summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipaclient
Commit message (Collapse)AuthorAgeFilesLines
* ipachangeconf: Add ability to preserve section caseTomas Babej2015-11-261-1/+4
| | | | | | | | | | The IPAChangeConf normallizes section names to lower case. There are cases where this behaviour might not be desirable, so provide a way to opt out. https://fedorahosted.org/freeipa/ticket/5069 Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-4/+3
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipachangeconf: Remove reference to an old-style interfaceTomas Babej2015-11-101-1/+0
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use six.moves.urllib instead of urllib/urllib2/urlparsePetr Viktorin2015-10-071-2/+3
| | | | | | | | In Python 3, these modules are reorganized. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+4
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use new-style raise syntaxPetr Viktorin2015-09-011-1/+1
| | | | | | | | | The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Simplify adding options in ipachangeconfSimo Sorce2015-08-271-0/+21
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-123-11/+11
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-312-3/+3
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* enable debugging of ntpd during client installationMartin Babinsky2015-07-201-2/+5
| | | | | | | | | | When installing IPA client in debug mode, the ntpd command spawned during initial time-sync with master KDC will also run in debug mode. https://fedorahosted.org/freeipa/ticket/4931 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.pyChristian Heimes2015-07-141-2/+2
| | | | | | | | | | Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args. https://fedorahosted.org/freeipa/ticket/5120 Reviewed-By: Tomas Babej <tbabej@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa client: make --ntp-server option multivaluedMartin Basti2015-04-241-5/+6
| | | | | | | | There can be more ntp servers in ntp.conf Required for ticket: https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Adopted kinit_keytab and kinit_password for kerberos authMartin Babinsky2015-04-201-1/+3
| | | | | | | | | Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* client: Fix ca_is_enabled callsJan Cholasta2015-03-191-2/+2
| | | | | | | | | The command was added in API version 2.107. Old IPA servers may crash with NetworkError on ca_is_enabled, handle this case gracefully. https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* Timeout when performing time sync during client installNathan Kinder2015-03-161-1/+7
| | | | | | | | | | | | | We use ntpd now to sync time before fetching a TGT during client install. Unfortuantely, ntpd will hang forever if it is unable to reach the NTP server. This patch adds the ability for commands run via ipautil.run() to have an optional timeout. This capability is used by the NTP sync code that is run during ipa-client-install. Ticket: https://fedorahosted.org/freeipa/ticket/4842 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-client-install: put eol character after the last line of altered config ↵Martin Babinsky2015-02-101-0/+3
| | | | | | | | file(s) https://fedorahosted.org/freeipa/ticket/4864 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add debug messages into client autodetectionMartin Basti2015-01-211-0/+5
| | | | | | Is hard to debug what the problem with REALM is without debug messages. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdateJan Cholasta2014-10-301-2/+4
| | | | | | | | | If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear. https://fedorahosted.org/freeipa/ticket/4628 Reviewed-By: David Kupka <dkupka@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-2/+18
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manageJan Cholasta2014-09-301-0/+1
| | | | | | | | The search criteria did not include the CA agent name. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Get server hostname from jsonrpc_uri in ipa-certupdateJan Cholasta2014-09-301-4/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Check if IPA client is configured in ipa-certupdateJan Cholasta2014-09-301-0/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4460 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdbJan Cholasta2014-09-301-38/+21
| | | | | | | | | Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file is removed now. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use NSSDatabase instead of direct certutil calls in client codeJan Cholasta2014-09-301-9/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Introduce NSS database /etc/ipa/nssdbJan Cholasta2014-09-301-0/+9
| | | | | | | | | | This is the new default NSS database for IPA. /etc/pki/nssdb is still maintained for backward compatibility. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow user to force Kerberos realm during installation.David Kupka2014-09-051-20/+32
| | | | | | | | | User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/4444 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-051-5/+4
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add client certificate update tool ipa-certupdate.Jan Cholasta2014-07-302-0/+172
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not crash client basedn discovery when SSF not metMartin Kosek2014-07-291-4/+4
| | | | | | | | | | ipa-client-install runs anonymous search in non-rootdse space which may raise UNWILLING_TO_PERFORM error. This case was only covered for BIND, but not for the actual LDAP queries. https://fedorahosted.org/freeipa/ticket/4459 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Pylint fixesTomas Babej2014-06-161-15/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-162-5/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-9/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-2/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ntpconf: remove redundant commentMartin Kosek2014-01-241-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/4094
* Fix ntpd config on clients.Jan Cholasta2014-01-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4094
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-1/+1
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Replace ntpdate calls with ntpdAna Krivokapic2013-09-091-14/+12
| | | | | | | Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20), replace ntpdate calls with ntpd. https://fedorahosted.org/freeipa/ticket/3797
* Remove __all__ specifications in ipaclient and ipaserver.installPetr Viktorin2013-09-061-3/+0
| | | | | | | | | | | The __all__ list does not cause submodules to be imported, e.g. one would still have to `import ipaclient.ipachangeconf` rather than just `import ipaclient` to use `ipaclient.ipachangeconf`. Even if they did do anything, the lists were incomplete, and (since `import *` is not used on these modules) unnecessary. Pylint 1.0 reports undeclared names in __all__ as a warning.
* Preserve already configured options in openldap confTomas Babej2013-04-301-2/+12
| | | | | | | | | | | | | We should respect already configured options present in /etc/openldap/ldap.conf when generating our own configuration. With this patch, we only rewrite URI, BASE and TLS_CACERT options only if they are not configured. In the case they are, our suggested configuration is inserted as a comment. Also adds tab as a delimeter character in /etc/openldap/ldap.conf https://fedorahosted.org/freeipa/ticket/3582
* ipa-client discovery with anonymous access offMartin Kosek2013-03-201-5/+1
| | | | | | | | | | | | | When RootDSE could be read (nsslapd-allow-anonymous-access set to "rootdse"), autodiscovery module failed to report success to the client installer. Remove faulty "verified_servers" flag from autodiscovery module as it has no point since we consider both scenarios (IPA server with anonymous access on and unknown LDAP server with anonymous access off) as success. https://fedorahosted.org/freeipa/ticket/3519
* Preserve order of servers in ipa-client-installMartin Kosek2013-03-141-9/+12
| | | | | | | | | | | | When multiple servers are passed via --server option, ipadiscovery module changed its order. Make sure that we preserve it. Also make sure that user is always warned when a tested server is not available as then the server will be excluded from the fixed server list. Log messages were made more informative so that user knows which server is actually failing to be verified. https://fedorahosted.org/freeipa/ticket/3418
* Don't download the schema in ipadiscoveryPetr Viktorin2013-03-131-1/+3
|
* Remove unneeded python-ldap importsPetr Viktorin2013-03-131-2/+0
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-131-42/+49
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Add LDAP server fallback to client installerRob Crittenden2013-02-071-28/+77
| | | | | | | | | | | | | | Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-30/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Do not crash when Kerberos SRV record is not foundMartin Kosek2013-01-021-2/+3
| | | | | | | | ipa-client-install crashed when IPA server realm TXT record was configured, but the referred domain (lower-case realm value) did not contain any Kerberos SRV record (_kerberos._udp.<realm>.) https://fedorahosted.org/freeipa/ticket/3316
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-071-0/+68
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
generated by cgit (git 2.34.1) at 2026-01-07 17:47:20 +0000