summaryrefslogtreecommitdiffstats
path: root/client/ipa-client-install
Commit message (Collapse)AuthorAgeFilesLines
* install: migrate client install to the new class hierarchyJan Cholasta2016-11-111-228/+2
| | | | | | | | | Migrate ipa-client-install from the custom script to the new installer class hierarchy classes. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: use exceptions instead of return statesMartin Basti2016-11-111-10/+9
| | | | | | | | | | | Python has builtin exceptions which can be used very well to handling errors in python instead of returning error states (C style) Exception will allow better client-server integration in future https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move install part to else branchMartin Basti2016-11-111-5/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move install cleanup from ipa-client-install to moduleMartin Basti2016-11-111-17/+1
| | | | | | | | Cleanup should be part of installation function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move clean CCACHE to moduleMartin Basti2016-11-111-5/+0
| | | | | | | | | | According 04b8575c52410bb6d31e0e55f1cf431d7cc9c7c3 cleaning CCACHE is needed after installation. This commit moves this cleanup from ipa-client-install to client.install() function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: fix script executionMartin Basti2016-11-111-11/+12
| | | | | | | | | if __name__ == "__main__" should be first instead of try block. We want execute it only when file was executed as script https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: Remove useless except in ipa-client-installMartin Basti2016-11-111-2/+0
| | | | | | | | | SystemExit is raised by sys.exit() so catching and reraising it again is wasting of resources https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move custom env variable into client moduleMartin Basti2016-11-111-5/+3
| | | | | | | | | | | | | There is no need to have env as parameter because this is used only once, so it can eb safely moved to client.py module NOTE: PATH should be overwritten to safe values before we execute any command https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: extract checks from uninstall to uninstall_checkMartin Basti2016-11-111-0/+4
| | | | | | | | Checks if uninstallation is possible should be moved to uninstall_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move checks to client.install_checkMartin Basti2016-11-111-16/+4
| | | | | | | | Move checks from ipa-client-install to clien.install_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: make statestore and fstore consistent with serverMartin Basti2016-11-111-6/+3
| | | | | | | | | | | | There should not be mixed statestore as global variable and as local function parameter. This commit fixes usage of sysrestore and statestore as local variables only. In future we may need to change default statestore and fstore depending on where the functions are called and this change makes it easier and less error prone. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-client-install: move client install to moduleMartin Basti2016-11-111-2885/+20
| | | | | | | | | This commit only moves the code from ipa-client-install to module ipaclient/install/client.py and fixes PEP8. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* x509: use python-cryptography to process certsFraser Tweedale2016-11-101-13/+14
| | | | | | | | | | | | | | | | | Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code. Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions. Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* ipaldap: merge IPAdmin to LDAPClientTomas Krizek2016-11-071-1/+2
| | | | | | | | | | | | | | | | * move IPAdmin methods to LDAPClient * add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__() * add host, port, _protocol to LDAPClient (parsed from ldap_uri) * create get_ldap_uri() method to create ldap_uri from former IPAdmin.__init__() arguments * replace IPAdmin with LDAPClient + get_ldap_uri() * remove ununsed function argument hostname from enable_replication_version_checking() https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge gssapi_bind to LDAPClientTomas Krizek2016-11-071-1/+1
| | | | | | | | | * Rename do_sasl_gssapi_bind to gssapi_bind https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* do not use keys() method when iterating through dictionariesMartin Babinsky2016-10-121-1/+1
| | | | | | | | | pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when building FreeIPA, we have to fix these errors https://fedorahosted.org/freeipa/ticket/6391 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Pylint: remove unused variables from installers and scriptsMartin Basti2016-10-061-10/+7
| | | | Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable check for unused-variablesMartin Basti2016-09-271-0/+2
| | | | | | | | | | | | | | | Unused variables may: * make code less readable * create dead code * potentialy hide issues/errors Enabled check should prevent to leave unused variable in code Check is locally disabled for modules that fix is not clear or easy or have too many occurences of unused variables Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Update man/help for --server optionTomas Krizek2016-09-231-1/+1
| | | | | | | | | The --server option now specifically mentions that it expects the FQDN of the IPA server. https://fedorahosted.org/freeipa/ticket/6202 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Updated help/man information about hostnameStanislav Laznicka2016-09-221-1/+2
| | | | | | | | | The man page and help of ipa-client-install and ipa-replica-conncheck had an outdated information about what is used as a hostname. https://fedorahosted.org/freeipa/ticket/5754 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Add log messages for IP checks during client installTomas Krizek2016-09-211-2/+3
| | | | | | | | | | The added log messages allow easier debugging of IP related issues during ipa-client-install. https://fedorahosted.org/freeipa/ticket/6331 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* client: remove hard dependency on pam_krb5Jan Cholasta2016-09-191-0/+4
| | | | | | | | | If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Abstract procedures for IP address warningsMartin Basti2016-09-141-14/+5
| | | | | | | | | | | Originaly there should be only two occurencees of this warning, one for server, one for client. But obviously is not possible with current installers to achive this goal, so I have to extract code to not mess with 5 times copy and paste. https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
* Show warning when net/broadcast IP address is used in installerMartin Basti2016-09-071-0/+14
| | | | | | https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Call hostnamectl set-hostname only if --hostname option is usedPetr Spacek2016-08-101-1/+2
| | | | | | | | | | This commit also splits hostname backup and configuration into two separate functions. This allows us to backup hostname without setting it at the same time. https://fedorahosted.org/freeipa/ticket/6071 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* server uninstall fails to remove krb principalsFlorence Blanc-Renaud2016-07-201-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the 3rd issue of ticket 6012: ipa-server-install --uninstall -U complains while removing Kerberos service principals from /etc/krb5.keytab ---- Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 ---- This happens because the uninstaller performs the following sequence: 1/ restore pre-install files, including /etc/krb5.keytab At this point /etc/krb5.keytab does not contain any principal for IPA domain 2/ call ipa-client-install --uninstall, which in turns runs ipa-rmkeytab -k /etc/krb5.keytab -r <domain> to remove the principals. The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not found in keytab) https://fedorahosted.org/freeipa/ticket/6012 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Create server and host certs with DNS altnameFraser Tweedale2016-07-191-1/+1
| | | | | | | | | | | | | | Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* client-install: log exceptions from certmonger.request_certPetr Spacek2016-07-011-3/+3
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not allow installation in FIPS modeFlorence Blanc-Renaud2016-06-291-1/+4
| | | | | | | https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* client-install: do not fail if DNS times out during DNS update generationPetr Spacek2016-06-291-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: Share validator and domain name normalization with server installPetr Spacek2016-06-281-1/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added krb5.conf.d/ to included dirs in krb5.confStanislav Laznicka2016-06-051-1/+2
| | | | | | | | | The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly https://fedorahosted.org/freeipa/ticket/5912 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* client install: finalize API after CA certs are availableJan Cholasta2016-06-031-1/+2
| | | | | | | | | This is required for the finalize call to be able connect to the server to retrieve API schema. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* rpc: specify connection options in API configJan Cholasta2016-06-031-51/+53
| | | | | | | | | Specify RPC connection options once in API.bootstrap rather than in each invocation of rpcclient.connect. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* rpc: respect API config in RPCClient.create_connectionJan Cholasta2016-06-031-1/+2
| | | | | | | | | | When connecting rpcclient, get the default values of the `verbose`, `fallback` and `delegate` options from API config rather than hard-code them. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Added <my_hostname>=<IPA REALM> mapping to krb5.confStanislav Laznicka2016-06-021-4/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/5903 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use root_logger for verify_host_resolvable()Petr Spacek2016-05-301-1/+1
| | | | | | | | | | After discussion with Martin Basti we decided to standardize on root_logger with hope that one day we will use root_logger.getLogger('module') to make logging prettier and tunable per module. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove deprecated hostname restoration from Fedora18Martin Basti2016-04-261-2/+1
| | | | | | | | This is not needed on new Fedora, because restore will not be effective. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Always set hostnameMartin Basti2016-04-261-2/+2
| | | | | | | | | | | This prevents cases when hostname on system is set inconsistently (transient and static hostname differs) and may cause IPA errors. This commit ensures that all hostnames are set properly. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-client-install: fix typo in nslcd service namePetr Vobornik2016-04-221-1/+1
| | | | | | related but does not implement https://fedorahosted.org/freeipa/ticket/5806 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use netifaces module instead of 'ip' commandMartin Basti2016-04-141-26/+19
| | | | | | | | | Netifaces allows to get addresses from local interfaces of the host in safer way than parsing output of the ip command. https://fedorahosted.org/freeipa/ticket/5591 Reviewed-By: David Kupka <dkupka@redhat.com>
* Pylint: fix definition of global variablesMartin Basti2016-03-221-6/+5
| | | | | | | | | | Global variables should be defined in the outer space, not just marked as global inside functions. Removes unused global variables Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-221-2/+2
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* client: enable ChallengeResponseAuthentication in sshd_configMartin Basti2016-03-181-0/+1
| | | | | | | | | | | | In order to enable SSSD smart prompting and allow it to ask for 1FA and 2FA separately, ChallengeResponseAuthentication should be set to yes. This change will enable better processing of the 2FA value and it will also enable other features, like allow SSSD to make the 2FA option in some cases and have a way of informing user that 2FA is optional. https://fedorahosted.org/freeipa/ticket/5703 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* krb5conf: use 'true' instead of 'yes' for forwardable optionMartin Basti2016-03-091-1/+1
| | | | | | | | | 'yes' is also valid value in krb5.conf but we should be consistent and use only 'true' as we do for other options. https://fedorahosted.org/freeipa/ticket/5518 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove unused arguments from update_ssh_keys methodMartin Basti2016-03-041-2/+4
| | | | | | | First argumet has been unused and can be safely removed, because server is not used for nsupdate anymore Reviewed-By: David Kupka <dkupka@redhat.com>
* fix suspicious except statementsMartin Basti2016-03-041-1/+1
| | | | | | | | | The "except ValueError as UnicodeDecodeError" looks very suspicious. Commit change except to catch both exceptions. https://fedorahosted.org/freeipa/ticket/5718 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* client: stop using /etc/pki/nssdbJan Cholasta2016-02-241-30/+0
| | | | | | | | | | Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses /etc/ipa/nssdb and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade. https://fedorahosted.org/freeipa/ticket/5592 Reviewed-By: David Kupka <dkupka@redhat.com>
* Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)Petr Viktorin2016-01-271-0/+3144
Make ipaclient a Python library like ipapython, ipalib, etc. Use setup.py instead of autotools for installing it. Move C client tools, Python scripts, and man pages, to client/. Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS). Remove /setup-client.py (ipalib/setup.py should be used instead). Update Makefiles and the spec file accordingly. https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-11 17:56:32 +0000