| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| Use a new mechanism for delegating certificate issuance. | Rob Crittenden | 2009-11-03 | 6 | -45/+52 |
| Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: (1) the service will need to exist; (2) the machine needs to be in the certadmin rolegroup; (3) the host needs to be in the managedBy attribute of the service. It might look something like this. As admin: `ipa host-add client.example.com --password=secret123`, `ipa service-add HTTP/client.example.com`, `ipa service-add-host --hosts=client.example.com HTTP/client.example.com`, `ipa rolegroup-add-member --hosts=client.example.com certadmin`. On the client: `ipa-client-install`, `ipa-join -w secret123`, `kinit -kt /etc/krb5.keytab host/client.example.com`, `ipa -d cert-request file://web.csr --principal=HTTP/client.example.com`. | | | | |
| Use Directory String syntax for the fqdn attribute, not DN syntax. | Rob Crittenden | 2009-10-28 | 1 | -1/+1 |
| Add mod_python adapter and some UI tuning | Jason Gerard DeRose | 2009-10-27 | 7 | -64/+236 |
| Back down to version 1.9.0 in preparation for release of first alpha. (tag: alpha-1-9-0) | Rob Crittenden | 2009-10-26 | 1 | -2/+2 |
| There was much back and forth and gnashing of teeth about what the version should actually be in these pre-releases. We decided it isn't 2.0-ish enough so went with 1.9.0, 1.9.1, etc. until we're ready to declare 2.0.0. | | | | |
| Remove a bunch of unused imports, general cleanup | Rob Crittenden | 2009-10-25 | 1 | -13/+4 |
| Remove ipalib/plugins/basegroup.py. It's become obsolete. | Pavel Zuna | 2009-10-23 | 1 | -551/+0 |
| Fix bug in print_attribute. | Pavel Zuna | 2009-10-23 | 1 | -1/+1 |
| When the attribute had no values an exception was generated while trying to word-wrap it. | | | | |
| Auto-detect whether dogtag needs to be uninstalled | Rob Crittenden | 2009-10-21 | 1 | -5/+8 |
| Display membership attributes (member, memberOf) by default in show/find. | Pavel Zuna | 2009-10-21 | 3 | -3/+5 |
| Require that a host exist before creating a service for it. | Rob Crittenden | 2009-10-21 | 1 | -0/+5 |
| The name coming out of DNS will have a trailing dot (.). Remove it. | Rob Crittenden | 2009-10-21 | 1 | -1/+1 |
| First pass at enforcing certificates be requested from same host | Rob Crittenden | 2009-10-21 | 6 | -36/+131 |
| We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates; that is still limited to the taskgroup request_certs. | | | | |
| Add can_add() and can_delete() GER helpers | Rob Crittenden | 2009-10-21 | 1 | -0/+37 |
| Change Password param so (password, confirm_password) can be passed to _convert_scalar() | Jason Gerard DeRose | 2009-10-18 | 3 | -0/+29 |
| Add a separate client-only target | Rob Crittenden | 2009-10-17 | 3 | -6/+106 |
| Fix ACI for host delegation | Rob Crittenden | 2009-10-17 | 1 | -2/+2 |
| We had changed the DN format; I must have missed these ACIs the first go around. | | | | |
| Fix an oops where I forgot to replace a string with a template | Rob Crittenden | 2009-10-17 | 1 | -6/+6 |
| Fixed compatibility break in rpcserver.py | Jason Gerard DeRose | 2009-10-17 | 1 | -2/+2 |
| Add a sleep() prior to calling tasks to ensure postop writes are done | Rob Crittenden | 2009-10-16 | 1 | -0/+3 |
| We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding memberOf in a postop while another was trying to create an index, and this was causing a PRLock deadlock. | | | | |
| Use the FQDN and not just the hostname internally. | Rob Crittenden | 2009-10-16 | 1 | -2/+2 |
| Be more forgiving when trying to replace older DS schema. | Rob Crittenden | 2009-10-16 | 1 | -4/+8 |
| We have to replace 05rfc2247.ldif because it contains some attributes that conflict with DNS in some older versions of 389-DS/RHDS. This fails on some newer versions of 389-DS/RHDS, so this lets it continue installing if the new file is not needed. | | | | |
| Fixed 'import json' for simplejson compatibility | Jason Gerard DeRose | 2009-10-16 | 4 | -3/+54 |
| parse_qs is in cgi on Python < 2.6, use that instead | Rob Crittenden | 2009-10-16 | 1 | -1/+1 |
| Python 2.6's cgi module calls the parse_qs in urlparse for backwards compatibility. | | | | |
| Fixed try/except/finally for Python 2.4 compatibility | Jason Gerard DeRose | 2009-10-15 | 1 | -19/+20 |
| Make plugin browser show plugin parent class | Jason Gerard DeRose | 2009-10-14 | 2 | -0/+8 |
| Removed util.add_global_options() and frontend.Application | Jason Gerard DeRose | 2009-10-14 | 5 | -109/+4 |
| Giant webui patch take 2 | Jason Gerard DeRose | 2009-10-13 | 30 | -4302/+956 |
| Add man page for ipa-join command | Rob Crittenden | 2009-10-12 | 3 | -1/+63 |
| Use nestedgroup instead of groupofnames for rolegroups so we have memberof | Rob Crittenden | 2009-10-12 | 1 | -50/+50 |
| No longer use the IPA-specific memberof plugin. Use the DS-supplied one. | Rob Crittenden | 2009-10-12 | 4 | -3/+6 |
| Improve debugging, general output, initialize xmlrpc-c properly | Rob Crittenden | 2009-10-12 | 1 | -9/+34 |
| Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. | Pavel Zuna | 2009-10-08 | 2 | -2/+8 |
| Fix bug in group plugin. Was using wrong variable for attributes. | Pavel Zuna | 2009-10-08 | 1 | -1/+1 |
| Fix bug #527537. | | | | |
| Fix unit tests for plugins using baseldap classes. | Pavel Zuna | 2009-10-07 | 1 | -3/+1 |
| Make the taskgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-07 | 1 | -135/+40 |
| Make the rolegroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -46/+41 |
| Make the hostgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -173/+45 |
| Make the netgroup plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -309/+116 |
| Make the user plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -230/+76 |
| Make the service plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -205/+66 |
| Fix unit tests for plugins using baseldap classes. | Pavel Zuna | 2009-10-05 | 11 | -277/+231 |
| Make the group plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -124/+65 |
| Make the config plugin use baseldap classes. | Pavel Zuna | 2009-10-05 | 1 | -103/+33 |
| Add HBAC plugin and introduce GeneralizedTime parameter type. | Pavel Zuna | 2009-10-05 | 5 | -1/+738 |
| Add support for per-group kerberos password policy. | Rob Crittenden | 2009-10-05 | 4 | -20/+437 |
| Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups, but with cospriority we can still make sense of things. The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN. | | | | |
| Make primary_key optional. | Rob Crittenden | 2009-10-05 | 1 | -2/+4 |
| The pwpolicy plugin doesn't have a primary key but can still take advantage of other parts of the framework. | | | | |
| Loosen the ACI for the KDC to allow adds/deletes | Rob Crittenden | 2009-10-05 | 1 | -3/+1 |
| Password policy entries must be a child of the entry protected by this ACI. Also change the format of this because in DS it was stored as `\n(target)\n`, so it was base64-encoded when it was retrieved. | | | | |
| Robustness fix for updater, in case updates['updates'] is not set yet. | Rob Crittenden | 2009-10-05 | 1 | -1/+1 |
| Let the updater delete entries and add small test harness | Rob Crittenden | 2009-10-05 | 13 | -7/+322 |
| In order to run the tests you must put your DM password into ~/.ipa/.dmpw. Some tests are expected to generate errors. Don't let any ERROR messages from the updater fool you; watch the pass/fail of the nosetests. | | | | |
| Add option to not normalize a DN when adding/updating a record. | Rob Crittenden | 2009-10-05 | 1 | -4/+6 |
| The KDC ldap plugin is very picky about the format of DNs. It does not allow spacing between elements, so we can't normalize it. | | | | |