summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix CA cert validity check for CA-less and external CA installer optionsJan Cholasta2014-10-161-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4612 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix typo causing certmonger is provided with wrong path to ipa-submit.David Kupka2014-10-161-3/+4
| | | | | | | | | Using strip() instead split() caused that only first character of path was specified. Also using shlex for more robust parsing. https://fedorahosted.org/freeipa/ticket/4624 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Set IPA CA for freeipa certificates.David Kupka2014-10-141-1/+5
| | | | | | | | | | In previous versions (before moving certmonger.py to DBus) it was set and some tools and modules depends on it. For example: ipa-getcert uses this to filter freeipa certificates. https://fedorahosted.org/freeipa/ticket/4618 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add missing imports to ipapython.certdbJan Cholasta2014-09-301-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix certmonger.wait_for_requestJan Cholasta2014-09-301-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4558 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use NSSDatabase instead of direct certutil calls in client codeJan Cholasta2014-09-301-11/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add NSSDatabase.has_nickname for checking nickname presence in a NSS DBJan Cholasta2014-09-301-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move NSSDatabase from ipaserver.certs to ipapython.certdbJan Cholasta2014-09-301-0/+451
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Introduce NSS database /etc/ipa/nssdbJan Cholasta2014-09-301-0/+28
| | | | | | | | | | This is the new default NSS database for IPA. /etc/pki/nssdb is still maintained for backward compatibility. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Refactoring of autobind, object_existsMartin Basti2014-09-261-0/+37
| | | | | | | | | Required to prevent code duplications ipaldap.IPAdmin now has method do_bind, which tries several bind methods ipaldap.IPAClient now has method object_exists(dn) Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move setting SELinux booleans to platform codePetr Viktorin2014-09-261-0/+47
| | | | | | | | | | | | | | | | | | | Create a platform task for setting SELinux booleans. Use an exception for the case when the booleans could not be set (since this is an error if not handled). Since ipaplatform should not depend on ipalib, create a new errors module in ipapython for SetseboolError. Handle uninstallation with the same task, which means the booleans are now restored with a single call to setsebool. Preparation for: https://fedorahosted.org/freeipa/ticket/4157 Fixes: https://fedorahosted.org/freeipa/ticket/2934 Fixes: https://fedorahosted.org/freeipa/ticket/2519 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Fix certmonger code causing the ca_renewal_master update plugin to failJan Cholasta2014-09-231-1/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4547 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-051-263/+270
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.Jan Cholasta2014-07-301-0/+2
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Provide additional functions to ipapython.certmonger.Jan Cholasta2014-07-301-0/+28
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipa-ldap-updater: make possible to use LDAPI with autobind in case of ↵Alexander Bokovoy2014-07-041-0/+4
| | | | | | | | | | | | | | | | | hardened LDAP configuration When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Clear NSS session cache when socket is closedMartin Kosek2014-07-021-0/+1
| | | | | | | | | Even when NSS connection is closed, there may be still cached certificates in the NSS lib. This may cause subsequent NSS initialization to crash. This problem especially reproduces in the unit tests. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaldap: Override conversion of nsds5replicalast{update,init}{start,end}Tomas Babej2014-07-021-0/+4
| | | | | | | | | | | | | | | | | The replication related attributes with generalized time syntax have special behaviour implemented in 389, as follows: In case they are explicitly requested for and not set, 0 is returned. However, 0 is not a valid value for LDAP Generalized time. Thus we need to add these attributes to the _SYNTAX_OVERRIDE dictionary, overriding their conversion to datetime and converting them to string instead, which perserves the old behaviour expected by the replication codebase. https://fedorahosted.org/freeipa/ticket/4350 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix handle python-dns UnicodeErrorMartin Basti2014-06-201-4/+5
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Clarify LDAPClient docstrings about get_entry, get_entries and find_entriesPetr Spacek2014-06-201-1/+6
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaplatform: Change makefiles to accomodate for new platform packageTomas Babej2014-06-162-8/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove remnants of the ipapython/platformTomas Babej2014-06-167-304/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-168-42/+50
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move Fedora-specific implementations of tasks to fedora base ↵Tomas Babej2014-06-162-105/+0
| | | | | | | | platform file https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove legacy redhat platform moduleTomas Babej2014-06-162-282/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Do not require custom Authconfig implementations from platform ↵Tomas Babej2014-06-162-129/+0
| | | | | | | | modules https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move restore_context and check_selinux_status implementations ↵Tomas Babej2014-06-161-44/+0
| | | | | | | | to base fedora platform tasks https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Moved Fedora 16 service implementations and refactored them as ↵Tomas Babej2014-06-161-201/+0
| | | | | | | | base Fedora module service implementations https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move default implementations of tasks from service.py.inTomas Babej2014-06-161-36/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move service base platfrom related functionality to ↵Tomas Babej2014-06-162-385/+1
| | | | | | | | ipaplatform/base/service.py https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipalib.config: Don't autoconvert values to floatPetr Viktorin2014-06-162-1/+3
| | | | | | | | | | | | | | | | | | When api.env is loaded, strings that "look like" floats got auto-converted to floats. This is wrong, as the conversion to float can lose precision. Case in point: the api_version (e.g. '2.88') should never be interpreted as float. Do not automatically convert to float. We have two numeric options: startup_timeout and wait_for_dns. wait_for_dns is already converted to int when used in the code. Convert startup_timeout to float explicitly when used, so configuration that specified it with a decimal point continues to work. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* ipautil.run args log message is confusingGabe2014-06-091-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3724 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSName conversion in ipaldapMartin Basti2014-06-031-0/+7
| | | | | | | | | | Domain name has to be stored in LDAP in punycoded value Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNSName typeMartin Basti2014-06-031-0/+100
| | | | | | | | | | Type used to store domain names based on dnspython Part of ticket: IPA should allow internationalized domain names https://fedorahosted.org/freeipa/ticket/3169 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-271-0/+1
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib.version: Add VENDOR_VERSIONPetr Viktorin2014-05-271-0/+3
| | | | | | | | | This will allow us to make vendors' lives easier by embedding a vendor tag to installation logs. Part of the work for: https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client: Set NIS domain name in the installerTomas Babej2014-05-092-1/+4
| | | | | | | | | | | | | | | | Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Reviewed-By: Jakub Hrozek <jhrozek@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipalib: Add DateTime parameterTomas Babej2014-05-051-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds a parameter that represents a DateTime format using datetime.datetime object from python's native datetime library. In the CLI, accepts one of the following formats: Accepts LDAP Generalized time without in the following format: '%Y%m%d%H%M%SZ' Accepts subset of values defined by ISO 8601: '%Y-%m-%dT%H:%M:%SZ' '%Y-%m-%dT%H:%MZ' '%Y-%m-%dZ' Also accepts above formats using ' ' (space) as a separator instead of 'T'. As a simplification, it does not deal with timezone info and ISO 8601 values with timezone info (+-hhmm) are rejected. Values are expected to be in the UTC timezone. Values are saved to LDAP as LDAP Generalized time values in the format '%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid confusion, in addition to subset of ISO 8601 values, the LDAP generalized time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the format user will see on the output). Part of: https://fedorahosted.org/freeipa/ticket/3306 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Keep original name when setting attribute in LDAPEntry.Jan Cholasta2014-04-181-33/+20
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Replace get_syntax method of IPASimpleObject with new get_type method.Jan Cholasta2014-04-181-13/+15
| | | | | | get_type returns the Python type for an LDAP attribute. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.Jan Cholasta2014-03-251-6/+3
| | | | | | Before, this was done by dogtag-ipa-retrieve-agent-submit. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix modlist generation code not to generate empty replace mods.Jan Cholasta2014-03-031-3/+3
| | | | | https://fedorahosted.org/freeipa/ticket/4138 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Raise an exception when legacy LDAP API is used.Jan Cholasta2014-01-241-19/+12
|
* Add runas option to run functionMartin Kosek2014-01-221-21/+38
| | | | | | | | Run function can now run the specified command as different user by setting the both real and effective UID and GID for executed process. Add both the missing run function attribute doc strings as well as a doc string for the runas attribute.
* Do not crash on bad LDAP data when formatting decode error message.Jan Cholasta2014-01-101-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Store old entry state in dict rather than LDAPEntry.Jan Cholasta2014-01-101-29/+17
| | | | https://fedorahosted.org/freeipa/ticket/3488
* Remove legacy LDAPEntry properties data and orig_data.Jan Cholasta2014-01-101-11/+0
| | | | https://fedorahosted.org/freeipa/ticket/3488
generated by cgit (git 2.34.1) at 2025-09-04 00:47:19 +0000