path: root/ipaserver
Commit log, newest first (each entry: commit message, author, date, files changed, lines deleted/added)
* Wait for Directory Server ports to open (Martin Kosek, 2011-03-21, 3 files changed, -12/+34)
  When a Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart.
  https://fedorahosted.org/freeipa/ticket/1076
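The wait the commit above describes, as an added Python example (not FreeIPA's own code): a connect-based poll with a bounded per-attempt timeout, and a variant that waits for several ports (the plain and TLS listeners) under one shared deadline so the total wait cannot grow with the number of ports. The host, the port numbers and the delayed_listener stand-in for a daemon that is still starting are assumptions made for the example.

```python
import socket
import threading
import time


def wait_for_port(host, port, timeout=30.0, interval=0.5):
    """Poll until a TCP connect to host:port succeeds.

    Returns True once the port accepts a connection, False if `timeout`
    seconds pass first.  Each connect attempt is itself bounded by
    `interval`, so a firewalled (black-holed) port cannot stall the
    loop past the deadline.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            # ECONNREFUSED while the daemon is still starting, or a
            # per-attempt timeout: keep polling until the deadline.
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def wait_for_ports(host, ports, timeout=30.0, interval=0.5):
    """Wait for every port in `ports`, e.g. (389, 636) for ldap and ldaps.

    The deadline is shared across all ports, so the worst case is
    `timeout`, not len(ports) * timeout.  Returns the list of ports that
    were still closed when the deadline passed (empty list on success).
    """
    deadline = time.monotonic() + timeout
    still_closed = []
    for port in ports:
        remaining = max(0.0, deadline - time.monotonic())
        if not wait_for_port(host, port, timeout=remaining, interval=interval):
            still_closed.append(port)
    return still_closed


def delayed_listener(delay):
    """Constructed stand-in for a restarting daemon (assumption).

    The socket is bound immediately, so the port number is known, but
    listen() is only called after `delay` seconds; until then connects
    are refused, exactly as they are while a server is still coming up.
    Returns (port, socket); the caller closes the socket.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]

    def start_listening():
        time.sleep(delay)
        sock.listen(5)

    threading.Thread(target=start_listening, daemon=True).start()
    return port, sock


if __name__ == "__main__":
    port, sock = delayed_listener(1.0)
    print("open after restart:",
          wait_for_port("127.0.0.1", port, timeout=5, interval=0.1))
    sock.close()
    print("still closed:",
          wait_for_ports("127.0.0.1", [port], timeout=1, interval=0.1))
```

A connect test is preferable to checking the pid file or the init script's exit status: it observes the state the next LDAP operation will actually hit.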
* Automatically update IPA LDAP on rpm upgrades (Rob Crittenden, 2011-03-21, 2 files changed, -21/+53)
  Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind, giving root Directory Manager powers.
  This also:
  * corrects the ipa-ldap-updater man page
  * removes the automatic --realm, --server, --domain options
  * handles upgrade errors properly
  * saves a copy of dse.ldif before we change it so it can be recovered
  * fixes an error discovered by pylint
  ticket 1087
* Ensure that the system hostname is lower-case. (Rob Crittenden, 2011-03-18, 1 file changed, -0/+3)
  ticket 1080
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. (Rob Crittenden, 2011-03-15, 4 files changed, -15/+79)
  This fixes 2 AVCs:
  * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.
  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
  ticket 1085
* Domain to Realm (Simo Sorce, 2011-03-14, 1 file changed, -10/+15)
  Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
  https://bugzilla.redhat.com/show_bug.cgi?id=684690
  https://fedorahosted.org/freeipa/ticket/1091
* Use TLS for dogtag replication agreements. (Rob Crittenden, 2011-03-10, 1 file changed, -4/+52)
  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance.
  ticket 1060
* ipa-dns-install script fails (Martin Kosek, 2011-03-08, 1 file changed, -1/+1)
  This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time.
  https://fedorahosted.org/freeipa/ticket/1065
* Use ldapi: instead of unsecured ldap: in ipa core tools. (Pavel Zuna, 2011-03-03, 1 file changed, -15/+30)
  The patch also corrects exception handling in some of the tools.
  Fix #874
* Replace only if old and new have nothing in common (Rob Crittenden, 2011-03-03, 1 file changed, -1/+1)
  Jakub did the initial diagnosis of this, I added a fix for removing the last entry when removing members and a test case.
  ticket 1000
* Inconsistent sysrestore file handling by IPA server installer (Martin Kosek, 2011-03-03, 1 file changed, -2/+5)
  IPA server/replica uninstallation may fail when it tries to restore a Directory Server configuration file in the sysrestore directory which was already restored before. The problem is in the Directory Server uninstaller, which uses and modifies its own image of the sysrestore directory state instead of using the common uninstaller image.
  https://fedorahosted.org/freeipa/ticket/1026
* Store list of non-master replicas in DIT and provide way to list them (Simo Sorce, 2011-03-02, 1 file changed, -0/+12)
  Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label. (Rob Crittenden, 2011-03-01, 1 file changed, -1/+1)
  ticket 1005
* Fix replica setup using replication admin kerberos credentials (Simo Sorce, 2011-03-01, 1 file changed, -1/+2)
  Fixes: https://fedorahosted.org/freeipa/ticket/1022
* Use wrapper for sasl gssapi binds so it behaves like other binds (Simo Sorce, 2011-03-01, 3 files changed, -11/+12)
  By calling sasl_interactive_bind_s() directly we were not calling __lateinit(). This in turn resulted in some variables like dbdir not being set on the IPAadmin object.
  Keep all bind types in the same place so the same common bind steps can be performed in each case.
  Related to: https://fedorahosted.org/freeipa/ticket/1022
* Fix winsync agreements setup (Simo Sorce, 2011-03-01, 1 file changed, -23/+38)
  Fixes: https://fedorahosted.org/freeipa/ticket/1006
* Send Accept-Language header over XML-RPC and translate on server. (Pavel Zuna, 2011-03-01, 1 file changed, -4/+10)
  Fix #904
  Fix #917
* Set SuiteSpotGroup when setting up our 389-ds instances. (Rob Crittenden, 2011-02-24, 2 files changed, -1/+5)
  The group is now required because 389-ds has tightened the permissions on /var/run/dirsrv. We use the same group for both our LDAP instances and /var/run/dirsrv ends up as root:dirsrv mode 0770.
  ticket 1010
* Collect memberof information for sudo commands. (Rob Crittenden, 2011-02-23, 1 file changed, -0/+8)
  We weren't searching the cn=sudo container so all members of a sudocmdgroup looked indirect.
  Add a label for sudo command groups.
  Update the tests to include verifying that membership is done properly.
  ticket 1003
* Create default disabled sudo bind user (Jr Aquino, 2011-02-23, 2 files changed, -2/+12)
  Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.
  https://fedorahosted.org/freeipa/ticket/998
* Add default roles and permissions for HBAC, SUDO and pw policy (Rob Crittenden, 2011-02-22, 1 file changed, -2/+14)
  Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
  I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
  ticket 585
* Add handling for indirect memberof other entries. (Rob Crittenden, 2011-02-21, 1 file changed, -0/+71)
  This creates a new custom attribute, memberofindirect_[plugin]. Using this you can tell the difference between being an actual memberof another entry and being a memberof as the result of inheritance.
  This is particularly useful when trying to remove members of an entry, you can only remove direct members.
  I had to add a couple of short sleep calls to make things work a little better. The memberof plugin runs as a postop and we have no way of knowing when it has done its work. If we don't pause we may show some stale data that memberof hasn't updated yet. 0.3 seconds is an arbitrary choice.
  ticket 966
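The direct/indirect distinction the commit above introduces (and the sudocmdgroup membership the "Collect memberof information for sudo commands" entry relies on), as an added Python example that is not FreeIPA's own code. Group nesting is modelled as the `member` attribute of each group; the transitive closure is what the memberOf plugin materialises, and memberofindirect is the part of it that no direct link explains, which is exactly the membership a remove-member call must refuse. The sample_directory() data, the group and user names and the function names are assumptions made for the example.

```python
from collections import deque


def sample_directory():
    """Constructed group nesting for the example (assumption, not real data).

    Maps each group to the set of its direct members, i.e. the values of
    its `member` attribute; members may be users or other groups.
    """
    return {
        "admins": {"devops"},          # devops is nested in admins
        "devops": {"alice", "ops"},    # alice is a direct member of devops
        "ops": {"bob"},
    }


def transitive_memberof(entry, direct_members):
    """Every group `entry` belongs to, directly or through nesting.

    This is what the 389-ds memberOf plugin materialises in the
    `memberOf` attribute.  Walking the reverse edges with a visited set
    terminates even when groups are nested in a cycle.
    """
    parents = {}
    for group, members in direct_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)

    seen = set()
    queue = deque(parents.get(entry, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def split_memberof(entry, direct_members):
    """Return (memberof, memberofindirect) for `entry`.

    memberofindirect is the subset of memberof that is not backed by a
    direct `member` link, so removing `entry` from that group would be a
    no-op; the nested group is the one that has to be edited.
    """
    memberof = transitive_memberof(entry, direct_members)
    direct = {g for g, members in direct_members.items() if entry in members}
    return memberof, memberof - direct


def remove_member(group, member, direct_members):
    """Drop a direct member from `group`, refusing indirect memberships.

    Returns the member's remaining (transitive) memberships, sorted.
    """
    memberof, indirect = split_memberof(member, direct_members)
    if group not in memberof:
        raise ValueError(f"{member!r} is not a member of {group!r}")
    if group in indirect:
        raise ValueError(
            f"{member!r} is only an indirect member of {group!r}; "
            "remove it from the nested group instead")
    direct_members[group].discard(member)
    return sorted(transitive_memberof(member, direct_members))


if __name__ == "__main__":
    d = sample_directory()
    print("alice:", split_memberof("alice", d))   # direct devops, indirect admins
    print("bob:", split_memberof("bob", d))       # direct ops, indirect devops+admins
    try:
        remove_member("admins", "alice", d)
    except ValueError as e:
        print("refused:", e)
    print("after removal:", remove_member("devops", "alice", d))
```

The server side computes the same closure from `memberOf` values it reads back, which is why the commit needs a pause after writes: the postop plugin has not necessarily written those values yet when the next search runs.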
* Use unicode parameters in the host plugin (Jakub Hrozek, 2011-02-18, 1 file changed, -3/+1)
  https://fedorahosted.org/freeipa/ticket/977
* Fix NSS initialization errors during ipa-replica-prepare (Rob Crittenden, 2011-02-18, 1 file changed, -1/+1)
  When enabling replication we make an SSL connection. I think the way this goes is python-ldap -> openldap -> NSS. It may be a problem in the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any case if we use ldapi instead the problem goes away.
  Back out the temporary code to ignore nss_shutdown errors.
  ticket 965
* Try to register DNS name through a DNS Update on install. (Simo Sorce, 2011-02-17, 1 file changed, -1/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/935
* Raise NotImplementedError for selfsigned cert-remove-hold (Jakub Hrozek, 2011-02-17, 1 file changed, -1/+1)
* Code cleanup (Jan Zeleny, 2011-02-15, 2 files changed, -893/+0)
  This patch removes two files which seem to be long obsolete and no longer used.
* Fix handling of /etc/hosts (Jan Cholasta, 2011-02-15, 1 file changed, -5/+14)
  ticket 971
* Fine tuning DNS options (Jakub Hrozek, 2011-02-14, 2 files changed, -4/+23)
  Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS.
  On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients.
  Set rdns to false on both server and client.
  https://fedorahosted.org/freeipa/ticket/931
* Let 389-ds start up even if Kerberos is not configured yet. (Rob Crittenden, 2011-02-14, 1 file changed, -5/+9)
  The situation is if during installation /etc/krb5.conf either doesn't exist or configures no realms then 389-ds won't start up at all, causing the installation to fail. This will let the server start up in a degraded mode.
  Also need to make the sub_dict in ldapupdate.py handle no realm otherwise the installation will abort enabling the compat plugin.
  ticket 606
* Add a replace option to ipa-ldap-updater. (Rob Crittenden, 2011-02-14, 1 file changed, -1/+14)
  We have no way to say "replace value X with Y". This would be useful for us to replace a default value only if the user hasn't already updated it.
  related to ticket 930
* Add default success/failure output logging. (Rob Crittenden, 2011-02-14, 1 file changed, -4/+9)
  Request logging on the server only happened if you added verbose=True or debug=True to the IPA config file. We should log the basics at least: who, what, result.
  Move a lot of entries from info to debug logging as well.
  Related to ticket 873
* Ignore case when removing group members. (Rob Crittenden, 2011-02-14, 1 file changed, -1/+1)
  ticket 944
* Convert json strings to unicode when they are unmarshalled. (Rob Crittenden, 2011-02-11, 1 file changed, -2/+11)
  This patch removes some individual work-arounds of converting strings to unicode, they only masked the problem.
  String values are not passed to the validator or normalizers so things like adding the realm automatically to services weren't happening.
  ticket 941
* Don't include error.kw in the error response in the JSON server. (Rob Crittenden, 2011-02-11, 1 file changed, -1/+0)
  This can include a full exception which cannot be marshalled. This value contains duplicate information and isn't used by the client.
  ticket 905
* Ensure that file ownership doesn't change when config is updated. (Rob Crittenden, 2011-02-11, 1 file changed, -0/+4)
  Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break.
  So grab the owner before opening the file and reset it after closing.
  ticket 928
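The failure mode behind the commit above, as an added Python example that is not FreeIPA's update_file() or set_directive(): a config rewrite run as root that recreates the file ends up owning it as root:root, and a service that runs as its own user (dogtag in the commit) can no longer read it. The example captures uid, gid and mode before touching the file, applies them to the replacement while it is still under a temporary name, and renames it into place atomically, so neither ownership nor a half-written file can ever be observed. The key=value file format, the directive names and the helper names are assumptions made for the example.

```python
import os
import stat
import tempfile


def update_file_preserving_owner(path, transform):
    """Rewrite `path` via transform(old_text) -> new_text, keeping
    owner, group and mode.

    The new content goes to a temporary file in the same directory, the
    original uid/gid/mode are applied to it with fchown/fchmod before it
    becomes visible under the real name, and os.replace() swaps it in
    atomically.  Returns the text that was written.
    """
    st = os.stat(path)
    with open(path, "r", encoding="utf-8") as f:
        new_text = transform(f.read())

    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".update-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            # Fix metadata while the file is still only visible under its
            # temporary name; umask does not apply to fchmod.
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))
            os.fchown(f.fileno(), st.st_uid, st.st_gid)
            f.write(new_text)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return new_text


def set_directive(path, key, value, separator="="):
    """Set `key<separator>value` in a simple key=value config file,
    replacing an existing line for `key` or appending one."""
    def transform(text):
        out, done = [], False
        for line in text.splitlines():
            if line.split(separator, 1)[0].strip() == key:
                out.append(f"{key}{separator}{value}")
                done = True
            else:
                out.append(line)
        if not done:
            out.append(f"{key}{separator}{value}")
        return "\n".join(out) + "\n"
    return update_file_preserving_owner(path, transform)


def file_owner_and_mode(path):
    """(uid, gid, permission bits) of `path`, for before/after checks."""
    st = os.stat(path)
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


def read_text(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def make_sample_config(text, mode=0o640):
    """Constructed config file for the example (assumption): a key=value
    file with group-readable permissions, as a service's config would be."""
    fd, path = tempfile.mkstemp(prefix="example-", suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    cfg = make_sample_config("port=389\nsecurePort=636\n")
    before = file_owner_and_mode(cfg)
    set_directive(cfg, "securePort", "7390")
    set_directive(cfg, "security", "on")
    print(read_text(cfg), "metadata unchanged:", file_owner_and_mode(cfg) == before)
    os.unlink(cfg)
```

Run as an unprivileged user the fchown is a no-op on a file it already owns; run as root it is what keeps the service's ownership intact, which is the case the commit fixes.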
* Disable replication version plugin by default. (Rob Crittenden, 2011-02-10, 2 files changed, -0/+25)
  The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default.
  When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin.
  Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins.
  ticket 918
* Fix crash in DNS installer. (Pavel Zuna, 2011-02-10, 1 file changed, -3/+3)
  Fix #927
* ipa-server-install inconsistent capitalization (Martin Kosek, 2011-02-03, 3 files changed, -7/+7)
  A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.
  https://fedorahosted.org/freeipa/ticket/776
* IPv6 enhancements (Jakub Hrozek, 2011-02-02, 2 files changed, -14/+23)
  * Make host-add, host-del and reverse zone creation IPv6 aware
  * Make Bind listen on IPv6 interfaces, too
  https://fedorahosted.org/freeipa/ticket/398
* Add support for tracking and counting entitlements (Rob Crittenden, 2011-02-02, 1 file changed, -0/+14)
  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them.
  It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable).
  This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements.
  Add a cron job to validate the entitlement status and syslog the results.
  tickets 28, 79, 278
* Fix installing with an external CA and wait for dogtag to come up (Rob Crittenden, 2011-02-01, 1 file changed, -0/+23)
  There wasn't an exception in the "is the server already installed" check for a two-stage CA installation.
  Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password.
  The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled.
  ticket 835 revise
* Force sync in both directions before changing replication agreements (Simo Sorce, 2011-02-01, 1 file changed, -15/+25)
  Fixes: https://fedorahosted.org/freeipa/ticket/887
* Add an address for a nameserver when a new zone is created during install (Jakub Hrozek, 2011-01-31, 1 file changed, -8/+12)
  https://fedorahosted.org/freeipa/ticket/881
* Fix privilege name we are assigning to DNS principal. (Rob Crittenden, 2011-01-31, 1 file changed, -1/+1)
  This fixes an installation failure.
* Use a common group for all DS instances (Simo Sorce, 2011-01-31, 3 files changed, -65/+58)
  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user.
  Fixes: https://fedorahosted.org/freeipa/ticket/851
* Add ldap2 method to retrieve allowed attributes for specified objectClasses. (Pavel Zuna, 2011-01-26, 1 file changed, -3/+17)
  ldap2.get_allowed_attribute(['posixuser']) returns a list of unicode all lower case attribute names allowed for the object class 'posixuser'
* Fix assorted bugs found by pylint (Jakub Hrozek, 2011-01-25, 7 files changed, -23/+5)
* Fix ipa-replica-manage regressions with winsync (Simo Sorce, 2011-01-25, 2 files changed, -3/+6)
  Avoids ipa-replica-manage throwing errors.
  Fixes: https://fedorahosted.org/freeipa/ticket/807
* Always add DNS records when installing a replica (Simo Sorce, 2011-01-25, 1 file changed, -0/+58)
  Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records.
  Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related values (Simo Sorce, 2011-01-25, 2 files changed, -0/+51)
  Fixes: https://fedorahosted.org/freeipa/ticket/820