Commit Graph

2551 Commits

Author SHA1 Message Date
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
6d35812252 Set SO_REUSEADDR when determining socket availability
The old perl DS code for detection didn't set this so was often confused
about port availability. We had to match their behavior so the installation
didn't blow up. They fixed this a while ago, this catches us up.
2010-05-03 13:40:54 -06:00
Rob Crittenden
2f50668753 Fix output of summary and embedded dictionaries
Summaries were appearing as "Gettext(...")

Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
2010-05-03 13:40:34 -06:00
Rob Crittenden
cef30893ec client installation fixes: nscd, sssd min version, bogus join error
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
2010-05-03 13:40:14 -06:00
Rob Crittenden
244870932c Reorder some things in the client installer
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
2010-05-03 13:33:08 -06:00
Rob Crittenden
205724b755 Remove some duplicated schema
Newer versions of 389-ds provide this certificate schema so no need to
provide it ourselves.
2010-04-30 10:07:58 -04:00
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
a8409b7db1 Add file with example plugins/tutorial.
Note that this is still work in progress and will be finished
in another patch. Specifically, it currently doesn't cover baseldap.py
classes.
2010-04-27 16:33:08 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
9dc7cf9338 Some more changes for DNS forwarders prompt 2010-04-23 17:21:53 -04:00
Martin Nagy
04182bf68f Add forgotten trailing dots in DNS records
583023
2010-04-23 17:19:41 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Martin Nagy
1a9d49730d Delete old SRV records during uninstallation 2010-04-23 17:19:32 -04:00
Martin Nagy
1340875165 Accept unicode for sysrestore 2010-04-23 17:19:28 -04:00
Rob Crittenden
ba85312bf1 Don't require kerberos principal with the LDAP password change operation.
This was preventing ldappasswd from resetting a password.

471287
2010-04-23 15:22:28 -04:00
Rob Crittenden
c7f50ac7ef Return more specific errors when returning an LDAP_OPERATIONS_ERROR
472332
2010-04-23 15:22:24 -04:00
Rob Crittenden
1d635090cb Use the certificate subject base in IPA when requesting certs in certmonger.
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
2010-04-23 04:57:40 -06:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Rob Crittenden
088cc6dc13 Use correct name for CA PKCS#12 file.
I recently renamed this and missed this reference.
2010-04-23 04:56:20 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Rob Crittenden
70049496e3 Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than using whether api.env.home is set use api.env.in_tree.
2010-04-19 10:04:25 -04:00
Pavel Zuna
34ee09e243 Fix ipa-dns-install. It was failing when DNS was reinstalling. 2010-04-19 11:38:40 +02:00
Pavel Zuna
bc5b5a82d9 Fix DNS plugin: proper output definitions, --all, dns-add-rr overwritting
The DNS plugin is getting old, tired and already looking forward to his
pension in the Carribean. It will be replaced soon by a younger, faster,
safer, shorter (in terms of code) and more maintainable version.
Until that happens, here's some medicine for the old guy:
- proper output definitions: the DNS plugin was created before we
  had the has_output attribute in place
- --all: this is related to the output definitions as
  Command.get_options() adds the --all and --raw options automatically
  if has_output contains entries
- dns-add-rr overwritting: missing .lower() caused records to be
  overwritten everytime a new one was added from the CLI
2010-04-19 11:38:19 +02:00
Pavel Zuna
18349dda0f Enable LDAPObject subclasses to disable DN normalization in their methods. 2010-04-16 14:24:20 -04:00
Pavel Zuna
671bb9c978 Add interface for baseldap plugins to register additional callbacks. 2010-04-16 13:43:05 -04:00
Pavel Zuna
e143c22d69 Fix output of env plugin. It displayed more than it should. 2010-04-16 11:06:54 -04:00
Rob Crittenden
c6e6fa758e Enable anonymous VLV so Solaris clients will work out of the box.
Since one needs to enable the compat plugin we will enable anonymous
VLV when that is configured.

By default the DS installs an aci that grants read access to ldap:///all
and we need ldap:///anyone
2010-04-16 11:05:20 -04:00
Rob Crittenden
270292f70b Configure the CRL URI in dogtag.
Also print out a restart message after applying the custom subject.
It takes a while to restart dogtag and this lets the user know things
are moving forward.
2010-04-16 11:03:47 -04:00
Rob Crittenden
017913a613 Use more traditional make notation to build the test language 2010-04-16 10:58:48 -04:00
John Dennis
5b9d1ee180 Add gettext translation test using test language. 2010-04-16 10:56:48 -04:00
Rob Crittenden
45acd086f5 Remove incorrect option -U for --uninstall. -U is short for --unattended. 2010-04-16 09:28:08 -04:00
John Dennis
f5afc9bed5 Update Spanish translations 2010-04-13 13:59:07 -04:00
Rob Crittenden
4bf70406d3 Don't let failure to trust the CA abort the server installation.
This error could result in things not working properly but it should be
relatively easy to fix from the command-line. There is no point in
not installing at all due to this.
2010-04-07 08:59:22 -04:00
Pavel Zuna
2736177938 Add ipa man page. 2010-04-07 08:59:04 -04:00
Pavel Zuna
9dd082eb33 Fix http(s)_request in dogtag. Was blowing up because of unicode strings. 2010-03-30 15:11:56 -04:00
Jason Gerard DeRose
918721c1d0 XML-RPC signature change 2010-03-30 15:10:58 -04:00
Rob Crittenden
09d3a6b910 Log some information on the result of a request 2010-03-30 09:41:20 -04:00
Rob Crittenden
c3c850b1d7 Deleting a non-fully-qualified hostname should still delete its services
We were being left with orphan services if the host entry was not removed
using the FQDN.
2010-03-30 09:41:17 -04:00
Pavel Zuna
c7a35f95c5 Fix output for commands that do not return entries.
I also changed the default value of the print_all argument in
textui.print_entry from False to True. It think it makes more sense this
way, because:

1) if order is None, it will still print something
2) if order is not None, it will print what's in order first and then the
   rest
3) commands that care about the print_all argument have to set it in any
   case, those that don't care usually want to print everything
2010-03-26 16:56:47 -04:00
Rob Crittenden
4a61ff681c Fix cut-and-paste error in pwpolicy plugin 2010-03-23 15:59:54 -04:00
Rob Crittenden
9922f47ecb Do a better query so we can optimize seeing if a cospriority is unique 2010-03-23 14:03:26 -04:00
John Dennis
04cb57eeb6 Update Polish and Chinese translations 2010-03-22 13:46:10 -04:00
John Dennis
1b31415343 update Polish translations 2010-03-22 13:46:05 -04:00
Pavel Zuna
c9831d1cc6 Use ldap2.make_*dn* methods in pwpolicy plugin.
Fixes #572423.
2010-03-22 11:49:20 -04:00
Pavel Zuna
43ab2c483d Add INTERNAL flag to frontend plugins. If set, the plugin won't show in UI. 2010-03-22 10:41:36 -04:00