Commit Graph

2325 Commits

Author SHA1 Message Date
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Rob Crittenden
7105a0c0d6 Add pdb options to make-test to pass onto nosetests 2009-12-11 22:41:39 -07:00
Rob Crittenden
72840c7ad8 This plugin was replaced by the aci plugin 2009-12-11 22:36:31 -07:00
Rob Crittenden
6a3ed31221 Add force option to ipa-replica-manage to allow forcing deletion of a replica
If a replica is not up for some reason (e.g. you've already deleted it)
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
2009-12-11 22:34:58 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
Rob Crittenden
d08b8858dd Pass on debug option from ipa-client-install to ipa-join 2009-12-09 17:17:08 -05:00
John Dennis
ee909d871c rebase dogtag clean-up patch 2009-12-09 01:57:08 -07:00
Rob Crittenden
62d40286ac A utility for removing principals from a keytab.
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.

This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed

This does not change the KDC at all, just removes entries from a file
on the client machine.
2009-12-04 16:29:09 -05:00
Rob Crittenden
8ecb5897c1 Bump the installation version number to V2.0 2009-12-03 09:59:31 -07:00
Rob Crittenden
8115b28c99 Add minimal test for the cert plugin
This assumes that the developer has the equivalent of a selfsign CA
installed. To do this, install IPA without a CA and copy
/etc/httpd/alias/*.db to ~/.ipa/alias and
/etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-03 09:58:56 -07:00
Rob Crittenden
a535cb0772 Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type 2009-12-02 12:47:39 -07:00
Martin Nagy
0d1962962f Add idnsUpdatePolicy into the dns plug-in
The idnsUpdatePolicy takes a list of BIND dynamic update policies, each
of which must be terminated by ";". Also fix a minor error in the
documentation string.
2009-12-02 13:07:13 +01:00
Martin Nagy
d147eafb07 Ask the user before overwriting /etc/named.conf 2009-12-02 13:07:07 +01:00
Martin Nagy
377907e221 Remove unnecessary "error: " prefixes
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
2009-12-02 13:07:00 +01:00
Pavel Zuna
f3bd9bfb59 Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it. 2009-12-02 13:04:00 +01:00
Rob Crittenden
4348b5f8c4 Add NotImplementedError type so CA plugins can return client-friendly errors
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.

Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.
2009-12-01 23:18:05 -07:00
Rob Crittenden
cb4c0d6caf Add type argument to x509.load_certificate() so it can handle binary certs 2009-12-01 23:17:55 -07:00
Rob Crittenden
060662f320 Better LDAP error handling in ipa-client-install 2009-12-01 09:52:14 -07:00
Rob Crittenden
384eec771d Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.

This wipes out the last vestiges of the old ipa.conf from v1.
2009-12-01 09:11:23 -07:00
Pavel Zuna
2f8129a17c Add ipaUserGroup objectClass to default groups where missing. 2009-12-01 10:41:27 -05:00
Pavel Zuna
34deb3fef3 Rename GeneralizedTime to AccessTime. 2009-12-01 10:38:56 -05:00
Pavel Zuna
40368f0d01 Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. 2009-12-01 10:38:49 -05:00
Rob Crittenden
0dcaea8d16 Add server option to ipa-join so the IPA server can be specified.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
2009-11-30 18:12:11 -07:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
Rob Crittenden
7c2c2d6130 Add option to have ipautil.run() not raise an exception
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.

This also lets the caller get the contents of stdout and stderr.
2009-11-30 15:28:41 -05:00
Pavel Zuna
29aa8fb05d Fix boolean attributes in DNS plugin.
Sometimes they worked fine and sometimes DS rejected them
as invalid.
2009-11-30 13:39:46 -05:00
Pavel Zuna
973f36c496 Fix Bool parameter type. It was impossible to set it to FALSE. 2009-11-30 13:38:23 -05:00
Pavel Zuna
ce72b59f55 Fix takes_options in automount plugin. 2009-11-30 13:28:22 -05:00
Pavel Zuna
582228714e Print only one line of docstrings in command listings.
Full docstring is shown on `ipa help COMMAND`.
2009-11-30 13:25:19 -05:00
Rob Crittenden
cfec51819b Add SELinux policy for CRL file publishing.
This policy should really be provided by dogtag. We don't want
to grant read/write access to everything dogtag can handle so we
change the context to cert_t instead. But we have to let dogtag
read/write that too hence this policy.

To top it off we can't load this policy unless dogtag is also loaded
so we insert it in the IPA installer
2009-11-26 00:16:30 -07:00
Rob Crittenden
986c4e23e7 Point to correct location of self-signed CA and set pw on 389-DS cert db
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.

The DS db wasn't getting a password set on it. Go ahead and set one.
2009-11-25 09:57:14 -07:00
Rob Crittenden
87d93e2c74 Use correct attribute for hosts. 2009-11-25 09:52:22 -07:00
Rob Crittenden
1ea6def129 Fix two bugs: one in parsing the ACI and one in comparing two ACIs
The parsing bug was looking for the string 'version' expecting to find
the ACI version. This blew up with the attribute nsosversion. Use
the string 'version 3.0' instead.

The comparison bug appeared if neither ACI had a targetattr attribute.
It was trying to create a set out of a None which is illegal. If an
ACI doesn't have any targetattrs then return () instead.
2009-11-25 09:38:33 -07:00
Rob Crittenden
f14f5156d4 Integrate ipa-join and ipa-rmkeytab into the client install/uninstall
This will fetch a keytab on installation and remove it upon uninstallation.
2009-11-25 09:21:34 -07:00
Rob Crittenden
8a7c22939d Bash tab completion script 2009-11-25 08:48:38 -07:00
Nalin Dahyabhai
a094dfa91c Add code to handle stash files using keytab format
In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM
on Fedora) is created in the regular keytab format instead of the older
less-portable one.  Based from comments and code in kt_file.c, here's a
change to try to recognize that case (the file starts with a magic
number) and read the master key from Python.

The KDC will still read either format, so I left the bits that set
things up on replicas alone (advice appreciated).  The patch works as
expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional
stash file) and on Raw Hide (krb5 1.7 with a keytab).
2009-11-24 12:07:27 -05:00
John Dennis
5d2bbf5325 Reading INT parameter class should respect radix prefix
This modifies the original patch by including a unit test, handling floats
when passed as unicode, and handling large magnitude values beyond maxint.

The INT parameter class was not respecting any radix prefix (e.g. 0x) the user
may have supplied. This patch implements _convert_scalar method for the Int
class so that we can pass the special radix base of zero to the int constructor
telling it to determine the radix from the prefix (if present).
2009-11-23 16:53:43 -05:00
John Dennis
55422cb7b9 Require current versions of python-nss & python-lxml
ipa.spec.in         |    3 ++-
 ipapython/nsslib.py |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
2009-11-23 16:52:06 -05:00
John Dennis
b1b2654ddb along with stdout, stderr also log the initial command
Signed-off-by: John Dennis <jdennis@redhat.com>

along with stdout,stderr also log the initial command

This implements better logging of external commands. Formerly we were
just outputting stdout and stderr without labeling which was which. We
also omitted the initial command and it's arguments. This made it
difficult when reviewing the logs to know what the command was and
what was stdout vs. stderr. This patch fixes that.
2009-11-23 16:31:02 -05:00
John Dennis
dbb5721e7c If plugin fails to load log the traceback
Signed-off-by: John Dennis <jdennis@redhat.com>

If plugin fails to load log the traceback

If a plugin fails to load due to some kind of error it would be nice
if the error log contained the traceback so you can examine what went
wrong rather than being left blind as to why it failed to load.
2009-11-23 16:30:01 -05:00
John Dennis
ce3df4f74a Make NotImplementedError in rabase return the correct function name
ipaserver/plugins/rabase.py |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
2009-11-19 16:18:45 -05:00
John Dennis
0d880b3ee3 add new error class for certificate operations
add new error class for certificate operations
2009-11-19 14:52:17 -05:00
John Dennis
76fc1f75f9 error strings in documentation were missing unicode specifier
error strings in documentation were missing unicode specifier
2009-11-19 14:51:49 -05:00
John Dennis
eb5793b5ea respect debug arg during server install
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
2009-11-19 14:46:18 -05:00
Rob Crittenden
50b683dc3c Provide additional help to --help option 2009-11-19 14:38:01 -05:00
Rob Crittenden
6e5c15b1db Gracefully handle a valid kerberos ticket for a deleted entry.
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
2009-11-19 14:37:41 -05:00
Rob Crittenden
34f6cba0c3 Clean up some return values
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
overlap.
2009-11-19 03:07:52 -07:00
Pavel Zuna
2bbdf7be0d Handle ipaEnabledFlag as bool (TRUE/FALSE) instead of string (enabled/disabled). 2009-11-18 14:40:53 -05:00
Pavel Zuna
e1e2e020a7 Remove 'ipaObject' objectClass from rolegroups and taskgroups. 2009-11-18 14:37:15 -05:00
Pavel Zuna
f5d63dbecc Filter all NULL values in ldap2.add_entry. python-ldap doesn't like'em.
Previously we only filtered None values, but it turns out that's not enough.
2009-11-18 14:34:16 -05:00