summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Replace a new instance of IPAdmin use in ipa-server-install.Pavel Zuna2010-04-271-8/+8
|
* Some more changes for DNS forwarders promptMartin Nagy2010-04-231-3/+3
|
* Add forgotten trailing dots in DNS recordsMartin Nagy2010-04-231-3/+3
| | | | 583023
* Delete old SRV records during uninstallationMartin Nagy2010-04-231-11/+68
|
* Use the certificate subject base in IPA when requesting certs in certmonger.Rob Crittenden2010-04-232-1/+5
| | | | | | | | | | | | | | | | | When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value. The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA. This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing. Note that this also fixes ipa-join to work with the new argument passing mechanism.
* Fix installing IPA with an external CARob Crittenden2010-04-231-1/+1
| | | | | | | | - cache all interactive answers - set non-interactive to True for the second run so nothing is asked - convert boolean values that are read in - require absolute paths for the external CA and signed cert files - fix the invocation message for the second ipa-server-install run
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts.Pavel Zuna2010-04-191-13/+9
|
* Use escapes in DNs instead of quoting.Rob Crittenden2010-04-192-1/+7
| | | | Based on initial patch from Pavel Zuna.
* Remove older MITM fixes to make compatible with dogtag 1.3.3Rob Crittenden2010-04-194-18/+8
| | | | | | | We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than using whether api.env.home is set use api.env.in_tree.
* Fix ipa-dns-install. It was failing when DNS was reinstalling.Pavel Zuna2010-04-191-1/+10
|
* Configure the CRL URI in dogtag.Rob Crittenden2010-04-161-1/+4
| | | | | | Also print out a restart message after applying the custom subject. It takes a while to restart dogtag and this lets the user know things are moving forward.
* Don't let failure to trust the CA abort the server installation.Rob Crittenden2010-04-071-2/+5
| | | | | | This error could result in things not working properly but it should be relatively easy to fix from the command-line. There is no point in not installing at all due to this.
* XML-RPC signature changeJason Gerard DeRose2010-03-301-4/+3
|
* Log some information on the result of a requestRob Crittenden2010-03-301-0/+2
|
* Use GSSAPI auth for the ipa-replica-manage list and del commands.Rob Crittenden2010-03-192-1/+21
| | | | | | | | | | | | This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
* Provide mechanism in ipautil.run() to not log all arguments.Rob Crittenden2010-03-191-1/+10
| | | | | | | This is primarily designed to not log passwords but it could have other uses. 567867
* Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12Rob Crittenden2010-03-191-0/+5
| | | | | pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.
* Retrieve the LDAP schema using kerberos credentials.Rob Crittenden2010-03-171-7/+38
| | | | This is required so we can disable anonymous access in 389-ds.
* Handle the case where the DS group exists but the user does notRob Crittenden2010-03-161-0/+9
| | | | | | | | If the group exists but the user doesn't then useradd blows up trying to create the user and group. So test to see if the group exists and if it does pass along the -g argument to useradd. Resolves #502960
* localize doc stringsJohn Dennis2010-03-083-6/+7
| | | | | | | | | | | | A number of doc strings were not localized, wrap them in _(). Some messages were not localized, wrap them in _() Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison. Also clean up imports of _() The import should come from ipalib or ipalib.text, not ugettext from request.
* Fix JSON binary encode and decode errorsJohn Dennis2010-03-041-2/+99
| | | | | | | | | Traverse the objects passed to JSON for encoding and decoding. When binary data is seen during encode replace the binary data with a dict {'__base64__' : base64_encoding_of_binary_value}. On decode if a dict is seen whose single key is '__base64__' replace that dict with the base64 decoded value of the key's value.
* Run ipaserver under mod_wsgiJason Gerard DeRose2010-03-011-206/+0
|
* Consolidate to single WSGI entry pointJason Gerard DeRose2010-03-013-39/+124
|
* Don't assume local directory is valid or writable.Rob Crittenden2010-02-191-1/+6
| | | | | | | | certutil writes to the local directory when issuing a certificate. Change to the security database directory when issuing the self-signed CA. Also handle the case where a user is in a non-existent directory when doing the install.
* Convert integer and boolean values to unicode, don't leave them as str.Pavel Zuna2010-02-171-2/+0
|
* Make the DNS forwarders interactive input less confusingMartin Nagy2010-02-161-13/+17
| | | | Fixes #558984
* Get rid of ipapython.config in ipa-replica-prepareMartin Nagy2010-02-091-25/+27
| | | | | | | | | | Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
* Move the HTTP/S request code to a common libraryRob Crittenden2010-02-092-92/+20
| | | | | | | | This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
* fix error message to be i18n translator friendlyJohn Dennis2010-02-031-1/+2
| | | | | | | | This error message was producing a warning from xgettext because there were multiple substations in the string. In some languages it may be necessary to reorder the substitutions for a proper translation, this is only possible if the substitutions use named values.
* Be more careful when base64-decoding certificatesRob Crittenden2010-02-023-10/+6
| | | | | Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
* Remove (un)wrap_binary_data cruft from */ipautil.pyJohn Dennis2010-01-281-62/+0
| | | | | | | | Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(), wrap_binary_data(), unwrap_binary_data() from both instances of ipautil.py. This code is no longer in use and the SAFE_STRING_PATTERN regular expression string was causing xgettext to abort because it wasn't a valid ASCII string.
* Update dogtag configuration to work after CVE-2009-3555 changesRob Crittenden2010-01-273-6/+18
| | | | | | | | NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
* Fix schema loading in the ldap backend.Pavel Zuna2010-01-271-1/+4
|
* Enabled CRUDS in webUI using wehjit 0.2.0Jason Gerard DeRose2010-01-261-0/+1
|
* Set BIND to use ldapi and use fake mnameMartin Nagy2010-01-211-0/+2
| | | | | | The fake_mname for now doesn't exists but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Move some functions from ipa-server-install into installutilsMartin Nagy2010-01-211-0/+53
| | | | | We will need these functions in the new upcoming ipa-dns-install command.
* Allow a custom file mode when setting up debuggingMartin Nagy2010-01-211-2/+2
| | | | | | This will be handy in the future if we will want to install or uninstall only single IPA components and want to append to the installation logs. This will be used by the upcoming ipa-dns-install script.
* Only add an NTP SRV record if we really are setting up NTPMartin Nagy2010-01-211-3/+12
| | | | | | | The sample bind zone file that is generated if we don't use --setup-dns is also changed. Fixes #500238
* Use the dns plug-in for addition of records during installationMartin Nagy2010-01-211-33/+82
| | | | Fixes #528943
* User-defined certificate subjectsRob Crittenden2010-01-206-27/+83
| | | | | | | | | | | | | | | Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Create pkiuser before calling pkicreate, pkicreate depends on the user existingJohn Dennis2010-01-201-1/+1
|
* Allow cospriority to be updated and fix description of priority orderingRob Crittenden2010-01-191-9/+13
| | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work.
* Improve modlist generation in ldap2. Some code cleanup as bonus.Pavel Zuna2010-01-111-65/+89
| | | | | | | | ldap2._generate_modlist now uses more sophisticated means to decide when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE. MOD_REPLACE is always used for single value attributes and never for multi value.
* Missed explicit reference to pki-ca, replace with self.service_nameRob Crittenden2010-01-111-2/+2
|
* Use the caIPAserviceCert profile for issuing service certs.Rob Crittenden2010-01-081-1/+1
| | | | | | | | | | | This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration.
* Change the service name to reflect changes in pki-ca (now pki-cad).Rob Crittenden2010-01-071-3/+3
| | | | | | Also properly use the instance name where appropriate. There were a couple of places where the service name was used and this worked because they were the same.
* Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed ↵Jason Gerard DeRose2009-12-181-1/+1
| | | | 'existant' mispelling
* Make hosts more like real services so we can issue certs for host principalsRob Crittenden2009-12-162-5/+9
| | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Remove some left-over debugging statementsRob Crittenden2009-12-161-3/+0
|
* Make the IPA server host and its services "real" IPA entriesRob Crittenden2009-12-118-20/+134
| | | | | | | | | | | We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.