Commit Graph

2281 Commits

Author SHA1 Message Date
Rob Crittenden
50b683dc3c Provide additional help to --help option 2009-11-19 14:38:01 -05:00
Rob Crittenden
6e5c15b1db Gracefully handle a valid kerberos ticket for a deleted entry.
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
2009-11-19 14:37:41 -05:00
Rob Crittenden
34f6cba0c3 Clean up some return values
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
overlap.
2009-11-19 03:07:52 -07:00
Pavel Zuna
2bbdf7be0d Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled). 2009-11-18 14:40:53 -05:00
Pavel Zuna
e1e2e020a7 Remove 'ipaObject' objectClass from rolegroups and taskgroups. 2009-11-18 14:37:15 -05:00
Pavel Zuna
f5d63dbecc Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.
Previously we only filtered None values, but it turns out that's not enough.
2009-11-18 14:34:16 -05:00
Rob Crittenden
884301ef33 Cache installer questions for the 2-step process of an externally-signed CA
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
2009-11-18 14:28:33 -05:00
Simo Sorce
4262358111 Fix SASL mappings 2009-11-18 14:26:29 -05:00
Rob Crittenden
1e3ba09514 Add fail-safe so any kind of exception is handled in XML-RPC server.
If an exception is not handled here then the context isn't destroyed
leaving at least an LDAP connection dangling. This means the next time
this thread/process tries to handle a connection it will fail because
a context already exists.
2009-11-18 14:13:08 -05:00
Rob Crittenden
55c62ac79a Add support for setting/adding arbitrary attributes
This introduces 2 new params: --setattr and --addattr

Both take a name/value pair, ala:

ipa user-mod --setattr=postalcode=20601 jsmith

--setattr replaces or sets the current attribute to the value
--addattr adds the value to an attribute (or sets a new attribute)

OptionsParser allows multiple versions of this, so you can have multiple
setattr and addattr, either for the same attribute or for different
attributes.

ipa user-mod --addattr=postalcode=20601 --addattr=postalcode=30330 jsmith

Values are silent dropped if either of these on an existing param:

ipa user-mod --setattr=givenname=Jerry jsmith

Is a no-op.
2009-11-17 09:40:56 -07:00
Rob Crittenden
680bf7c548 _convert_scalar() should throw an error if passed a tuple or list
A parameter needs to have multivalue set in order to work on lists/tuples
and even then _convert_scalar() will be sent one value at a time.
2009-11-17 09:36:38 -07:00
Rob Crittenden
1d1d82fda4 Fix typo in name of exception 2009-11-12 17:34:19 -05:00
Pavel Zuna
63c6c12d69 Use File parameter for CSR in cert_request command plugin. 2009-11-06 16:05:36 -07:00
Pavel Zuna
566a3cb972 Add 'File' parameter type.
Accepts filenames and loads file contents as parameter value.
2009-11-06 16:05:31 -07:00
Rob Crittenden
da58b0cc75 Add SELinux policy for UI assets
This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
2009-11-04 04:07:38 -07:00
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Rob Crittenden
bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
Rob Crittenden
e4c119ed4b Use Directory String sytnax for the fqdn attribute, not DN syntax. 2009-10-28 01:07:35 -06:00
Jason Gerard DeRose
c4b7b70636 Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
Rob Crittenden
23b800a879 Back down to version 1.9.0 in preparation for release of first alpha.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
2009-10-26 13:55:01 -04:00
Rob Crittenden
725656119c Remove a bunch of unused imports, general cleanup 2009-10-25 22:54:55 -06:00
Pavel Zuna
192cccea97 Remove ipalib/plugins/basegroup.py. It's become obsolete. 2009-10-23 09:38:00 -04:00
Pavel Zuna
04c5b5ae42 Fix bug in print_attribute.
When the attribute had no values an exception was generated while
trying to word-wrap it.
2009-10-23 09:37:23 -04:00
Rob Crittenden
81f8c5f0db Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
Pavel Zuna
6b38de9454 Display membership attributes (member, memberOf) by default in show/find. 2009-10-21 10:35:03 -04:00
Rob Crittenden
914d2cd4df Require that a host exist before creating a service for it. 2009-10-21 03:55:59 -06:00
Rob Crittenden
bc9684b056 The name coming out of DNS will have a trailing dot (.). Remove it. 2009-10-21 03:45:22 -06:00
Rob Crittenden
453a19fcac First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
2009-10-21 03:22:44 -06:00
Rob Crittenden
aa2183578c Add can_add() and can_delete() GER helpers 2009-10-21 03:11:45 -06:00
Jason Gerard DeRose
b35849b47d Change Password param so (password, confirm_password) can be passed to _convert_scalar() 2009-10-18 00:35:05 -06:00
Rob Crittenden
a3a0c0ae33 Add a separate client-only target 2009-10-17 22:56:47 -06:00
Rob Crittenden
383492866e Fix ACI for host delegation
We had changed the DN format, I must have missed these ACIs the first
go around.
2009-10-17 22:51:53 -06:00
Rob Crittenden
f838e7e18b Fix an oops where I forgot to replace a string with a template 2009-10-17 22:08:50 -06:00
Jason Gerard DeRose
ce8be42c56 Fixed compatability break in rpcserver.py 2009-10-17 17:59:38 -06:00
Rob Crittenden
5ad91a0781 Add a sleep() prior to calling tasks to ensure postop writes are done
We were seeing a rare deadlock of DS when creating the memberOf task because
one thread was adding memberOf in a postop while another was trying to
create an index and this was causing a PRLock deadlock.
2009-10-16 14:57:53 -04:00
Rob Crittenden
cc23838db2 Use the FQDN and not just the hostname internally. 2009-10-16 14:57:33 -04:00
Rob Crittenden
0573389370 Be more forgiving when trying to replace older DS schema.
We have to replace 05rfc2247.ldif because it contains some conflicting
attributes with DNS in some older versions of 389-DS/RHDS. This fails on
some newer versions of 389-DS/RHDS so this lets it continue installing
if the new file is not needed.
2009-10-16 14:56:49 -04:00
Jason Gerard DeRose
4a350213b7 Fixed 'import json' for simplejson compatability 2009-10-16 12:38:22 -06:00
Rob Crittenden
b8cadd90bd parse_qs is in cgi on Python < 2.6, use that instead
Python 2.6's cgi module calls the parse_qs in urlparse for backwards
compatibility
2009-10-16 09:12:17 -04:00
Jason Gerard DeRose
5fad455ff4 Fixed try/except/finally for Python 2.4 compatability 2009-10-15 15:00:57 -06:00
Jason Gerard DeRose
8dc21d6f30 Make plugin browser show plugin parent class 2009-10-14 15:08:30 -06:00
Jason Gerard DeRose
5c9437b9e6 Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00
Jason Gerard DeRose
f58ff2921d Giant webui patch take 2 2009-10-13 11:28:00 -06:00
Rob Crittenden
1d6e23136a Add man page for ipa-join command 2009-10-12 14:50:02 -04:00
Rob Crittenden
b4cef3b79b Use nestedgroup instead of groupofnames for rolegroups so we have memberof 2009-10-12 09:40:49 -04:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
Rob Crittenden
416c2a894f Improve debugging, general output, initialize xmlrpc-c properly 2009-10-12 09:37:12 -04:00
Pavel Zuna
0373166002 Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. 2009-10-08 10:11:29 -04:00
Pavel Zuna
0dd92f10cc Fix bug in group plugin. Was using wrong variable for attributes.
Fix bug #527537.
2009-10-08 10:10:01 -04:00
Pavel Zuna
5be9721292 Fix unit tests for plugins using baseldap classes. 2009-10-07 10:00:32 -04:00