Commit Graph

233 Commits

Author SHA1 Message Date
Rob Crittenden
9bb1e6c03e Add requires on python-krbV to client subpackage
This is needed since ipa-client-install initializes the ipalib api.

https://fedorahosted.org/freeipa/ticket/2577
2012-03-28 08:53:01 +02:00
John Dennis
e2a3907726 Replace broken i18n shell test with Python test
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy.  We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.

* add python-polib to BuildRequires

* Remove the logic for creating the test lang from Makefile.in and
  replace it with calls to test_i18n.py

* add argument parsing, usage, configuration parameters, etc. to
  test_i18n.py to make it easier to use and configurable.

* add function to generate a test po and mo file. It also
  writes the files and creates the test directory structure.

* Took the existing validate code and refactored it into validation
  function. It used to just pick one string and test it, now it
  iterates over all strings and all plural forms.

* Validate anonymous Python format substitutions in pot file

* added support for plural forms.

* Add pot po file validation for variable substitution

* In install/po subdir you can now do:
  $ make test
  $ make validate-pot
  $ make validate-po

* The options for running test_i18n.py are:

$ ./test_i18n.py --help
Usage:

test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]

Options:
  -h, --help            show this help message and exit
  -s, --show-strings    show the offending string when an error is detected
  --pedantic            be aggressive when validating
  -v, --verbose         be informative
  --traceback           print the traceback when an exception occurs

  Operational Mode:
    You must select one these modes to run in

    -g, --test-gettext  create the test translation file(s) and exercise them
    -c, --create-test   create the test translation file(s)
    -P, --validate-pot  validate pot file(s)
    -p, --validate-po   validate po file(s)

  Run Time Parameters:
    These may be used to modify the run time defaults

    --test-lang=TEST_LANG
                        test po file uses this as it's basename (default=test)
    --lang=LANG         lang used for locale, MUST be a valid lang
                        (default=xh_ZA)
    --domain=DOMAIN     translation domain used during test (default=ipa)
    --locale=LOCALE     locale used during test (default=test_locale)
    --pot-file=POT_FILE
                        default pot file, used when validating pot file or
                        generating test po and mo files (default=ipa.pot)

https://fedorahosted.org/freeipa/ticket/2044
2012-03-26 20:29:26 -04:00
Rob Crittenden
00ce15b744 Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue
The IPA upgrade process was starting before 389-ds had upgraded the
database which caused corruption.

https://fedorahosted.org/freeipa/ticket/2541
2012-03-26 09:48:43 +02:00
Petr Viktorin
a4394e5e4a Add missing BuildRequires
Since our build process runs pylint, we need all Python dependencies
installed at RPM creation time.
This adds python-lxml and python-pyasn1 to BuildRequires.

https://fedorahosted.org/freeipa/ticket/2538
2012-03-26 09:38:08 +02:00
Rob Crittenden
8f71f42ef7 No longer shell escape the DM password when calling pkisilent.
pkisilent was modified to handle escaping characters itself in
BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388

This removes the workaround from ticket 1636.

https://fedorahosted.org/freeipa/ticket/2529
2012-03-21 10:08:43 +01:00
Martin Kosek
9d0ef96c67 Allow port numbers for idnsForwarders
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]

https://fedorahosted.org/freeipa/ticket/2462
2012-03-20 15:37:53 +01:00
Petr Vobornik
2449b4d827 Fixed rpm build warning - extension.js listed twice
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js

This is because of a glob:
%{_usr}/share/ipa/ui/*.js

and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js

https://fedorahosted.org/freeipa/ticket/2253
2012-03-19 18:38:46 +01:00
Rob Crittenden
8b2090fae6 Set minimum version of selinux-policy to pick up memcached fix
This package version adds a boolean, httpd_manage_ipa, that enables
the ipa_memcached service to work.

https://fedorahosted.org/freeipa/ticket/2433
2012-03-11 22:36:44 -04:00
Jan Cholasta
afad0775e1 Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
2012-03-01 18:42:56 -05:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Rob Crittenden
872047fa0e Add Requires to ipa-client on oddjob-mkhomedir
https://fedorahosted.org/freeipa/ticket/2337
2012-02-27 11:00:26 +01:00
Martin Kosek
1816643a43 Update schema for bind-dyndb-ldap
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072
2012-02-24 09:40:36 +01:00
Rob Crittenden
915286fed2 Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag
We had this in v1 but removed it with v2 because we no longer used
TurboGears for the UI. Because we are now proxying requests to dogtag
we need to re-add this so that mod_ssl doesn't interfere with our
communication.

mod_ssl always blindly registers itself as the SSL provider for mod_proxy.
mod_nss will only register itself if mod_ssl hasn't already done so.

https://fedorahosted.org/freeipa/ticket/2177
2012-02-22 18:27:54 -05:00
Rob Crittenden
dc5592af1d Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.
https://fedorahosted.org/freeipa/ticket/2118
2012-02-15 23:43:08 -05:00
Simo Sorce
2e2b0c13e2 Require krb5 1.10 2012-02-16 14:45:38 -05:00
Rob Crittenden
2da6d6e746 Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
2012-02-15 17:08:33 +01:00
Rob Crittenden
95b1848f19 Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.

The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.

https://fedorahosted.org/freeipa/ticket/2341
2012-02-15 15:19:32 +01:00
John Dennis
d1e0c1b606 Add ipa_memcached service
* Adds ipa_memcached SystemV initscript

* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
  to recreate /var/run/ipa_memcached on reboot.

* Adds ipa_memcached config file

* Adds memcacheinstnace.py to manage ipa_memcaced as
  as SimpleService object.

* Updates the IPA service list to include ipa_memcached,
  at service positon 39, httpd is position 40

* Updates the spec file:
  - requires the memcached daemon and python client
  - installs service or initscripts depending on OS
  - installs config file
  - creates /var/run/ipa_memcached directory

* Modifies ipa-server-install to install ipa_memcached
2012-02-09 13:20:28 -06:00
Rob Crittenden
4dfec211f7 %ghost the UI files that we install/create on the fly
https://fedorahosted.org/freeipa/ticket/1764
2012-01-31 18:38:46 +01:00
Rob Crittenden
f3b606b627 Update and package ipa-upgradeconfig man page.
Require that the tool be run as root to avoid a permission-related
backtrace.

https://fedorahosted.org/freeipa/ticket/1758
2012-01-23 16:07:49 +01:00
Simo Sorce
86f908a0e4 slapi-plugins: use thread-safe ldap library 2012-01-13 19:07:47 +02:00
Rob Crittenden
c08296adff Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
2012-01-10 22:39:26 -05:00
Alexander Bokovoy
d738b6e718 Fix dependency for samba4-devel package 2011-12-09 16:58:59 +02:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00
Simo Sorce
1039653a1b spec: We do not need krb5-server-ldap anymore
We now use our own ipa-kdb DAL driver
2011-11-29 09:29:42 -05:00
Rob Crittenden
2f4b3972a0 Add plugin framework to LDAP updates.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
2011-11-22 23:57:10 -05:00
Simo Sorce
710f435c20 Create skeleton CLDAP server as a DS plugin 2011-11-21 18:52:48 -05:00
Endi S. Dewata
20ad8fe1ba Removed develop.js.
The develop.js is no longer necessary because the code in it has
been merged into the main code.

An empty extension.js has been added to provide a place for UI
customization.

Ticket #2099
2011-11-14 16:47:10 -05:00
Simo Sorce
18537d55a7 Add support for generating PAC for AS requests for user principals 2011-11-07 14:25:07 -05:00
Endi S. Dewata
52981883ab Fixed inconsistent image names.
The images have been renamed to be more consistent and moved into
the "images" directory to mimic the original jQuery UI structure.

Ticket #1613
2011-10-27 14:05:12 +00:00
Endi S. Dewata
f168afbeb6 Removed HBAC deny rule warning.
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444
2011-10-26 12:53:28 +00:00
Alexander Bokovoy
80b4220a05 Update spec file to use systemd on Fedora 16 and above 2011-10-24 15:11:04 +02:00
Rob Crittenden
da4b447bd0 Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324) 2011-10-13 15:28:52 -04:00
Adam Young
ae65c01932 Force the upgrade of pki-setup when upgrading the RPMS 2011-10-09 23:36:36 -04:00
JR Aquino
1ac613fc18 25 Create Tool for Enabling/Disabling Managed Entry Plugins
Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool

https://fedorahosted.org/freeipa/ticket/1181
2011-09-21 09:22:13 +02:00
Rob Crittenden
80a4db80ba Change the Requires for the server and server-selinux for proper order
The server package needs to be installed before the server-selinux
package otherwise the SELinux contexts won't get set properly.

The (postun) is so you can continue to do yum erase freeipa-python
and it will pick up everything else.

https://fedorahosted.org/freeipa/ticket/1779
2011-09-15 23:41:56 -04:00
Sumit Bose
29a7a7e8ce Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
2011-09-14 18:45:13 -04:00
Alexander Bokovoy
1362202653 Introduce platform-specific adaptation for services used by FreeIPA.
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:25:58 +02:00
Martin Kosek
806a40846b Set bind and bind-dyndb-ldap min nvr
This is a soft dependency, min nvr version will only be required
when bind/bind-dyndb-ldap are installed.

https://fedorahosted.org/freeipa/ticket/1121
https://fedorahosted.org/freeipa/ticket/1573
2011-09-09 14:24:06 +02:00
Rob Crittenden
f59e8145fa Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
https://fedorahosted.org/freeipa/ticket/1576
2011-08-30 20:46:59 -04:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Rob Crittenden
3ef732d738 Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
https://fedorahosted.org/freeipa/ticket/1686
2011-08-28 20:56:18 -04:00
Simo Sorce
dfa944da24 daemons: Remove ipa_kpasswd
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
2011-08-26 08:26:08 -04:00
Simo Sorce
bac6f2dd13 ipa-kdb: Initial plugin skeleton 2011-08-26 08:24:49 -04:00
Jan Cholasta
9b0fa8debf Add subscription-manager dependency for RHEL.
ticket 1664
2011-08-23 00:27:30 -04:00
Martin Kosek
99e7b0c355 Update pki-ca version
Bump minimal pki-ca version in spec file to get fix for ipa
cert-request command.

https://fedorahosted.org/freeipa/ticket/1578
2011-08-12 08:52:23 +02:00
Martin Kosek
e2c8b9eee4 Update 389-ds-base version
Bump minimal 389-ds-base version in spec file to get in recent
Directory Server bug fixes.

https://fedorahosted.org/freeipa/ticket/1513
https://fedorahosted.org/freeipa/ticket/1525
https://fedorahosted.org/freeipa/ticket/1552
2011-08-11 22:08:05 +00:00
Martin Kosek
a1c690cc02 Fix client enrollment
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
2011-08-11 22:07:16 +00:00
Endi S. Dewata
bd2f4173b0 Fixed missing icons.
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.

Ticket #1559
2011-08-02 22:56:58 -04:00
Rob Crittenden
25d861dc01 Fix date order in changelog. 2011-07-28 18:53:25 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Rob Crittenden
44b3521fad Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.

https://fedorahosted.org/freeipa/ticket/1434
2011-07-29 11:18:49 +02:00
Rob Crittenden
3fe36a63b6 Add an arch-specific Requires on cyrus-sasl-gssapi
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.

https://fedorahosted.org/freeipa/ticket/1499
2011-07-24 19:58:03 -04:00
Endi S. Dewata
4ff959f55d Removed custom layouts using HTML templates.
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.

Ticket #1501
2011-07-21 11:47:57 -04:00
Jan Cholasta
95901bbdb5 Update minimum required version of python-netaddr.
ticket 1288
2011-07-17 22:44:21 -04:00
Rob Crittenden
3fdca99c48 Create tool to manage dogtag replication agreements
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, the determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
2011-07-17 22:16:32 -04:00
Adam Young
e4a444ba81 HBAC deny warning
shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up fro administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
2011-07-06 21:52:00 +00:00
Rob Crittenden
8a32bb3746 Make dogtag an optional (and default un-) installed component in a replica.
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.

https://fedorahosted.org/freeipa/ticket/1251
2011-06-23 19:04:33 -04:00
Martin Kosek
f2df2a6954 Multi-process build problems
Fix a problem when a target missed a version-update requirement.
This caused build problems, especially in a parallel build
environment.

https://fedorahosted.org/freeipa/ticket/1215
2011-06-19 20:28:51 -04:00
Endi S. Dewata
b22a41ead5 Fixed build break.
The Makefile.am freeipa.spec.in have been updated according to the
recent file changes.
2011-06-15 15:56:39 +00:00
Martin Kosek
241ee334de Connection check program for replica installation
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
2011-06-08 09:29:52 +02:00
Jan Cholasta
80b4b3d44b Parse netmasks in IP addresses passed to server install.
ticket 1212
2011-05-30 13:36:26 +02:00
Rob Crittenden
55f9836cb6 Update min nvr for selinux-policy and pki-ca for F-15+
Done with conditionals so still installable on F-14.

ticket 1200
2011-05-13 12:56:32 -04:00
Martin Kosek
e64c1995d4 Update spec with missing BuildRequires for pylint check
https://fedorahosted.org/freeipa/ticket/1203
2011-05-05 16:23:24 +02:00
Rob Crittenden
cc87bc3f28 Bump version to 2.0.90 to distinguish between 2.0.x 2011-05-03 10:51:36 -04:00
Rob Crittenden
b9a2c11d6f Fix ORDERING in some attributetypes and remove other unnecessary elements.
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.

This requires 389-ds-base-1.2.8.0-1+

ticket 1153
2011-04-05 21:46:32 -04:00
Rob Crittenden
ca5332951c Automatically update IPA LDAP on rpm upgrades
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.

This also:
 * corrects the ipa-ldap-updater man page
 * remove automatic --realm, --server, --domain options
 * handle upgrade errors properly
 * saves a copy of dse.ldif before we change it so it can be recovered
 * fixes an error discovered by pylint

ticket 1087
2011-03-21 13:23:53 -04:00
Rob Crittenden
388c9a1705 Add man page for the IPA configuration file
ticket 969
2011-02-23 11:56:31 -05:00
Rob Crittenden
854c740065 Move some BuildRequires so building with ONLY_CLIENT works.
ticket 978
2011-02-22 09:05:57 -05:00
Jakub Hrozek
2e25b2ed27 Make nsslib IPv6 aware 2011-02-21 14:52:25 -05:00
Simo Sorce
eab4e36ee5 Try to register DNS name through a DNS Update on install.
Fixes: https://fedorahosted.org/freeipa/ticket/935
2011-02-17 19:43:52 -05:00
Rob Crittenden
f2ed8de028 Move tools that are really only applicable to be run on the server
This moves a bunch of tools that only make sense to run on the actual
server from the admintools subpackage to the server subpackage.

ticket 947
2011-02-14 10:22:28 -05:00
Rob Crittenden
a880396de9 Add pyOpenSSL as a BuildRequires 2011-02-11 09:35:38 -05:00
Rob Crittenden
f34c0ab916 Set minimum version of sssd to 1.5.1
ticket 926
2011-02-10 13:51:35 -05:00
Jan Cholasta
8c1647af2e Remove unnecessary BuildRequires from the specfile. 2011-02-10 13:47:45 -05:00
Rob Crittenden
d30592ed6d Update minimum version of 389-ds-base, mod_nss and selinux-policy.
* Set min version of 389-ds-base to 1.2.8
* Set min version of mod_nss 1.0.8-10
* Set min version of selinux-policy to 3.9.7-27
2011-02-03 10:35:05 -05:00
Rob Crittenden
275998f6bd Add support for tracking and counting entitlements
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
2011-02-02 10:00:38 -05:00
Rob Crittenden
878aa9ee1f Apply changes discovered in Fedora package review process (#672986)
Ticket 804
2011-01-27 17:09:19 -05:00
Simo Sorce
0eda5918f0 Add requires for the pki
First part of: https://fedorahosted.org/freeipa/ticket/855
2011-01-27 09:36:09 -05:00
Adam Young
fd1e78d2b2 error handling style
modifying the directories so they find the assets in the right locations
2011-01-25 16:47:09 -05:00
Jan Zeleny
24a582304f Rename package to freeipa
https://fedorahosted.org/freeipa/ticket/581
2011-01-25 14:18:18 -05:00