get_radius_profile_by_uid
add_radius_profile
update_radius_profile
delete_radius_profile
find_radius_profiles
Rewrite command line arg handling, now support pair entry, interactive
mode with auto completion, reading pairs from a file, better handling
of mandatory values, better help, long arg names now match attribute
name in pairs
Establish mappings for all attributes and names used in clients and
profiles
Add notion of containers to radius clients and profiles in LDAP
Move common code, variables, constants, and strings into the files
radius_client.py, radius_util.py, ipautil.py to eliminate redundant
elements which could get out of sync if modified and to provide access
to other code which might benefit from using these items in the
future.
Add utility functions:
format_list()
parse_key_value_pairs()
Add utility class:
AttributeValueCompleter
Unify attribute usage in radius ldap schema
1) Add a base class for all of the instance objects.
2) Normalize usage of logging.
3) General cleanups of ipa-server-install.
4) Make better use of httpinstance.
5) Add webguiinstance.
6) Improve progress reporting during installation.
Works Here (TM), but it would be nice to get someone else
to test since this moves code around a bit.
Configure ipa servers as an ntp server and clients
to (by default) us the ipa server as an ntp server.
Also corrected the messages about which ports should
be opened.
The error log is rotated weekly on Sunday. 4 backups are saved.
The access log is not stored since it would be a duplicate of the
Apache logs. It can be enabled if desired.
Had to move the call to daemonize() in ipa-webgui so that the
fork is done before TurboGears is initialized. Otherwise the log
files end up getting closed.
This add replication setup through two new commands: ipa-replica-prepare
and ipa-replica-install. The procedure is to run ipa-replica-prepare
on an existing master. This will collect information about the realm
and the current master and create a file storing all of the information.
After copying that file to the new replica, ipa-replica-install is
run (with -r to create a read-only replica).
This version of the patch also includes fixes for the sasl mappings
on the replicas.
Remaining features:
- ssl for replication.
- automatic configuration of mesh topology for
master (or a simpler way to replicate multiple
masters.
- tool for view / configuring current replication.
This adds 2 new groups: activated and inactivated.
If you, or a group you are a member of, is in inactivated then you are too.
If you, or a group you are a member of, is in the activated group, then you
are too.
In a fight between activated and inactivated, activated wins.
The DNs for doing this matching is case and white space sensitive.
The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.
We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration
- Introduce 3 kind of password change: normal, admin, and ds manager
- normal require adherence to policies
- admin does not but password is immediately expired
- ds manager can just change the password any way he likes.
Initial code to read the Kerberos Master Key from the Directory
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration
- Introduce 3 kind of password change: normal, admin, and ds manager
- normal require adherence to policies
- admin does not but password is immediately expired
- ds manager can just change the password any way he likes.
Initial code to read the Kerberos Master Key from the Directory
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaCustomFields:
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
This could use some optimization.
to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
This patch uses the kerberos schema policy, this is the same policy used by
kadmin.
While this patch allows for krbPwdPolicy objects anywhere the kldap module
will make the kdc fail to provide tickets if the "krbPwdPolicyReference"
points to any object that is not a child of cn=<REALM>,cn=kerberos,dc=....
To let us set policies anywhere in the tree I enabled the code to actually
look at parent entries and the user entry itself and specify policies directly
on these objects by adding the krbPwdPolicy objectclass to them (I know its
structural but DS seem to allow multiple Structural classes on the same
entry).
The only side effect is that kadmin will not understand this, but we don't
want to use kadmin anyway as it does not understand way too many things about the
directory.
I've tested a few scenarios and all seem working as expected, but further
testing is welcome of course.
Fix error reporting in the UI to include the detailed message
Sort delegations by name when displaying them
Update the name field from "Name" to "Delegation Name"
This patch fixes a couple of buglets with read_ip_address():
1) It writes host_name to /etc/hosts, but isn't currently
being passed host_name
2) It doesn't return the IP address even though the caller
expects it
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.
This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
Current ipa-python imports and calls code from ipaserver (which is in
the ipa-server package). This makes it impossible to use the admin
tools or the ipa-python package on a system without the server bits
installed. This fixes that in a fairly minimal way.
The use of a uuid for the DS instance name is overkill and it is a real
pain. This patch will use ipa-realm-name instead (resulting in something
like slapd-EXAMPLE-COM). All periods are converted to "-" because the DS
can't handle periods in server ids.
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> >
> > make install LIBDIR=/usr/lib64
> >
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
Here is another patch for the installer. It does a few things:
* use socket.getfqdn() but fallback to gethostname()
* streamlines the hostname prompting
* fixes a bunch of spelling and grammatical errors
* fixes a bug in the hostname reading/verification logic
* allows "yes" and "no" as answers
* modularizes and reuses code where possible
* changes some of the prompts to be more like
the FDS installer - some text is copied (which is easy to use IMO)
* tries to make the prompts fit on smaller screens (<80 chars)
Hope you agree that it is better. :)
Thanks,
Jon
> William Jon McCann wrote:
> > Hi,
> >
> > After playing with the install (repeatedly) I ended up with a lot of
> > duplicate values in:
> > /etc/sysconfig/dirsrv
> > /etc/sysconfig/ipa-kpasswd
> >
> > Here is a patch that should fix this. It modifies the file "in-place"
> > and removes lines that matching the key (or commented key) and then
> > appends the new key=value.
> >
> > Jon
>
> Cool, I've wanted to fix this for a while (and recently aborted a switch
> from open with "a" to "w").
>
> What happens if the file doesn't exist yet? Do we need to wrap the
> fileinput loop in either a try/except or just look to see if the file
> exists first (my vote)?
>
> Something like:
>
> def update_key_val_in_file(filename, key, val):
> if os.path.exists(filename):
> pattern = "^[\s#]*%s\s*=" % re.escape(key)
> p = re.compile(pattern)
> for line in fileinput.input(filename, inplace=1):
> if not p.search(line):
> sys.stdout.write(line)
> fileinput.close()
> f = open(filename, "a")
> f.write("%s=%s\n" % (key, val))
> f.close()
Good point. In genera,l I prefer doing a try because it is a little
less racy but in this case it doesn't make a difference.
Updated patch attached.
Thanks,
Jon
