path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Log each command in a batch separately.Rob Crittenden2011-08-191-1/+6
| | | | | | | This also fixes command logging in general, it wasn't working in most cases as a regression in ticket 1322.
* Add option to install without the automatic redirect to the Web UI.Jan Cholasta2011-08-181-2/+2
| | | | ticket 1570
* Make sure messagebus is running prior to starting certmonger.Jan Cholasta2011-08-181-0/+2
| | | | ticket 1580
* Fix idnsUpdatePolicy for reverse zone recordMartin Kosek2011-08-091-1/+2
| | | | | | | Make sure that idnsUpdatePolicy for reverse zone does not contain double trailing "dot" after server installation.
* Re-arrange CA configuration code to reduce the number of restarts.Rob Crittenden2011-08-032-35/+18
| | | | | | | | Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.
* Clean up existing DN object usageJohn Dennis2011-07-294-21/+16
* Make sure that hostname specified by user is not an IP address.Jan Cholasta2011-07-251-0/+3
| | | | ticket 1375
* Remove wrong kpasswd sysconfigJakub Hrozek2011-07-211-3/+0
* Clean up of IP address checks in install scripts.Jan Cholasta2011-07-191-11/+2
| | | | | | Fixes ipa-dns-install incorrect warning. ticket 1486
* 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate ↵Jr Aquino2011-07-191-2/+1
| | | |
* Specify the package name when the replication plugin is missing.Rob Crittenden2011-07-181-1/+2
| | | | ticket
* Generate a database password by default in all cases.Rob Crittenden2011-07-172-2/+2
| | | | | | | | | | | If the password passed in when creating a NSS certificate database is None then a random password is generated. If it is empty ('') then an empty password is set. Because of this the HTTP instance on replicas were created with an empty password.
* Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RARob Crittenden2011-07-171-2/+2
| | | | | | | | | | The old nickname was 'RA Subsystem' and this may confuse some users with the dogtag RA subsystem which we do not use. This will only affect new installs. Existing installations will continue to work fine.
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-172-29/+67
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error).
* Use information from the certificate subject when setting the NSS nickname.Rob Crittenden2011-07-172-12/+30
| | | | | | | | | | | There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname.
* Check IPA configuration in install toolsMartin Kosek2011-07-181-2/+17
| | | | | | | | | Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools.
* Fix self-signed replica installationMartin Kosek2011-07-141-2/+2
| | | | | | | | | When a replica for self-signed server is being installed, the installer crashes with "Not a dogtag CA installation". Make sure that installation is handled correctly for both dogtag and self-signed replicas.
* Fix creation of reverse DNS zones.Jan Cholasta2011-07-151-47/+79
| | | | | | | | | | | | | Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
* Disallow direct modifications to enrolledBy.Rob Crittenden2011-07-141-2/+2
| | | | | | | | | | This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis.
* Remove sensitive information from logsMartin Kosek2011-07-131-3/+4
| | | | | | | | When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.
* Filter reverse zones in dnszone-findMartin Kosek2011-07-131-7/+28
| | | | | | | | | Implements a new option to filter out reverse zones. This patch also do some clean up in dns plugin - debug prints were accidentally left here in the last dns patch.
* Convert nsaccountlock to always work as bool towards Python codeAlexander Bokovoy2011-07-131-1/+1
| | | | | | | | Python code will see nsaccountlock as bool. JavaScript code will also see it as bool. This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
* find_entry_by_attr() should fail if multiple entries are foundRob Crittenden2011-07-111-1/+6
| | | | | | | | | | It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. &
* Convert Bool to TRUE/FALSE when working with LDAP backend ↵Alexander Bokovoy2011-06-271-2/+5
| | | | | | | | According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE. This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values and enforces TRUE or FALSE string for account locking.
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-234-2/+170
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication.
* Let the framework be able to override the hostname.Rob Crittenden2011-06-232-15/+18
| | | | | | | | | | | | | | | | | | The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Add backslash escape support for cvs readerJohn Dennis2011-06-221-1/+2
* Fix IPA install for secure umaskMartin Kosek2011-06-211-16/+23
| | | | | | | | Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation.
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-215-28/+23
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/ into ipalib/ This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* DNS installation fails when domain and host domain mismatchMartin Kosek2011-06-191-0/+9
| | | | | | | | Create DNS domain for IPA server hostname first so that it's forward record can be added. This results in 2 forward DNS zones created when server hostname doesn't equal server domain.
* Don't let a JSON error get lost in cascading errors.Rob Crittenden2011-06-151-5/+6
| | | | | | | If a JSON decoding error was found we were still trying to call the XML-RPC function, losing the original error.
* Improve DNS zone creationMartin Kosek2011-06-151-16/+51
| | | | | | | | | | | | | | | When a new DNS zone is being created a local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server. Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone.
* Select a server with a CA on it when submitting signing requests.Nalin Dahyabhai2011-06-141-3/+65
| | | | | | | | | | | When the RA is about to submit a signing request to a CA, check if the ca_host is actually a CA. If it isn't, and it isn't the local host, check if the local host is a CA. If that doesn't work, try to select a CA host at random. If there aren't any, just give up and pretend the ca_host is a CA so that we can fail to connect to it, as we would have before. Ticket #1252.
* Fix indirect member calculationRob Crittenden2011-06-141-9/+16
| | | | | | | | | | | | | | | | | Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users and looping on circular membership. ticket
* Fix directory manager password validation in ipa-nis-manage.Jan Cholasta2011-06-131-1/+5
| | | | ticket 1283, 1284
* Support initializing memberof during replication re-init using GSSAPIRob Crittenden2011-06-131-1/+4
| | | | | | | | | | | | | The last step of a replication re-initiailization is to run the memberof task. The current function would only authenticate using simple auth to monitor the task but we may be doing this using admin GSSAPI credentials so support that type of bind as well. In short this fixes: # kinit admin # ipa-replica-manage re-initialize
* Remove root autobind search restriction, fix upgrade logging & error handling.Rob Crittenden2011-06-132-25/+21
| | | | | | | | | | | | | | | There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state.
* Handle LDAP search referencesMartin Kosek2011-06-101-2/+5
| | | | | | | | | | | | | LDAP search operation may return a search reference pointing to an LDAP resource. As the framework does not handle search references, skip these results to prevent result processing failures. Migrate operation crashed when the migrated DS contained search references. Now, it correctly skips these records and prints the failed references to user.
* IPA installation with --no-host-dns failsMartin Kosek2011-06-101-18/+19
| | | | | | | | | | | | --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine.
* Fix external CA installationRob Crittenden2011-06-091-4/+5
| | | | | | | | When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry.
* Honor netmask in DNS reverse zone setup.Jan Cholasta2011-05-301-18/+34
| | | | ticket 910
* Parse netmasks in IP addresses passed to server install.Jan Cholasta2011-05-301-21/+18
| | | | ticket 1212
* Do a lazy retrieval of the LDAP schema rather than at module load.Rob Crittenden2011-05-301-18/+25
| | | | | | | | | | Attempt to retrieve the schema the first time it is needed rather than when Apache is started. A global copy is cached for future requests for performance reasons. The schema will be retrieved once per Apache child process. ticket 583
* Fix reverse zone creation in ipa-replica-prepareMartin Kosek2011-05-272-3/+19
| | | | | | | | | When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica.
* Configure Managed Entries on replicas.Rob Crittenden2011-05-251-0/+2
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* Enable 389-ds SSL host checking by defauiltRob Crittenden2011-05-202-8/+52
| | | | | | | | | | | | | Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* Test for forwarded Kerberos credentials cache in wsgi code.Rob Crittenden2011-05-181-1/+3
| | | | | | | | | We should more gracefully handle if the TGT has not been forwarded than returning a 500 error. Also catch and display KerberosErrors from ping() in the client better. ticket 1101
* Return copy of config from ipa_get_config()Jr Aquino2011-05-131-2/+2
| | | | | | | | | It was discovered that using the batch plugin it was possible to store duplicate data in parts of the ipa_config during iterations. This was causing a cascading exec failures if any one of the batch executions failed.
* Improve service manipulation in client installMartin Kosek2011-05-131-18/+12
| | | | | | | | Remove redundant ipa-client-install error message when optional nscd daemon was not installed. Additionally, use standard IPA functions for service manipulation and improve logging.
* Let selinux-policy handle port 7390Martin Kosek2011-05-111-18/+0
| | | | | | | | Since selinux-policy-3.9.16-5.fc15 is out, the dogtag port 7390 is handled via selinux-policy and there is no need to manage it in FreeIPA installer.