summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix takes_options in automount plugin.Pavel Zuna2009-11-301-1/+1
|
* Print only one line of docstrings in command listings.Pavel Zuna2009-11-301-4/+3
| | | | Full docstring is shown on `ipa help COMMAND`.
* Add SELinux policy for CRL file publishing.Rob Crittenden2009-11-265-1/+59
| | | | | | | | | | This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer
* Point to correct location of self-signed CA and set pw on 389-DS cert dbRob Crittenden2009-11-252-3/+3
| | | | | | | | The CA was moved from residing in the DS NSS database into the Apache database to support a self-signed CA certificate plugin. This was not updated in the installer boilerplate. The DS db wasn't getting a password set on it. Go ahead and set one.
* Use correct attribute for hosts.Rob Crittenden2009-11-251-1/+1
|
* Fix two bugs: one in parsing the ACI and one in comparing two ACIsRob Crittenden2009-11-251-4/+4
| | | | | | | | | | The parsing bug was looking for the string 'version' expecting to find the ACI version. This blew up with the attribute nsosversion. Use the string 'version 3.0' instead. The comparison bug appeared if neither ACI had a targetattr attribute. It was trying to create a set out of a None which is illegal. If an ACI doesn't have any targetattrs then return () instead.
* Integrate ipa-join and ipa-rmkeytab into the client install/uninstallRob Crittenden2009-11-251-110/+209
| | | | This will fetch a keytab on installation and remove it upon uninstallation.
* Bash tab completion scriptRob Crittenden2009-11-252-0/+43
|
* Add code to handle stash files using keytab formatNalin Dahyabhai2009-11-241-3/+59
| | | | | | | | | | | | | In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
* Reading INT parameter class should respect radix prefixJohn Dennis2009-11-232-0/+56
| | | | | | | | | | This modifies the original patch by including a unit test, handling floats when passed as unicode, and handling large magnitude values beyond maxint. The INT parameter class was not respecting any radix prefix (e.g. 0x) the user may have supplied. This patch implements _convert_scalar method for the Int class so that we can pass the special radix base of zero to the int constructor telling it to determine the radix from the prefix (if present).
* Require current versions of python-nss & python-lxmlJohn Dennis2009-11-232-2/+3
| | | | | | ipa.spec.in | 3 ++- ipapython/nsslib.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)
* along with stdout, stderr also log the initial commandJohn Dennis2009-11-231-2/+3
| | | | | | | | | | | | Signed-off-by: John Dennis <jdennis@redhat.com> along with stdout,stderr also log the initial command This implements better logging of external commands. Formerly we were just outputting stdout and stderr without labeling which was which. We also omitted the initial command and it's arguments. This made it difficult when reviewing the logs to know what the command was and what was stdout vs. stderr. This patch fixes that.
* If plugin fails to load log the tracebackJohn Dennis2009-11-231-1/+2
| | | | | | | | | | Signed-off-by: John Dennis <jdennis@redhat.com> If plugin fails to load log the traceback If a plugin fails to load due to some kind of error it would be nice if the error log contained the traceback so you can examine what went wrong rather than being left blind as to why it failed to load.
* Make NotImplementedError in rabase return the correct function nameJohn Dennis2009-11-191-4/+4
| | | | | ipaserver/plugins/rabase.py | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
* add new error class for certificate operationsJohn Dennis2009-11-191-1/+28
| | | | add new error class for certificate operations
* error strings in documentation were missing unicode specifierJohn Dennis2009-11-191-3/+3
| | | | error strings in documentation were missing unicode specifier
* respect debug arg during server installJohn Dennis2009-11-191-0/+1
| | | | | The debug flag (e.g. -d) was not being respected during server install. This patch corrects that.
* Provide additional help to --help optionRob Crittenden2009-11-191-0/+7
|
* Gracefully handle a valid kerberos ticket for a deleted entry.Rob Crittenden2009-11-191-7/+10
| | | | | | | I saw this with a host where I joined a host, obtained a host principal, kinited to that principal, then deleted the host from the IPA server. The ticket was still valid so Apache let it through but it failed to bind to LDAP.
* Clean up some return valuesRob Crittenden2009-11-191-12/+20
| | | | | | | Because ipa-join calls ipa-getkeytab I'd like to keep the return values in sync. ipa-join returns the value returned by ipa-getkeytab so in order to tell what failed the return values need to mean the same things and not overlap.
* Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled).Pavel Zuna2009-11-181-4/+4
|
* Remove 'ipaObject' objectClass from rolegroups and taskgroups.Pavel Zuna2009-11-182-4/+2
|
* Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.Pavel Zuna2009-11-181-1/+1
| | | | Previously we only filtered None values, but it turns out that's not enough.
* Cache installer questions for the 2-step process of an externally-signed CARob Crittenden2009-11-182-7/+64
| | | | | | | | Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
* Fix SASL mappingsSimo Sorce2009-11-181-2/+2
|
* Add fail-safe so any kind of exception is handled in XML-RPC server.Rob Crittenden2009-11-181-0/+5
| | | | | | | If an exception is not handled here then the context isn't destroyed leaving at least an LDAP connection dangling. This means the next time this thread/process tries to handle a connection it will fail because a context already exists.
* Add support for setting/adding arbitrary attributesRob Crittenden2009-11-172-0/+106
| | | | | | | | | | | | | | | | | | | | | | | This introduces 2 new params: --setattr and --addattr Both take a name/value pair, ala: ipa user-mod --setattr=postalcode=20601 jsmith --setattr replaces or sets the current attribute to the value --addattr adds the value to an attribute (or sets a new attribute) OptionsParser allows multiple versions of this, so you can have multiple setattr and addattr, either for the same attribute or for different attributes. ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith Values are silent dropped if either of these on an existing param: ipa user-mod --setattr=givenname=Jerry jsmith Is a no-op.
* _convert_scalar() should throw an error if passed a tuple or listRob Crittenden2009-11-172-1/+19
| | | | | A parameter needs to have multivalue set in order to work on lists/tuples and even then _convert_scalar() will be sent one value at a time.
* Fix typo in name of exceptionRob Crittenden2009-11-121-1/+1
|
* Use File parameter for CSR in cert_request command plugin.Pavel Zuna2009-11-061-29/+12
|
* Add 'File' parameter type.Pavel Zuna2009-11-063-2/+47
| | | | Accepts filenames and loads file contents as parameter value.
* Add SELinux policy for UI assetsRob Crittenden2009-11-046-12/+18
| | | | | | | | This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
* ipa-server-install now renders UI assetsJason Gerard DeRose2009-11-046-14/+45
|
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-036-45/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Use Directory String sytnax for the fqdn attribute, not DN syntax.Rob Crittenden2009-10-281-1/+1
|
* Add mod_python adapter and some UI tuningJason Gerard DeRose2009-10-277-64/+236
|
* Back down to version 1.9.0 in preparation for release of first alpha.alpha-1-9-0Rob Crittenden2009-10-261-2/+2
| | | | | | | There was much back and forth and gnashing of teeth about what the version should actually be in these pre-releases. We decided it isn't 2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to declare 2.0.0.
* Remove a bunch of unused imports, general cleanupRob Crittenden2009-10-251-13/+4
|
* Remove ipalib/plugins/basegroup.py. It's become obsolete.Pavel Zuna2009-10-231-551/+0
|
* Fix bug in print_attribute.Pavel Zuna2009-10-231-1/+1
| | | | | When the attribute had no values an exception was generated while trying to word-wrap it.
* Auto-detect whether dogtag needs to be uninstalledRob Crittenden2009-10-211-5/+8
|
* Display membership attributes (member, memberOf) by default in show/find.Pavel Zuna2009-10-213-3/+5
|
* Require that a host exist before creating a service for it.Rob Crittenden2009-10-211-0/+5
|
* The name coming out of DNS will have a trailing dot (.). Remove it.Rob Crittenden2009-10-211-1/+1
|
* First pass at enforcing certificates be requested from same hostRob Crittenden2009-10-216-36/+131
| | | | | | | | | | | | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
* Add can_add() and can_delete() GER helpersRob Crittenden2009-10-211-0/+37
|
* Change Password param so (password, confirm_password) can be passed to ↵Jason Gerard DeRose2009-10-183-0/+29
| | | | _convert_scalar()
* Add a separate client-only targetRob Crittenden2009-10-173-6/+106
|
* Fix ACI for host delegationRob Crittenden2009-10-171-2/+2
| | | | | We had changed the DN format, I must have missed these ACIs the first go around.
* Fix an oops where I forgot to replace a string with a templateRob Crittenden2009-10-171-6/+6
|
generated by cgit (git 2.34.1) at 2025-09-02 19:54:39 +0000