I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
Add an optional search_attributes variable in case the attributes you
want to display by default aren't what you want to search on.
Also link in any cn=ipaconfig attributes that contain a comma-separated
list of attributes to search on.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
The migration plugin uses a pre-op function to automatically create
kerberos credentials when binding using a password.
The problem is that we do a simple bind when doing password-base
host enrollment. This was causing krbPasswordExpiration to be set
which isn't what we want for hosts. They really shouldn't go through
this code at all.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.
I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
This causes the installation to blow up badly otherwise.
To remove an existing instance run:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.
This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.
One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
Also re-arrange some code around reading the configuration file. In trying
to eliminate bogus error messages I prevented the file from being read at all.
It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't
work if you don't pass in a server name.
