<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/ipaserver/plugins, branch webui-cleanup</title>
<subtitle>FreeIPA patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/'/>
<entry>
<title>Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss</title>
<updated>2010-07-29T14:50:10+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-07-20T18:00:43+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=b7ca3d68c28b54500a2f908c4e2e6c89b2433461'/>
<id>b7ca3d68c28b54500a2f908c4e2e6c89b2433461</id>
<content type='text'>
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use newer API in ipalib/x509 and add missing import.</title>
<updated>2010-07-15T15:17:58+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-06-25T13:44:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=18476c95384ef242923398bbf1985a002dcc87b6'/>
<id>18476c95384ef242923398bbf1985a002dcc87b6</id>
<content type='text'>
The import was only used when running the in-tree lite-server
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The import was only used when running the in-tree lite-server
</pre>
</div>
</content>
</entry>
<entry>
<title>Add API to delete a service principal key, service-disable.</title>
<updated>2010-07-13T13:29:10+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-07-12T21:45:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=1e1985b17c3988056bef045fa84a9c7aaf0c4c65'/>
<id>1e1985b17c3988056bef045fa84a9c7aaf0c4c65</id>
<content type='text'>
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key, using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key, using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle errors raised by plugins more gracefully in mod_wsgi.</title>
<updated>2010-07-12T13:32:33+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-06-25T17:37:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=ccaf537aa6323c5161d3420b653025771db75010'/>
<id>ccaf537aa6323c5161d3420b653025771db75010</id>
<content type='text'>
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that led to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that led to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add support for User-Private Groups</title>
<updated>2010-07-06T19:39:34+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-06-25T20:14:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13'/>
<id>ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13</id>
<content type='text'>
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the user's uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the user's uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
</pre>
</div>
</content>
</entry>
<entry>
<title>Replace a new instance of IPAdmin use in ipa-server-install.</title>
<updated>2010-04-27T20:29:36+00:00</updated>
<author>
<name>Pavel Zuna</name>
<email>pzuna@redhat.com</email>
</author>
<published>2010-04-27T14:35:07+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=44c18444935443e3ea1cb9bb6c543a436bc84cd8'/>
<id>44c18444935443e3ea1cb9bb6c543a436bc84cd8</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Use the certificate subject base in IPA when requesting certs in certmonger.</title>
<updated>2010-04-23T10:57:40+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-04-05T20:27:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908'/>
<id>1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908</id>
<content type='text'>
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use ldap2 instead of legacy LDAP code from v1 in installer scripts.</title>
<updated>2010-04-19T15:27:10+00:00</updated>
<author>
<name>Pavel Zuna</name>
<email>pzuna@redhat.com</email>
</author>
<published>2010-03-24T14:51:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=3620135ec97c156b84a310cd423d5df52732b3f8'/>
<id>3620135ec97c156b84a310cd423d5df52732b3f8</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove older MITM fixes to make compatible with dogtag 1.3.3</title>
<updated>2010-04-19T14:04:25+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-03-30T19:27:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=70049496e3cfe0db01a58bcc51c7ea13e6caac24'/>
<id>70049496e3cfe0db01a58bcc51c7ea13e6caac24</id>
<content type='text'>
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
</pre>
</div>
</content>
</entry>
<entry>
<title>Retrieve the LDAP schema using kerberos credentials.</title>
<updated>2010-03-18T05:36:53+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2010-03-17T14:01:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/freeipa.git/commit/?id=f0d51b65f18d73e9b97e22e9fa4146468fed3d16'/>
<id>f0d51b65f18d73e9b97e22e9fa4146468fed3d16</id>
<content type='text'>
This is required so we can disable anonymous access in 389-ds.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is required so we can disable anonymous access in 389-ds.
</pre>
</div>
</content>
</entry>
</feed>
