Commit Graph

22 Commits

Author SHA1 Message Date
Martin Kosek
4879c68d68 Improve address family handling in sockets
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
2012-07-13 14:25:18 +02:00
Rob Crittenden
536bcd2666 Fix NSS no_init in the NSSHTTPS class 2012-03-04 20:03:21 -05:00
Rob Crittenden
55f89dc689 Do kinit in client before connecting to backend
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
2012-03-04 17:23:01 -05:00
Jan Cholasta
04b8575c52 Add API initialization to ipa-client-install.
This change makes it possible to call IPA commands from ipa-client-install.

Done to support adding SSH host keys to DNS.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:35 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Rob Crittenden
a90e50cdf7 Shut down duplicated file handle when HTTP response code is not 200.
httplib purposely keeps the socket open as a file on failed requests. We
need to close this file otherwise nss_shutdown() will fail.

https://fedorahosted.org/freeipa/ticket/1807
2011-09-23 10:49:39 +02:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Jan Cholasta
f8cb129b93 Remove unused classes.
Removed NSPRConnection and NSPRHTTP from ipapython.nsslib, as they
are not used anywhere in FreeIPA.
2011-04-20 14:36:32 -04:00
Sylvain Baubeau
0832bf5a6a Removed wrong timeout parameter
https://fedorahosted.org/freeipa/ticket/1086

Add Sylvain Baubeau to Contributors.txt
2011-03-18 14:57:29 -04:00
Jakub Hrozek
2e25b2ed27 Make nsslib IPv6 aware 2011-02-21 14:52:25 -05:00
Rob Crittenden
7b71604521 Fix NSS initialization errors during ipa-replica-prepare
When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.

Back out the temporary code to ignore nss_shutdown errors.

ticket 965
2011-02-18 10:00:03 -05:00
Rob Crittenden
16b8d62968 Fix two problems with ipa-replica-prepare
1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
   a dogtag server.

The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.
2011-02-14 18:15:35 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
d0ea0bb638 Changes to fix compatibility with Fedora 14
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6

Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata

ticket 155
2010-08-31 16:59:27 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
John Dennis
55422cb7b9 Require current versions of python-nss & python-lxml
ipa.spec.in         |    3 ++-
 ipapython/nsslib.py |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
2009-11-23 16:52:06 -05:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
rcrit
9352d2fc10 Add a local implementation of httplib.SSLFile and httplib.FakeSocket
Python 2.6 changed its internal implementation which makes it difficult
to override in a way that is backwards compatible.

508953
2009-07-01 08:51:23 -04:00
Rob Crittenden
484eff1016 Implement an installer for the Dogtag certificate system.
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.

What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs

What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
2009-04-03 14:06:09 -04:00