Commit Graph

1007 Commits

Author SHA1 Message Date
Jason Gerard DeRose
0ce253fae4 Fix logging in CLI and server (take 2) 2010-02-09 16:36:27 -05:00
Jason Gerard DeRose
c43b69e77c Add support for the 'no_create', 'no_update', and 'no_search' Param flags 2010-02-05 14:32:04 -05:00
Rob Crittenden
e672510c06 Implement pwplicy_find to show all group password policies
find is a bit of a misnomer here because we consider no search terms, it
is all or nothing.
2010-02-03 13:27:46 -05:00
Rob Crittenden
5760170bb3 Add flag to allow a cert to be re-issued
I don't want a user to accidentally re-issue a certificate so I've
added a new flag, --revoke, to revoke the old cert and load the new one.
2010-02-03 13:22:03 -05:00
Rob Crittenden
f43f6c50c6 Only change the log level if it isn't already set
This primarily affects the installer. We want to log to the install/
uninstall file in DEBUG. This was getting reset to INFO causing lots of
details to not show in the logs.
2010-02-03 11:52:15 -05:00
Rob Crittenden
dc55240fe8 Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it
is in DER format.
2010-02-02 14:02:46 -05:00
Rob Crittenden
8ca97cdf35 Base64-encode binary values on the command-line 2010-02-02 14:02:42 -05:00
Rob Crittenden
e24812ee2d Remove group-specific password policy on group deletion 2010-01-29 09:43:51 -05:00
Jason Gerard DeRose
1d6cc1bb7b Remove __public__ and __proxy__ hold-overs from Plugin class 2010-01-28 13:32:00 -05:00
Jason Gerard DeRose
7b571e3693 Enabled CRUDS in webUI using wehjit 0.2.0 2010-01-26 10:32:44 -05:00
Rob Crittenden
0ab9df8632 Fix merge error, variable mis-named label instead of doc 2010-01-21 15:10:47 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
3a536353fb Fix plugin to work with new output validation, add new helpers
Add a new get_subject() helper and return the subject when retrieving
certificates.

Add a normalizer so that everything before and after the BEGIN/END
block is removed.
2010-01-20 17:01:24 -05:00
Pavel Zuna
c15c1eee72 Add DS migration plugin and password migration page. 2010-01-20 16:54:17 -05:00
Pavel Zuna
41a7a8d3d4 Add --enable-migration option in config plugin. 2010-01-20 16:54:02 -05:00
Pavel Zuna
cfe47a3553 Temporary fix for name collision of textui.print_entry.
Somehow there's two of them... rename old one to print_entry1.
2010-01-20 16:53:28 -05:00
Pavel Zuna
54631247a7 Make DNS plugin support output validation and thus make it work again. 2010-01-20 19:29:48 +01:00
Rob Crittenden
28321f7a2c Correct some comment errors 2010-01-19 17:33:28 -05:00
John Dennis
30bc14a15e pass DER flag to x509.get_serial_number() 2010-01-19 17:28:40 -05:00
Rob Crittenden
8376979aa7 Allow cospriority to be updated and fix description of priority ordering
Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
2010-01-19 17:02:13 -05:00
Pavel Zuna
f262a132be Use 'l' instead of 'localityname' in host plugin.
It seems that 'localityname' and 'locality' aliases were dropped in
newer versions of DS.
2010-01-14 16:02:16 -05:00
Pavel Zuna
ce87e04af0 Make host objects aware of their membership and that l==localityName. 2010-01-14 16:01:22 -05:00
Pavel Zuna
a11436113b Add Kerberos Ticket Policy management plugin. 2010-01-13 13:40:44 -05:00
Pavel Zuna
314fe71787 Allow creation of new connections by unshared instances of backend.Connectible. 2010-01-11 13:51:05 -05:00
Pavel Zuna
74a5384169 Add --all to LDAPCreate and make LDAP commands always display default attributes. 2010-01-11 13:28:05 -05:00
Rob Crittenden
b8016807eb Use the caIPAserviceCert profile for issuing service certs.
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.

This is the first step of allowing the subject to be set at
installation time.

Also fix 2 more issues related to the return results migration.
2010-01-08 13:36:16 -07:00
Jason Gerard DeRose
e83c54587f Add messages, declarative tests for rolegroup, taskgroup plugins 2009-12-18 10:56:16 -05:00
Rob Crittenden
af20a1a2da Handle base64-encoded certificates better, import missing function 2009-12-18 05:18:50 -07:00
Rob Crittenden
c3f9ec14d9 Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
2009-12-16 19:26:59 -07:00
Jason Gerard DeRose
8ae0f9c8aa host and hostgroup summary messages, declarative tests; fix tests for 'dn' 2009-12-16 15:54:55 -07:00
Rob Crittenden
2b8cae8a91 Add some missing labels 2009-12-14 20:01:57 -07:00
Rob Crittenden
8f9b434834 Convert to using new result output handling
This also inserts the dn into the response when adding a record.
We need this in the ACI plugin when adding a taskgroup
2009-12-14 20:01:02 -07:00
Rob Crittenden
72840c7ad8 This plugin was replaced by the aci plugin 2009-12-11 22:36:31 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
John Dennis
ee909d871c rebase dogtag clean-up patch 2009-12-09 01:57:08 -07:00
Martin Nagy
0d1962962f Add idnsUpdatePolicy into the dns plug-in
The idnsUpdatePolicy takes a list of BIND dynamic update policies, each
of which must be terminated by ";". Also fix a minor error in the
documentation string.
2009-12-02 13:07:13 +01:00
Rob Crittenden
4348b5f8c4 Add NotImplementedError type so CA plugins can return client-friendly errors
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.

Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.
2009-12-01 23:18:05 -07:00
Rob Crittenden
cb4c0d6caf Add type argument to x509.load_certificate() so it can handle binary certs 2009-12-01 23:17:55 -07:00
Pavel Zuna
34deb3fef3 Rename GeneralizedTime to AccessTime. 2009-12-01 10:38:56 -05:00
Pavel Zuna
40368f0d01 Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. 2009-12-01 10:38:49 -05:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
Pavel Zuna
29aa8fb05d Fix boolean attributes in DNS plugin.
Sometimes they worked fine and sometimes DS rejected them
as invalid.
2009-11-30 13:39:46 -05:00
Pavel Zuna
973f36c496 Fix Bool parameter type. It was impossible to set it to FALSE. 2009-11-30 13:38:23 -05:00
Pavel Zuna
ce72b59f55 Fix takes_options in automount plugin. 2009-11-30 13:28:22 -05:00
Pavel Zuna
582228714e Print only one line of docstrings in command listings.
Full docstring is shown on `ipa help COMMAND`.
2009-11-30 13:25:19 -05:00
Rob Crittenden
87d93e2c74 Use correct attribute for hosts. 2009-11-25 09:52:22 -07:00
Rob Crittenden
1ea6def129 Fix two bugs: one in parsing the ACI and one in comparing two ACIs
The parsing bug was looking for the string 'version' expecting to find
the ACI version. This blew up with the attribute nsosversion. Use
the string 'version 3.0' instead.

The comparison bug appeared if neither ACI had a targetattr attribute.
It was trying to create a set out of a None which is illegal. If an
ACI doesn't have any targetattrs then return () instead.
2009-11-25 09:38:33 -07:00
John Dennis
5d2bbf5325 Reading INT parameter class should respect radix prefix
This modifies the original patch by including a unit test, handling floats
when passed as unicode, and handling large magnitude values beyond maxint.

The INT parameter class was not respecting any radix prefix (e.g. 0x) the user
may have supplied. This patch implements _convert_scalar method for the Int
class so that we can pass the special radix base of zero to the int constructor
telling it to determine the radix from the prefix (if present).
2009-11-23 16:53:43 -05:00
John Dennis
dbb5721e7c If plugin fails to load log the traceback
Signed-off-by: John Dennis <jdennis@redhat.com>

If plugin fails to load log the traceback

If a plugin fails to load due to some kind of error it would be nice
if the error log contained the traceback so you can examine what went
wrong rather than being left blind as to why it failed to load.
2009-11-23 16:30:01 -05:00
John Dennis
0d880b3ee3 add new error class for certificate operations
add new error class for certificate operations
2009-11-19 14:52:17 -05:00