use the dns_update_system_records command to set proper DNS records
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS Servers and DNS Administrators must have access to
'idnsTemplateAttribute' to be able set/read template
for generating CNAME records pointing to proper location records.
Also user must be able to add objectclass for idnsTemplateAttribute
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed for detection which records should be created
on which servers.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adding module that allows to work with IPA DNS system records:
* getting system records
* updating system records
* work with DNS locations
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For performace ipalocation should be indexed because it is used by
referint plugin
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Sometimes the lock table would run out of available locks. This should
improve the lock table default configuration.
https://fedorahosted.org/freeipa/ticket/5914
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.
https://fedorahosted.org/freeipa/ticket/5898
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The upgrade script always attempts to start the CA, even on
instances where the CA is not configured. Add guards.
Fixes: https://fedorahosted.org/freeipa/ticket/5958
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Commands inherited from Local can't be executed remotely, so exclude them
from API schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Instead of pre-generating all command classes from API schema on API
initialization and using them as plugins, use placeholder objects which
generate the classes on demand.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Use a new API namespace class which does not initialize plugins until they
are accessed.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Allow registering any object that is callable and has `name` and `bases`
attributes as a plugin.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This makes IPA servers that publish their NTP services in LDAP searchable by
`server-role-find` and `server-find` command.
The list of active IPA NTP servers will be displayed in to output of `ipa
config-show` command.
https://fedorahosted.org/freeipa/ticket/5815
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
IPA masters can be configured as NTP servers but the status of this service
can not be determined centrally from querying relevant LDAP subtree. This
patch makes IPA master and replica publish the newly configured NTP service in
their service container during installation.
If the master was configured as NTP server, the NTP service entry will be
created upon upgrade.
https://fedorahosted.org/freeipa/ticket/5815https://fedorahosted.org/freeipa/ticket/5826
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via
ipa trustdomain-find forest.root
The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.
Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.
Fixes https://fedorahosted.org/freeipa/ticket/5942
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.
Part of: https://fedorahosted.org/freeipa/ticket/5939
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add field for choosing CA when issuing new certificate. Add new item to action menu
on cert details page which allows user to download the certificate as file.
Part of: https://fedorahosted.org/freeipa/ticket/5939
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
After installing a replica, Dogtag's Lightweight CA key retrieval
fails until Dogtag is restarted, because the already-running
instance doesn't pick up the changes to CS.cfg. Configure the key
retriever before the instance is started.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the optional 'ca_id' argument to ra.request_certificate(), for
passing an Authority ID to Dogtag.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In addition to user-created lightweight CAs, CA ACLs need to be able
to refer to the "main" CA. Add an entry for the IPA CA on
installation and upgrade.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The request dialog is not closed directly after clicking 'Issue' button, but only
after successful issuing or after clicking 'Close' button. So, the user can check
inputed data.
https://fedorahosted.org/freeipa/ticket/5652
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add attribute 'disable_search_field' which hides search field on search or
nested_search facet.
Part of: https://fedorahosted.org/freeipa/ticket/5906
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Adds new tab on topology page which shows server roles. Also extends
server details page and server config page (setting of ca renewal server).
https://fedorahosted.org/freeipa/ticket/5906
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There is new attribute of table facet which allows to set which column of
table will be its primary key. This patch also move some code into separate
method - it will be easier to overide some functionality in child classes.
Part of: https://fedorahosted.org/freeipa/ticket/5906
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Switch 'ipa' command to py3 has been done prematurely, this commit sets python2 as interpreter for ipa cli.
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This reverts commit 1ebd8334bc.
Switch 'ipa' command to py3 has been done prematurely, thus this commit
reverts it from IPA 4.3.2 and temporarily from master because it is
blocker for developing of the new features.
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)
https://fedorahosted.org/freeipa/ticket/5810
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Expecting IndexError instead of ValueError led to traceback instead of correctly
reporting the error situation.
https://fedorahosted.org/freeipa/ticket/5945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Setting string here was causing search for substring instead of search for value
in tuple or list.
https://fedorahosted.org/freeipa/ticket/5945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.
https://fedorahosted.org/freeipa/ticket/5689http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:
* config-{show,mod} will show list of all IPA masters, CA servers and CA
renewal master
* dnsconfig-{show,mod} will list all DNS server and DNS key master
* trustconfig-{show,mod} will list all AD trust controllers and agents
* vaultconfig-show will list all Key Recovery Agents
http://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).
server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.
http://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This patch implements the `serverroles` API plugin which introduces the
following commands:
* server-role-show SERVER ROLE: show status of a single role on a server
* server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
find role(s) SERVROLE and return their status on IPA
masters. If --server option is given, the query is limited to this
server. --status options filters the output by status [enabled vs.
configurer vs. absent]
https://fedorahosted.org/freeipa/ticket/5181http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>