Commit Graph

2222 Commits

Author SHA1 Message Date
Pavel Zuna
a6eb928f98 Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
97dfa586de Make primary_key optional.
The pwpolicy plugin doesn't have a primary key but can still take advantage
of other parts of the framework.
2009-10-05 13:28:24 -06:00
Rob Crittenden
48785a5af1 Loosen the ACI for the KDC to allow adds/deletes
Password policy entries must be a child of the entry protected by this
ACI.

Also change the format of this because in DS it was stored as:
\n(target)\n so was base64-encoded when it was retrieved.
2009-10-05 13:27:34 -06:00
Rob Crittenden
8de6dc00dc Robustness fix for updater, in case updates['updates'] is not set yet. 2009-10-05 13:26:41 -06:00
Rob Crittenden
e62bbab37a Let the updater delete entries and add small test harness
In order to run the tests you must put your DM password into
~/.ipa/.dmpw

Some tests are expected to generate errors. Don't let any ERROR
messages from the updater fool you, watch the pass/fail of the nosetests.
2009-10-05 13:25:42 -06:00
Rob Crittenden
aa7792a000 Add option to not normalize a DN when adding/updating a record.
The KDC ldap plugin is very picky about the format of DNs. It does
not allow spacing between elements so we can't normalize it.
2009-10-05 12:57:31 -06:00
Rob Crittenden
0d70c68395 Fix aci plugin, enhance aci parsing capabilities, add user group support
- The aci plugin didn't quite work with the new ldap2 backend.
- We already walk through the target part of the ACI syntax so skip that
  in the regex altogether. This now lets us handle all current ACIs in IPA
  (some used to be ignored/skipped)
- Add support for user groups so one can do v1-style delegation (group A
  can write attributes x,y,z in group B). It is actually quite a lot more
  flexible than that but you get the idea)
- Improve error messages in the aci library
- Add a bit of documentation to the aci plugin
2009-09-28 22:27:42 -06:00
Rob Crittenden
e4877c946f Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

525303
2009-09-28 22:17:01 -06:00
Rob Crittenden
38a27b1c2f Properly own (via ghost) the Apache configuration files. 2009-09-28 15:35:55 -06:00
Rob Crittenden
30f9f77727 Fix Python 2.6 deprecation warning with the md5 import. Use hashlib instead. 2009-09-28 15:30:22 -06:00
Pavel Zuna
944371a38c Make the host plugin use baseldap classes. 2009-09-28 15:00:27 -06:00
Jason Gerard DeRose
e2ecf02822 Added BuildRequires: xmlrpc-c-devel 2009-09-24 17:49:16 -06:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
4f4d57cd30 Use the same variable name in the response as the dogtag plugin 2009-09-24 17:42:26 -04:00
Rob Crittenden
31ad1973c5 Better upgrade detection so we don't print spurious errors
Also add copyright

519414
2009-09-15 17:42:36 -04:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Rob Crittenden
bb09db2228 Explicitly set verbosity off in the XML-RPC client
This is so I don't have to hunt for where to set this to True when doing
low-level client debugging.
2009-09-14 09:46:42 -04:00
Rob Crittenden
eca7cdc94a Raise more specific error when an Objectclass Violation occurs Fix the virtual plugin to work with the new backend 2009-09-14 09:46:39 -04:00
Rob Crittenden
2c3bca7e74 Remove deprecated comment on plugin naming conventions 2009-09-14 09:46:35 -04:00
Pavel Zuna
d0b3ba4523 Fix typos and minor bugs in baseldap. Add --all to LDAPUpdate.
Also, member attributes are now mapped to 'member user', 'member group',
etc. instead of 'member users', 'member groups'. In other words,
the second word is now taken from LDAPObject.object_name instead of
LDAPObject.object_name_plural.
2009-09-11 09:21:51 -04:00
Pavel Zuna
db7e0802fa Fix incorrect imports in ipa-server-certinstall. 2009-09-11 09:19:41 -04:00
Rob Crittenden
df17e42216 Many SELinux fixes: ldapi, ctypes and dogtag
ldapi: grants httpd and krb5kdc to access the DS ldapi socket

ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.

dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.
2009-09-10 11:40:59 -04:00
Rob Crittenden
a269df5420 Allow httpd to read unix sockets so it can communicate to DS over ldapi 2009-09-10 11:40:55 -04:00
Pavel Zuna
b80e773c1d Automatically generate an auto.master map for new automount location.
Also, add the automountlocation-show command for completeness sake.
2009-09-10 10:06:27 -04:00
Pavel Zuna
fa140e7f2a Remove parent_key parameter kwarg.
Also replace a TYPE_ERROR with ValidationError.
2009-09-10 10:01:05 -04:00
Pavel Zuna
9fcd431477 Add support for different automount maps per location. 2009-09-10 10:00:50 -04:00
Rob Crittenden
0c28978a8d Ensure that dnaMaxValue is higher than dnaNextValue at install time
Resolves 522179
2009-09-09 22:05:24 -04:00
Pavel Zuna
e0f3e765db Fix: Object.params_minus_pk was invalid when there was no primary_key. 2009-09-09 09:56:34 -04:00
Pavel Zuna
2147a845cf Improve ipalib.plugins.baseldap classes.
- remove obsolete code related to PluginProxy
- remove parent_key attribute, for the purpose of nested objects
  the parent's primary key is retrieved automatically
- added support for auto-generating of UUIDs
- make use of the improved attribute printing in CLI
- make LDAPDelete delete all sub-entries, not just one-level
- minor bug fixes
2009-09-09 09:55:35 -04:00
Martin Nagy
b519b87ea4 Add forgotten chunks from commit 4e5a68397a
I accidentally pushed the older patch that didn't contain bits for
ipa-replica-install.
2009-09-08 22:48:34 +02:00
Pavel Zuna
6f37d139cb Remove obsolete CRUD base classes as they aren't used anymore. 2009-09-08 13:43:33 -04:00
Pavel Zuna
34970fef5e Improve attribute printing in the CLI.
- allow choice between single/multiple value per line
- word wrapping
2009-09-08 13:41:54 -04:00
Pavel Zuna
f294bee09d Fix bug in dns_find - execute() returned different value than expected. 2009-09-08 13:39:06 -04:00
Pavel Zuna
356375ef18 Make ldap2.add_entry proof to None values, because python-ldap hate'em. 2009-09-08 13:38:25 -04:00
Jason Gerard DeRose
391b1f2b88 Fixed dns_forwarders not being defined when options.setup_dns is False 2009-09-08 13:09:05 +02:00
Martin Nagy
205a41205b Add A and PTR records of ourselves during installation
If the DNS zones already exist but don't contain our own records, add
them. This patch introduces the ipalib.api into the installers. For now,
the code is still little messy. Later patches will abandon the way we
create zones now and use ipalib.api exclusively.
2009-09-02 22:04:25 +02:00
Martin Nagy
b07d1b54f9 Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.
2009-09-02 22:04:25 +02:00
Martin Nagy
fbda06269d Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
2009-09-02 22:04:25 +02:00
Martin Nagy
4e5a68397a Use DNS forwarders in /etc/named.conf
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these option was given at the command
line.
2009-09-02 19:09:28 +02:00
Jason Gerard DeRose
5e871a0abb Fleshed out krb plugin and added example of scripting against Python API 2009-08-31 15:47:14 -06:00
Pavel Zuna
91d01a532a Introduce a list of attributes for which only MOD_REPLACE operations are generated. 2009-08-28 13:18:21 -04:00
Rob Crittenden
aafdb755a3 Install the ldapi ldif file 2009-08-28 08:46:54 -04:00
Rob Crittenden
38ae093c7b Add the CA constraint to the self-signed CA we generate
514027
2009-08-27 16:49:09 -04:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
2009-08-27 14:15:26 -04:00
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
08fc563212 Generate CRLs and make them available from the IPA web server 2009-08-26 09:51:19 -04:00
Rob Crittenden
7a7041045e Fix service_mod and add a test case 2009-08-26 09:51:15 -04:00
Rob Crittenden
dacfddfdc8 Remove Python 2.6 BaseException.message deprecation warning 2009-08-20 15:16:52 -06:00
Rob Crittenden
d9c54cd83e Clean up additional issues discovered with pylint and pychecker 2009-08-20 09:20:56 -04:00