Commit Graph

743 Commits

Author SHA1 Message Date
Simo Sorce
aac086582a Move sysrestore to ipa-python so it can be used by client scripts too.
Change backup format so files are all in a single directory (no dir
hierarchies) and use an index file so we can save also ownership and
permission info for the restore (and eventually other data later on).
2008-03-27 19:01:38 -04:00
Rob Crittenden
b7924139d8 Don't allow the admin user to be removed using the XML-RPC Interface.
If a site really wants it gone they can delete it via LDAP.

439281
2008-03-28 15:28:28 -04:00
Rob Crittenden
034d9d6753 Do case-less comparisons when considering objectclass but store the
current value to prevent unnecessary LDAP updates (and failed writes)

Don't check against these lists on updates, only add them on new entries.

Disable the ability to configure in the UI these values for now.

438256
2008-03-28 14:47:53 -04:00
Rob Crittenden
b387570fe6 Properly detect when ports are available.
The DS setup program uses Perl and does a similar port available test.
It seems that perl always sets FD_CLOEXEC and python does not. This is
why the port test would pass in python but fail in perl.

439024
2008-03-27 15:33:06 -04:00
Rob Crittenden
382ff1d29e Put the replica hostname back together properly
439057
2008-03-27 10:20:15 -04:00
Rob Crittenden
c1ae716afc Normalize member DN's when determining whether they are in a group
as a direct or indirect member.

438387
2008-03-26 23:19:54 -04:00
Simo Sorce
503cea20c5 One line typo fix 2008-03-27 14:03:04 -04:00
Simo Sorce
372c8d23cd Fix setup script to use the right module name 2008-03-27 13:37:27 -04:00
Rob Crittenden
bde9959091 When getting members let user indicate what type of member they want.
The memberOf attribute includes members that are directly in the group
via the "member" attribute and those that are included as a result of
being in a group that is in the group.

The UI needs to be able to distinguish between the two.

438706
2008-03-27 09:54:41 -04:00
Nathan Kinder
07059a5ef2 Handle MODRDN operations properly for indirect group members.
Without this, an entry's memberOf attribute is not updated with
the new group DN when an indirect group is renamed.

This is in bugzilla for FDS as bz 438891.
2008-03-26 15:03:01 -07:00
Rob Crittenden
fd92652ace Make the memberof task a public function.
This is used when a new replica is created as well as whenever a replica
is re-initialized from another master.

In order for this to work when not creating an instance the __init__
function needs to be able to determine the suffix and the dm_password
is needed.

I've also added the time to the RDN of the member task to ensure
uniqueness.

438222
2008-03-27 09:33:01 -04:00
Rob Crittenden
1a1e020258 Add additional detail to error messages.
This runs the risk of showing too much and confusing users but on the other
hand it often includes required information detailing why the error
occurred such as what attribute the user lacks write access to and why
changing a password failed.

438057
2008-03-25 09:48:23 -04:00
Simo Sorce
402187c838 Make Install and Uninstall have different log files 2008-03-24 12:22:34 -04:00
Simo Sorce
934ac494b9 Add autoconf and automake stuff and provide a spec file.
To build a package one needs to run autoconf and then create a tarball of the
RHEL4 directory so that the content is like this:

$ ls -1 ipa-client-0.99.0
aclocal.m4
AUTHORS
autom4te.cache
ChangeLog
configure
configure.ac
COPYING
INSTALL
install-sh
ipachangeconf.py
ipa-client-setup
ipa.conf
Makefile.am
Makefile.in
missing
NEWS
README
setup.py


the spec file will then be able to build a package for RHEL4
2008-03-25 15:17:21 -04:00
Rob Crittenden
c3a14e978c Don't error out if the user isn't in any groups.
438222
2008-03-26 16:45:06 -04:00
Rob Crittenden
79db4c3aa2 Fix file permissions on ca.crt when it is installed.
438220
2008-03-26 12:11:58 -04:00
Rob Crittenden
5f72955bca Add some missing man pages
436501
2008-03-17 18:04:49 -04:00
Rob Crittenden
4c288e653a Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml.
438021
2008-03-24 15:54:55 -04:00
Rob Crittenden
0b7117596d We are really changing the kerberos principal key and not the password when
we do updates, so use the right terminology internally. Also fix the actual
field we update (and grant permission appropriately in delegations).

The DS password handles updating userPassword and any Samba passwords
as necessary.

438256
2008-03-24 10:53:33 -04:00
Rob Crittenden
6464c40424 Start ntpd after FDS so that the ntp user can be found.
Start httpd after ipa_webgui because otherwise mod_proxy may not like it if it
can't connect to the UI listening port

438090
2008-03-24 11:02:49 -04:00
Simo Sorce
8bfe814358 Allow client install to specify ntp server name 2008-03-14 08:42:06 -04:00
Rob Crittenden
e54a16ae1c Allow the realm to be included in the name passed to add_service_principal()
This is more kerberos-like and it doesn't hurt anything, we just won't
allow realms other than our own to be used.

437566
2008-03-17 14:09:44 -04:00
Rob Crittenden
c3fedca013 Don't define bogus realm/server in configuration file by default
Add default exception handler to avoid backtraces in cmdline tools
Enhance error message when the IPA server or realm can't be found

437565
2008-03-17 13:16:56 -04:00
Rob Crittenden
a39f38f65b Adding items to the set needs to be lower case to prevent duplicates.
This function was assuming that the target list was all lower-case so the
set could end up with duplicate values which would get kicked out by LDAP.

433680
2008-03-10 11:36:04 -04:00
Rob Crittenden
5547ed320a Remove ACI that was causing RDN changes to fail
Fix for session code so RDN change can succeed

433523
2008-03-10 10:04:15 -04:00
Rob Crittenden
092b1b694c Add ability to initialize a replication agreement
Add ability to force a synch to occur
Clean up a lot of unused code in ipaldap.py. This lets us do a simple bind
  without being root (it used to try to read dse.ldif)

436237
2008-03-07 10:56:03 -05:00
Rob Crittenden
03d7125eac Verify that the hostname is correct in /etc/hosts
Don't ignore exceptions when getting the hostname from the user

433515
2008-03-06 13:17:28 -05:00
Rob Crittenden
546155c3af Fix build breakage. We now provide a man file, need to specify location to rpm 2008-03-11 17:02:22 -04:00
Simo Sorce
c2d3a9343f Add --quiet option to ipa-getkeytab
Return message on success
Avoid SASL output from being printed
Make sure the man page is up to date
2008-03-05 14:54:13 -05:00
Rob Crittenden
7fd656477a Prevent server and domain from being undefined or blank when we need them
Improve LDAP error reporting
Don't return the str() of discovery values because it can return "None"

436130
2008-03-05 16:33:12 -05:00
Rob Crittenden
d7e30fa7ee Use standard size and alignment for the packed data so it works on 64-bit hosts 2008-03-06 21:59:19 -05:00
Rob Crittenden
2e46645ad5 Remove some duplicate id's that are not valid HTML
Remove the footer. It was a leftover from the original TurboGears-generated
project that Kevin McCarthy had modified.
2008-03-05 13:36:39 -05:00
Rob Crittenden
74c29b1bf6 Remove the ability for the average user to add/delete groups on user edit page
If they have any delegations at all (are in editors group) they will have
these links.

433387
2008-03-04 14:27:06 -05:00
Rob Crittenden
ea53922951 Filter out K/M and krbtgt principals from the service principals list.
435713
2008-03-03 17:11:38 -05:00
Rob Crittenden
6301914941 Require that the hostname is a DNS A record and that the forward and reverse
match.

433515
2008-03-03 16:10:06 -05:00
Rob Crittenden
e88d62ffcf Allow python to look in /usr/sbin for ipa_webgui
429999
2008-03-04 15:06:11 -05:00
Rob Crittenden
f948904b5c KDC is Key Distribution Center, not Kerberos Domain Controller
435949
2008-03-04 14:47:47 -05:00
Simo Sorce
449344e683 Fix boot.ldif generation, the domain name component must be derived
from the realm not the domain.
One line fix.
2008-03-04 14:25:10 -05:00
Rob Crittenden
b3c8780c1d Fix build breakage. 2008-03-03 22:30:10 -05:00
Rob Crittenden
b49942fe96 Close all fds when running another program. This fixes the SELinux AVCs.
Put installation log files into /var/log.

430024
2008-03-03 16:14:48 -05:00
Rob Crittenden
79557e6bf2 Do argument type checking in the XML-RPC interface
Fix error in service principals where the service wasn't being removed before
doing the DNS lookup.
2008-02-29 10:58:07 -05:00
Rob Crittenden
cc3b9cddef Add small script to start/stop all of the services that IPA requires in the
proper order.

435026
2008-02-28 11:37:06 -05:00
Rob Crittenden
6b960c008a Allow groups to be added as a group membe
435134
2008-02-28 11:34:34 -05:00
Simo Sorce
d7ad62cd7e Make sure all entries are generated by us according to IPA
default tree. This patch makes sure that the DS setup script
does not add unwanted entries.
2008-02-28 13:35:10 -05:00
Nathan Kinder
2c559fce85 Fixed the way we call ipa-client-install from ipa-replica-install.
434980
2008-02-28 15:24:10 -08:00
Rob Crittenden
ab86f52999 Fix off-by-one error in the number of steps to install a service 2008-02-28 21:57:52 -05:00
Rob Crittenden
6533bc1a84 Add action statement to ldap.conf update
Move imports into try/except so that ctrl-C can always be caught
Fix typo
2008-02-27 16:17:38 -05:00
Rob Crittenden
999bd4fb1e In the UI we don't want to display Edit links unless someone can actually
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.

In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.

432874
2008-02-27 15:14:52 -05:00
Rob Crittenden
ad8096b51f - Centralize try/except so the entire program is covered. This makes it
possible to catch KeyboardInterrupt during the import process.
- Add function for handling python differences with GSSError

434798
2008-02-27 10:40:18 -05:00
Rob Crittenden
d5f5026454 Don't log passwords in ipaserver-install.log
433509
2008-02-26 10:48:45 -05:00