freeipa.git/install/tools/ipa-httpd-kdcproxy, branch webui_isolate FreeIPA patches Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaldap: remove do_bind from LDAPClient 2016-11-10T16:40:49+00:00 Tomas Krizek tkrizek@redhat.com 2016-11-08T11:16:09+00:00 a68c95d11612108375877ff45bdb53ce6fc8fbe4 Remove do_bind() method that was a relict used in IPAdmin. Replace its uses with simple / external binds. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Remove do_bind() method that was a relict used in IPAdmin. Replace
its uses with simple / external binds.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipaldap: merge IPAdmin to LDAPClient 2016-11-07T10:34:03+00:00 Tomas Krizek tkrizek@redhat.com 2016-11-01T13:52:33+00:00 5b81dbfda1e4f0799d4ce87e9987a896af3ff299 * move IPAdmin methods to LDAPClient * add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__() * add host, port, _protocol to LDAPClient (parsed from ldap_uri) * create get_ldap_uri() method to create ldap_uri from former IPAdmin.__init__() arguments * replace IPAdmin with LDAPClient + get_ldap_uri() * remove ununsed function argument hostname from enable_replication_version_checking() https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
    IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
    enable_replication_version_checking()

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaldap: remove wait/timeout during binds 2016-11-07T10:34:03+00:00 Tomas Krizek tkrizek@redhat.com 2016-10-05T14:09:56+00:00 5760b7e983da6bda8f5383d9079551e4acb4c2da Testing whether it is possible to connect to directory server is already done in RedHatDirectoryService.restart(). https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Testing whether it is possible to connect to directory server is already done
in RedHatDirectoryService.restart().

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
differentiate between limit types when LDAP search exceeds configured limits 2016-04-13T15:52:22+00:00 Martin Babinsky mbabinsk@redhat.com 2016-03-18T08:49:41+00:00 1f0959735f9828a09439f17f1468dcd3dfb914db When LDAP search fails on exceeded limits, we should raise an specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
logger: Use warning instead of warn 2016-01-18T16:49:54+00:00 Tomas Babej tbabej@redhat.com 2016-01-15T15:25:33+00:00 78c5bf9f8e85b4c6c9b67b4a26acedfd45a2c86f Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Handle timeout error in ipa-httpd-kdcproxy 2015-09-10T11:29:56+00:00 Christian Heimes cheimes@redhat.com 2015-09-10T09:54:32+00:00 a3d077443fc7f15c005f86aeed40443d0a0843a1 The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly. A timeout does no longer result into an Apache startup error. https://fedorahosted.org/freeipa/ticket/5292 Reviewed-By: Martin Basti <mbasti@redhat.com> 
The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly.
A timeout does no longer result into an Apache startup error.

https://fedorahosted.org/freeipa/ticket/5292

Reviewed-By: Martin Basti <mbasti@redhat.com>
Improve error handling in ipa-httpd-kdcproxy 2015-07-07T14:31:04+00:00 Christian Heimes cheimes@redhat.com 2015-07-07T14:05:48+00:00 25d1afdc54284c6bcf1caf08beae2e66ceb7f4e8 The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles connection and authentication errors more gracefully. If the script is not able to conenct to LDAP, it only prints a warning and exits with status code 0. All other errors are still reported as fatal error and result in a non-zero exit code. This fixes a problem with offline RPM updates. A restart of Apache no longer fails when LDAP is not running. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles
connection and authentication errors more gracefully. If the script is
not able to conenct to LDAP, it only prints a warning and exits with
status code 0. All other errors are still reported as fatal error and
result in a non-zero exit code.

This fixes a problem with offline RPM updates. A restart of Apache no
longer fails when LDAP is not running.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>