| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the capability of installing a Dogtag DRM
to an IPA instance. With this patch, when ipa-server-install
is run, a Dogtag CA and a Dogtag DRM are created. The DRM
shares the same tomcat instance and DS instance as the Dogtag CA.
Moreover, the same admin user/agent (and agent cert) can be used
for both subsystems. Certmonger is also confgured to monitor the
new subsystem certificates.
It is also possible to clone the DRM. When the IPA instance is
cloned, if --enable-ca and --enable-drm are specified, the DRM
is cloned as well.
Installing a DRM requires the user to have a Dogtag CA instance.
We can look into possibly relaxing that requirement in a later patch.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to DRM and CA
installs. This will become very useful when we add more PKI
subsystems.
I am still working on patches for a ipa-drm-install script, which
would be used to add a DRM to an existing master (that includes
a dogtag CA), or an existing clone.
|
|
|
|
|
|
|
|
|
|
|
| |
Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.
https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This will allow us to make vendors' lives easier by embedding a
vendor tag to installation logs.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides two new options for the ipa-client-install:
--nisdomain: specifies the NIS domain name
--no_nisdomain: flag to aviod setting the NIS domain name
In case no --nisdomain is specified and --no_nisdomain flag was
not set, the IPA domain is used.
Manual pages updated.
http://fedorahosted.org/freeipa/ticket/3202
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a parameter that represents a DateTime format using datetime.datetime
object from python's native datetime library.
In the CLI, accepts one of the following formats:
Accepts LDAP Generalized time without in the following format:
'%Y%m%d%H%M%SZ'
Accepts subset of values defined by ISO 8601:
'%Y-%m-%dT%H:%M:%SZ'
'%Y-%m-%dT%H:%MZ'
'%Y-%m-%dZ'
Also accepts above formats using ' ' (space) as a separator instead of 'T'.
As a simplification, it does not deal with timezone info and ISO 8601
values with timezone info (+-hhmm) are rejected. Values are expected
to be in the UTC timezone.
Values are saved to LDAP as LDAP Generalized time values in the format
'%Y%m%d%H%SZ' (no time fractions and UTC timezone is assumed). To avoid
confusion, in addition to subset of ISO 8601 values, the LDAP generalized
time in the format '%Y%m%d%H%M%SZ' is also accepted as an input (as this is the
format user will see on the output).
Part of: https://fedorahosted.org/freeipa/ticket/3306
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
| |
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
| |
get_type returns the Python type for an LDAP attribute.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
|
|
|
|
|
| |
Before, this was done by dogtag-ipa-retrieve-agent-submit.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Run function can now run the specified command as different user by
setting the both real and effective UID and GID for executed process.
Add both the missing run function attribute doc strings as well as
a doc string for the runas attribute.
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
|
| |
Use LDAPEntry.generate_modlist instead of LDAPClient._generate_modlist and
remove LDAPClient._generate_modlist.
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
| |
Remove legacy IPAdmin methods generateModList and updateEntry.
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
| |
Add some default overrides.
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
| |
Refactor IPASimpleLDAPObject methods get_syntax and get_single_value.
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3488
|
|
|
|
|
|
|
|
|
|
| |
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
|
|
|
|
|
|
|
|
|
|
|
|
| |
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.
FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2
https://fedorahosted.org/freeipa/ticket/3438
Updated by pviktori@redhat.com
|
| |
|
|
|
|
|
|
|
| |
Server and client installer should allow kernel keyring ccache when
supported.
https://fedorahosted.org/freeipa/ticket/4013
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3971
|
|
|
|
|
|
|
| |
Creating a LDAPEntry from dict does not set the raw entries,
to display everything we need to combine the underlying data.
https://fedorahosted.org/freeipa/ticket/4015
|
|
|
|
|
|
|
|
|
|
|
| |
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/3504
|
|
|
|
|
|
|
| |
Now that there's a dedicated schema updater, we do not need the code
in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
|
|
|
|
|
|
|
|
|
| |
Option --configure-firefox configures firefox to use Kerberos
credentials within IPA domain
Optional option --firefox-dir=DIR allows to user to specify non-standard
path where firefox install directory is placed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/3821
|
|
|
|
|
| |
The utf8_encode_value/_values functions from ipautil are no longer used.
Remove them.
|
|
|
|
|
|
| |
This change makes single_value consistent with the raw property.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
|
|
|
|
|
|
|
| |
This is achieved by storing both decoded and encoded attribute values in
LDAPEntry and synchronizing changes between them whenever an attribute is
accessed.
Added a new property "raw" to LDAPEntry. It provides a dictionary-like
object which can be used to directly access encoded attribute values.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
|
|
|
| |
Outside of LDAPEntry, it is still possible to use non-lists. Once we enforce
lists for attribute values, this will be removed.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
|
|
|
| |
This method is intended as a counterpart of IPASimpleLDAPObject.encode and
replaces IPASimpleLDAPObject.convert_value_list.
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3521
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch for ticket 3964 changed the installer so that it does not
always wait for CA if the proxy is not configured. However,
it was found out that it may freeze an installation when
a step subsequent after CA restart call the CA and receives no
reply.
Change the wait so that it always waits for CA to start up. If
HTTP proxy is already configured, it should wait on port 443.
If not, it should wait on local PKI port 8443.
https://fedorahosted.org/freeipa/ticket/3973
|
|
|
|
|
|
|
|
| |
Proxy configuration was not detected correctly. Both
ipa-pki-proxy.conf and ipa.conf need to be in place and httpd
restarted to be able to check it's status.
https://fedorahosted.org/freeipa/ticket/3964
|
|
|
|
|
| |
Previously NSPRError was given arguments in the wrong order.
Fix this by naming the arguments.
|
|
|
|
|
|
|
|
|
| |
Updating a CIDict with data like {'A': 1, 'a': 2} would lead to data
loss since only one of the items would get to the CIDict.
This can result in non-obvious bugs similar to this one in python-ldap:
https://bugzilla.redhat.com/show_bug.cgi?id=1007820
Raise an error in this case; any resolution must be done by the caller.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make the CIDict interface match standard dict (except view* methods).
Add __contains__, __iter__, clear.
Add keyword and iterable support for __init__, update.
Also add values() and itervalues(). Previously the dict versions were
used; the new ones guarantee that the order matches keys().
Mark view* methods as not implemented.
CIDict.copy() now returns a CIDict.
Test the above additions, and fromkeys() which worked but wasn't tested.
|