Commit Graph

2390 Commits

Author SHA1 Message Date
Rob Crittenden
4f010cfda6 Bring ipa-server-install man page up-to-date, fix some syntax errors
Remove a bunch of trailing spaces
Add the --ca option
Add the --no-host-dns option
Add the --subject option
Fix the one-character option for --no-ntp, should be -N not -n
Add missing line break between --no-ntp and --uninstall

Resolves #545260
2010-02-03 14:42:55 -05:00
Rob Crittenden
ececb849d2 Add permissions for named to communicate over ldapi 2010-02-03 14:40:57 -05:00
Rob Crittenden
e672510c06 Implement pwplicy_find to show all group password policies
find is a bit of a misnomer here because we consider no search terms, it
is all or nothing.
2010-02-03 13:27:46 -05:00
Rob Crittenden
5760170bb3 Add flag to allow a cert to be re-issued
I don't want a user to accidentally re-issue a certificate so I've
added a new flag, --revoke, to revoke the old cert and load the new one.
2010-02-03 13:22:03 -05:00
Rob Crittenden
f43f6c50c6 Only change the log level if it isn't already set
This primarily affects the installer. We want to log to the install/
uninstall file in DEBUG. This was getting reset to INFO causing lots of
details to not show in the logs.
2010-02-03 11:52:15 -05:00
Rob Crittenden
dc55240fe8 Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
2010-02-02 14:02:46 -05:00
Rob Crittenden
8ca97cdf35 Base64-encode binary values on the command-line 2010-02-02 14:02:42 -05:00
Rob Crittenden
e24812ee2d Remove group-specific password policy on group deletion 2010-01-29 09:43:51 -05:00
Rob Crittenden
bf63cd30a6 Remove some configuration files we create upon un-installation
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
2010-01-28 17:29:18 -05:00
John Dennis
9409b5cf2e Remove (un)wrap_binary_data cruft from */ipautil.py
Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(),
wrap_binary_data(), unwrap_binary_data() from both instances
of ipautil.py. This code is no longer in use and the
SAFE_STRING_PATTERN regular expression string was causing xgettext
to abort because it wasn't a valid ASCII string.
2010-01-28 14:26:29 -05:00
Jason Gerard DeRose
1d6cc1bb7b Remove __public__ and __proxy__ hold-overs from Plugin class 2010-01-28 13:32:00 -05:00
Rob Crittenden
b7cda86697 Update dogtag configuration to work after CVE-2009-3555 changes
NSS is going to disallow all SSL renegotiation by default. Because of
this we need to always use the agent port of the dogtag server which
always requires SSL client authentication. The end user port will
prompt for a certificate if required but will attempt to re-do the
handshake to make this happen which will fail with newer versions of NSS.
2010-01-27 17:01:26 -05:00
Pavel Zuna
c092f3780d Fix schema loading in the ldap backend. 2010-01-27 16:24:20 -05:00
Jason Gerard DeRose
ec142329aa Update spec to require python-wehjit >= 0.2.0 2010-01-27 09:41:28 -05:00
Rob Crittenden
7baafe4f41 Require that the hostname we are joining as is fully-qualified 2010-01-26 10:41:56 -05:00
Rob Crittenden
0b0cd7872f Remove duplicated code
This strange bit of duplication was not surprisingly causing a double-free
2010-01-26 10:39:30 -05:00
Jason Gerard DeRose
7b571e3693 Enabled CRUDS in webUI using wehjit 0.2.0 2010-01-26 10:32:44 -05:00
Jason Gerard DeRose
e9dc9de23a Fixed xmlrpc_test.fuzzy_digits for Fedora12 2010-01-22 14:41:49 -05:00
Martin Nagy
d6ca88f331 Set BIND to use ldapi and use fake mname
The fake_mname for now doesn't exists but is a feature that will be
added in the near future. Since any unknown arguments to bind-dyndb-ldap
are ignored, we are safe to use it now.
2010-01-21 17:37:42 -05:00
Martin Nagy
d53df67c95 Move some functions from ipa-server-install into installutils
We will need these functions in the new upcoming ipa-dns-install
command.
2010-01-21 17:37:24 -05:00
Martin Nagy
5f5eb2fe13 Allow a custom file mode when setting up debugging
This will be handy in the future if we will want to install or uninstall
only single IPA components and want to append to the installation logs.
This will be used by the upcoming ipa-dns-install script.
2010-01-21 17:37:21 -05:00
Martin Nagy
7aa78ee060 Only add an NTP SRV record if we really are setting up NTP
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.

Fixes #500238
2010-01-21 17:09:21 -05:00
Martin Nagy
686203c074 Use the dns plug-in for addition of records during installation
Fixes #528943
2010-01-21 17:09:18 -05:00
Martin Nagy
f8ec022ed0 Move api finalization in ipa-server-install after writing default.conf
We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
2010-01-21 17:09:15 -05:00
Rob Crittenden
4789bc8f56 Fix merge issue, cut-and-paste error 2010-01-21 15:23:36 -05:00
Rob Crittenden
0ab9df8632 Fix merge error, variable mis-named label instead of doc 2010-01-21 15:10:47 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
2955c955ac Stop looking when removing entries from a keytab.
keytab entries are locked when looping. Temporarily suspend the looping.
2010-01-20 17:02:50 -05:00
Rob Crittenden
3a536353fb Fix plugin to work with new output validation, add new helpers
Add a new get_subject() helper and return the subject when retrieving
certificates.

Add a normalizer so that everything before and after the BEGIN/END
block is removed.
2010-01-20 17:01:24 -05:00
Pavel Zuna
c15c1eee72 Add DS migration plugin and password migration page. 2010-01-20 16:54:17 -05:00
Pavel Zuna
41a7a8d3d4 Add --enable-migration option in config plugin. 2010-01-20 16:54:02 -05:00
Pavel Zuna
ba0e7b9c68 Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. 2010-01-20 16:53:51 -05:00
root
fd5742cc79 Allow adding entries with pre-hashed passwords, but don't generate keys for them.
Fix bug #528922.
2010-01-20 16:53:41 -05:00
Pavel Zuna
cfe47a3553 Temporary fix for name collision of textui.print_entry.
Somehow there's two of them... rename old one to print_entry1.
2010-01-20 16:53:28 -05:00
Pavel Zuna
54631247a7 Make DNS plugin support output validation and thus make it work again. 2010-01-20 19:29:48 +01:00
John Dennis
baba8e91b2 Create pkiuser before calling pkicreate, pkicreate depends on the user existing 2010-01-20 11:32:41 -05:00
Rob Crittenden
28321f7a2c Correct some comment errors 2010-01-19 17:33:28 -05:00
John Dennis
30bc14a15e pass DER flag to x509.get_serial_number() 2010-01-19 17:28:40 -05:00
Rob Crittenden
8376979aa7 Allow cospriority to be updated and fix description of priority ordering
Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
2010-01-19 17:02:13 -05:00
Pavel Zuna
f262a132be Use 'l' instead of 'localityname' in host plugin.
It seems that 'localityname' and 'locality' aliases were dropped in
newer versions of DS.
2010-01-14 16:02:16 -05:00
Pavel Zuna
ce87e04af0 Make host objects aware of their membership and that l==localityName. 2010-01-14 16:01:22 -05:00
Pavel Zuna
2e22963a2d Add default values for krb ticket policy attributes during installation. 2010-01-13 13:43:51 -05:00
Pavel Zuna
a11436113b Add Kerberos Ticket Policy management plugin. 2010-01-13 13:40:44 -05:00
Pavel Zuna
0023ffb881 Fix backend.Executioner unit test.
Before the patch that allows to create unshared instances of Connectible
objects, all Connection object were deleted at once in destroy_context().
It made sense at the time, because there was always at most one Connection
per Connectible subclass and Connectible.disconnect() was called only
internally by the Executioner class. Now that we can make arbitrary
connections, it makes more sense to delete the Connection object when
Connectible.disconnect() is called.
2010-01-13 13:39:50 -05:00
Pavel Zuna
e1c1f077c0 Improve modlist generation in ldap2. Some code cleanup as bonus.
ldap2._generate_modlist now uses more sophisticated means to decide
when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE.

MOD_REPLACE is always used for single value attributes and never
for multi value.
2010-01-11 12:27:04 -07:00
Pavel Zuna
314fe71787 Allow creation of new connections by unshared instances of backend.Connectible. 2010-01-11 13:51:05 -05:00
Rob Crittenden
49fb5ad493 Add start/stop for the CA 2010-01-11 13:38:45 -05:00
Rob Crittenden
b4d039871d Missed explicit reference to pki-ca, replace with self.service_name 2010-01-11 13:30:25 -05:00
Pavel Zuna
74a5384169 Add --all to LDAPCreate and make LDAP commands always display default attributes. 2010-01-11 13:28:05 -05:00
Rob Crittenden
b8016807eb Use the caIPAserviceCert profile for issuing service certs.
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.

This is the first step of allowing the subject to be set at
installation time.

Also fix 2 more issues related to the return results migration.
2010-01-08 13:36:16 -07:00