We lacked good error messages if the user/group container you used doesn't
exist.
Add a --continue option so things can continue if you use a bad user/group
container. This has the side-effect of letting you migrate just users or
groups by using a bad container for the one you don't want.
Fix a Gettext() error when displaying the migrated password message.
ticket 289
In ipa-replica-prepare a call to search_ext() was returning ldap.SUCCESS.
The search actually was fine and returned data but an exception was returned
and handled (though we didn't know what to do with it). This patch
lets it continue along.
ticket 285
Fix a logic problem in ldap2:get_schema() for determining if it
can fetch the schema or not. Normally we only want to do this for servers
but if you pass in your own connection it will use that.
This has been annoying for developers who switch back and forth. It will
still break v1 but at least going from v1 to v2 will work seemlessly.
ticket 240
We used to check for these one at a time so you'd run it once and find
out you're missing the bind package. Install that and run the installer
again and you'd discover you're missing bind-dyndb-ldap.
ticket 140
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.
This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.
This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.
ticket 67
When making LDAP calls via api.Backend.ldap2 the ldap2 object will already
be locked by the api.finalize() call. So the first time that
api.Backend.ldap2.connect() is called an error would be thrown that
self.schema cannot be set because the object is ReadOnly. This uses the
documented procedure for working around this lock.
This was preventing the DNS installation to proceed.
ticket #188
Move the user-private group caching code out of the global config and
determine the value the first time it is needed.
Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.
Moved the global get_syntax() into a class method so that a schema
can be passed in.
If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credntials needed for
binding).
ticket 63
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6
Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata
ticket 155
This replaces the old no logging mechanism that only handled not logging
passwords passed on the command-line. The dogtag installer was including
passwords in the output.
This also adds no password logging to the sslget invocations and removes
a couple of extraneous log commands.
ticket 156
Installing dogtag is quite slow and it isn't always clear that things
are working. This breaks out some restart calls into separate steps
to show some amount of progress. There are still some steps that take
more than a minute (pkicreate and pkisilent).
Add new argument to pkisilent, -key_algorithm
Update a bunch of minimum required versions in the spec file.
tickets 139 (time) and 144 (key_algorithm)
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.
I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.
This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.
This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
This causes the installation to blow up badly otherwise.
To remove an existing instance run:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
The old perl DS code for detection didn't set this so was often confused
about port availability. We had to match their behavior so the installation
didn't blow up. They fixed this a while ago, this catches us up.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
We set a new port to be used with dogtag but IPA doesn't utilize it.
This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
Also print out a restart message after applying the custom subject.
It takes a while to restart dogtag and this lets the user know things
are moving forward.
