Commit Graph

2565 Commits

Author SHA1 Message Date
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Rob Crittenden
1943993737 Remove left-over debugging statement 2010-05-14 17:28:22 -04:00
Pavel Zuna
64490a3ee0 Correctly handle EmptyModlist exception in pwpolicy2-mod.
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
2010-05-14 11:07:10 -04:00
Pavel Zuna
7993719329 Add exception callback (exc_callback) to baseldap.py classes.
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
2010-05-14 11:06:59 -04:00
John Dennis
792f58fae3 Update Kannada translations 2010-05-11 14:22:49 -04:00
Rob Crittenden
caf32115ec Become IPA v2 alpha 3 (1.9.0.pre3) 2010-05-07 13:22:39 -04:00
Rob Crittenden
2876bd11dd Check to see if we are configured before uninstalling.
Allow the --force flag to override on both install and uninstall
2010-05-07 12:02:12 -04:00
Rob Crittenden
3bf7268d74 Add simple test to see if client is already configured
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.

One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
2010-05-06 15:17:16 -06:00
Rob Crittenden
cd5eddd843 Make calling service and chkconfig tolerant of the service not installed
For example, if nscd is not installed this would throw lots of errors about
not being able to disable it, stop it, etc.
2010-05-06 14:47:25 -06:00
Rob Crittenden
83cb7e75b8 Call certmonger after krb5, avoid uninstall errors, better password handling.
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
2010-05-06 09:05:30 -06:00
Rob Crittenden
c2f89941ed Initialize XML-RPC structures to fix issues uncovered by MALLOC_PERTURB_
Also re-arrange some code around reading the configuration file. In trying
to eliminate bogus error messages I prevented the file from being read at all.
It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't
work if you don't pass in a server name.
2010-05-06 09:04:49 -06:00
Martin Nagy
e29be7ac3e named.conf: Add trailing dot to the fake_mname
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.
2010-05-06 10:27:21 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
Rob Crittenden
fa59c8b9d3 Increase the attributes we display by default and fix up some labels. 2010-05-05 14:58:01 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
6d35812252 Set SO_REUSEADDR when determining socket availability
The old perl DS code for detection didn't set this so was often confused
about port availability. We had to match their behavior so the installation
didn't blow up. They fixed this a while ago, this catches us up.
2010-05-03 13:40:54 -06:00
Rob Crittenden
2f50668753 Fix output of summary and embedded dictionaries
Summaries were appearing as "Gettext(...")

Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
2010-05-03 13:40:34 -06:00
Rob Crittenden
cef30893ec client installation fixes: nscd, sssd min version, bogus join error
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
2010-05-03 13:40:14 -06:00
Rob Crittenden
244870932c Reorder some things in the client installer
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
2010-05-03 13:33:08 -06:00
Rob Crittenden
205724b755 Remove some duplicated schema
Newer versions of 389-ds provide this certificate schema so no need to
provide it ourselves.
2010-04-30 10:07:58 -04:00
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
a8409b7db1 Add file with example plugins/tutorial.
Note that this is still work in progress and will be finished
in another patch. Specifically, it currently doesn't cover baseldap.py
classes.
2010-04-27 16:33:08 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
9dc7cf9338 Some more changes for DNS forwarders prompt 2010-04-23 17:21:53 -04:00
Martin Nagy
04182bf68f Add forgotten trailing dots in DNS records
583023
2010-04-23 17:19:41 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Martin Nagy
1a9d49730d Delete old SRV records during uninstallation 2010-04-23 17:19:32 -04:00
Martin Nagy
1340875165 Accept unicode for sysrestore 2010-04-23 17:19:28 -04:00
Rob Crittenden
ba85312bf1 Don't require kerberos principal with the LDAP password change operation.
This was preventing ldappasswd from resetting a password.

471287
2010-04-23 15:22:28 -04:00
Rob Crittenden
c7f50ac7ef Return more specific errors when returning an LDAP_OPERATIONS_ERROR
472332
2010-04-23 15:22:24 -04:00
Rob Crittenden
1d635090cb Use the certificate subject base in IPA when requesting certs in certmonger.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
2010-04-23 04:57:40 -06:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Rob Crittenden
088cc6dc13 Use correct name for CA PKCS#12 file.
I recently renamed this and missed this reference.
2010-04-23 04:56:20 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Rob Crittenden
70049496e3 Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
2010-04-19 10:04:25 -04:00
Pavel Zuna
34ee09e243 Fix ipa-dns-install. It was failing when DNS was reinstalling. 2010-04-19 11:38:40 +02:00
Pavel Zuna
bc5b5a82d9 Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting
The DNS plugin is getting old, tired and already looking forward to his
pension in the Carribean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
  had the has_output attribute in place
- --all: this is related to the output definitions as
  Command.get_options() adds the --all and --raw options automatically
  if has_output contains entries
- dns-add-rr overwritting: missing .lower() caused records to be
  overwritten everytime a new one was added from the CLI
2010-04-19 11:38:19 +02:00
Pavel Zuna
18349dda0f Enable LDAPObject subclasses to disable DN normalization in their methods. 2010-04-16 14:24:20 -04:00
Pavel Zuna
671bb9c978 Add interface for baseldap plugins to register additional callbacks. 2010-04-16 13:43:05 -04:00
Pavel Zuna
e143c22d69 Fix output of env plugin. It displayed more than it should. 2010-04-16 11:06:54 -04:00
Rob Crittenden
c6e6fa758e Enable anonymous VLV so Solaris clients will work out of the box.
Since one needs to enable the compat plugin we will enable anonymous
VLV when that is configured.

By default the DS installs an aci that grants read access to ldap:///all
and we need ldap:///anyone
2010-04-16 11:05:20 -04:00
Rob Crittenden
270292f70b Configure the CRL URI in dogtag.
Also print out a restart message after applying the custom subject.
It takes a while to restart dogtag and this lets the user know things
are moving forward.
2010-04-16 11:03:47 -04:00
Rob Crittenden
017913a613 Use more traditional make notation to build the test language 2010-04-16 10:58:48 -04:00
John Dennis
5b9d1ee180 Add gettext translation test using test language. 2010-04-16 10:56:48 -04:00
Rob Crittenden
45acd086f5 Remove incorrect option -U for --uninstall. -U is short for --unattended. 2010-04-16 09:28:08 -04:00