summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add pdb options to make-test to pass onto nosetestsRob Crittenden2009-12-111-0/+14
|
* This plugin was replaced by the aci pluginRob Crittenden2009-12-111-93/+0
|
* Add force option to ipa-replica-manage to allow forcing deletion of a replicaRob Crittenden2009-12-111-5/+13
| | | | | | If a replica is not up for some reason (e.g. you've already deleted it) this used to quit and not let you delete the replica, generating errors in the DS logs. This will let you force a deletion.
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-1044-1035/+2962
| | | | output_for_cli(); enable more webUI stuff
* Pass on debug option from ipa-client-install to ipa-joinRob Crittenden2009-12-091-0/+2
|
* rebase dogtag clean-up patchJohn Dennis2009-12-096-292/+1742
|
* A utility for removing principals from a keytab.Rob Crittenden2009-12-045-0/+324
| | | | | | | | | | | | When we un-enroll a client we'll do a bit of cleanup including removing any principals for the IPA realm from /etc/krb5.keytab. This removes principals in 2 ways: - By principal, only entries matching the full principal are removed - By realm. Any principal for that realm is removed This does not change the KDC at all, just removes entries from a file on the client machine.
* Bump the installation version number to V2.0Rob Crittenden2009-12-031-1/+1
|
* Add minimal test for the cert pluginRob Crittenden2009-12-031-0/+104
| | | | | | | This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
* Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any typeRob Crittenden2009-12-021-1/+5
|
* Add idnsUpdatePolicy into the dns plug-inMartin Nagy2009-12-021-1/+5
| | | | | | The idnsUpdatePolicy takes a list of BIND dynamic update policies, each of which must be terminated by ";". Also fix a minor error in the documentation string.
* Ask the user before overwriting /etc/named.confMartin Nagy2009-12-023-9/+13
|
* Remove unnecessary "error: " prefixesMartin Nagy2009-12-022-6/+6
| | | | | The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good.
* Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it.Pavel Zuna2009-12-021-30/+1
|
* Add NotImplementedError type so CA plugins can return client-friendly errorsRob Crittenden2009-12-012-3/+18
| | | | | | | | Ignore NotImplementedError when revoking a certificate as this isn't implemented in the selfsign plugin. Also use the new type argument in x509.load_certificate(). Certificates are coming out of LDAP as binary instead of base64-encoding.
* Add type argument to x509.load_certificate() so it can handle binary certsRob Crittenden2009-12-011-9/+12
|
* Better LDAP error handling in ipa-client-installRob Crittenden2009-12-011-9/+5
|
* Replace /etc/ipa/ipa.conf with /etc/ipa/default.confRob Crittenden2009-12-017-37/+24
| | | | | | | The new framework uses default.conf instead of ipa.conf. This is useful also because Apache uses a configuration file named ipa.conf. This wipes out the last vestiges of the old ipa.conf from v1.
* Add ipaUserGroup objectClass to default groups where missing.Pavel Zuna2009-12-011-0/+2
|
* Rename GeneralizedTime to AccessTime.Pavel Zuna2009-12-013-8/+8
|
* Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue.Pavel Zuna2009-12-012-17/+108
|
* Add server option to ipa-join so the IPA server can be specified.Rob Crittenden2009-11-302-5/+9
| | | | | | | This is needed because in the client installer we actually perform the join before creating the configuration files that join uses. All we need is the IPA server to join to and we have that from the CLI options so use that.
* Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.Rob Crittenden2009-11-3011-32/+983
| | | | | | | | | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
* Add option to have ipautil.run() not raise an exceptionRob Crittenden2009-11-306-17/+17
| | | | | | | There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
* Fix boolean attributes in DNS plugin.Pavel Zuna2009-11-301-3/+9
| | | | | Sometimes they worked fine and sometimes DS rejected them as invalid.
* Fix Bool parameter type. It was impossible to set it to FALSE.Pavel Zuna2009-11-302-3/+5
|
* Fix takes_options in automount plugin.Pavel Zuna2009-11-301-1/+1
|
* Print only one line of docstrings in command listings.Pavel Zuna2009-11-301-4/+3
| | | | Full docstring is shown on `ipa help COMMAND`.
* Add SELinux policy for CRL file publishing.Rob Crittenden2009-11-265-1/+59
| | | | | | | | | | This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer
* Point to correct location of self-signed CA and set pw on 389-DS cert dbRob Crittenden2009-11-252-3/+3
| | | | | | | | The CA was moved from residing in the DS NSS database into the Apache database to support a self-signed CA certificate plugin. This was not updated in the installer boilerplate. The DS db wasn't getting a password set on it. Go ahead and set one.
* Use correct attribute for hosts.Rob Crittenden2009-11-251-1/+1
|
* Fix two bugs: one in parsing the ACI and one in comparing two ACIsRob Crittenden2009-11-251-4/+4
| | | | | | | | | | The parsing bug was looking for the string 'version' expecting to find the ACI version. This blew up with the attribute nsosversion. Use the string 'version 3.0' instead. The comparison bug appeared if neither ACI had a targetattr attribute. It was trying to create a set out of a None which is illegal. If an ACI doesn't have any targetattrs then return () instead.
* Integrate ipa-join and ipa-rmkeytab into the client install/uninstallRob Crittenden2009-11-251-110/+209
| | | | This will fetch a keytab on installation and remove it upon uninstallation.
* Bash tab completion scriptRob Crittenden2009-11-252-0/+43
|
* Add code to handle stash files using keytab formatNalin Dahyabhai2009-11-241-3/+59
| | | | | | | | | | | | | In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
* Reading INT parameter class should respect radix prefixJohn Dennis2009-11-232-0/+56
| | | | | | | | | | This modifies the original patch by including a unit test, handling floats when passed as unicode, and handling large magnitude values beyond maxint. The INT parameter class was not respecting any radix prefix (e.g. 0x) the user may have supplied. This patch implements _convert_scalar method for the Int class so that we can pass the special radix base of zero to the int constructor telling it to determine the radix from the prefix (if present).
* Require current versions of python-nss & python-lxmlJohn Dennis2009-11-232-2/+3
| | | | | | ipa.spec.in | 3 ++- ipapython/nsslib.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)
* along with stdout, stderr also log the initial commandJohn Dennis2009-11-231-2/+3
| | | | | | | | | | | | Signed-off-by: John Dennis <jdennis@redhat.com> along with stdout,stderr also log the initial command This implements better logging of external commands. Formerly we were just outputting stdout and stderr without labeling which was which. We also omitted the initial command and it's arguments. This made it difficult when reviewing the logs to know what the command was and what was stdout vs. stderr. This patch fixes that.
* If plugin fails to load log the tracebackJohn Dennis2009-11-231-1/+2
| | | | | | | | | | Signed-off-by: John Dennis <jdennis@redhat.com> If plugin fails to load log the traceback If a plugin fails to load due to some kind of error it would be nice if the error log contained the traceback so you can examine what went wrong rather than being left blind as to why it failed to load.
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* add new error class for certificate operationsJohn Dennis2009-11-191-1/+28
| | | | add new error class for certificate operations
* error strings in documentation were missing unicode specifierJohn Dennis2009-11-191-3/+3
| | | | error strings in documentation were missing unicode specifier
* respect debug arg during server installJohn Dennis2009-11-191-0/+1
| | | | | The debug flag (e.g. -d) was not being respected during server install. This patch corrects that.
* Provide additional help to --help optionRob Crittenden2009-11-191-0/+7
|
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Clean up some return valuesRob Crittenden2009-11-191-12/+20
| | | | | | | Because ipa-join calls ipa-getkeytab I'd like to keep the return values in sync. ipa-join returns the value returned by ipa-getkeytab so in order to tell what failed the return values need to mean the same things and not overlap.
* Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled).Pavel Zuna2009-11-181-4/+4
|
* Remove 'ipaObject' objectClass from rolegroups and taskgroups.Pavel Zuna2009-11-182-4/+2
|
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Cache installer questions for the 2-step process of an externally-signed CARob Crittenden2009-11-182-7/+64
| | | | | | | | Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
generated by cgit (git 2.34.1) at 2024-11-12 11:56:00 +0000