summaryrefslogtreecommitdiffstats
path: root/ipaclient/install/client.py
Commit message (Collapse)AuthorAgeFilesLines
* Support certificate login after installation and upgradePavel Vomacka2017-03-141-0/+20
| | | | | | | | | | | | Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* install: re-introduce option groupsJan Cholasta2017-03-131-10/+7
| | | | | | | | | Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client install: split off SSSD options into a separate classJan Cholasta2017-03-131-41/+3
| | | | | | | | | Split off SSSD knob definitions from the ClientInstallInterface class into a new SSSDInstallInterface class. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix error in ca_cert_files validatorStanislav Laznicka2017-02-211-0/+4
| | | | | | | | | ClientInstall expects a single ca_cert_file as a string but the framework gives it a list. https://fedorahosted.org/freeipa/ticket/6694 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* client install: create /etc/ipa/nssdb with correct modeJan Cholasta2017-02-201-1/+1
| | | | | | | | | | | | The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add password to certutil calls in NSSDatabaseStanislav Laznicka2017-02-171-14/+3
| | | | | | | | | | NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove is_fips_enabled checks in installers and ipactlStanislav Laznicka2017-02-131-5/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* client install: correctly report all failuresJan Cholasta2017-01-201-12/+13
| | | | | | | | | | | | | In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions. Convert the return statements to raise statements to fix the issue. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* disable hostname canonicalization by Kerberos libraryMartin Babinsky2017-01-111-0/+1
| | | | | | | | | | | | | | | | By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa_generate_password algorithm changePetr Spacek2017-01-061-1/+1
| | | | | | | | | | | | | | | | A change to the algorithm that generates random passwords for multiple purposes throught IPA. This spells out the need to assess password strength by the entropy it contains rather than its length. This new password generation should also be compatible with the NSS implementation of password requirements in FIPS environment so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* client, platform: Use paths.SSH* instead of get_config_dir().Timo Aaltonen2017-01-051-27/+16
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Configure Anonymous PKINIT on server installSimo Sorce2016-12-121-1/+1
| | | | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* server install: fix external CA installJan Cholasta2016-12-081-0/+3
| | | | | | | | | | | | | Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Set explicit confdir option for global contextsChristian Heimes2016-12-021-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaclient: move install modules to the install subpackageJan Cholasta2016-11-291-6/+2
| | | | | | | | | | | | The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-291-27/+29
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib: move certstore to the install subpackageJan Cholasta2016-11-291-7/+2
| | | | | | | | | | The certstore module depends on ipaplatform. Move it to ipalib.install, as it is used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: move kinit functions to ipalib.installJan Cholasta2016-11-291-13/+13
| | | | | | | | | | | kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: move is_fips_enabled() to ipaplatform.tasksJan Cholasta2016-11-291-2/+1
| | | | | | | | The FIPS setting is platform-specific. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* certdb: move IPA NSS DB install functions to ipaclient.installJan Cholasta2016-11-291-1/+49
| | | | | | | | | | | The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipapython: move certmonger and sysrestore to ipalib.installJan Cholasta2016-11-291-9/+2
| | | | | | | | | | The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* paths: remove DEV_NULLJan Cholasta2016-11-291-1/+1
| | | | | | | | | | | The platform-specific path to /dev/null is provided by the Python standard library in os.devnull. Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Break ipaplatform / ipalib import cycle of hellChristian Heimes2016-11-241-4/+4
| | | | | | | | | | | Here is an attempt to break the import cycle of hell between ipaplatform and ipalib. All services now pass an ipalib.api object to services.service(). RedHatServices.__init__() still needs to do a local import because it initializes its wellknown service dict with service instances. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: migrate client install to the new class hierarchyJan Cholasta2016-11-111-1/+126
| | | | | | | | | Migrate ipa-client-install from the custom script to the new installer class hierarchy classes. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: introduce installer class hierarchyJan Cholasta2016-11-111-0/+194
| | | | | | | | | Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added file permissions option to IPAChangeConf.newConf()Stanislav Laznicka2016-11-111-0/+2
| | | | | | | | | Also added information about why os.chmod is called sometimes after newConf() calls. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: use correct code for failed uninstallMartin Basti2016-11-111-2/+2
| | | | | | | | | Hardcoded value 1 means CLIENT_INSTALL_ERROR, but this part belongs to uninstallation so it should be CLIENT_UNINSTALL_ERROR https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: use exceptions instead of return statesMartin Basti2016-11-111-81/+100
| | | | | | | | | | | Python has builtin exceptions which can be used very well to handling errors in python instead of returning error states (C style) Exception will allow better client-server integration in future https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move install cleanup from ipa-client-install to moduleMartin Basti2016-11-111-1/+15
| | | | | | | | Cleanup should be part of installation function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move clean CCACHE to moduleMartin Basti2016-11-111-0/+10
| | | | | | | | | | According 04b8575c52410bb6d31e0e55f1cf431d7cc9c7c3 cleaning CCACHE is needed after installation. This commit moves this cleanup from ipa-client-install to client.install() function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move custom env variable into client moduleMartin Basti2016-11-111-2/+10
| | | | | | | | | | | | | There is no need to have env as parameter because this is used only once, so it can eb safely moved to client.py module NOTE: PATH should be overwritten to safe values before we execute any command https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: extract checks from uninstall to uninstall_checkMartin Basti2016-11-111-2/+8
| | | | | | | | Checks if uninstallation is possible should be moved to uninstall_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: extract checks from install to install_checkMartin Basti2016-11-111-20/+46
| | | | | | | | | client install contained installation check that have been moved to install_check function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move checks to client.install_checkMartin Basti2016-11-111-1/+20
| | | | | | | | Move checks from ipa-client-install to clien.install_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: make statestore and fstore consistent with serverMartin Basti2016-11-111-15/+18
| | | | | | | | | | | | There should not be mixed statestore as global variable and as local function parameter. This commit fixes usage of sysrestore and statestore as local variables only. In future we may need to change default statestore and fstore depending on where the functions are called and this change makes it easier and less error prone. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Separate function to purge IPA host principals from keytabMartin Babinsky2016-11-111-24/+31
| | | | | | | | | This functionality will be reused in the DL0 host enrollment https://fedorahosted.org/freeipa/ticket/6434 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replaced EMPTY_LINE constant with a function callStanislav Laznicka2016-11-111-22/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: Making the configure functions more readableStanislav Laznicka2016-11-111-301/+84
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* IPAChangeConf: use constant for empty lineMartin Basti2016-11-111-84/+21
| | | | | | | | | Instead of copy&paste is better to use constant. It makes code shorter and improves readability, saves resources. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: import IPAChangeConf directly instead the moduleMartin Basti2016-11-111-8/+8
| | | | | | | | | We should use as specific import as possible, better for python memory consumption and speed, and looks better in code. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: remove extra return from hardcode_ldap_serverMartin Basti2016-11-111-2/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: install function: return constant not hardcoded numberMartin Basti2016-11-111-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: remove unneded return from configure_ipa_confMartin Basti2016-11-111-2/+0
| | | | | | | | | Function always returns return code 0, and this code is even not used elsewehere. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: remove unneded return configure_krb5_confMartin Basti2016-11-111-25/+20
| | | | | | | | | Function configure_krb5_conf always returns 0 as return state. Remove the 'return' statement and let exceptions work https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-client-install: move client install to moduleMartin Basti2016-11-111-0/+3476
This commit only moves the code from ipa-client-install to module ipaclient/install/client.py and fixes PEP8. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-08 20:16:49 +0000