| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
|
|
|
|
|
|
|
| |
No longer install the policy or key escrow schemas and remove their
OIDs for now.
594149
|
|
|
|
|
|
| |
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
|
|
|
|
| |
This makes creating a clone from a clone work as expected.
|
|
|
|
|
|
|
|
|
| |
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
|
|
|
|
| |
Also consolidate some duplicate code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
|
|
|
|
|
|
| |
The old perl DS code for detection didn't set this so was often confused
about port availability. We had to match their behavior so the installation
didn't blow up. They fixed this a while ago, this catches us up.
|
| |
|
| |
|
|
|
|
| |
583023
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
|
|
|
|
|
|
|
|
| |
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
|
| |
|
|
|
|
| |
Based on initial patch from Pavel Zuna.
|
|
|
|
|
|
|
| |
We set a new port to be used with dogtag but IPA doesn't utilize it.
This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
|
| |
|
|
|
|
|
|
| |
Also print out a restart message after applying the custom subject.
It takes a while to restart dogtag and this lets the user know things
are moving forward.
|
|
|
|
|
|
| |
This error could result in things not working properly but it should be
relatively easy to fix from the command-line. There is no point in
not installing at all due to this.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
|
|
|
|
|
|
|
| |
This is primarily designed to not log passwords but it could have other
uses.
567867
|
|
|
|
|
| |
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
|
|
|
|
| |
This is required so we can disable anonymous access in 389-ds.
|
|
|
|
|
|
|
|
| |
If the group exists but the user doesn't then useradd blows up
trying to create the user and group. So test to see if the group
exists and if it does pass along the -g argument to useradd.
Resolves #502960
|
|
|
|
|
|
|
|
|
|
|
|
| |
A number of doc strings were not localized, wrap them in _().
Some messages were not localized, wrap them in _()
Fix a couple of failing tests:
The method name in RPC should not be unicode.
The doc attribute must use the .msg attribute for comparison.
Also clean up imports of _() The import should come from
ipalib or ipalib.text, not ugettext from request.
|
|
|
|
|
|
|
|
|
| |
Traverse the objects passed to JSON for encoding and decoding.
When binary data is seen during encode replace the binary
data with a dict {'__base64__' : base64_encoding_of_binary_value}.
On decode if a dict is seen whose single key is '__base64__' replace
that dict with the base64 decoded value of the key's value.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
certutil writes to the local directory when issuing a certificate.
Change to the security database directory when issuing the self-signed CA.
Also handle the case where a user is in a non-existent directory when doing
the install.
|
| |
|
|
|
|
| |
Fixes #558984
|
|
|
|
|
|
|
|
|
|
| |
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
|
|
|
|
|
|
|
|
| |
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.
These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
|
|
|
|
|
|
|
|
| |
This error message was producing a warning from xgettext
because there were multiple substations in the string.
In some languages it may be necessary to reorder the
substitutions for a proper translation, this is only
possible if the substitutions use named values.
|
|
|
|
|
| |
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
|
|
|
|
|
|
|
|
| |
Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(),
wrap_binary_data(), unwrap_binary_data() from both instances
of ipautil.py. This code is no longer in use and the
SAFE_STRING_PATTERN regular expression string was causing xgettext
to abort because it wasn't a valid ASCII string.
|
|
|
|
|
|
|
|
| |
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required but will attempt to re-do the
handshake to make this happen which will fail with newer versions of NSS.
|
| |
|
| |
|
|
|
|
|
|
| |
The fake_mname for now doesn't exists but is a feature that will be
added in the near future. Since any unknown arguments to bind-dyndb-ldap
are ignored, we are safe to use it now.
|
|
|
|
|
| |
We will need these functions in the new upcoming ipa-dns-install
command.
|
|
|
|
|
|
| |
This will be handy in the future if we will want to install or uninstall
only single IPA components and want to append to the installation logs.
This will be used by the upcoming ipa-dns-install script.
|
|
|
|
|
|
|
| |
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.
Fixes #500238
|
|
|
|
| |
Fixes #528943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
|
| |
|
|
|
|
|
|
| |
Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
|