path: root/daemons/dnssec
Commit log, newest first. Each entry lists the commit message, author, date, number of files changed and lines removed/added, followed by the commit body.
* Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
  Petr Spacek, 2015-10-07, 2 files, -8/+4

  ldap2 internally does an LDAP search to find out what LDAP search limits should be used (!). The problem is that this internal search has hardcoded limits and throws a LimitExceeded exception when DS is too slow.

  DNSSEC daemons do not need any abstractions from ldap2 so we are going to use ipaldap directly. This will avoid the unnecessary search and associated risks.

  https://fedorahosted.org/freeipa/ticket/5342

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
  Petr Spacek, 2015-09-03, 1 file, -3/+3

  https://fedorahosted.org/freeipa/ticket/5273

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Fix key metadata export
  Petr Spacek, 2015-09-03, 1 file, -1/+1

  Incorrect SQL join condition could lead to a situation where metadata from ZSK and KSK were interchanged.

  https://fedorahosted.org/freeipa/ticket/5273

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
  Petr Spacek, 2015-09-03, 1 file, -8/+31

  https://fedorahosted.org/freeipa/ticket/5273

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
  Petr Spacek, 2015-09-03, 1 file, -0/+6

  It might happen that systemd will restart the service even if there is no incoming connection to the service socket. In that case we want to exit because HSM synchronization is done before socket.accept() and we want to synchronize HSM and DNS zones at the same time.

  https://fedorahosted.org/freeipa/ticket/5273

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* DNSSEC: remove ccache and keytab of ipa-ods-exporter
  Martin Basti, 2015-09-03, 1 file, -1/+1

  Reusing old ccache after reinstall causes authentication error. And prevents DNSSEC from working.

  Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Use the print function
  Petr Viktorin, 2015-09-01, 1 file, -1/+2

  In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well.

  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method names
  Petr Viktorin, 2015-09-01, 2 files, -5/+5

  Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views.

  Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor.

  When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used.

  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Port from python-krbV to python-gssapi
  Michael Simacek, 2015-08-26, 2 files, -4/+4

  python-krbV library is deprecated and doesn't work with python 3. Replacing all its usages with python-gssapi.

  - Removed Backend.krb and KRB5_CCache classes. They were wrappers around krbV classes that cannot really work without them.
  - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache.
  - Merged two kinit_keytab functions.
  - Changed ldap plugin connection defaults to match ipaldap.
  - Unified getting default realm. Using api.env.realm instead of krbV call.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Robbie Harwood <rharwood@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* improve the handling of krb5-related errors in dnssec daemons
  Martin Babinsky, 2015-08-18, 3 files, -4/+20

  ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks.

  https://fedorahosted.org/freeipa/ticket/5229

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize 'except' clauses
  Petr Viktorin, 2015-08-12, 1 file, -2/+2

  The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax.

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literals
  Petr Viktorin, 2015-07-31, 1 file, -1/+1

  Use Python-3 compatible syntax, without breaking compatibility with py 2.7

  - Octal literals start with 0o to prevent confusion
  - The "L" at the end of large int literals is not required as they use long on Python 2 automatically.
  - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking, e.g. type(0).

  https://fedorahosted.org/freeipa/ticket/4985

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is True
  Jan Cholasta, 2015-07-01, 1 file, -1/+0

  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: Store time & date key metadata in UTC.
  Petr Spacek, 2015-07-01, 1 file, -1/+7

  OpenDNSSEC stores key metadata in local time zone but BIND needs timestamps in UTC. UTC will be stored in LDAP.

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
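The conversion the commit above describes, as an added example rather than the exporter's own code. It assumes the OpenDNSSEC host's local zone is a fixed UTC+02:00 offset (so the result is reproducible offline; a daemon would take the host zone instead), that OpenDNSSEC hands over naive "YYYY-MM-DD HH:MM:SS" strings, and that the consumer wants BIND's YYYYMMDDHHMMSS key-timing format, which BIND interprets as UTC. The safety check is that the formatter refuses anything that is not an aware UTC datetime, so a naive local timestamp cannot slip through unconverted.

```python
"""Local-time key metadata -> UTC, formatted for BIND key timing fields.

Added example, not FreeIPA code.  LOCAL_TZ is an assumed fixed offset
standing in for the OpenDNSSEC host's zone; ODS_FORMAT is the assumed
shape of the naive timestamps read from the KASP database.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=2))   # assumed host zone (UTC+02:00)
ODS_FORMAT = "%Y-%m-%d %H:%M:%S"          # assumed naive ODS timestamp shape
BIND_FORMAT = "%Y%m%d%H%M%S"              # BIND key timing: YYYYMMDDHHMMSS, UTC


def local_to_utc(ts: str, local_tz=LOCAL_TZ) -> datetime:
    """Parse a naive ODS timestamp, attach the host zone, return aware UTC."""
    naive = datetime.strptime(ts, ODS_FORMAT)
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def to_bind_time(dt: datetime) -> str:
    """Format an aware UTC datetime for BIND; reject naive or non-UTC input
    so a local-time value can never be written out as if it were UTC."""
    if dt.utcoffset() != timedelta(0):
        raise ValueError("expected an aware UTC datetime, got %r" % (dt,))
    return dt.strftime(BIND_FORMAT)


def parse_bind_time(s: str) -> datetime:
    """Inverse of to_bind_time: BIND timing strings are always UTC."""
    return datetime.strptime(s, BIND_FORMAT).replace(tzinfo=timezone.utc)


def export_key_times(metadata: dict, local_tz=LOCAL_TZ) -> dict:
    """Convert every timestamp field of one key's metadata to BIND form."""
    return {name: to_bind_time(local_to_utc(ts, local_tz))
            for name, ts in metadata.items()}


if __name__ == "__main__":
    # constructed sample record for one key
    sample = {"publish": "2015-07-01 12:34:56", "active": "2015-07-08 12:34:56"}
    print(export_key_times(sample))
```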
* DNSSEC: Improve ipa-ods-exporter log messages with key metadata.
  Petr Spacek, 2015-06-29, 1 file, -1/+1

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
  Petr Spacek, 2015-06-29, 1 file, -45/+57

  New exporter's command 'ipa-full-update' will resynchronize all zone keys from ODS database to LDAP. This command holds the database lock for the whole time to avoid race conditions so it should be used only in special cases, e.g. during master server migration.

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: log ipa-ods-exporter file lock operations into debug log
  Petr Spacek, 2015-06-29, 1 file, -0/+3

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
  Petr Spacek, 2015-06-29, 1 file, -60/+64

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Accept ipa-ods-exporter commands from command line.
  Petr Spacek, 2015-06-29, 1 file, -36/+60

  Previously only systemd socket activation was supported. Ability to call the command directly is handy in special cases, e.g. for debugging or moving key master role from one server to another.

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
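The two modes of operation this entry and the later "prevent ipa-ods-exporter from looping after service auto-restart" entry describe, as an added example; it is not the exporter's code. It implements the systemd socket-activation handshake (sd_listen_fds: LISTEN_PID must equal our PID, LISTEN_FDS counts descriptors starting at fd 3), falls back to a command given on argv, and otherwise reports that there is nothing to do so the caller can exit rather than block in accept() after a restart with no pending connection. The command name, the one-line-per-command wire format and the loopback listener in the demo are constructed for the example.

```python
"""systemd socket activation vs. command-line invocation for a one-shot daemon.

Added example, not FreeIPA code.  The newline-terminated command protocol
and the loopback demo listener are constructed for illustration.
"""
import os
import socket
import sys

SD_LISTEN_FDS_START = 3          # first descriptor systemd passes


def activated_fds(environ=None, pid=None):
    """Descriptors handed over by systemd, or [] if not socket-activated."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []                      # meant for another process
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def choose_command_source(argv, environ=None, pid=None):
    """('socket', fd) when socket-activated, ('argv', cmd) when a command
    was given on the command line, ('none', None) when neither applies."""
    fds = activated_fds(environ, pid)
    if fds:
        return ("socket", fds[0])
    if len(argv) > 1:
        return ("argv", argv[1])
    return ("none", None)


def read_command_from_socket(fd, timeout=5.0):
    """accept() one connection on the activated listener and read a single
    newline-terminated command.  The timeout turns a restart without a
    pending connection into a clean None instead of an indefinite hang."""
    listener = socket.socket(fileno=fd)
    listener.settimeout(timeout)
    try:
        conn, _ = listener.accept()
        with conn:
            return conn.makefile("rb").readline().rstrip(b"\n").decode()
    except socket.timeout:
        return None
    finally:
        listener.close()


def loopback_demo(command=None, timeout=0.5):
    """Constructed stand-in for the systemd-passed socket: a loopback
    listener whose fd is handed to read_command_from_socket.  With a
    command, a client connects and sends it; without one, nothing connects
    and the timeout path is exercised."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = None
    if command is not None:
        client = socket.create_connection(listener.getsockname())
        client.sendall(command.encode() + b"\n")
    try:
        return read_command_from_socket(listener.detach(), timeout=timeout)
    finally:
        if client is not None:
            client.close()


if __name__ == "__main__":
    source, value = choose_command_source(sys.argv)
    if source == "socket":
        print("command from socket:", read_command_from_socket(value))
    elif source == "argv":
        print("command from argv:", value)
    else:
        print("not socket-activated and no command given; exiting")
```

Checking LISTEN_PID against the daemon's own PID matters because the variables are inherited by children; a helper process that skipped the check would try to adopt descriptors that were never passed to it.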
* DNSSEC: Detect invalid master keys in LDAP.
  Petr Spacek, 2015-06-29, 1 file, -0/+1

  This should never happen ...

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide traceback in ipa-dnskeysyncd if kinit failed.
  Petr Spacek, 2015-06-24, 1 file, -1/+6

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: fix traceback during shutdown phase
  Martin Basti, 2015-06-15, 1 file, -11/+11

  ipa-dnskeysyncd causes a traceback when receiving SIGTERM or SIGINT.

  Ticket: https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* use separate ccache filename for each IPA DNSSEC daemon
  Martin Babinsky, 2015-04-24, 3 files, -3/+3

  ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic 'ccache' filename for credential storage, making debugging Kerberos-related errors unnecessarily complicated. This patch renames the ccache files so that each of these daemons now has its own credential cache.

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Adopted kinit_keytab and kinit_password for kerberos auth
  Martin Babinsky, 2015-04-20, 3 files, -5/+11

  Calls to ipautil.run using kinit were replaced with calls to the kinit_keytab/kinit_password functions implemented in the PATCH 0015.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: Do not log into files
  Martin Basti, 2015-04-02, 3 files, -3/+3

  We want to log DNSSEC daemons only into console (journald)

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipapython: Fix incorrect python shebangs
  Tomas Babej, 2015-01-26, 3 files, -3/+3

  Make sure shebangs explicitly reference python2.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC catch ldap exceptions in ipa-dnskeysyncd
  Martin Basti, 2015-01-23, 1 file, -2/+6

  Server down exception causes a lot of false positive abrt reports.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNSSEC: remove container_dnssec_keys
  Jan Cholasta, 2014-10-21, 2 files, -2/+4

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: add ipa dnssec daemons
  Petr Spacek, 2014-10-21, 6 files, -0/+806

  Tickets:
  https://fedorahosted.org/freeipa/ticket/3801
  https://fedorahosted.org/freeipa/ticket/4417

  Design:
  https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>