freeipa.git/ipa-client/ipaclient, branch mspac FreeIPA patches Replace ntpdate calls with ntpd 2013-09-09T11:37:32+00:00 Ana Krivokapic akrivoka@redhat.com 2013-09-02T14:40:55+00:00 28144e358c38e1c27eeb332b02d8470f18913af6 Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20), replace ntpdate calls with ntpd. https://fedorahosted.org/freeipa/ticket/3797 
Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20),
replace ntpdate calls with ntpd.

https://fedorahosted.org/freeipa/ticket/3797
Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06T13:42:33+00:00 Petr Viktorin pviktori@redhat.com 2013-08-19T10:01:54+00:00 85b974d1bc4f2921ea3efc1d0b769d9b8f26a5de The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning. 
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.

Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.

Pylint 1.0 reports undeclared names in __all__ as a warning.
Preserve already configured options in openldap conf 2013-04-30T14:54:10+00:00 Tomas Babej tbabej@redhat.com 2013-04-22T10:55:38+00:00 5d6a9d3befb5434dd7b2d1bbafd76050f22743a2 We should respect already configured options present in /etc/openldap/ldap.conf when generating our own configuration. With this patch, we only rewrite URI, BASE and TLS_CACERT options only if they are not configured. In the case they are, our suggested configuration is inserted as a comment. Also adds tab as a delimeter character in /etc/openldap/ldap.conf https://fedorahosted.org/freeipa/ticket/3582 
We should respect already configured options present in
/etc/openldap/ldap.conf when generating our own configuration.

With this patch, we only rewrite URI, BASE and TLS_CACERT options
only if they are not configured. In the case they are, our suggested
configuration is inserted as a comment.

Also adds tab as a delimeter character in /etc/openldap/ldap.conf

https://fedorahosted.org/freeipa/ticket/3582
ipa-client discovery with anonymous access off 2013-03-20T08:22:10+00:00 Martin Kosek mkosek@redhat.com 2013-03-19T07:57:18+00:00 be54d1deb5e40945e4ead5b34d9acde88c1e8264 When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519 
When RootDSE could be read (nsslapd-allow-anonymous-access set to
"rootdse"), autodiscovery module failed to report success to the
client installer.

Remove faulty "verified_servers" flag from autodiscovery module as
it has no point since we consider both scenarios (IPA server with
anonymous access on and unknown LDAP server with anonymous access
off) as success.

https://fedorahosted.org/freeipa/ticket/3519
Preserve order of servers in ipa-client-install 2013-03-14T08:35:17+00:00 Martin Kosek mkosek@redhat.com 2013-03-13T13:42:12+00:00 452ffa143aadba5f16f4fe67720e28852fdf1fb7 When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418 
When multiple servers are passed via --server option, ipadiscovery
module changed its order. Make sure that we preserve it.

Also make sure that user is always warned when a tested server is
not available as then the server will be excluded from the fixed
server list. Log messages were made more informative so that user
knows which server is actually failing to be verified.

https://fedorahosted.org/freeipa/ticket/3418
Don't download the schema in ipadiscovery 2013-03-13T11:36:34+00:00 Petr Viktorin pviktori@redhat.com 2013-03-08T12:34:13+00:00 63407ed477035765dda38fbead1353d4f47ac26a 






Remove unneeded python-ldap imports
2013-03-13T11:36:34+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T14:02:01+00:00

cf4b52111d384e8baa250aefe57f21ebda4dad7e

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660





Part of the work for: https://fedorahosted.org/freeipa/ticket/2660







Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
2013-03-13T11:36:33+00:00

Petr Viktorin
pviktori@redhat.com

2013-01-31T13:26:38+00:00

664248d5b846321f61e0776b646cca82c5a17884

These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446





These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446







Add LDAP server fallback to client installer
2013-02-07T21:49:31+00:00

Rob Crittenden
rcritten@redhat.com

2013-02-04T14:35:13+00:00

cbb262dc07ea0615068a630e6c7136e3200d5a06

Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388





Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388







Use secure method to acquire IPA CA certificate
2013-01-23T19:26:42+00:00

John Dennis
jdennis@redhat.com

2012-11-15T19:57:52+00:00

a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9

Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>





Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>