summaryrefslogtreecommitdiffstats
path: root/ipaplatform
Commit message (Collapse)AuthorAgeFilesLines
* ipaplatform: Add Debian platform module.Timo Aaltonen2017-01-197-1/+365
| | | | | | | | | | | | | | | | | | | | | | | v2: - use redhat_services.redhat_system_units.copy - don't use wildcard imports - add some empty lines to make pep8 happy v3: - make parse_ipa_version static v4: - make more methods static v5: - fix pylint issues - use syntax that doesn't break with python3 v6: - remove IPA_GETKEYTAB from paths, it's the same across distros Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Fix for handling CalledProcessError in authconfigAbhijeet Kasurde2017-01-182-3/+16
| | | | | | | | | | | NIS configuration error should be hidden from user while running ipa-client-install Fixes https://fedorahosted.org/freeipa/ticket/5244 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client, platform: Use paths.SSH* instead of get_config_dir().Timo Aaltonen2017-01-053-10/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Configure Anonymous PKINIT on server installSimo Sorce2016-12-121-1/+2
| | | | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove BIN_FALSE and BIN_TRUEChristian Heimes2016-12-021-2/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Adjustments for setup requirementsChristian Heimes2016-11-301-3/+0
| | | | | | | | | | | | | | * Fix some typos, missing or surplus dependencies. * Remove setup requirement on wheel since it triggers download. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaclient: remove hard dependency on ipaplatformJan Cholasta2016-11-291-15/+0
| | | | | | | | Hard-code the user cache directory path in ipaclient.remote_plugins.schema. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipapython: remove hard dependency on ipaplatformJan Cholasta2016-11-292-1/+1
| | | | | | | | | | | | | | Use hard-coded paths to certutil, pk12util and openssl in certdb if ipaplatform is not available. Hard-coded the path to setpasswd in ipautil.run() doc string. Remove ipaplatform dependency from ipapython's setup.py and add ipapython dependency to ipaplatform's setup.py. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: move is_fips_enabled() to ipaplatform.tasksJan Cholasta2016-11-292-0/+22
| | | | | | | | The FIPS setting is platform-specific. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIRJan Cholasta2016-11-292-2/+1
| | | | | | | | | | | SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform. Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove both SHARE_DIR and PLUGIN_SHARE_DIR. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* certdb: use a temporary file to pass password to pk12utilJan Cholasta2016-11-291-1/+0
| | | | | | | | | | | Currently the PKCS#12 file password is passed via stdin and pk12util reads it from /dev/stdin, which is platform-specific. Use a temporary file instead. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* paths: remove DEV_NULLJan Cholasta2016-11-291-1/+0
| | | | | | | | | | | The platform-specific path to /dev/null is provided by the Python standard library in os.devnull. Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Break ipaplatform / ipalib import cycle of hellChristian Heimes2016-11-245-34/+41
| | | | | | | | | | | Here is an attempt to break the import cycle of hell between ipaplatform and ipalib. All services now pass an ipalib.api object to services.service(). RedHatServices.__init__() still needs to do a local import because it initializes its wellknown service dict with service instances. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Minor fixes for IPAVersion classChristian Heimes2016-11-221-5/+11
| | | | | | | | | | | | | Py3: classes with __eq__ must provide __hash__ function or set __hash__ to None. Comparison function like __eq__ must signal unsupported types by returning NotImplemented. Python turns this in a proper TypeError. Make the version member read-only and cache _bytes represention. https://fedorahosted.org/freeipa/ticket/6473 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove references to ds_newinst.plFraser Tweedale2016-11-211-1/+0
| | | | | | | | ds_newinst.pl was removed from 389 DS over 9 years ago. Remove references to it. Fixes: https://fedorahosted.org/freeipa/ticket/6496 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add install requirements to Python packagesChristian Heimes2016-11-161-0/+10
| | | | | | | https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Don't modify redhat_system_unitsChristian Heimes2016-11-161-1/+1
| | | | | | | | ipaplatform.fedora.services used to modify the redhat_system_units dict. It now creates a proper shallow copy. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Build: Makefiles for Python packagesPetr Spacek2016-11-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | This version builds only one version of Python packages. If you want to build for Python 2 & 3 call configure twice using different --with-python or specify PYTHON variable when calling make. dist-hook is using SOURCES.txt file from egg-info. According to Petr Viktorin this should be enough for our purposes and avoids need to create plugins for setuptools. Currently VPATH builds do not work for various reasons. This should be fixed later on. Most credit goes to these guys: Christian Heimes <cheimes@redhat.com> Petr Viktorin <pviktori@redhat.com> Kevin Brown <kevin@kevin-brown.com> https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add __name__ == __main__ guards to setup.pysChristian Heimes2016-10-251-17/+17
| | | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Build: replace ipaplatform magic with symlinks generated by configurePetr Spacek2016-10-244-24/+3
| | | | | | | | | | | | | | | The original approach with __path__ implemented by 8f98fa1bd5f1da207fab6f89b75e0cdc19d00797 broke Pylint: We decided to resort back to symlinks as it is easiest solution which does not break pylint in weird ways. This commit introduces configure --with-ipaplatform option. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Port all setup.py to setuptoolsChristian Heimes2016-10-203-79/+47
| | | | | | | | | | | All setup.py files are now using setuptools through a common file ipasetup.py. The file is auto-generated and contain all common settings. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Replace ipaplatform's symlinks with a meta importerChristian Heimes2016-10-202-6/+17
| | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Purge obsolete firefox extensionTimo Aaltonen2016-10-131-4/+0
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* pylint: fix simplifiable-if-statement warningsJan Barta2016-09-221-8/+4
| | | | | | | fix inefficient if statements, enable pylint check Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* client: remove hard dependency on pam_krb5Jan Cholasta2016-09-192-0/+3
| | | | | | | | | If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* support schema files from third-party pluginsAlexander Bokovoy2016-08-191-0/+1
| | | | | | | | | | | | | Allow upgrade process to include schema files from third-party plugins installed in /usr/share/ipa/schema.d/*.schema. The directory /usr/shar/eipa/schema.d is owned by the server-common subpackage and therefore third-party plugins should depend on freeipa-server-common (ipa-server-common) package in their package dependencies. Resolves: https://fedorahosted.org/freeipa/ticket/5864 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Call hostnamectl set-hostname only if --hostname option is usedPetr Spacek2016-08-102-16/+4
| | | | | | | | | | This commit also splits hostname backup and configuration into two separate functions. This allows us to backup hostname without setting it at the same time. https://fedorahosted.org/freeipa/ticket/6071 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.confMartin Basti2016-08-091-0/+1
| | | | | | | | | | This file allows daemon tmpfiles.d to re-create the dirs in volatile directories like /var/run or /var/lock. Without this file Dirsrv will not start. https://fedorahosted.org/freeipa/ticket/6165 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* RedHatCAService should wait for local Dogtag instanceChristian Heimes2016-08-031-1/+2
| | | | | | | | | | | | | | | | RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus returns OK. The ca_status() function defaults to api.env.ca_host as host. On a replica without CA ca_host is a remote host (e.g. master's FQDN). ipa-ca-install waits for master:8080 instead of replica:8080, which might be blocked by a firewall. https://fedorahosted.org/freeipa/ticket/6016 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat: Save server's API version in for pre-schema serversDavid Kupka2016-08-031-0/+15
| | | | | | | | | | | | When client comunicates with server that doesn't support 'schema' command it needs to determine its api version to be able to use the right compat code. Storing information about server version reduces the need to call 'env' or 'ping' command only to first time the server is contacted. https://fedorahosted.org/freeipa/ticket/6069 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Correct path to HTTPD's systemd service directoryChristian Heimes2016-08-021-2/+2
| | | | | | | | | | | | | Ticket #5681 and commit 586fee293f42388510fa5436af19460bbe1fdec5 changed the location of the ipa.conf for Apache HTTPD. The variables SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to the wrong directory /etc/systemd/system/httpd.d/. The path is corrected to /etc/systemd/system/httpd.service.d/. https://fedorahosted.org/freeipa/ticket/6158 https://bugzilla.redhat.com/show_bug.cgi?id=1362537 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* CI tests: improve log collectingMartin Basti2016-07-261-0/+1
| | | | | | | | We should collect as much as possible relevant logs to be able do better investigation from test automation Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* unite log file name of ipa-ca-installPetr Vobornik2016-07-211-1/+0
| | | | | | | | | | | | | | | | | | | ipa-ca-install said that it used /var/log/ipareplica-ca-install.log but in fact it used /var/log/ipaserver-ca-install.log This patch unites it to ipareplica-ca-install.log It was chosen because of backwards compatibility - ipareplica-ca-install was more commonly used. ipaserver-ca-install.log was used only in rare CA less -> CA installation. https://fedorahosted.org/freeipa/ticket/6086 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Do not log error when removing a non-existing fileFlorence Blanc-Renaud2016-07-011-4/+11
| | | | | | | | | When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and the file does not exist, only log to debug instead of error. https://fedorahosted.org/freeipa/ticket/6012 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not allow installation in FIPS modeFlorence Blanc-Renaud2016-06-291-0/+1
| | | | | | | https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fixes CA always being presented as runningStanislav Laznicka2016-06-152-2/+19
| | | | | | | | | | Even after manually stopping the pki-tomcatd service instance the service's is_running() method would still return True. https://fedorahosted.org/freeipa/ticket/5898 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add custodia store for lightweight CA key replicationFraser Tweedale2016-06-091-0/+1
| | | | | | | | | | | | | | | Due to limitations in Dogtag's use of NSSDB, importing private keys must be done by the Dogtag Java process itself. This requires a PKIArchiveOptions format (signing key wrapped with host CA key) - PKCS #12 cannot be used because that would require decrypting the key in Dogtag's memory, albeit temporarily. Add a new custodia store that executes a 'pki' command to acquire the wrapped key. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Added krb5.conf.d/ to included dirs in krb5.confStanislav Laznicka2016-06-051-0/+1
| | | | | | | | | The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly https://fedorahosted.org/freeipa/ticket/5912 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparisonPetr Viktorin2016-05-301-2/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tasks: raise NotImplementedError for not implemented methodsMartin Basti2016-04-261-15/+15
| | | | | | | | | | | | Is safer to raise error than trying to find what is wrong with method that is not correctly overriden The new method set_hostname has been added which should be overriden on other platforms. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Log errors from backup_and_replace hostname to loggerMartin Basti2016-04-261-2/+5
| | | | | | | | Without logging errors to logger is hard to debug issue from logfile. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove deprecated hostname restoration from Fedora18Martin Basti2016-04-262-12/+0
| | | | | | | | This is not needed on new Fedora, because restore will not be effective. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Always set hostnameMartin Basti2016-04-263-33/+28
| | | | | | | | | | | This prevents cases when hostname on system is set inconsistently (transient and static hostname differs) and may cause IPA errors. This commit ensures that all hostnames are set properly. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Configure httpd service from installer instead of directly from RPMMartin Basti2016-04-223-0/+40
| | | | | | | | | | | | | | File httpd.service was created by RPM, what causes that httpd service may fail due IPA specific configuration even if IPA wasn't installed or was uninstalled (without erasing RPMs). With this patch httpd service is configured by httpd.d/ipa.conf during IPA installation and this config is removed by uninstaller, so no residual http configuration related to IPA should stay there. https://fedorahosted.org/freeipa/ticket/5681 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Use netifaces module instead of 'ip' commandMartin Basti2016-04-141-1/+0
| | | | | | | | | Netifaces allows to get addresses from local interfaces of the host in safer way than parsing output of the ip command. https://fedorahosted.org/freeipa/ticket/5591 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix kdc.conf.template to use ipaplatform.paths.Timo Aaltonen2016-03-231-0/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.Timo Aaltonen2016-03-233-38/+5
| | | | | | | | | Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* Move user/group constants for PKI and DS into ipaplatformChristian Heimes2016-03-222-2/+7
| | | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-221-2/+2
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Use platform path constant for SSSD log dirMartin Basti2016-03-161-0/+1
| | | | | | | The path to SSSD log directory is platform specific and should be in ipaplatform module. Reviewed-By: David Kupka <dkupka@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 07:22:11 +0000