Commit Graph

2266 Commits

Author SHA1 Message Date
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Rob Crittenden
bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
Rob Crittenden
e4c119ed4b Use Directory String sytnax for the fqdn attribute, not DN syntax. 2009-10-28 01:07:35 -06:00
Jason Gerard DeRose
c4b7b70636 Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
Rob Crittenden
23b800a879 Back down to version 1.9.0 in preparation for release of first alpha.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
2009-10-26 13:55:01 -04:00
Rob Crittenden
725656119c Remove a bunch of unused imports, general cleanup 2009-10-25 22:54:55 -06:00
Pavel Zuna
192cccea97 Remove ipalib/plugins/basegroup.py. It's become obsolete. 2009-10-23 09:38:00 -04:00
Pavel Zuna
04c5b5ae42 Fix bug in print_attribute.
When the attribute had no values an exception was generated while
trying to word-wrap it.
2009-10-23 09:37:23 -04:00
Rob Crittenden
81f8c5f0db Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
Pavel Zuna
6b38de9454 Display membership attributes (member, memberOf) by default in show/find. 2009-10-21 10:35:03 -04:00
Rob Crittenden
914d2cd4df Require that a host exist before creating a service for it. 2009-10-21 03:55:59 -06:00
Rob Crittenden
bc9684b056 The name coming out of DNS will have a trailing dot (.). Remove it. 2009-10-21 03:45:22 -06:00
Rob Crittenden
453a19fcac First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
2009-10-21 03:22:44 -06:00
Rob Crittenden
aa2183578c Add can_add() and can_delete() GER helpers 2009-10-21 03:11:45 -06:00
Jason Gerard DeRose
b35849b47d Change Password param so (password, confirm_password) can be passed to _convert_scalar() 2009-10-18 00:35:05 -06:00
Rob Crittenden
a3a0c0ae33 Add a separate client-only target 2009-10-17 22:56:47 -06:00
Rob Crittenden
383492866e Fix ACI for host delegation
We had changed the DN format, I must have missed these ACIs the first
go around.
2009-10-17 22:51:53 -06:00
Rob Crittenden
f838e7e18b Fix an oops where I forgot to replace a string with a template 2009-10-17 22:08:50 -06:00
Jason Gerard DeRose
ce8be42c56 Fixed compatability break in rpcserver.py 2009-10-17 17:59:38 -06:00
Rob Crittenden
5ad91a0781 Add a sleep() prior to calling tasks to ensure postop writes are done
We were seeing a rare deadlock of DS when creating the memberOf task because
one thread was adding memberOf in a postop while another was trying to
create an index and this was causing a PRLock deadlock.
2009-10-16 14:57:53 -04:00
Rob Crittenden
cc23838db2 Use the FQDN and not just the hostname internally. 2009-10-16 14:57:33 -04:00
Rob Crittenden
0573389370 Be more forgiving when trying to replace older DS schema.
We have to replace 05rfc2247.ldif because it contains some conflicting
attributes with DNS in some older versions of 389-DS/RHDS. This fails on
some newer versions of 389-DS/RHDS so this lets it continue installing
if the new file is not needed.
2009-10-16 14:56:49 -04:00
Jason Gerard DeRose
4a350213b7 Fixed 'import json' for simplejson compatability 2009-10-16 12:38:22 -06:00
Rob Crittenden
b8cadd90bd parse_qs is in cgi on Python < 2.6, use that instead
Python 2.6's cgi module calls the parse_qs in urlparse for backwards
compatibility
2009-10-16 09:12:17 -04:00
Jason Gerard DeRose
5fad455ff4 Fixed try/except/finally for Python 2.4 compatability 2009-10-15 15:00:57 -06:00
Jason Gerard DeRose
8dc21d6f30 Make plugin browser show plugin parent class 2009-10-14 15:08:30 -06:00
Jason Gerard DeRose
5c9437b9e6 Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00
Jason Gerard DeRose
f58ff2921d Giant webui patch take 2 2009-10-13 11:28:00 -06:00
Rob Crittenden
1d6e23136a Add man page for ipa-join command 2009-10-12 14:50:02 -04:00
Rob Crittenden
b4cef3b79b Use nestedgroup instead of groupofnames for rolegroups so we have memberof 2009-10-12 09:40:49 -04:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
Rob Crittenden
416c2a894f Improve debugging, general output, initialize xmlrpc-c properly 2009-10-12 09:37:12 -04:00
Pavel Zuna
0373166002 Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. 2009-10-08 10:11:29 -04:00
Pavel Zuna
0dd92f10cc Fix bug in group plugin. Was using wrong variable for attributes.
Fix bug #527537.
2009-10-08 10:10:01 -04:00
Pavel Zuna
5be9721292 Fix unit tests for plugins using baseldap classes. 2009-10-07 10:00:32 -04:00
Pavel Zuna
cbbfd16e9f Make the taskgroup plugin use baseldap classes. 2009-10-07 10:00:04 -04:00
Pavel Zuna
8f29e416be Make the rolegroup plugin use baseldap classes. 2009-10-05 16:02:26 -04:00
Pavel Zuna
26b05cd364 Make the hostgroup plugin use baseldap classes. 2009-10-05 16:02:02 -04:00
Pavel Zuna
9b77455cbb Make the netgroup plugin use baseldap classes. 2009-10-05 16:01:02 -04:00
Pavel Zuna
fbd1ff40f9 Make the user plugin use baseldap classes. 2009-10-05 15:59:23 -04:00
Pavel Zuna
be82f941d0 Make the service plugin use baseldap classes. 2009-10-05 15:59:16 -04:00
Pavel Zuna
e01b1b8f99 Fix unit tests for plugins using baseldap classes. 2009-10-05 15:59:09 -04:00
Pavel Zuna
1e48662b9b Make the group plugin use baseldap classes. 2009-10-05 15:58:54 -04:00
Pavel Zuna
5af07b693a Make the config plugin use baseldap classes. 2009-10-05 15:58:40 -04:00
Pavel Zuna
a6eb928f98 Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
97dfa586de Make primary_key optional.
The pwpolicy plugin doesn't have a primary key but can still take advantage
of other parts of the framework.
2009-10-05 13:28:24 -06:00
Rob Crittenden
48785a5af1 Loosen the ACI for the KDC to allow adds/deletes
Password policy entries must be a child of the entry protected by this
ACI.

Also change the format of this because in DS it was stored as:
\n(target)\n so was base64-encoded when it was retrieved.
2009-10-05 13:27:34 -06:00
Rob Crittenden
8de6dc00dc Robustness fix for updater, in case updates['updates'] is not set yet. 2009-10-05 13:26:41 -06:00
Rob Crittenden
e62bbab37a Let the updater delete entries and add small test harness
In order to run the tests you must put your DM password into
~/.ipa/.dmpw

Some tests are expected to generate errors. Don't let any ERROR
messages from the updater fool you, watch the pass/fail of the nosetests.
2009-10-05 13:25:42 -06:00