IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-29 10:21:18 -06:00
Code Issues Packages Projects Releases Wiki Activity
eeee8e1c6e
freeipa/ipalib/constants.py

195 lines
7.1 KiB
Python
Raw Normal View History

Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
# Authors:
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Martin Nagy <mnagy@redhat.com>
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
"""
Started roughing out the consolidated type/parameter system in parameters.py; started corresponding unit tests
2008-12-10 22:14:05 -06:00
All constants centralised in one file.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
"""
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
import socket
Reload UI on server upgrade. The JSON server has been modified to return the version number in all responses. The UI has been modified to keep the version obtained during env operation and check the version returned in subsequent operations. If the version changes the UI will reload itself. Ticket #946
2011-12-20 19:45:57 -06:00
from ipapython.version import VERSION
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
try:
FQDN = socket.getfqdn()
except:
try:
FQDN = socket.gethostname()
except:
FQDN = None
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
Started roughing out the consolidated type/parameter system in parameters.py; started corresponding unit tests
2008-12-10 22:14:05 -06:00
# The parameter system treats all these values as None:
NULLS = (None, '', u'', tuple(), [])
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
# regular expression NameSpace member names must match:
Allow one-character Param names This is done explicitly to support the l/localityname attribute.
2010-02-12 10:01:23 -06:00
NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
# Format for ValueError raised when name does not match above regex:
NAME_ERROR = 'name must match %r; got %r'
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Standard format for TypeError message:
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
TYPE_ERROR = '%s: need a %r; got %r (a %r)'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Stardard format for TypeError message when a callable is expected:
New Param: added unit tests for TypeError cases in DefaultFrom.__init__()
2008-12-18 03:08:41 -06:00
CALLABLE_ERROR = '%s: need a callable; got %r (which is a %r)'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Standard format for StandardError message when overriding an attribute:
Cleaned up Env.__setattr__() and Env.__setitem__() a bit updated their unit tests
2008-12-22 18:29:11 -06:00
OVERRIDE_ERROR = 'cannot override %s.%s value %r with %r'
# Standard format for AttributeError message when a read-only attribute is
# already locked:
Some more reorganization in Env and added class docstring to Env with lots of examples
2008-12-22 22:02:43 -06:00
SET_ERROR = 'locked: cannot set %s.%s to %r'
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
DEL_ERROR = 'locked: cannot delete %s.%s'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Changed calling signature of output_for_cli(); started work on 'textui' backend plugin
2008-11-12 01:46:04 -06:00
# Used for a tab (or indentation level) when formatting for CLI:
CLI_TAB = ' ' # Two spaces
Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True
2008-10-31 19:55:32 -05:00
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# The section to read in the config files, i.e. [global]
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
CONFIG_SECTION = 'global'
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# The default configuration for api.env
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# This is a tuple instead of a dict so that it is immutable.
# To create a dict with this config, just "d = dict(DEFAULT_CONFIG)".
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
DEFAULT_CONFIG = (
Reload UI on server upgrade. The JSON server has been modified to return the version number in all responses. The UI has been modified to keep the version obtained during env operation and check the version returned in subsequent operations. If the version changes the UI will reload itself. Ticket #946
2011-12-20 19:45:57 -06:00
('version', VERSION),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Domain, realm, basedn:
('domain', 'example.com'),
('realm', 'EXAMPLE.COM'),
('basedn', 'dc=example,dc=com'),
# LDAP containers:
('container_accounts', 'cn=accounts'),
('container_user', 'cn=users,cn=accounts'),
('container_group', 'cn=groups,cn=accounts'),
('container_service', 'cn=services,cn=accounts'),
('container_host', 'cn=computers,cn=accounts'),
Revive the hostgroup_container and include add/remove hosts in hostgroups plugin
2008-11-04 13:03:43 -06:00
('container_hostgroup', 'cn=hostgroups,cn=accounts'),
Re-implement access control using an updated model. The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
2010-12-01 10:23:52 -06:00
('container_rolegroup', 'cn=roles,cn=accounts'),
Move permissions and privileges to their own container, cn=pbac,$SUFFIX ticket 638
2010-12-22 10:11:29 -06:00
('container_permission', 'cn=permissions,cn=pbac'),
('container_privilege', 'cn=privileges,cn=pbac'),
Add autmount-specific location and default entries
2008-11-14 17:04:57 -06:00
('container_automount', 'cn=automount'),
Add policy-related container constants
2009-02-02 09:23:45 -06:00
('container_policies', 'cn=policies'),
('container_configs', 'cn=configs,cn=policies'),
('container_roles', 'cn=roles,cn=policies'),
('container_applications', 'cn=applications,cn=configs,cn=policies'),
('container_policygroups', 'cn=policygroups,cn=configs,cn=policies'),
('container_policylinks', 'cn=policylinks,cn=configs,cn=policies'),
Add new env variables: container_taskgroup, container_rolegroup and container_netgroup.
2009-05-13 07:16:03 -05:00
('container_netgroup', 'cn=ng,cn=alt'),
Add 'container_hbac' env variable.
2009-03-31 13:09:16 -05:00
('container_hbac', 'cn=hbac'),
Move HBAC services and service groups to cn=hbac https://fedorahosted.org/freeipa/ticket/762
2011-01-18 03:56:17 -06:00
('container_hbacservice', 'cn=hbacservices,cn=hbac'),
('container_hbacservicegroup', 'cn=hbacservicegroups,cn=hbac'),
Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging.
2009-04-21 08:12:49 -05:00
('container_dns', 'cn=dns'),
Move Virtual Operations container under cn=etc Fixes: https://fedorahosted.org/freeipa/ticket/759
2011-01-13 14:54:06 -06:00
('container_virtual', 'cn=virtual operations,cn=etc'),
Move sudo related data all under cn=sudo Fixes: https://fedorahosted.org/freeipa/ticket/773
2011-01-14 14:27:56 -06:00
('container_sudorule', 'cn=sudorules,cn=sudo'),
('container_sudocmd', 'cn=sudocmds,cn=sudo'),
('container_sudocmdgroup', 'cn=sudocmdgroups,cn=sudo'),
Add support for tracking and counting entitlements Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
2011-02-01 13:24:46 -06:00
('container_entitlements', 'cn=entitlements,cn=etc'),
34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
2011-08-30 19:48:15 -05:00
('container_automember', 'cn=automember,cn=etc'),
Add SELinux user mapping framework. This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
2011-11-23 15:59:21 -06:00
('container_selinux', 'cn=usermap,cn=selinux'),
Remove memberPrincipal for deleted replicas When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451
2012-03-02 05:10:27 -06:00
('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Ports, hosts, and URIs:
Giant webui patch take 2
2009-10-13 12:28:00 -05:00
# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),
('rpc_json_uri', 'http://localhost:8888/ipa/json'),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
('ldap_uri', 'ldap://localhost:389'),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Giant webui patch take 2
2009-10-13 12:28:00 -05:00
# Web Application mount points
('mount_ipa', '/ipa/'),
# WebUI stuff:
('webui_prod', True),
Implement session activity timeout Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
2012-02-19 09:02:38 -06:00
# Session stuff:
Giant webui patch take 2
2009-10-13 12:28:00 -05:00
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
# Maximum time before a session expires forcing credentials to be reacquired.
Implement session activity timeout Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
2012-02-19 09:02:38 -06:00
('session_auth_duration', '20 minutes'),
# How a session expiration is computed, see SessionManager.set_session_expiration_time()
('session_duration_type', 'inactivity_timeout'),
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Debugging:
Connect the -v cli argument to the verbose flag in xmlrpclib If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
2010-06-03 16:07:24 -05:00
('verbose', 0),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
('debug', False),
Handle errors raised by plugins more gracefully in mod_wsgi. This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
2010-06-25 12:37:27 -05:00
('startup_traceback', False),
More CLI cleanup, got all basics working again
2008-10-28 00:30:55 -05:00
('mode', 'production'),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-01-22 11:59:46 -06:00
# CA plugin:
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
('ca_host', FQDN), # Set in Env._finalize_core()
enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-17 14:36:18 -05:00
('ca_port', 80),
('ca_agent_port', 443),
('ca_ee_port', 443),
('ca_install_port', 9180),
('ca_agent_install_port', 9443),
('ca_ee_install_port', 9444),
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-01-22 11:59:46 -06:00
Finished reworked cli.CLI class into cli.cli plugin
2009-01-28 14:05:26 -06:00
# Special CLI:
('prompt_all', False),
('interactive', True),
Add support for client failover to the ipa command-line. This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
2010-07-26 16:54:38 -05:00
('fallback', True),
Don't set delegation flag in client, we're using S4U2Proxy now A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
2012-02-15 10:06:54 -06:00
('delegate', False),
Finished reworked cli.CLI class into cli.cli plugin
2009-01-28 14:05:26 -06:00
Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally
2009-02-11 14:07:19 -06:00
# Enable certain optional plugins:
('enable_ra', False),
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
('ra_plugin', 'selfsign'),
Optionally wait for 389-ds postop plugins to complete Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144
2011-07-01 14:32:31 -05:00
('wait_for_attr', False),
Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally
2009-02-11 14:07:19 -06:00
Add API version and have server reject incompatible clients. This patch contains 2 parts. The first part is a small utility to create and validate the current API. To do this it needs to load ipalib which on a fresh system introduces a few problems, namely that it relies on a python plugin to set the default encoding to utf8. For our purposes we can skip that. It is also important that any optional plugins be loadable so the API can be examined. The second part is a version exchange between the client and server. The version has a major and a minor version. The major verion is updated whenever existing API changes. The minor version is updated when new API is added. A request will be rejected if either the major versions don't match or if the client major version is higher than then server major version (though by implication new API would return a command not found if allowed to proceed). To determine the API version of the server from a client use the ping command. ticket 584
2011-01-13 13:29:16 -06:00
# Used when verifying that the API hasn't changed. Not for production.
('validate_api', False),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# ********************************************************
# The remaining keys are never set from the values here!
# ********************************************************
#
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
# Env._bootstrap() or Env._finalize_core() will have filled in all the keys
# below by the time DEFAULT_CONFIG is merged in, so the values below are
# never actually used. They are listed both to provide a big picture and
# also so DEFAULT_CONFIG contains at least all the keys that should be
# present after Env._finalize_core() is called.
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
#
The Env.__setitem__() implied conversion is now case sensitive; Env.__setitem__() now also accepts None as a value
2008-12-22 17:16:57 -06:00
# Each environment variable below is sent to ``object``, which just happens
# to be an invalid value for an environment variable, so if for some reason
# any of these keys were set from the values here, an exception will be
# raised.
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
# Non-overridable vars set in Env._bootstrap():
Let the framework be able to override the hostname. The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
2011-06-23 01:06:49 -05:00
('host', FQDN),
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
('ipalib', object), # The directory containing ipalib/__init__.py
('site_packages', object), # The directory contaning ipalib
('script', object), # sys.argv[0]
('bin', object), # The directory containing the script
('home', object), # $HOME
# Vars set in Env._bootstrap():
('in_tree', object), # Whether or not running in-tree (bool)
('dot_ipa', object), # ~/.ipa directory
('context', object), # Name of context, default is 'default'
('confdir', object), # Directory containing config files
('conf', object), # File containing context specific config
('conf_default', object), # File containing context independent config
Finalize plugin initialization on demand. This patch changes the way plugins are initialized. Instead of finalizing all the plugins at once, plugins are finalized only after they are accessed (currently applies to Command, Object and Attribute subclasses, only in CLI by default). This change provides significant performance boost, as only the plugins that are actually used are finalized. ticket 1336
2011-11-03 05:42:17 -05:00
('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool)
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# Set in Env._finalize_core():
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
('in_server', object), # Whether or not running in-server (bool)
('logdir', object), # Directory containing log files
('log', object), # Path to context specific log file
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
)
Let Bind track data changes Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
2011-08-31 07:42:57 -05:00
# Default DNS zone refresh interval in seconds (0 = disabled)
DNS_ZONE_REFRESH = 30
Reference in New Issue Copy Permalink