freeipa.git/ipa-client/ipaclient, branch doc Unnamed repository; edit this file 'description' to name the repository. Preserve already configured options in openldap conf 2013-04-30T14:54:10+00:00 Tomas Babej tbabej@redhat.com 2013-04-22T10:55:38+00:00 5d6a9d3befb5434dd7b2d1bbafd76050f22743a2 We should respect already configured options present in /etc/openldap/ldap.conf when generating our own configuration. With this patch, we only rewrite URI, BASE and TLS_CACERT options only if they are not configured. In the case they are, our suggested configuration is inserted as a comment. Also adds tab as a delimeter character in /etc/openldap/ldap.conf https://fedorahosted.org/freeipa/ticket/3582 
We should respect already configured options present in
/etc/openldap/ldap.conf when generating our own configuration.

With this patch, we only rewrite URI, BASE and TLS_CACERT options
only if they are not configured. In the case they are, our suggested
configuration is inserted as a comment.

Also adds tab as a delimeter character in /etc/openldap/ldap.conf

https://fedorahosted.org/freeipa/ticket/3582
ipa-client discovery with anonymous access off 2013-03-20T08:22:10+00:00 Martin Kosek mkosek@redhat.com 2013-03-19T07:57:18+00:00 be54d1deb5e40945e4ead5b34d9acde88c1e8264 When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519 
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.

Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.

https://fedorahosted.org/freeipa/ticket/3519
Preserve order of servers in ipa-client-install 2013-03-14T08:35:17+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T13:42:12+00:00 452ffa143aadba5f16f4fe67720e28852fdf1fb7 When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418 
When multiple servers are passed via --server option, ipadiscovery
module changed its order. Make sure that we preserve it.

Also make sure that user is always warned when a tested server is
not available as then the server will be excluded from the fixed
server list. Log messages were made more informative so that user
knows which server is actually failing to be verified.

https://fedorahosted.org/freeipa/ticket/3418
Don't download the schema in ipadiscovery 2013-03-13T11:36:34+00:00 Petr Viktorin pviktori@redhat.com 2013-03-08T12:34:13+00:00 63407ed477035765dda38fbead1353d4f47ac26a 






Remove unneeded python-ldap imports
2013-03-13T11:36:34+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T14:02:01+00:00

cf4b52111d384e8baa250aefe57f21ebda4dad7e

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660





Part of the work for: https://fedorahosted.org/freeipa/ticket/2660







Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
2013-03-13T11:36:33+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T13:26:38+00:00

664248d5b846321f61e0776b646cca82c5a17884

These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446





These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446







Add LDAP server fallback to client installer
2013-02-07T21:49:31+00:00

Rob Crittenden
rcritten@redhat.com

2013-02-04T14:35:13+00:00

cbb262dc07ea0615068a630e6c7136e3200d5a06

Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388





Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388







Use secure method to acquire IPA CA certificate
2013-01-23T19:26:42+00:00

John Dennis
jdennis@redhat.com

2012-11-15T19:57:52+00:00

a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9

Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>





Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>







Do not crash when Kerberos SRV record is not found
2013-01-02T12:28:03+00:00

Martin Kosek
mkosek@redhat.com

2013-01-02T09:43:49+00:00

cbb12c7cc56ba8d9ee48d261fc86ddef5e323c34

ipa-client-install crashed when IPA server realm TXT record was
configured, but the referred domain (lower-case realm value) did
not contain any Kerberos SRV record (_kerberos._udp.<realm>.)

https://fedorahosted.org/freeipa/ticket/3316





ipa-client-install crashed when IPA server realm TXT record was
configured, but the referred domain (lower-case realm value) did
not contain any Kerberos SRV record (_kerberos._udp.<realm>.)

https://fedorahosted.org/freeipa/ticket/3316







Stop and disable conflicting time&date services
2012-12-07T18:07:36+00:00

Martin Kosek
mkosek@redhat.com

2012-12-07T15:44:32+00:00

211f6c9046ab9b43c7f40e279db7c5595ae70bd1

Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974





Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974