Commit Graph

96 Commits

Author SHA1 Message Date
Martin Kosek
6141919fba Fix ipa-server-install for dual NICs
A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.

This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.

https://fedorahosted.org/freeipa/ticket/2154
2012-01-22 23:01:42 -05:00
Ondrej Hamada
da4b4fc4d9 User-add random password support
I've used code from ipalib/plugins/host.py to add support for random
password generation. The '--random' option is now available in user-add
and user-mod commands. If both the 'password' and 'random' options are
used the 'random' option will be ignored.

Two test cases were added to unit test's module test_user_plugin.py -
they test creating and modifying user with random password. Two fuzzy tests
were added: test for password(string that doesn't start or end with
whitespace and doesn't containt other whitespace than ' ') and for whatever
string(because of krbextradata).

I've slightly modified ipa_generate_password in order to make passwords for
users more user-friendly(reduce number of non-letters). It has two optional
parameters now - first one is string of characters that should be used for
generating the passwd and second one is length of password. If none
parameter is set default values will be used so there's no need to modify
other plugins that use random password generator.

https://fedorahosted.org/freeipa/ticket/1979
2011-12-12 00:17:07 -05:00
Rob Crittenden
58e5610592 Use absolute paths when trying to find certmonger request id.
The value stored in certmonger is not guaranteed to be normalized
nor is the value passed-in (could be a relative path and may or not
contain trailing slash). We do direct string compares so they need
to match exactly or we won't find the request.

https://fedorahosted.org/freeipa/ticket/1942
2011-12-08 09:31:20 +01:00
John Dennis
167813f343 Restore default log level in server to INFO
The default log level for server messages captured by httpd's
error_log historically was INFO. The log_manager patch had it set to
ERROR, this patch resets it back to INFO.

Although it would have been trival to set the default_level to INFO in
IPALogManager.configure_from_env() that is not logically the correct
place. It would be much better if the default_level can be reset by
simply assigning it to the log_mgr. To accomplish that
LogManager.default_level was converted to a property with a getter and
setter. The setter runs LogManager.apply_configuratin() after the
default_level is modified. LogManager.set_default_level() was also
added to allow simultaneously updating the configure_state.

While testing some minor problems were observed and also fixed:

* Removed some print statement which had been left in by mistake

* Removed the ability to set the handler level in the config file
  because of chicken-and-egg issues of when handlers get created.
  The Env config file format is too inflexible to support detailed
  logging configuration. If the Env config format is ever made more
  flexible we can come back and add this back in. The handler config
  setting in Env had never been used and never worked so there is no
  issue in removing it.
2011-12-01 08:34:02 +01:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
John Dennis
730f1228a9 ticket 2022 - Add log manager module 2011-11-23 09:35:44 +01:00
Alexander Bokovoy
ebdc752b66 Check for Python.h during build of py_default_encoding extension
For rare cases when Python development package is not installed,
check that Python.h is available and bail out if not.

Fixes:
https://fedorahosted.org/freeipa/ticket/1838
2011-11-16 18:34:16 -05:00
Alexander Bokovoy
25d5d7ed93 Add support for systemd environments and use it to support Fedora 16
https://fedorahosted.org/freeipa/ticket/1192
2011-10-24 15:10:11 +02:00
Alexander Bokovoy
447ce62966 Use set class instead of dictview class as set is wider supported 2011-10-13 18:25:57 -04:00
Rob Crittenden
f4ec8a2fa4 Handle an empty value in a name/value pair in config_replace_variables()
This would blow up if you tried to append a value to an entry that looked
like:

NAME=

https://fedorahosted.org/freeipa/ticket/1983
2011-10-13 16:37:12 -04:00
Rob Crittenden
77fdf6f7c7 Save the value of hostname even if it doesn't appear in /etc/sysconfig/network
https://fedorahosted.org/freeipa/ticket/1871
2011-10-13 01:01:44 -04:00
Alexander Bokovoy
8baec8d06b Refactor authconfig use in ipa-client-install
When certain features are being configured via authconfig, we need to
remember what was configured and what was the state before it so that
during uninstall we restore proper state of the services.

Mostly it affects sssd configuration with multiple domains but also
pre-existing LDAP and krb5 configurations.

This should fix following tickets:
https://fedorahosted.org/freeipa/ticket/1750
https://fedorahosted.org/freeipa/ticket/1769
2011-10-12 19:20:09 -04:00
Martin Kosek
f7a9da8b3f Make IPv4 address parsing more strict
Let netaddr.IPAddress() use inet_pton() rather than inet_aton() for
IP address parsing. We will use the same function in IPv4/IPv6
conversions + be stricter and don't allow IP addresses such as
'1.1.1' at the same time.

https://fedorahosted.org/freeipa/ticket/1965
2011-10-13 15:03:41 +02:00
Alexander Bokovoy
8badce286f Refactor backup_and_replace_hostname() into a flexible config modification tool
backup_and_replace_hostname() was doing three things:
    1. Given config file in 'key=value' style, replace value for a
       specified key (HOSTNAME)
    2. Backup original file and install a replacement
    3. Restore original security context after editing

We have several more places where parts of the functionality are needed,
thus making two tools in ipapython.ipautil:

    1. config_replace_variables(filepath, replacevars=dict(),
                                appendvars=dict())
       Replaces or appends values to specified keys, adding new key=value
       pairs if key was absent

    2. backup_config_and_replace_variables(fstore, filepath,
                                           replacevars=dict(),
                                           appendvars=dict())
       Backups config file and calls config_replace_variables()

A caller must handle security context after using these two tools.

In addition, as before, there is
ipapython.services.backup_and_replace_hostname() that uses
these common tools and restores security context after editing.

The code will be used extensively for systemd integration for Fedora 16.

Fixes:
    https://fedorahosted.org/freeipa/ticket/1871
2011-10-11 18:21:41 -04:00
Alexander Bokovoy
ff3d3c0ab3 Force kerberos realm to be a string
Fixes issue with Python linter on Fedora 16 where it assumes for C
modules-provided objects that they are of type _Chainmap during static
analysis.
2011-10-10 16:35:17 -04:00
Jan Cholasta
209bcb0b98 Work around pkisilent bugs.
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

ticket 1636
2011-10-04 20:12:58 -04:00
Jan Cholasta
12bfed37d4 Add a function for formatting network locations of the form host:port for use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).

ticket 1869
2011-10-05 10:58:25 +02:00
Martin Kosek
00cffce6c2 ipa-client assumes a single namingcontext
When LDAP server contains more that one suffixes, the ipa client
installation does not detect it as IPA server and fails to install.
Fix ipa server discovery so that it correctly searches all naming
contexts for the IPA one.

https://fedorahosted.org/freeipa/ticket/1868
2011-09-30 16:53:59 +02:00
Rob Crittenden
a90e50cdf7 Shut down duplicated file handle when HTTP response code is not 200.
httplib purposely keeps the socket open as a file on failed requests. We
need to close this file otherwise nss_shutdown() will fail.

https://fedorahosted.org/freeipa/ticket/1807
2011-09-23 10:49:39 +02:00
Rob Crittenden
1d8a891844 The return value of restorecon is not reliable, ignore it.
https://fedorahosted.org/freeipa/ticket/1816
2011-09-20 08:54:05 +02:00
Alexander Bokovoy
1362202653 Introduce platform-specific adaptation for services used by FreeIPA.
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:25:58 +02:00
Yuri Chornoivan
1785d0a7c1 Fix typos
Fix "The the" and "classses" in FreeIPA code and messages.

https://fedorahosted.org/freeipa/ticket/1480
2011-09-07 13:20:42 +02:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Jan Cholasta
9e7a3e7f3c Make sure that hostname specified by user is not an IP address.
ticket 1375
2011-07-25 01:47:52 -04:00
Martin Kosek
02520ab98c Remove sensitive information from logs
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.

https://fedorahosted.org/freeipa/ticket/1378
2011-07-13 15:16:24 +02:00
Rob Crittenden
6ad7deb7ac Set the client auth callback after creating the SSL connection.
If we set the callback before calling connect() then if the connection
tries a network family type and fails, it will try other family types.
If this happens then the callback set on the first socket will be lost
when a new socket is created. There is no way to query for the callback
in an existing socket.

https://fedorahosted.org/freeipa/ticket/1349
2011-07-01 21:01:22 -04:00
Rob Crittenden
c329a54c09 The IP address provided to ipa-server-install must be local
Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.

https://fedorahosted.org/freeipa/ticket/1175
2011-06-20 22:14:10 -04:00
Martin Kosek
d9808498a8 Improve IP address handling in IPA option parser
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.

Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.

https://fedorahosted.org/freeipa/ticket/1333
2011-06-19 20:06:21 -04:00
Martin Kosek
241ee334de Connection check program for replica installation
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
2011-06-08 09:29:52 +02:00
Jan Cholasta
fd639bc88c Do stricter checking of IP addressed passed to server install.
ticket 1213
2011-05-30 13:38:46 +02:00
Jan Cholasta
80b4b3d44b Parse netmasks in IP addresses passed to server install.
ticket 1212
2011-05-30 13:36:26 +02:00
Martin Kosek
2cbc6fd6a2 Improve service manipulation in client install
Remove redundant ipa-client-install error message when optional nscd
daemon was not installed. Additionally, use standard IPA functions
for service manipulation and improve logging.

https://fedorahosted.org/freeipa/ticket/1207
2011-05-13 13:24:35 +02:00
Simo Sorce
000ba0531e ipautil: Preserve environment unless explicitly overridden by caller.
Fixes: https://fedorahosted.org/freeipa/ticket/1193
2011-04-27 11:25:37 -04:00
Jan Cholasta
f8cb129b93 Remove unused classes.
Removed NSPRConnection and NSPRHTTP from ipapython.nsslib, as they
are not used anywhere in FreeIPA.
2011-04-20 14:36:32 -04:00
Jan Cholasta
1ac3ed2c27 Fix lint false positives. 2011-04-13 15:58:45 +02:00
Sylvain Baubeau
0832bf5a6a Removed wrong timeout parameter
https://fedorahosted.org/freeipa/ticket/1086

Add Sylvain Baubeau to Contributors.txt
2011-03-18 14:57:29 -04:00
Rob Crittenden
3735450ab8 If --hostname is provided for ipa-client-install use it everywhere.
If a hostname was provided it wasn't used to configure either
certmonger or sssd. This resulted in a non-working configuration.

Additionally on un-enrollment the wrong hostname was unenrolled, it
used the value of gethostname() rather than the one that was passed
into the installer.

We have to modify the CA configuration of certmonger to make it
use the right principal when requesting certificates. The filename
is unpredicable but it will be in /var/lib/certmonger/cas.
We need to hunt for ipa_submit and add -k <principal> to it, then
undo that on uninstall. These files are created the first time
the certmonger service starts, so start and stop it before messing
with them.

ticket 1029
2011-03-08 10:23:07 -05:00
Martin Kosek
f785af4efe Inconsistent sysrestore file handling by IPA server installer
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.

The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.

https://fedorahosted.org/freeipa/ticket/1026
2011-03-03 11:02:02 -05:00
Jakub Hrozek
2e25b2ed27 Make nsslib IPv6 aware 2011-02-21 14:52:25 -05:00
Rob Crittenden
7b71604521 Fix NSS initialization errors during ipa-replica-prepare
When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.

Back out the temporary code to ignore nss_shutdown errors.

ticket 965
2011-02-18 10:00:03 -05:00
Rob Crittenden
16b8d62968 Fix two problems with ipa-replica-prepare
1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
   a dogtag server.

The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.
2011-02-14 18:15:35 -05:00
Rob Crittenden
29706fb13b Add default success/failure output logging.
Request logging on the server only happened if you added verbose=True
or debug=True to the IPA config file. We should log the basics at
least: who, what, result.

Move a lot of entries from info to debug logging as well.

Related to ticket 873
2011-02-14 10:23:52 -05:00
Simo Sorce
740b689696 Handle nolog list containing None values
Fixes: https://fedorahosted.org/freeipa/ticket/856
2011-01-27 09:36:26 -05:00
Jakub Hrozek
ab2ca8022e Fix assorted bugs found by pylint 2011-01-25 14:01:36 -05:00
Martin Kosek
82b4d5d6e8 Unused value in initdefault_encoding_utf8
There is no use for return value of Py_InitModule3. Removing it
in this patch.

https://fedorahosted.org/freeipa/ticket/710
2011-01-25 08:59:50 -05:00
Rob Crittenden
96469fbc88 Fix failed tests. API for utcoffset changed and strings are more robust.
In Python 2.7 the API for time.utcoffset() changed.

We do more automatic conversions of strings so need to loosen the tests
a bit.
2011-01-24 14:34:38 -05:00
Simo Sorce
373455026e Add a way to print output from commands
Instead pof always capturing the output, make it possible to let
it go to the standard output pipes.
Use this in ipactl to let init scripts show their output.

Fixes: https://fedorahosted.org/freeipa/ticket/765
2011-01-18 10:04:19 -05:00
Martin Kosek
e73efb9a90 Password generation and logging in ipa-server-install
When a randomly generated password contains a space character
as the first or the last character, installation fails on
kdb5_ldap_util calling, which does not accept that. This patch
fixes the generator to generate space only on allowed position.

This patch also ensures that no password is printed to
server install log.

https://fedorahosted.org/freeipa/ticket/731
2011-01-18 10:03:55 -05:00
Rob Crittenden
d7bd9138c8 Execute /usr/bin/python directly instead of /usr/bin/env python
ticket 608
2011-01-14 16:27:48 -05:00
Rob Crittenden
c69d8084c1 Add API version and have server reject incompatible clients.
This patch contains 2 parts.

The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.

The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).

To determine the API version of the server from a client use the ping
command.

ticket 584
2011-01-14 14:26:22 -05:00