Commit Graph

2187 Commits

Author SHA1 Message Date
Jason Gerard DeRose
391b1f2b88 Fixed dns_forwarders not being defined when options.setup_dns is False 2009-09-08 13:09:05 +02:00
Martin Nagy
205a41205b Add A and PTR records of ourselves during installation
If the DNS zones already exist but don't contain our own records, add
them. This patch introduces the ipalib.api into the installers. For now,
the code is still a little messy. Later patches will abandon the way we
create zones now and use ipalib.api exclusively.
2009-09-02 22:04:25 +02:00
Martin Nagy
b07d1b54f9 Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.
2009-09-02 22:04:25 +02:00
Martin Nagy
fbda06269d Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
2009-09-02 22:04:25 +02:00
Martin Nagy
4e5a68397a Use DNS forwarders in /etc/named.conf
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with a DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command
line.
2009-09-02 19:09:28 +02:00
Jason Gerard DeRose
5e871a0abb Fleshed out krb plugin and added example of scripting against Python API 2009-08-31 15:47:14 -06:00
Pavel Zuna
91d01a532a Introduce a list of attributes for which only MOD_REPLACE operations are generated. 2009-08-28 13:18:21 -04:00
Rob Crittenden
aafdb755a3 Install the ldapi ldif file 2009-08-28 08:46:54 -04:00
Rob Crittenden
38ae093c7b Add the CA constraint to the self-signed CA we generate
514027
2009-08-27 16:49:09 -04:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is returned, eval() and all, so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000).
2009-08-27 14:15:26 -04:00
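The eval() substitution described in the commit message above, written out as an added example (this is not the installer's own templater; the placeholder syntax, the regex, the sample template and the seeded random ID are constructed for illustration). Because the expression inside eval(...) is handed to the Python interpreter, a template file is as trusted as the installer code that reads it; the block therefore also shows an arithmetic-only evaluator that accepts $UIDSTART+1 but refuses anything that is not integer arithmetic, while keeping the documented fallback of leaving the original text in place on error.

```python
import ast
import operator
import random
import re
from string import Template

# Simplified marker for this example: eval( ... ) with no nested parentheses.
EVAL_RE = re.compile(r"eval\((.*?)\)")


def pick_id_start(rng=random):
    """Draw a starting uid/gid the way the commit describes: a random value
    between 1,000,000 and 2^31 - 1,000,000 (range is from the commit message)."""
    return rng.randint(1_000_000, 2**31 - 1_000_000)


def fill_template(text, values, evaluator=eval):
    """Substitute $NAME placeholders, then evaluate every eval(...) span.

    `evaluator` is called with the substituted expression string. If it
    raises, the original 'eval(...)' text is returned unchanged, which is the
    fallback behaviour the commit message documents. The default evaluator is
    the builtin eval(), i.e. arbitrary Python: only trusted templates may be
    processed this way.
    """
    substituted = Template(text).safe_substitute(values)

    def _evaluate(match):
        expr = match.group(1)
        try:
            return str(evaluator(expr))
        except Exception:  # any failure: leave the eval(...) text as-is
            return match.group(0)

    return EVAL_RE.sub(_evaluate, substituted)


# Hardened alternative (example only, not part of the project): an evaluator
# that accepts integer arithmetic such as $UIDSTART+1 and nothing else.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}


def safe_arith_eval(expr):
    """Evaluate `expr` if it is a pure integer-arithmetic expression; raise
    ValueError for names, calls, attributes, strings or any other node."""
    tree = ast.parse(expr, mode="eval")

    def _walk(node):
        if isinstance(node, ast.Expression):
            return _walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, int)
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](_walk(node.left), _walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -_walk(node.operand)
        raise ValueError("disallowed expression: %r" % expr)

    return _walk(tree)


if __name__ == "__main__":
    # Constructed sample template; UIDSTART drawn with a fixed seed so the
    # run is reproducible.
    uidstart = pick_id_start(random.Random(1))
    sample = "uidNumber: eval($UIDSTART+1)\nbad: eval(1/0)\n"
    print(fill_template(sample, {"UIDSTART": uidstart}))
    print(fill_template(sample, {"UIDSTART": uidstart}, evaluator=safe_arith_eval))
```

With the builtin evaluator, eval(1/0) raises and the line is left as the literal text "bad: eval(1/0)", which is exactly the documented fallback; with safe_arith_eval the same fallback applies to any expression that is not arithmetic, so a template containing eval(__import__) is rendered unchanged instead of being executed.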
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
08fc563212 Generate CRLs and make them available from the IPA web server 2009-08-26 09:51:19 -04:00
Rob Crittenden
7a7041045e Fix service_mod and add a test case 2009-08-26 09:51:15 -04:00
Rob Crittenden
dacfddfdc8 Remove Python 2.6 BaseException.message deprecation warning 2009-08-20 15:16:52 -06:00
Rob Crittenden
d9c54cd83e Clean up additional issues discovered with pylint and pychecker 2009-08-20 09:20:56 -04:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included and a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Rob Crittenden
dbeb409ebd Include schema for key escrow management
https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
2009-08-10 16:38:18 -06:00
Jason Gerard DeRose
c0f558d98b Removed PluginProxy and all its uses 2009-08-05 12:18:51 -04:00
Pavel Zuna
b7b9f9b6a6 Add options in baseldap classes to display unaltered LDAP entries.
The option in question is '--raw'.
2009-08-05 09:20:49 -04:00
Jason Gerard DeRose
22493eef21 Fix three broken unit tests 2009-08-04 00:21:26 -06:00
Pavel Zuna
322d8238a0 All-around improvements to baseldap.py classes.
- attribute re-mapping, ordering and hiding
  (Enables plugins to completely hide LDAP internals from users
   and full localisation of command output.)
- translation of member DNs into object names
  (No more DNs when listing group members etc.)
- support for "singleton" LDAP objects
  (Objects like "pwpolicy"; not accessed by primary key.)
- new base classes for commands: LDAPModMember, LDAPAddMember
  and LDAPRemoveMember
  (Providing support for objects with 'member'-like attributes.)
- LDAPSearch implicit exit code changed to 1 when nothing is found
2009-08-03 23:08:21 -06:00
Pavel Zuna
b4d173d844 Fix bug in _get_syntax (it was always returning None).
Also prevent a few cases of double processing of arguments.
2009-08-03 23:01:44 -06:00
Pavel Zuna
b20c69dec7 Prevent double encoding/decoding when processing compound types. 2009-08-03 23:00:17 -06:00
Pavel Zuna
104d02e167 Enable attribute re-mapping and ordering when printing entries.
Also print multiple values on one line separated by commas.
2009-08-03 22:56:06 -06:00
Jason Gerard DeRose
03a80f512c Fixed whitespace indentation error in certs.py 2009-07-27 19:23:31 -06:00
Rob Crittenden
5bbe1108d5 Identify CAs to trust from an imported PKCS#12 file
We used to use certutil -O to determine the cert chain to trust. This
behavior changed in F-11 such that untrusted CAs are not displayed.
This is only used when we import PKCS#12 files so use pk12util -l to
display the list of certs and keys in the file to determine the nickname(s)
of the CAs to trust.

509111
2009-07-27 16:04:53 -06:00
Rob Crittenden
5767c6b37d Fix deprecation warning for the sha library on Python 2.6
sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so
this will use hashlib if available but fall back onto sha if not.
Fortunately they use the same API for the function we need.

509042

Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 20:03:01 -06:00
Rob Crittenden
b382755fee No need to trust NSS built-in CAs, more specific regex for finding CA nickname
- Add some logging so we have a better idea of what happened if things fail
- Default to self-signed CA to trust if one is not found. This will fix
  the self-signed CA case where certutil doesn't return untrusted CAs in
  -O output.
- Remove unused httplib import

Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 13:45:45 -06:00
rcrit
a9f70edb87 Add conditional for new SELinux capabilities available in Fedora 11 2009-07-23 14:59:20 -04:00
Martin Nagy
de53d0a26e Make --setup-dns work on replica installation
The ipa-replica-install script will setup the DNS if user specifies the
--setup-dns option. It will only add the zone into LDAP if the
cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add
the records.
2009-07-22 18:02:22 +02:00
Martin Nagy
a09d2c3498 Add a reverse zone with server's PTR record
Also, small cosmetic change in dns.ldif.
2009-07-22 18:02:22 +02:00
Martin Nagy
296ffe6c61 Add --setup-dns option. It will replace --setup-bind 2009-07-22 18:02:22 +02:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Rob Crittenden
904e555404 Catch and handle HTTP exceptions (like 401, 404, etc) 2009-07-15 08:59:58 -04:00
Martin Nagy
017f236d6a Use uppercase boolean values in dns.ldif
The newest 389 server implements syntax checking and causes problems if
the boolean attribute is set to "True". The correct value should be
"TRUE".
2009-07-15 07:34:28 +02:00
Rob Crittenden
c0b6a78040 Require a password only once when it is passed in via a pipe 2009-07-10 16:47:35 -04:00
Rob Crittenden
d6e1e15fcd Add a one-character option for parameters 2009-07-10 16:46:34 -04:00
Rob Crittenden
c21e003cdf Let anonymous users browse the VLV index
This is needed for automount support on Solaris

http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
2009-07-10 16:45:45 -04:00
Rob Crittenden
fe84ffd0f1 Add a return value to exceptions.
Returning the exception value doesn't work because a shell return value
is in the range of 0-255.

The default return value is 1 which means "something went wrong." The only
specific return value implemented so far is 2 which is "not found".
2009-07-10 16:44:54 -04:00
Rob Crittenden
0e29dd7226 Add textui function to display and prompt user for selection for *-find.
Since we may end up executing a *-show when an entry is selected we need
to defer destroying the connection context.
2009-07-10 16:44:22 -04:00
Rob Crittenden
e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
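The access check described in the commit message above, as an added example that is not the project's own code. It models the technique with a small in-memory directory: access control is evaluated before the value is checked against the schema, so a deliberately invalid write fails with INSUFFICIENT_ACCESS when the bound identity lacks permission and with INVALID_SYNTAX when it has permission, and in neither case is the entry changed. The exception classes are stand-ins named after python-ldap's ldap.INSUFFICIENT_ACCESS and ldap.INVALID_SYNTAX; the DNs, ACI table, schema table and the choice of uidNumber as the probed attribute are constructed for the example.

```python
class LDAPError(Exception):
    """Base of the stand-in exception hierarchy."""


class INSUFFICIENT_ACCESS(LDAPError):
    """Result code 50: the bound identity may not perform this write."""


class INVALID_SYNTAX(LDAPError):
    """Result code 21: the value does not match the attribute's syntax."""


class FakeDirectory:
    """Constructed directory: entries, a per-bind-DN ACI table and a modify()
    that, like a real server, checks access before it checks the value."""

    def __init__(self, entries, acis, schema):
        self.entries = entries    # dn -> {attr: [values]}
        self.acis = acis          # bind_dn -> {target_dn: set(writable attrs)}
        self.schema = schema      # attr -> "Integer" | "DirectoryString"
        self.write_log = []       # every write that actually landed

    def modify(self, bind_dn, dn, attr, value):
        if dn not in self.entries:
            raise LDAPError("no such object: %s" % dn)
        # 1. Access control first: denied callers never reach the syntax check.
        if attr not in self.acis.get(bind_dn, {}).get(dn, set()):
            raise INSUFFICIENT_ACCESS("%s may not write %s on %s" % (bind_dn, attr, dn))
        # 2. Syntax check second.
        if self.schema.get(attr) == "Integer" and not value.isdigit():
            raise INVALID_SYNTAX("%s: %r is not an integer" % (attr, value))
        # 3. Only a permitted, valid write modifies the entry.
        self.entries[dn][attr] = [value]
        self.write_log.append((bind_dn, dn, attr, value))


def can_write(directory, bind_dn, dn, attr, probe_value="not-a-number"):
    """Return True if bind_dn may write `attr` on `dn`, without changing `dn`.

    The probe value must be syntax-invalid for `attr`, so the attempt always
    fails: early with INSUFFICIENT_ACCESS if access is denied, later with
    INVALID_SYNTAX if access is granted. A probe that succeeds has polluted
    the entry, which is reported instead of being read as "allowed".
    """
    try:
        directory.modify(bind_dn, dn, attr, probe_value)
    except INSUFFICIENT_ACCESS:
        return False
    except INVALID_SYNTAX:
        return True
    raise RuntimeError("probe write of %s on %s succeeded; pick an invalid probe value"
                       % (attr, dn))


def build_demo():
    """Constructed sample: one virtual-operation entry, one ACI granting admin
    write access to its uidNumber attribute, one unprivileged user."""
    suffix = "dc=example,dc=com"
    op_dn = "cn=request certificate,cn=virtual operations,cn=etc," + suffix
    admin = "uid=admin,cn=users,cn=accounts," + suffix
    alice = "uid=alice,cn=users,cn=accounts," + suffix
    entries = {op_dn: {"objectClass": ["top", "extensibleObject"],
                       "cn": ["request certificate"], "uidNumber": ["0"]}}
    acis = {admin: {op_dn: {"uidNumber"}}}
    schema = {"uidNumber": "Integer", "cn": "DirectoryString"}
    return FakeDirectory(entries, acis, schema), op_dn, admin, alice


if __name__ == "__main__":
    directory, op_dn, admin, alice = build_demo()
    print("admin may request certificate:", can_write(directory, admin, op_dn, "uidNumber"))
    print("alice may request certificate:", can_write(directory, alice, op_dn, "uidNumber"))
    print("entry untouched:", directory.entries[op_dn]["uidNumber"], directory.write_log)
```

The practical point a reviewer would watch for is the ordering assumption in step 1 and 2 of modify(): the technique only distinguishes "denied" from "permitted" if the server evaluates ACIs before it validates the value, and only stays side-effect free if the probe value can never be valid for the probed attribute. The RuntimeError branch in can_write() makes a broken probe visible instead of reporting it as success.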
Martin Nagy
5149803873 Configure BIND LDAP driver to use SASL authentication
We use /etc/named.keytab generated by ipa-server-install to authenticate
against the LDAP server. Also tidy up /etc/named.conf since we're there.
2009-07-10 09:55:29 -04:00
Simo Sorce
9fe707a3f2 Basic changes to get a default principal for DNS
Also moves delegation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>
2009-07-10 09:42:22 -04:00
Simo Sorce
24089821fb Check error in kpasswd 2009-07-10 09:42:21 -04:00
Pavel Zuna
94181d54fe Make object classes of automatically created entries lowercase.
This makes them more consistent with entries created by plugins.
It's a cosmetic thing, not that useful.
2009-07-10 08:58:44 -04:00
Pavel Zuna
551648b8a9 Change command names from *group-del-member to *group-remove-member.
Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-09 13:25:19 -06:00
Pavel Zuna
3b613091bb Import explode_dn from ldap.functions for backward compatibility with older versions of python-ldap. Fix bug in add_entry_to_group.
Resolves 510149
2009-07-08 12:15:58 -04:00
Rob Crittenden
45a40635bb Add class variable to indicate whether SSL is required or not.
Older python-ldap versions will crash if you call ldap.get_option()
on a value that has not been set.
2009-07-07 22:57:23 -04:00
Pavel Zuna
f59cab1ccd Fix bug in ldap2.modify_password and make adding/removing members slightly more efficient. 2009-07-07 22:56:56 -04:00