This is used when a new replica is created as well as whenever a replica
is re-initialized from another master.
In order for this to work when not creating an instance the __init__
function needs to be able to determine the suffix and the dm_password
is needed.
I've also added the time to the RDN of the member task to ensure
uniqueness.
438222
This runs the risk of showing too much and confusing users but on the other
hand it often includes required information detailing why the error
occurred such as what attribute the user lacks write access too and why
changing a password failed.
438057
we do updates, so use the right terminology internally. Also fix the actual
field we update (and grant permission appropriately in delegations).
The DS password handles updating userPassword and any Samba passwords
as necessary.
438256
This function was assuming that the target list was all lower-case so the
set could end up with duplicate values which would get kicked out by LDAP.
433680
Add ability to force a synch to occur
Clean up a lot of unused code in ipaldap.py. This lets us do a simple bind
without being root (it used to try to read dse.ldif)
436237
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
Fix bug in exception handling where we were sending the wrong thing as detail.
Basically we were catching an LDAP error, generating an IPAError from it,
catching that, then setting the detail of the 2nd exception to another IPAError
rather than the root exception. This caused anything looking at e.detail to
crap out
Resolves 432136
No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix number of bugs in ipa-replica-install and prepare
Produce status output during replica creation
The ipa_webgui and ipa_kpasswd instance code is identical
and I want to add another similar instance down the line,
so re-factor the code into a service.SimpleServiceInstance
class.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
DsInstance.pkcs12_info isn't currently initialised in
the constructore so, e.g. __enable_ssl() assumes that
create_instance() has initialised it.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
If, in future, we change the server ID so that it's not
derived from the realm name, there's a fair few places
that need to be changed.
Make that easier by having config_dirname() take the
server ID rather than the realm name. That makes sense
anyway so we don't have to realm_to_serverid() so
much.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Let's assume that all ipaserver.dsinstance could be used
somewhere where asking questions on stdout/stdin is not
approriate and re-factor the code to be suitable in
those situations too.
i.e. make check_existing_installation() return a list of
server IDs and make check_ports() return an (unsecure,
secure) tuple indication which ports are in use.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
- Removing shebangs (#!) from a bunch of python libraries
- Don't use a variable name in init scripts for the lock file
- Keep the init script name consistent with the binary name, so renamed
ipa-kpasswd.init to ipa_kpasswd.init
- Add status option to the init scripts
- Move most python scripts out of /usr/share/ipa and into the python
site-packages directories (ipaserver and ipaclient)
- Remove unnecessary sys.path.append("/usr/share/ipa")
- Fix the license string in the spec files
- Rename ipa-webgui to ipa_webgui everywhere
- Fix a couple of issues reported by pychecker in ipa-python
Add a --uninstall option to ipa-server-install which tries to
restore the system to the way it was before ipa-server-install
was run using the state backed up through sysrestore.py.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This patch adds a sysrestore module which allows ipa-server-install
code to backup any system state so that it can be restored again
with e.g. ipa-server-install --uninstall.
The idea is that any files ipa-server-install modifies gets backed
up to /var/cache/ipa/sysrestore/ while any "meta" state, like
whether a service is enabled with chkconfig, is saved to
/var/cache/ipa/sysrestore.state.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
httpinstance.py currently uses a hardcoded /tmp/ipa temporary
directory. Make it use tempfile.mkdtemp() instead.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Add a simple helper to check whether a service is running
and make ipa-server-install use it to check whether ntpd
is running.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Following the changelog history from my dev tree, some comments are useful imo
------------------------------------------------------
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 03:05:36 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Remove remnants of the initial test tool
changeset: 563:4fe574b7bdf1
user: Simo Sorce <ssorce@redhat.com>
date: Fri Dec 21 02:58:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Maybe actually encrypting the keys will help :-)
changeset: 562:488ded41242a
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:50 2007 -0500
files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif
description:
Fixes
changeset: 561:4518f6f5ecaf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:53:32 2007 -0500
files: ipa-admintools/Makefile ipa-admintools/ipa-addservice
description:
transform the old ipa-getkeytab in a tool to add services as the new
ipa-getkeytab won't do it (and IMO it makes more sense to keep the
two functions separate anyway).
changeset: 559:25a7f8ee973d
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:59 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Bugfixes
changeset: 558:28fcabe4aeba
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 23:48:29 2007 -0500
files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c
description:
Configure fixes
Add ipa-getkeytab to spec
Client fixes
changeset: 557:e92a4ffdcda4
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:57:10 2007 -0500
files: ipa-client/Makefile.am ipa-client/configure.ac
description:
Try to make ipa-getkeytab build via autotools
changeset: 556:224894175d6b
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:35:56 2007 -0500
files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c
description:
Messed a bit with hg commands.
To make it short:
- Remove the python ipa-getkeytab program
- Rename the keytab plugin test program to ipa-getkeytab
- Put the program in ipa-client as it should be distributed with the client
tools
changeset: 555:5e1a068f2e90
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 20:20:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Polish the client program
changeset: 554:0a5b19a167cf
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 18:53:49 2007 -0500
files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py
description:
Support retrieving enctypes from LDAP
Filter enctypes
Update test program
changeset: 553:f75d7886cb91
user: Simo Sorce <ssorce@redhat.com>
date: Thu Dec 20 00:17:40 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Fix ber generation and remove redundant keys
changeset: 552:0769cafe6dcd
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 19:31:37 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Avoid stupid segfault
changeset: 551:1acd5fdb5788
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:39:12 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
If ber_peek_tag() returns LBER_ERROR it may just be that we are at the
end of the buffer. Unfortunately ber_scanf is broken in the sense that
it doesn't actually really consider sequence endings (due probably to the fact
they are just representation and do not reflect in the underlieing DER
encoding.)
changeset: 550:e974fb2726a4
user: Simo Sorce <ssorce@redhat.com>
date: Wed Dec 19 18:35:07 2007 -0500
files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
First shot at the new method
There's a few places where we spawn of kadmin to add/modify
principals and create keytabs.
Refactor all that code into installutils.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Just in case there is an existing ipa-webgui running
before ipa-server-install, restart the instance rather
than just starting it.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This requires a bit of trickery. I use the onblur() javascript function
to note when the field is left and store whatever was entered there.
Then when the page is submitted if a dn doesn't exist for that field
but they did enter something, do a lookup to see if there is a group by
that name.
Creation steps are currently done with:
self.start_creation(2, "Create foo")
self.step("do foo")
self.foo()
self.step("do bar")
self.bar()
self.done_creation()
This patch refactors that into the much more
straightforward:
self.step("do foo", self.foo)
self.step("do bar", self.bar)
self.start_creation("Create foo")
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
The following files hav no template variables, so don't
bother templating them:
- memberof-conf.ldif
- referint-conf.ldif
- dna-conf.ldif
- certmap.conf.template
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Just a patch to refactor lots of similar code in
dsinstance and krbinstance using a simple helper
method.
Note, there are some differences:
- Some code used to call ldapmodify without -h 127.0.0.1
- Some of the code used to just print an error rather than
using logging.critical()
- Some code used to log some extra debug
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
update_key_val_in_file() shouldn't try and write to
a file if the key is already set to the given value
in the file
Rationale here is that if we write these files out
while building a system image, ipa-server-install
shouldn't need to re-write them and, therefore,
they don't need to be writable.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Recently, dsinstance and krbinstance was fixed to
not import * from ipautil; do the same for the
rest of ipaserver.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
It seems that in openldap-2.4.x ldapmodify has gotten somewhat
more picky about the ldif it accepts. See here for more details:
https://bugzilla.redhat.com/422251
Not sure whether ldapmodify will be fixed, but for now just
fix the ldif.
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This uses the UniversalPreferencesWrite function to set the browser
preferences to allow negotiation and ticket forwarding in the IPA domain.
A self-signed certificate is generated to sign the javascript.
We used to return the entire argument string ala:
('dc=freeipa,dc=org', 2, 'uid=foo', ['*'])
This adds a regex to try to print anything after = in the filter.
Not perfect but better.
Fix group RDN changes
Remove a copy/paste error in the group UI update that caused 2 updates
Fix variable name so groups don't get user objectclasses
Remove color CSS for field backgrounds as they override disabled field display
