The roles can be thought of as membership attributes so we should only
list
them if `--all` is specified and `--no-members` is not.
Also do not show them if `--raw` is passed in.
https://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.
`server-del` nows performs these actions:
* check topology connectivity
* check that at least one CA/DNS server and DNSSec masters are left
after removal
* cleanup all LDAP entries/attributes exposing information about the master
* cleanup master DNS records
* remove master and service principals
* remove master entry from LDAP
* check that all segments pointing to the master were removed
`server-del` now accepts the following options:
* `--force`: force master removal even if it doesn't exist
* `--ignore-topology-disconnect`: ignore errors arising from disconnected
topology before and after master removal
* `--ignore-last-of-role`: remove master even if it is last DNS server,
and DNSSec key master. The last CA will *not* be removed regardless of
this option.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
This module should aggregate common functionality utilized in the commands
managing domain-level 1 topology.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add to output list of DNS servers which advertise location and list fo
roles per server
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
User should be notified that location is used by IPA server(s) and
deletion should be aborted.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNS servers must be in each location, otherwise DNS location without DNS
server assigned will not work.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Send a warning message that named-pkcs11 service must be restarted after
changes related to locations or server weight
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNS Server (bind-dyndb-ldap) needs to have set
'idnsSubstitutionVariable;ipalocation' in ldap to the proper location
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
For any location or server weight change is required to update records
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS Servers and DNS Administrators must have access to
'idnsTemplateAttribute' to be able set/read template
for generating CNAME records pointing to proper location records.
Also user must be able to add objectclass for idnsTemplateAttribute
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed for detection which records should be created
on which servers.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adding module that allows to work with IPA DNS system records:
* getting system records
* updating system records
* work with DNS locations
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Commands inherited from Local can't be executed remotely, so exclude them
from API schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This makes IPA servers that publish their NTP services in LDAP searchable by
`server-role-find` and `server-find` command.
The list of active IPA NTP servers will be displayed in to output of `ipa
config-show` command.
https://fedorahosted.org/freeipa/ticket/5815
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via
ipa trustdomain-find forest.root
The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.
Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.
Fixes https://fedorahosted.org/freeipa/ticket/5942
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.
Part of: https://fedorahosted.org/freeipa/ticket/5939
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add field for choosing CA when issuing new certificate. Add new item to action menu
on cert details page which allows user to download the certificate as file.
Part of: https://fedorahosted.org/freeipa/ticket/5939
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.
Also add the issuer DN to the output of cert-find.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the optional 'ca_id' argument to ra.request_certificate(), for
passing an Authority ID to Dogtag.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Adds new tab on topology page which shows server roles. Also extends
server details page and server config page (setting of ca renewal server).
https://fedorahosted.org/freeipa/ticket/5906
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)
https://fedorahosted.org/freeipa/ticket/5810
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.
https://fedorahosted.org/freeipa/ticket/5689http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:
* config-{show,mod} will show list of all IPA masters, CA servers and CA
renewal master
* dnsconfig-{show,mod} will list all DNS server and DNS key master
* trustconfig-{show,mod} will list all AD trust controllers and agents
* vaultconfig-show will list all Key Recovery Agents
http://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).
server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.
http://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This patch implements the `serverroles` API plugin which introduces the
following commands:
* server-role-show SERVER ROLE: show status of a single role on a server
* server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
find role(s) SERVROLE and return their status on IPA
masters. If --server option is given, the query is limited to this
server. --status options filters the output by status [enabled vs.
configurer vs. absent]
https://fedorahosted.org/freeipa/ticket/5181http://www.freeipa.org/page/V4/Server_Roles
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
`serverroles` backend consumes the role/attribute instances defined in
`ipaserver/servroles.py` module to provide low-level API for querying
role/attribute status in the topology. This plugin shall be used to implement
higher-level API commands.
https://www.freeipa.org/page/V4/Server_Roleshttps://fedorahosted.org/freeipa/ticket/5181
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.
FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.
In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspxhttps://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Part of https://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.
The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.
Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Use the existing remote server API to create service entries instead of a
client API.
This fixes a crash during replica promotion due to unavailable schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Request specific params when getting the defaults instead of getting
defaults for all params and filtering the result.
This fixes command_defaults failing with validation errors on unrequested
params.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add custom_checkbox_widget on service page. The old aci.attribute_widget
now inherits from the new base class custom_checkboxes_widget and overrides
the populate method.
https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The command for requesting certificate for hosts and services is extended.
There is added how to add DNS name as subjectAltName.
https://fedorahosted.org/freeipa/ticket/5645
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
