-1/+1
|
* Allow cospriority to be updated and fix description of priority orderingRob Crittenden2010-01-191-9/+13
| | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work.
* Improve modlist generation in ldap2. Some code cleanup as bonus.Pavel Zuna2010-01-111-65/+89
| | | | | | | | ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. MOD_REPLACE is always used for single value attributes and never for multi value.
* Missed explicit reference to pki-ca, replace with self.service_nameRob Crittenden2010-01-111-2/+2
|
* Use the caIPAserviceCert profile for issuing service certs.Rob Crittenden2010-01-081-1/+1
| | | | | | | | | | | This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration.
* Change the service name to reflect changes in pki-ca (now pki-cad).Rob Crittenden2010-01-071-3/+3
| | | | | | Also properly use the instance name where appropriate. There were a couple of places where the service name was used and this worked because they were the same.
* Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed ↵Jason Gerard DeRose2009-12-181-1/+1
| | | | 'existant' mispelling
* Make hosts more like real services so we can issue certs for host principalsRob Crittenden2009-12-162-5/+9
| | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Remove some left-over debugging statementsRob Crittenden2009-12-161-3/+0
|
* Make the IPA server host and its services "real" IPA entriesRob Crittenden2009-12-118-20/+134
| | | | | | | | | | | We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-102-1/+7
| | | | output_for_cli(); enable more webUI stuff
* rebase dogtag clean-up patchJohn Dennis2009-12-092-210/+1643
|
* Bump the installation version number to V2.0Rob Crittenden2009-12-031-1/+1
|
* Ask the user before overwriting /etc/named.confMartin Nagy2009-12-021-1/+9
|
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.Rob Crittenden2009-11-301-5/+14
| | | | | | | | | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
* Add option to have ipautil.run() not raise an exceptionRob Crittenden2009-11-305-14/+14
| | | | | | | There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
* Add SELinux policy for CRL file publishing.Rob Crittenden2009-11-261-0/+26
| | | | | | | | | | This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer
* Point to correct location of self-signed CA and set pw on 389-DS cert dbRob Crittenden2009-11-251-1/+1
| | | | | | | | The CA was moved from residing in the DS NSS database into the Apache database to support a self-signed CA certificate plugin. This was not updated in the installer boilerplate. The DS db wasn't getting a password set on it. Go ahead and set one.
* Add code to handle stash files using keytab formatNalin Dahyabhai2009-11-241-3/+59
| | | | | | | | | | | | | In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Cache installer questions for the 2-step process of an externally-signed CARob Crittenden2009-11-181-1/+2
| | | | | | | | Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
* Fix SASL mappingsSimo Sorce2009-11-181-2/+2
|
* ipa-server-install now renders UI assetsJason Gerard DeRose2009-11-041-4/+5
|
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Add mod_python adapter and some UI tuningJason Gerard DeRose2009-10-273-17/+175
|
* Remove a bunch of unused imports, general cleanupRob Crittenden2009-10-251-13/+4
|
* First pass at enforcing certificates be requested from same hostRob Crittenden2009-10-212-2/+3
| | | | | | | | | | | | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Fixed compatability break in rpcserver.pyJason Gerard DeRose2009-10-171-2/+2
|
* Add a sleep() prior to calling tasks to ensure postop writes are doneRob Crittenden2009-10-161-0/+3
| | | | | | We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding memberOf in a postop while another was trying to create an index and this was causing a PRLock deadlock.
* Be more forgiving when trying to replace older DS schema.Rob Crittenden2009-10-161-4/+8
| | | | | | | We have to replace 05rfc2247.ldif because it contains some conflicting attributes with DNS in some older versions of 389-DS/RHDS. This fails on some newer versions of 389-DS/RHDS so this lets it continue installing if the new file is not needed.
* Fixed 'import json' for simplejson compatabilityJason Gerard DeRose2009-10-161-1/+1
|
* parse_qs is in cgi on Python < 2.6, use that insteadRob Crittenden2009-10-161-1/+1
| | | | | Python 2.6's cgi module calls the parse_qs in urlparse for backwards compatibility
generated by cgit (git 2.34.1) at 2024-05-17 15:10:04 +0000