freeipa.git/ipaserver, branch webui-cleanup FreeIPA patches Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss 2010-07-29T14:50:10+00:00 Rob Crittenden rcritten@redhat.com 2010-07-20T18:00:43+00:00 b7ca3d68c28b54500a2f908c4e2e6c89b2433461 This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now. 
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
Use newer API in ipalib/x509 and add missing import. 2010-07-15T15:17:58+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T13:44:27+00:00 18476c95384ef242923398bbf1985a002dcc87b6 The import was only used when running the in-tree lite-server 
The import was only used when running the in-tree lite-server
Add API to delete a service principal key, service-disable. 2010-07-13T13:29:10+00:00 Rob Crittenden rcritten@redhat.com 2010-07-12T21:45:06+00:00 1e1985b17c3988056bef045fa84a9c7aaf0c4c65 I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey. 
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
Handle errors raised by plugins more gracefully in mod_wsgi. 2010-07-12T13:32:33+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T17:37:27+00:00 ccaf537aa6323c5161d3420b653025771db75010 This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow. 
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
Add support for User-Private Groups 2010-07-06T19:39:34+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T20:14:46+00:00 ba59d9d648d7ee9f3e5b03ede9aeccab97f13a13 This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4). 
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
Fix indentation problem causing build breakage 2010-06-25T02:51:05+00:00 Rob Crittenden rcritten@redhat.com 2010-06-25T02:51:05+00:00 83fd9ef7cc7823619692a0286cbcec5297245153 






Replication version checking.
2010-06-24T14:33:53+00:00

Rob Crittenden
rcritten@redhat.com

2010-06-24T14:31:52+00:00

09fb073e8210f1c8239c0b253672e613822fc553

Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.





Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.







use NSS for SSL operations
2010-06-15T19:03:36+00:00

John Dennis
jdennis@redhat.com

2010-05-31T11:40:17+00:00

31027c6183e3df927b08f0f0b7f84ae7420c3e88












Catch the condition where dogtag is already configured (no preop.pin)
2010-06-01T13:53:10+00:00

Rob Crittenden
rcritten@redhat.com

2010-05-28T15:19:45+00:00

3f5b4233cbf72b25ea86c4c15528200136d14c7a

This causes the installation to blow up badly otherwise.

To remove an existing instance run:

 # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca





This causes the installation to blow up badly otherwise.

To remove an existing instance run:

 # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca







Add LDAP upgrade over ldapi support.
2010-06-01T13:52:10+00:00

Rob Crittenden
rcritten@redhat.com

2010-05-27T15:58:31+00:00

b29de6bf27a51904adfdfb6cf918903f80e4c20b

This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).

Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).





This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).

Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).