| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | Fix plugin to work with new output validation, add new helpers | Rob Crittenden | 2010-01-20 | 1 | -34/+57 |
| | | | | | | | | | Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed. | ||||
| * | Add DS migration plugin and password migration page. | Pavel Zuna | 2010-01-20 | 1 | -0/+374 |
| | | |||||
| * | Add --enable-migration option in config plugin. | Pavel Zuna | 2010-01-20 | 1 | -1/+14 |
| | | |||||
| * | Temporary fix for name collision of textui.print_entry. | Pavel Zuna | 2010-01-20 | 1 | -2/+2 |
| | | | | | Somehow there's two of them... rename old one to print_entry1. | ||||
| * | Make DNS plugin support output validation and thus make it work again. | Pavel Zuna | 2010-01-20 | 1 | -39/+86 |
| | | |||||
| * | pass DER flag to x509.get_serial_number() | John Dennis | 2010-01-19 | 1 | -1/+1 |
| | | |||||
| * | Allow cospriority to be updated and fix description of priority ordering | Rob Crittenden | 2010-01-19 | 1 | -7/+27 |
| | | | | | | | Need to add a few more places where the DN will not be automatically normalized. The krb5 server expects a very specific format and normalizing causes it to not work. | ||||
| * | Use 'l' instead of 'localityname' in host plugin. | Pavel Zuna | 2010-01-14 | 1 | -2/+14 |
| | | | | | | It seems that 'localityname' and 'locality' aliases were dropped in newer versions of DS. | ||||
| * | Make host objects aware of their membership and that l==localityName. | Pavel Zuna | 2010-01-14 | 1 | -0/+6 |
| | | |||||
| * | Add Kerberos Ticket Policy management plugin. | Pavel Zuna | 2010-01-13 | 2 | -27/+167 |
| | | |||||
| * | Add --all to LDAPCreate and make LDAP commands always display default ↵ | Pavel Zuna | 2010-01-11 | 7 | -14/+30 |
| | | | | | attributes. | ||||
| * | Use the caIPAserviceCert profile for issuing service certs. | Rob Crittenden | 2010-01-08 | 1 | -2/+2 |
| | | | | | | | | | | | | This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration. | ||||
| * | Add messages, declarative tests for rolegroup, taskgroup plugins | Jason Gerard DeRose | 2009-12-18 | 2 | -7/+29 |
| | | |||||
| * | Handle base64-encoded certificates better, import missing function | Rob Crittenden | 2009-12-18 | 3 | -0/+11 |
| | | |||||
| * | Make hosts more like real services so we can issue certs for host principals | Rob Crittenden | 2009-12-16 | 2 | -12/+56 |
| | | | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work. | ||||
| * | host and hostgroup summary messages, declarative tests; fix tests for 'dn' | Jason Gerard DeRose | 2009-12-16 | 1 | -3/+11 |
| | | |||||
| * | Add some missing labels | Rob Crittenden | 2009-12-14 | 2 | -0/+5 |
| | | |||||
| * | Convert to using new result output handling | Rob Crittenden | 2009-12-14 | 2 | -27/+85 |
| | | | | | | This also inserts the dn into the response when adding a record. We need this in the ACI plugin when adding a taskgroup | ||||
| * | This plugin was replaced by the aci plugin | Rob Crittenden | 2009-12-11 | 1 | -93/+0 |
| | | |||||
| * | Take 2: Extensible return values and validation; steps toward a single ↵ | Jason Gerard DeRose | 2009-12-10 | 9 | -130/+257 |
| | | | | | output_for_cli(); enable more webUI stuff | ||||
| * | rebase dogtag clean-up patch | John Dennis | 2009-12-09 | 2 | -17/+24 |
| | | |||||
| * | Add idnsUpdatePolicy into the dns plug-in | Martin Nagy | 2009-12-02 | 1 | -1/+5 |
| | | | | | | | The idnsUpdatePolicy takes a list of BIND dynamic update policies, each of which must be terminated by ";". Also fix a minor error in the documentation string. | ||||
| * | Add NotImplementedError type so CA plugins can return client-friendly errors | Rob Crittenden | 2009-12-01 | 1 | -3/+10 |
| | | | | | | | | | Ignore NotImplementedError when revoking a certificate as this isn't implemented in the selfsign plugin. Also use the new type argument in x509.load_certificate(). Certificates are coming out of LDAP as binary instead of base64-encoding. | ||||
| * | Rename GeneralizedTime to AccessTime. | Pavel Zuna | 2009-12-01 | 1 | -3/+3 |
| | | |||||
| * | Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. | Pavel Zuna | 2009-12-01 | 1 | -2/+94 |
| | | |||||
| * | Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. | Rob Crittenden | 2009-11-30 | 2 | -27/+73 |
| | | | | | | | | | | The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr | ||||
| * | Fix boolean attributes in DNS plugin. | Pavel Zuna | 2009-11-30 | 1 | -3/+9 |
| | | | | | | Sometimes they worked fine and sometimes DS rejected them as invalid. | ||||
| * | Fix takes_options in automount plugin. | Pavel Zuna | 2009-11-30 | 1 | -1/+1 |
| | | |||||
| * | Use correct attribute for hosts. | Rob Crittenden | 2009-11-25 | 1 | -1/+1 |
| | | |||||
| * | Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled). | Pavel Zuna | 2009-11-18 | 1 | -4/+4 |
| | | |||||
| * | Remove 'ipaObject' objectClass from rolegroups and taskgroups. | Pavel Zuna | 2009-11-18 | 2 | -4/+2 |
| | | |||||
| * | Add support for setting/adding arbitrary attributes | Rob Crittenden | 2009-11-17 | 1 | -0/+61 |
| | | | | | | | | | | | | | | | | | | | | | | | | This introduces 2 new params: --setattr and --addattr Both take a name/value pair, ala: ipa user-mod --setattr=postalcode=20601 jsmith --setattr replaces or sets the current attribute to the value --addattr adds the value to an attribute (or sets a new attribute) OptionsParser allows multiple versions of this, so you can have multiple setattr and addattr, either for the same attribute or for different attributes. ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith Values are silent dropped if either of these on an existing param: ipa user-mod --setattr=givenname=Jerry jsmith Is a no-op. | ||||
| * | Use File parameter for CSR in cert_request command plugin. | Pavel Zuna | 2009-11-06 | 1 | -29/+12 |
| | | |||||
| * | Use a new mechanism for delegating certificate issuance. | Rob Crittenden | 2009-11-03 | 3 | -43/+42 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com | ||||
| * | Add mod_python adapter and some UI tuning | Jason Gerard DeRose | 2009-10-27 | 1 | -1/+1 |
| | | |||||
| * | Remove ipalib/plugins/basegroup.py. It's become obsolete. | Pavel Zuna | 2009-10-23 | 1 | -551/+0 |
| | | |||||
| * | Display membership attributes (member, memberOf) by default in show/find. | Pavel Zuna | 2009-10-21 | 3 | -3/+5 |
| | | |||||
| * | Require that a host exist before creating a service for it. | Rob Crittenden | 2009-10-21 | 1 | -0/+5 |
| | | |||||
| * | The name coming out of DNS will have a trailing dot (.). Remove it. | Rob Crittenden | 2009-10-21 | 1 | -1/+1 |
| | | |||||
| * | First pass at enforcing certificates be requested from same host | Rob Crittenden | 2009-10-21 | 2 | -29/+86 |
| | | | | | | | | | | | | | We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs. | ||||
| * | Giant webui patch take 2 | Jason Gerard DeRose | 2009-10-13 | 3 | -14/+9 |
| | | |||||
| * | Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. | Pavel Zuna | 2009-10-08 | 2 | -2/+8 |
| | | |||||
| * | Fix bug in group plugin. Was using wrong variable for attributes. | Pavel Zuna | 2009-10-08 | 1 | -1/+1 |
| | | | | | Fix bug #527537. | ||||
| * | Make the taskgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-07 | 1 | -135/+40 |
| | | |||||
| * | Make the rolegroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -46/+41 |
| | | |||||
| * | Make the hostgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -173/+45 |
| | | |||||
| * | Make the netgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -309/+116 |
| | | |||||
| * | Make the user plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -230/+76 |
| | | |||||
| * | Make the service plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -205/+66 |
| | | |||||
| * | Make the group plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -124/+65 |
| | | |||||
 |
index : .git | |
| Unnamed repository; edit this file 'description' to name the repository. | Rob Crittenden |
| summaryrefslogtreecommitdiffstats |