summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove dangling RUVs even if replicas are offlineStanislav Laznicka2016-06-031-0/+1
| | | | | | | | | | | Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5. https://fedorahosted.org/freeipa/ticket/5396 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-0361-9/+34787
| | | | | | | | | | Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* plugable: turn Plugin attributes into propertiesJan Cholasta2016-06-032-12/+12
| | | | | | | | | | | | | | Implement the `name`, `doc` and `summary` Plugin attributes as properties to allow them to be overriden in sub-classes. Always use .doc rather than .__doc__ to access plugin documentation. Remove the mostly unused `module`, `fullname`, `bases` and `label` attributes. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Deprecated the domain-level option in ipa-server-installStanislav Laznicka2016-06-021-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5907 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: topologysuffix_find doesn't have no_members optionMartin Basti2016-06-021-1/+1
| | | | | | | | | Remove no_members=False from because topologysuffix_attribute doesn't have no_members option, and this causes errors in replication.py https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Performance: Find commands: do not process members by defaultMartin Basti2016-05-312-2/+4
| | | | | | | | | | | | | | | | In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNS upgrade: change global forwarding policy in named.conf to "only" if ↵Petr Spacek2016-05-303-3/+57
| | | | | | | | | | | | | private IPs are used This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This upgrade has to be done on each IPA DNS server independently. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: change global forwarding policy in LDAP to "only" if private ↵Petr Spacek2016-05-301-0/+16
| | | | | | | | | | | | | | IPs are used This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: change forwarding policy to = only for conflicting forward zonesPetr Spacek2016-05-301-0/+78
| | | | | | | | | | | | This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders too (in LDAP and in named.conf on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: separate backup logic to make it reusablePetr Spacek2016-05-301-72/+73
| | | | | | https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ipaDNSVersion option to dnsconfig* commands and use new attributePetr Spacek2016-05-301-17/+60
| | | | | | | | | | | | | | | | | | | | Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and ipaConfigString was bad idea from the very beginning as it was hard to manipulate the number in it. To avoid problems in future we are introducing new ipaDNSVersion attribute which is used on cn=dns instead of ipaConfigString. Original value of ipaConfigString is kept in the tree for now so older upgraders see it and do not execute the upgrade procedure again. The attribute can be changed only by installer/upgrade so it is not exposed in dnsconfig_mod API. Command dnsconfig_show displays it only if --all option was used. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move IP address resolution from ipaserver.install.installutils to ↵Petr Spacek2016-05-302-25/+17
| | | | | | | | | | | ipapython.dnsutil This is to make it reusable from other modules and to avoid future code duplication. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use root_logger for verify_host_resolvable()Petr Spacek2016-05-301-1/+1
| | | | | | | | | | After discussion with Martin Basti we decided to standardize on root_logger with hope that one day we will use root_logger.getLogger('module') to make logging prettier and tunable per module. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutilPetr Spacek2016-05-303-6/+7
| | | | | | | | | This is preparatory work to avoid (future) cyclic import between ipapython.dnsutil and ipapython.ipautil. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade: always start CAMartin Basti2016-05-251-0/+11
| | | | | | | | | | | Some CA upgrade steps in upgrader requires running CA. We have to always start CA and wait for running status using http, because systemd may return false positive result that CA is running even if CA is just starting and unable to serve. https://fedorahosted.org/freeipa/ticket/5868 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib, ipaserver: fix incorrect API.register calls in docstringsJan Cholasta2016-05-252-6/+4
| | | | | | | | | | | | Use API.add_plugin to load specific plugins into API objects. Use Registry to register plugins. This fixes doctests. https://fedorahosted.org/freeipa/ticket/4739 https://fedorahosted.org/freeipa/ticket/5115 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib, ipaserver: migrate all plugins to Registry-based registrationJan Cholasta2016-05-2516-71/+87
| | | | | | | | Do not use the deprecated API.register method. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* plugable: replace API.import_plugins with new API.add_packageJan Cholasta2016-05-251-1/+5
| | | | | | | | | | | | | | | Replace API.import_plugins with a new method API.add_package which allows loading plugin packages into an API object from a package object. This makes loading of plugin packages loading consistent with loading of plugin modules and classes. Rename API.modules to API.packages and use package objects where implemented to reflect the change. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* rpc: include structured error information in responsesJan Cholasta2016-05-251-0/+1
| | | | | | | | | | | | | | Include keyword arguments of exceptions in RPC responses. This is limited to JSON-RPC, as XML-RPC does not support additional data in error responses. Include keyword arguments of messages in RPC responses. Include keyword arguments of exceptions in batch command result. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* replica install: do not set CA renewal master flagJan Cholasta2016-05-243-4/+28
| | | | | | | | | | | | | The CA renewal master flag was uncoditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Incorrect message when KRA already installedPatrice Duc-Jacquet2016-05-201-0/+5
| | | | | | | | | | | | | | | | | When trying to install a second time KRA, in case domain-level=0 the error lessage is not correct. It mentions : "ipa-kra-install: error: A replica file is required." Note that this behavior is not observed if domain-level=1 The subject of the fix consist in checking that KRA is not already installed before going ahead in the installation process. Tests done: I have made the following tests in bot domain-level=0 and domain-level=1 : - Install KRA (check it is correctly installed), - Install KRA a second time (check that the correct error message is raised) - uninstall KRA (check that it is correctly uninstalled) - Install KRA again (check that it is correctly installed) Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Detect and repair incorrect caIPAserviceCert configFraser Tweedale2016-05-192-3/+49
| | | | | | | | | | | A regression caused replica installation to replace the FreeIPA version of caIPAserviceCert with the version shipped by Dogtag. During upgrade, detect and repair occurrences of this problem. Part of: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Prevent replica install from overwriting cert profilesFraser Tweedale2016-05-191-6/+12
| | | | | | | | | | | | | | An earlier change that unconditionally triggers import of file-based profiles to LDAP during server or replica install results in replicas overwriting FreeIPA-managed profiles with profiles of the same name shipped with Dogtag. ('caIPAserviceCert' is the affected profile). Avoid this situation by never overwriting existing profiles during the LDAP import. Fixes: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Added exception handling for mal-formatted XML ParsingAbhijeet Kasurde2016-05-111-2/+7
| | | | | | | | | | In order to handle mal-formatted XML returned from Dogtag, added exception handling around etree.fromstring function. https://fedorahosted.org/freeipa/ticket/5885 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Replaced find_hostname with api.env.hostAbhijeet Kasurde2016-05-101-21/+1
| | | | | | | Fixes: https://fedorahosted.org/freeipa/ticket/5841 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix remaining relative import and enable Pylint checkPetr Viktorin2016-05-101-1/+1
| | | | | | | | Relative imports are not supported in Python 3. Part of the work for: https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS: Fix upgrade - master to forward zone transformationPetr Spacek2016-05-101-1/+3
| | | | | | | | | | | | | | | This happens when upgrading from IPA <= 4.0 to versions 4.3+. DNS caching might cause false positive in code which replaces master zone with forward zone. This will effectivelly delete the master zone without adding a replacement forward zone. Solution is to use skip_overlap_check option for dnsforwardzone_add command so zone existence check is skipped and the upgrade can proceed. https://fedorahosted.org/freeipa/ticket/5851 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Auto-detect default value for --forward-policy option in installersPetr Spacek2016-04-282-1/+12
| | | | | | | | | | | | | Forward policy defaults to 'first' if no IP address belonging to a private or reserved ranges is detected on local interfaces (RFC 6303). Defaults to only if a private IP address is detected. This prevents problems with BIND automatic empty zones because conflicting zones cannot be disabled unless forwarding policy == only. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend installers with --forward-policy optionPetr Spacek2016-04-284-6/+19
| | | | | | | | | This option specified forward policy for global forwarders. The value is put inside /etc/named.conf. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added fix for notifying user about locked user account in WebUIAbhijeet Kasurde2016-04-281-1/+11
| | | | | | | | | | | | User in now notified about "Locked User account" message instead of "The password or username you entered is incorrect" or any generic error message Fixes : https://fedorahosted.org/freeipa/ticket/5076 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Remove unused hostname variablesMartin Basti2016-04-261-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Always set hostnameMartin Basti2016-04-261-17/+6
| | | | | | | | | | | This prevents cases when hostname on system is set inconsistently (transient and static hostname differs) and may cause IPA errors. This commit ensures that all hostnames are set properly. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Configure httpd service from installer instead of directly from RPMMartin Basti2016-04-222-0/+11
| | | | | | | | | | | | | | File httpd.service was created by RPM, what causes that httpd service may fail due IPA specific configuration even if IPA wasn't installed or was uninstalled (without erasing RPMs). With this patch httpd service is configured by httpd.d/ipa.conf during IPA installation and this config is removed by uninstaller, so no residual http configuration related to IPA should stay there. https://fedorahosted.org/freeipa/ticket/5681 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replica-prepare: do not add PTR records if there is no IPA managed reverse zoneMartin Babinsky2016-04-191-0/+5
| | | | | | | | | | | ipa-replica-prepare could crash during addition of replica's PTR records if there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone' returns an unhandled None. The code will now issue a warning and skip the PTR record addition in this case. https://fedorahosted.org/freeipa/ticket/5740 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added fix for notifying user about Kerberos principal expiration in WebUIAbhijeet Kasurde2016-04-151-2/+11
| | | | | | | | | | | | - User is now notified about "Kerberos Principal expiration" message instead of "Wrong username or password" message. - User is also notified about "Invalid password" message instead of generic error message. https://fedorahosted.org/freeipa/ticket/5077 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limitsMartin Babinsky2016-04-131-2/+3
| | | | | | | | | | | When LDAP search fails on exceeded limits, we should raise an specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out. https://fedorahosted.org/freeipa/ticket/5677 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Look up HTTPD_USER's UID and GID during installation.David Kupka2016-03-231-1/+5
| | | | | | | | | Those values differ among distributions and there is no guarantee that they're reserved. It's better to look them up based on HTTPD_USER's name. https://fedorahosted.org/freeipa/ticket/5712 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix kdc.conf.template to use ipaplatform.paths.Timo Aaltonen2016-03-231-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use ODS_USER/ODS_GROUP in opendnssec_conf.templateTimo Aaltonen2016-03-231-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.Timo Aaltonen2016-03-237-18/+20
| | | | | | | | | Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa_restore: Import only FQDN from ipalib.constantsTimo Aaltonen2016-03-231-4/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move user/group constants for PKI and DS into ipaplatformChristian Heimes2016-03-228-29/+35
| | | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Pylint: remove unnecessary-semicolonMartin Basti2016-03-221-1/+1
| | | | | Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: import max one module per lineMartin Basti2016-03-223-3/+6
| | | | | Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: use list comprehension instead of iterationMartin Basti2016-03-221-4/+1
| | | | | | | | | Iteration over indexes without calling enumeration fuction is not pythonic and should not be used. In this case iteration can be replaced by list comprehension. Fixing this allows to enable pylint consider-using-enumerate check. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: enable reimported checkMartin Basti2016-03-223-5/+2
| | | | | | | Fixes current reimports and enables pylint check for them Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: fix definition of global variablesMartin Basti2016-03-221-0/+3
| | | | | | | | | | Global variables should be defined in the outer space, not just marked as global inside functions. Removes unused global variables Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-228-12/+12
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Remove redundant parameters from CS.cfg in dogtaginstanceMartin Basti2016-03-161-8/+0
| | | | | | | | | | Bind DN is not used for client certificate authentication so they can be safely removed. https://fedorahosted.org/freeipa/ticket/5298 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure 389ds with "default" cipher suiteMartin Basti2016-03-091-2/+2
| | | | | | | | | nsSSLCiphers: "default" provides only secure ciphers that should be used when connecting to DS https://fedorahosted.org/freeipa/ticket/5684 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-03 23:42:16 +0000