| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
When the netgroup plugin was rebased it ended up using the member
attribute for its memberships and not memberuser/memberhost.
I also fixed this same attribute problem in the tests and tried to beef
them up a little. If nis/schema compat are enabled it will try to compare
the generated triplets with a known-good value.
|
| |
|
|
|
|
|
|
| |
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.
Ticket #87
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.
After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer
I took some time and fixed up some things pylint complained about too.
Ticket #83
|
| |
|
|
| |
The import was only used when running the in-tree lite-server
|
| |
|
|
|
|
|
|
| |
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
|
| |
|
|
|
|
|
|
|
|
|
|
| |
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.
Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
|
| | |
|
| |
|
|
| |
I used pylint to identify a bunch of unnecessary and too-broad imports
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
|
| | |
|
| |
|
|
|
|
|
|
| |
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
|
| |
|
|
|
|
|
|
|
|
|
| |
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.
I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
|
| |
|
|
|
| |
We need the CA certificate so we can use SSL when binding with a
one-time password (bulk enrollment)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
|
| | |
|
| |
|
|
|
|
| |
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
|
| |
|
|
|
|
|
|
| |
This causes the installation to blow up badly otherwise.
To remove an existing instance run:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
|
| |
|
|
|
| |
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
|
| |
|
|
|
|
| |
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
|
| |
|
|
|
|
|
|
|
| |
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
|
| |
|
|
|
|
| |
This was causing replica creation and installation to fail.
596446
|
| | |
|
| |
|
|
| |
Also fix the memberOf attribute for the HBAC services
|
| |
|
|
|
|
|
| |
No longer install the policy or key escrow schemas and remove their
OIDs for now.
594149
|
| | |
|
| |
|
|
|
|
| |
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
|
| |
|
|
| |
This makes creating a clone from a clone work as expected.
|
| | |
|
| | |
|
| |
|
|
| |
461325
|
| | |
|
| |
|
|
| |
Fix deletion of policy when a group is removed.
|
| |
|
|
|
|
|
| |
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.
588574
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.
This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
|
| |
|
|
|
|
| |
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
|
| | |
|
