The EntityBuilder has been modified to obtain the pkey value by
invoking getPKey(). This function can be overriden for different
entities.
The addOptionsFunction() has been renamed to getOptions() and it
can be overriden for different entities. Each entity that uses this
function has been modified accordingly.
The addEdit(), addAnother(), add_fail() has been moved into the
EntityBuilder class. The global builders is no longer needed because
a reference to the builder object can be obtained via enclosure.
The ServiceForms has been modified to take service name and
hostname and combine them to generate the service principal by
overriding the getPKey().
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
-Refactored the associations code into a set of objects that are configured by the entities
-Added support for associations that can be done in a single rpc
-hostgroup to host and group to user associations working
-Restructed sampledata so that the file is matched automatically by the RPC method name
-The new ipa_cmd/sampledata scheme insists on there being sample data for any commands or the ipa_command fails.
-Added sampledata files for all the calls we make
-renamed several of the sampledata files to match their rpc calls
-Started a pattern of refactoring where all the forms for the entity fall under a single object
We now catch the hashchange event and use that to drive most of the site.
To trigger page transitions, modify location.hash.
Params start with # not ?.
Removed user-group.inc.
converted tabs to spaces
trivial imlementation of add and details for netgroup and hostgroup
lots of bug fixes based on routing problems and the refactorings.
- Add/Remove links are now only available for multivalue
attributes (Param.multivalue = true) and attributes with param
types, that are multivalue by definition (as of now only List).
Single-value attributes with no value are displayed as empty
input elements.
- When updating an attribute, leading and trailing spaces are
stripped
- Context help available in the form of hints, that are extracted
form Param.hint.
to hash params ( starting with # ). User Details are now part of
index.xhtml, ao one more .inc file has been removed.
Updated commit to catch a few things that had been left out, including
sampledata handling and updateing Makefile.am
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
This disables debug output in the Apache log by default. If you want
increased output create /etc/ipa/server.conf and set it to:
[global]
debug=True
If this is too much output you can select verbose output instead:
[global]
debug=False
verbose=True
ticket 60
The problem was that parameters with no values are automatically
set to None by the framework and it wasn't handled properly in
baseldap.py:get_attributes function. Also, there were two logical
bugs in details.js:
1) atttribute callback to update values were called for input elements
instead of dt elements
2) it was always trying to update the primary key
Unfortunately we can't have any javascript in *.inc files, because
the browser will strip them for security reasons. I moved all the
attribute callbacks etc. to the only logical place: user.js.
It's fine for now, but user.js is going to need some serious cleaning
up in the future.
What does it mean?
I removed duplicate code, that was pasted here from the user details page.
ipa_details_init doesn't call ipa_init anymore.
ipa_details_create takes a second optional parameter, that can be set to
a container element if we want to place the definition lists into a specific
element instead of <body>. In our case, we place stuff in <div id="content">
What it means?
Well, first I removed some development control variables from ipa.js.
Namely useSampleData and sizelimit. I moved useSampleData to the top
of index.xhtml. This way we won't forget about it when we don't need
it anymore. sizelimit has nothing to do in ipa.js and be hardcoded
for ALL commands! Some don't have this parameter and could fail.
Since ipa_init now loads meta-data over JSON-RPC, we need to wait for
it to finish its job. That's why I put a second parameter to ipa_init:
on_win. ipa_init will call on_win when all data is loaded properly and
we can start building the page.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
To do this we need to break the link manually on both sides, the user and
the group.
We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group
leaving it in a quasi broken state that only ldapmodify could fix.
ticket 75
Hide the search bar when showing the groups listed for a user, and resotre it when doing other searches.
The enroll button is added only on the groups page, and removed along with anything else in the searchButtons div when a new search is started.
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.
ticket #27
The ipaAssociation is the core of different association object.
It seems that the service is an exception rather then rule.
So it is moved into the object where it belongs.
Fixed matching rules and some attribute types.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/89
Removed unused password attribute and realigned OIDs.
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.
Ticket #87
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.
After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer
I took some time and fixed up some things pylint complained about too.
Ticket #83
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
Since one needs to enable the compat plugin we will enable anonymous
VLV when that is configured.
By default the DS installs an aci that grants read access to ldap:///all
and we need ldap:///anyone
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
There are now 3 cases:
- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
for the server certs. The installed CA will still be used by the cert
plugin to issue any server certs.
We want to manually make the .pot file, we shouldn't have anything
in the Makefile which will cause the .pot file to be rebuilt
because of dependencies.
There was a typo in install/po/Makefile.in which caused (some) of
the .po files to be overwritten because the test to see if a po
file existed had a typo in it.
This patch also removes the unnecessary rebuilding of the pot which was
happening when using the "all" target (the default). The pot file now
must be manually remade, which is what we want.
Added a new target "mo-files" to manually generate the .mo files.
This is useful to run before checking in a new .po file just to
assure it "compiles" and we don't have to discover this during a
build.
Formerly running 'make update-pot' would write an insignificantly
different pot file even if the msgid's xgettext found were unmodfied.
Now the result of running xgettext is compared to the existing
pot file after adjusting for things like timestamps, and only
copies the result of xgettext to the new pot file if there
were differences.
This will help eliminate git commits on the pot file if all one
did was see if the pot file was up to date, if it was up to date
git won't see any modifications. It used to be that timestamps
would be different in the pot file just by virtue of checking
if the pot file was current.
fix exit status; replace POT with $(DOMAN).pot
Add new Russian translation.
Update the Polish translation.
Add count of how many po translations we have in msg-stats.
Current translation statistics with this patch:
ipa.pot has 133 messages. There are 5 po translation files.
bn_IN: 14/133 10.5% 106 po untranslated, 13 missing, 119 untranslated
id: 107/133 80.5% 13 po untranslated, 13 missing, 26 untranslated
kn: 4/133 3.0% 116 po untranslated, 13 missing, 129 untranslated
pl: 133/133 100.0% 0 po untranslated, 0 missing, 0 untranslated
ru: 120/133 90.2% 0 po untranslated, 13 missing, 13 untranslated
The goal is to get the statistics to line up in
columns and not exceed an 80 character line which might
cause wrapping. Removing .po suffix from the translation
name gives us 3 extra characters. Formatting problems were
observed when bn_IN.po was added.
The Makefile in install/po has a new target "msg-stats" which
prints out statistics concerning the current pot and po files.
Here is an example:
% make msg-stats
ipa.pot has 133 messages
id.po: 107/133 80.5% 13 po untranslated, 13 missing, 26 untranslated
kn.po: 4/133 3.0% 116 po untranslated, 13 missing, 129 untranslated
pl.po: 120/133 90.2% 0 po untranslated, 13 missing, 13 untranslated
Also update configure.ac to search for msgcmp, awk & sed programs.
Add 3 new translations for Polish, Indonesian, Kannada.
Remove the dummy Italian translation (it.po), it's only purpose was to
have some translation in the tarball so %{find_lang} wouldn't fail.
Add a new file contributing_translators.txt so we can track our
translators contributions and give them credit.
The %{find_lang} macro in the ipa.spec file will fail if there
are no language translations causing the build to fail.
This patch creates an Italian translation (in honor of Simo).
The Italian translation is initially fully untranslated.
msginit should have been passed the locale because the resulting
.po file is parameterized from the locale. Also, if the target
locale is not specified it defaults to the current locale.
If the target locale is Engish msgid's are copied to their msgstr's
resulting in a fully translated .po instead of a fully untranslated
.po.
Add some comments to better explain some of the cryptic sed commands.
A new directory install/po has been added which contains all
the translations for all files in IPA.
The build has been agumented to build these files. Also the
autogen.sh script was mostly replaced by autoreconf, the preferred
method. The old autogen.sh sript also had some serious bugs in the
way it compared versions which caused it to run old versions of some
of the tools, using standared autoreconf is much better.
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
Remove a bunch of trailing spaces
Add the --ca option
Add the --no-host-dns option
Add the --subject option
Fix the one-character option for --no-ntp, should be -N not -n
Add missing line break between --no-ntp and --uninstall
Resolves#545260
The fake_mname for now doesn't exists but is a feature that will be
added in the near future. Since any unknown arguments to bind-dyndb-ldap
are ignored, we are safe to use it now.
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
If a replica is not up for some reason (e.g. you've already deleted it)
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.
This wipes out the last vestiges of the old ipa.conf from v1.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.
Subject alt names are only allowed if:
- the host for the alt name exists in IPA
- if binding as host principal, the host is in the services managedBy attr
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.
The DS db wasn't getting a password set on it. Go ahead and set one.
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.
No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.
In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service
It might look something like:
admin
ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin
client
ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.
The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.
This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.
The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.
A run would look like:
# ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
# ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com
This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.
To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.
One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.
Lots of general fixes were also made in ipaserver.install.certs including:
- better handling when multiple CA certificates are in a single file
- A temporary directory for request certs is not always created when the
class is instantiated (you have to call setup_cert_request())
If the DNS zones already exist but don't contain our own records, add
them. This patch introduces the ipalib.api into the installers. For now,
the code is still little messy. Later patches will abandon the way we
create zones now and use ipalib.api exclusively.
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these option was given at the command
line.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.
The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.
This also fixes up some unrelated unit test failures.
The ipa-replica-install script will setup the DNS if user specifies the
--setup-dns option. It will only add the zone into LDAP if the
cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add
the records.
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.
Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.
This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.
Signed-off-by: Martin Nagy <mnagy@redhat.com>
Removes two unneeded attributes and adds one attribute for specifying
DNS update policy. Additionally, use different namespace for them: 5.x
for attribute types and 6.x for object classes.
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
Use the requestId we get back from the CA when requesting the RA agent cert
and use that to issue the certificate rather than hardcoding 7.
This also adds some clean-up of file permissions and leaking fds
Notes:
- will create a CA instance (pki-ca) if it doesn't exist
- maintains support for a self-signed CA
- A signing cert is still not created so Firefox autoconfig still won't work
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.
What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs
What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
This adds:
group administration
host administration
host group administration
delegation administration
service administration
automount administration
netgroup administration
Role groups will be part of the ACI system. It will let one create broad
categories of permissions. Things like: helpdesk, user admin, group admin,
whatever.
This change depends on DS bugs 487574 and 487725. Groups cannot be
promoted properly without these fixed. It will fail with an
Object Class violation because gidNumber isn't set.
Loading this via LDIF is a temporary measure until we can load it online.
This requires removing the dNSRecord declarations from 05rfc2247.ldif
so a replacement copy is included for now.
Also add the netgroups container.
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.
The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.