summaryrefslogtreecommitdiffstats
path: root/ipa-client
Commit message (Collapse)AuthorAgeFilesLines
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+4
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Decode script arguments using file system encodingJan Cholasta2015-09-072-2/+2
| | | | | | | | This mimics Python 3's behavior, where sys.argv is automatically decoded using file system encoding, as returned by sys.getfilesystemencoding(). This includes reimplementation of os.fsdecode() from Python 3. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use new-style raise syntaxPetr Viktorin2015-09-011-1/+1
| | | | | | | | | The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use the print functionPetr Viktorin2015-09-012-35/+39
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove use of sys.exc_valuePetr Viktorin2015-09-011-2/+2
| | | | | | | sys.exc_value is deprecated since Python 1.5, and was removed in Python 3. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Simplify adding options in ipachangeconfSimo Sorce2015-08-271-0/+21
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Port from python-krbV to python-gssapiMichael Simacek2015-08-263-10/+10
| | | | | | | | | | | | | | | | | | python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* client: Add description of --ip-address and --all-ip-addresses to man pageDavid Kupka2015-08-191-0/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4249 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: Add support for multiple IP addresses during installation.David Kupka2015-08-181-66/+223
| | | | | | https://fedorahosted.org/freeipa/ticket/4249 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-client-install: warn when IP used in --serverStanislav Laznicka2015-08-141-0/+19
| | | | | | | | | ipa-client-install fails when an IP address is passed to ipa-join instead of a FQDN https://fedorahosted.org/freeipa/ticket/4932 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-125-98/+98
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-313-7/+7
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-client-install: Do not (re)start certmonger and DBus daemons.David Kupka2015-07-201-56/+15
| | | | | | | | | | | | When DBus is present in the system it is always running. Starting of certmomger is handled in ipapython/certmonger.py module if necessary. Restarting is no longer needed since freeipa is not changing certmonger's files. https://fedorahosted.org/freeipa/ticket/5095 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* enable debugging of ntpd during client installationMartin Babinsky2015-07-202-4/+8
| | | | | | | | | | When installing IPA client in debug mode, the ntpd command spawned during initial time-sync with master KDC will also run in debug mode. https://fedorahosted.org/freeipa/ticket/4931 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.pyChristian Heimes2015-07-141-2/+2
| | | | | | | | | | Python 3 doesn't support tuple unpacking in except clauses. All implicit tuple unpackings have been replaced with explicit unpacking of e.args. https://fedorahosted.org/freeipa/ticket/5120 Reviewed-By: Tomas Babej <tbabej@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib: Fix skip_version_check optionJan Cholasta2015-07-081-0/+3
| | | | | | | | | | | This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474. The option can be either set in IPA config file or specified as 'ipa -e skip_version_check=1 [COMMAND]'. https://fedorahosted.org/freeipa/ticket/4768 Reviewed-By: Martin Basti <mbasti@redhat.com>
* FIX: Clear SSSD caches when uninstalling the clientMartin Basti2015-07-071-7/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/5049 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Clear SSSD caches when uninstalling the clientGabe2015-06-301-0/+13
| | | | | | https://fedorahosted.org/freeipa/ticket/5049 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* increase NSS memcache timeout for IPA serverMartin Babinsky2015-06-301-0/+9
| | | | | | | | | Increasing memcache timeout to 600 seconds when configuring sssd on IPA server should improve performance when dealing with large groups in trusts. https://fedorahosted.org/freeipa/ticket/4964 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Move vaults to cn=vaults,cn=kraJan Cholasta2015-06-101-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
* Clarify host name output in ipa-client-installPetr Spacek2015-06-051-1/+1
| | | | | | Proposed by Tomas Capek Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added vault plugin.Endi S. Dewata2015-05-251-0/+1
| | | | | | | | | A new plugin has been added to manage vaults. Test scripts have also been added to verify the functionality. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* client-install: Fix kinits with non-default Kerberos config fileJan Cholasta2015-05-211-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* suppress errors arising from deleting non-existent files during client uninstallMartin Babinsky2015-04-291-18/+22
| | | | | | | | | | | When rolling back partially configured IPA client a number of OSErrors pop up due to uninstaller trying to remove files that do not exist anymore. This patch supresses these errors while keeping them in log as debug messages. https://fedorahosted.org/freeipa/ticket/4966 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa client: use NTP servers specified by userMartin Basti2015-04-241-9/+15
| | | | | | | | NTP servers specified by user should be used to synchronize time. https://fedorahosted.org/freeipa/ticket/4983 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: use NTP servers detected from SRVMartin Basti2015-04-241-1/+8
| | | | | | | | | Detected NTP servers from SRV records should be used in NTP client configuration. https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa client: make --ntp-server option multivaluedMartin Basti2015-04-243-14/+18
| | | | | | | | There can be more ntp servers in ntp.conf Required for ticket: https://fedorahosted.org/freeipa/ticket/4981 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Adopted kinit_keytab and kinit_password for kerberos authMartin Babinsky2015-04-202-4/+8
| | | | | | | | | Calls to ipautil.run using kinit were replaced with calls kinit_keytab/kinit_password functions implemented in the PATCH 0015. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-client-install: try to get host TGT several times before giving upMartin Babinsky2015-04-202-29/+48
| | | | | | | | | | | | | | New option '--kinit-attempts' enables the host to make multiple attempts to obtain host TGT from master before giving up and aborting client installation. In addition, all kinit attempts were replaced by calls to 'ipautil.kinit_keytab' and 'ipautil.kinit_password'. https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add message for skipping NTP configuration during client installGabe2015-04-141-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/3092 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Skip time sync during client install when using --no-ntpNathan Kinder2015-03-261-1/+2
| | | | | | | | | | When --no-ntp is specified during ipa-client-install, we still attempt to perform a time sync before obtaining a TGT from the KDC. We should not be attempting to sync time with the KDC if we are explicitly told to not configure ntp. Ticket: https://fedorahosted.org/freeipa/ticket/4842 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* client: Fix ca_is_enabled callsJan Cholasta2015-03-192-4/+4
| | | | | | | | | The command was added in API version 2.107. Old IPA servers may crash with NetworkError on ca_is_enabled, handle this case gracefully. https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* client-install: Do not crash on invalid CA certificate in LDAPJan Cholasta2015-03-191-4/+13
| | | | | | | | | When CA certificates in LDAP are corrupted, use the otherwise acquired CA certificates from before. https://fedorahosted.org/freeipa/ticket/4565 Reviewed-By: David Kupka <dkupka@redhat.com>
* Timeout when performing time sync during client installNathan Kinder2015-03-161-1/+7
| | | | | | | | | | | | | We use ntpd now to sync time before fetching a TGT during client install. Unfortuantely, ntpd will hang forever if it is unable to reach the NTP server. This patch adds the ability for commands run via ipautil.run() to have an optional timeout. This capability is used by the NTP sync code that is run during ipa-client-install. Ticket: https://fedorahosted.org/freeipa/ticket/4842 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.David Kupka2015-03-051-2/+8
| | | | | | | | | | | ipa-client-automount is run after ipa-client-install so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP warn user and try to continue. https://fedorahosted.org/freeipa/ticket/4902 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipa-client-install: put eol character after the last line of altered config ↵Martin Babinsky2015-02-101-0/+3
| | | | | | | | file(s) https://fedorahosted.org/freeipa/ticket/4864 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Typos in ipa-rmkeytab options help and man pageGabe2015-02-102-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4890 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Use dyndns_update instead of deprecated sssd optionMartin Basti2015-01-281-1/+1
| | | | | | | | | ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used instead. https://fedorahosted.org/freeipa/ticket/4849 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add debug messages into client autodetectionMartin Basti2015-01-211-0/+5
| | | | | | Is hard to debug what the problem with REALM is without debug messages. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove usage of app_PYTHON in ipaserver MakefilesGabe2014-12-101-20/+0
| | | | | | | | - Remove ChangeLog from ipa-client/Makefile.am https://fedorahosted.org/freeipa/ticket/4700 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prefer TCP connections to UDP in krb5 clientsNathaniel McCallum2014-12-081-0/+1
| | | | | | | | | | | | | | In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether. https://fedorahosted.org/freeipa/ticket/4725 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* No explicit zone specification.Jan Pazdziora2014-12-051-6/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4780 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix unchecked return value in ipa-joinJan Cholasta2014-11-251-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Use asn1c helpers to encode/decode the getkeytab controlSimo Sorce2014-11-203-199/+53
| | | | | | | | | | | Replaces manual encoding with automatically generated code. Fixes: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Fix memory leaks in ipa-joinJan Cholasta2014-11-052-11/+9
| | | | | | | | | Also remove dead code in ipa-join and add initializer to a variable in ipa-getkeytab to prevent false positives in static code analysis. https://fedorahosted.org/freeipa/ticket/4651 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-042-44/+35
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not wait for new CA certificate to appear in LDAP in ipa-certupdateJan Cholasta2014-10-301-2/+4
| | | | | | | | | If new certificate is not available, reuse the old one, instead of waiting indefinitely for the new certificate to appear. https://fedorahosted.org/freeipa/ticket/4628 Reviewed-By: David Kupka <dkupka@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-172-15/+38
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add ipa-client-install switch --request-cert to request cert for the hostJan Cholasta2014-10-162-12/+97
| | | | | | | | | The certificate is stored in /etc/ipa/nssdb under the nickname "Local IPA host". https://fedorahosted.org/freeipa/ticket/4550 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-09 06:26:07 +0000