summaryrefslogtreecommitdiffstats
path: root/ipaplatform
Commit message (Collapse)AuthorAgeFilesLines
...
* Move freeipa certmonger helpers to libexecdir.Timo Aaltonen2016-02-261-1/+1
| | | | | | | | | | | The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also cause trouble on Debian). https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove workaround for CA running checkFraser Tweedale2016-01-211-24/+1
| | | | | | | | | | | | | A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated). Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method, and update specfile to remove ipalib dependency on curl. Reviewed-By: Martin Basti <mbasti@redhat.com>
* use FFI call to rpmvercmp function for version comparisonMartin Babinsky2016-01-111-32/+12
| | | | | | | | | | | | | Stop using rpm-python to compare package versions since the implicit NSS initialization upon the module import breaks NSS handling in IPA code. Call rpm-libs C-API function via CFFI instead. Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet that spurred this patch. https://fedorahosted.org/freeipa/ticket/5572 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upgrade: Fix upgrade of NIS Server configurationMartin Basti2016-01-111-0/+1
| | | | | | | | | | | | | Former upgrade file always created the NIS Server container, that caused the ipa-nis-manage did not set all required NIS maps. Default creation of container has been removed. Updating of NIS Server configuration and NIS maps is done only if the NIS Server container exists. https://fedorahosted.org/freeipa/ticket/5507 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove unused importsMartin Basti2015-12-232-2/+0
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use module variables for timedate_servicesMartin Basti2015-12-233-3/+3
| | | | | | | Explicitly store timedate services in module variable is safer than doind just unused import. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix: replace mkdir with chmodMartin Basti2015-12-221-1/+1
| | | | | | | | In original patches, extra mkdir has been added instead of chmod. https://fedorahosted.org/freeipa/ticket/5520 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix version comparisonMartin Basti2015-12-221-0/+53
| | | | | | | | Use RPM library to compare vendor versions of IPA for redhat platform https://fedorahosted.org/freeipa/ticket/5535 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Explicitly call chmod on newly created directoriesMartin Basti2015-12-141-0/+1
| | | | | | | | | Without calling os.chmod(), umask is effective and may cause that directory is created with permission that causes failure. This can be related to https://fedorahosted.org/freeipa/ticket/5520 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dogtaginstance: remove unused function 'check_inst'Fraser Tweedale2015-12-141-1/+0
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-143-25/+27
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Migrate wget references and usage to curlGabe2015-12-112-5/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/5458 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-253-34/+11
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Drop configure.jarMartin Basti2015-11-131-2/+0
| | | | | | | | | Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipaplatform: Add NTPD_OPTS_VAR and NTPD_OPTS_QUOTE to constantsTimo Aaltonen2015-11-041-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Add SECURE_NFS_VAR to constantsTimo Aaltonen2015-11-041-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Add NAMED_USER to constantsTimo Aaltonen2015-11-041-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Add HTTPD_USER to constants, and use it.Timo Aaltonen2015-11-041-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Handle binascii.Error from base64.b64decode()Petr Viktorin2015-10-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In Python 3, the base64.b64decode function raises binascii.Error (a ValueError subclass) when it finds incorrect padding. In Python 2 it raises TypeError. Callers should usually handle ValueError; unless they are specifically concerned with handling base64 padding issues). In some cases, callers should handle ValueError: - ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should handle ValueError - ipalib.x509 (load_certificate*, get_*): callers should handle ValueError In other cases ValueError is handled: - ipalib.parameters - ipapython.ssh - ipalib.rpc (json_decode_binary - callers already expect ValueError) - ipaserver.install.ldapupdate Elsewhere no error handling is done, because values come from trusted sources, or are pre-validated: - vault plugin - ipaserver.install.cainstance - ipaserver.install.certs - ipaserver.install.ipa_otptoken_import Reviewed-By: Tomas Babej <tbabej@redhat.com>
* topology: manage ca replication agreementsPetr Vobornik2015-10-151-0/+1
| | | | | | | | | | | | | Configure IPA so that topology plugin will manage also CA replication agreements. upgrades if CA is congigured: - ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX - ipaReplTopoManagedSuffix: o=ipaca is added to master entry - binddngroup is added to o=ipaca replica entry Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-0/+1
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ipa-custodia serviceSimo Sorce2015-10-151-0/+4
| | | | | | | | | | Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.urllib instead of urllib/urllib2/urlparsePetr Viktorin2015-10-071-7/+7
| | | | | | | | In Python 3, these modules are reorganized. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* paths: Add GENERATE_RNDC_KEY.Timo Aaltonen2015-10-051-0/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipatests: configure Network Manager not to manage resolv.confMilan KubĂ­k2015-10-021-1/+1
| | | | | | | | | For the duration of the test, makes resolv.conf unmanaged. If NetworkManager is not running, nothing is changed. https://fedorahosted.org/freeipa/ticket/5331 Reviewed-By: Martin Basti <mbasti@redhat.com>
* do not overwrite files with local users/groups when restoring authconfigMartin Babinsky2015-10-021-0/+12
| | | | | | | | | | the patch fixes regression in ipa-restore caused by overwriting /etc/passwd, /etc/shadow and fiends during restore of authconfig configuration files. These files are now excluded from authconfig backup dir. https://fedorahosted.org/freeipa/ticket/5328 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: fix kdcproxy user home directoryJan Cholasta2015-09-231-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5314 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* platform: add option to create home directory when adding userJan Cholasta2015-09-232-4/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/5314 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-backup: Add mechanism to store empty directory structureTomas Babej2015-09-221-0/+3
| | | | | | | | | | | | | Certain subcomponents of IPA, such as Dogtag, cannot function if non-critical directories (such as log directories) have not been stored in the backup. This patch implements storage of selected empty directories, while preserving attributes and SELinux context. https://fedorahosted.org/freeipa/ticket/5297 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: support KRA updateJan Cholasta2015-09-171-1/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Using LDAPI to setup CA and KRA agents.Endi S. Dewata2015-09-071-2/+0
| | | | | | | | | | | The CA and KRA installation code has been modified to use LDAPI to create the CA and KRA agents directly in the CA and KRA database. This way it's no longer necessary to use the Directory Manager password or CA and KRA admin certificate. https://fedorahosted.org/freeipa/ticket/5257 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: remove ccache and keytab of ipa-ods-exporterMartin Basti2015-09-031-0/+1
| | | | | | | | | Reusing old ccache after reinstall causes authentication error. And prevents DNSSEC from working. Related to ticket: https://fedorahosted.org/freeipa/ticket/5273 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-4/+5
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replace filter() calls with list comprehensionsPetr Viktorin2015-09-011-1/+1
| | | | | | | | In Python 3, filter() returns an iterator. Use list comprehensions instead. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-012-3/+5
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Removed clear text passwords from KRA install log.Endi S. Dewata2015-08-261-0/+2
| | | | | | | | | | The ipa-kra-install tool has been modified to use password files instead of clear text passwords when invoking pki tool such that the passwords are no longer visible in ipaserver-kra-install.log. https://fedorahosted.org/freeipa/ticket/5246 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Backup/resore authentication control configurationDavid Kupka2015-08-193-0/+29
| | | | | | https://fedorahosted.org/freeipa/ticket/5071 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* fix typo in BasePathNamespace member pointing to ods exporter configMartin Babinsky2015-08-171-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-8/+8
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* DNS: check if DNS package is installedMartin Basti2015-07-213-2/+3
| | | | | | | | | | | Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Add constants submoduleTomas Babej2015-07-214-0/+60
| | | | | | | | Introduce a ipaplatform/constants.py file to store platform related constants, which are not paths. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* cermonger: Use private unix socket when DBus SystemBus is not available.David Kupka2015-07-201-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5095 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-071-0/+2
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipaplatform: Remove redundant definitionsTomas Babej2015-07-022-6/+0
| | | | | | | | | | The variables path_namespace and task_namespace in the base platform are not used anywhere in the rest of the codebase and are just debris from previous implementation. This patch removes them. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipaplatform: Do not use MagicDict for KnownServicesJan Cholasta2015-07-011-2/+23
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Clear SSSD caches when uninstalling the clientGabe2015-06-301-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5049 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
* Rate-limit while loop in SystemdService.is_active().Petr Spacek2015-06-291-0/+5
| | | | | | | Previously is_active() was frenetically calling systemctl is_active in tight loop which in fact made the process slower. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP)Christian Heimes2015-06-241-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Use 389-ds centralized scripts.David Kupka2015-06-111-0/+4
| | | | | | | | | Directory server is deprecating use of tools in instance specific paths. Instead tools in bin/sbin path should be used. https://fedorahosted.org/freeipa/ticket/4051 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Fix ipa-kra-installJan Cholasta2015-06-101-2/+2
| | | | | | | | | Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 14:00:11 +0000