Commit Graph

93 Commits

Author SHA1 Message Date
Rob Crittenden
ab67029d94 Add utility to lock user accounts. Remove lock capability from ipa-deluser
Fix bootstrap.ldif to add new Class of Service entries properly
Include some man pages that weren't being installed
2007-11-26 22:28:53 -05:00
Rob Crittenden
2e7f629d91 Remove unnecessary attribute left over from testing 2007-11-26 20:34:59 -05:00
Karl MacMillan
edc7af1446 Add xml-rpc interface for getting keytabs.
Warning: this lacks any sort of authorization.
0001-01-01 00:00:00 +00:00
Karl MacMillan
67cddce4d4 Generate master password from Simo. 0001-01-01 00:00:00 +00:00
Karl MacMillan
c373ed5c5c Initial replication setup.
This add replication setup through two new commands: ipa-replica-prepare
and ipa-replica-install. The procedure is to run ipa-replica-prepare
on an existing master. This will collect information about the realm
and the current master and create a file storing all of the information.
After copying that file to the new replica, ipa-replica-install is
run (with -r to create a read-only replica).

This version of the patch also includes fixes for the sasl mappings
on the replicas.

Remaining features:
- ssl for replication.
- automatic configuration of mesh topology for
  master (or a simpler way to replicate multiple
  masters.
- tool for view / configuring current replication.
0001-01-01 00:00:00 +00:00
Simo Sorce
b456d8424a more s/unique// wrt groups members/objectclasses 2007-11-21 16:07:07 -05:00
Simo Sorce
3580d0affb Use groupOfNames and member, not groupOfUniqueNames and uniqueMember 2007-11-20 10:22:43 -05:00
Rob Crittenden
f42f1f44c8 Enable group inactivation by using the Class of Service plugin.
This adds 2 new groups: activated and inactivated.

If you, or a group you are a member of, is in inactivated then you are too.

If you, or a group you are a member of, is in the activated group, then you
are too.

In a fight between activated and inactivated, activated wins.

The DNs for doing this matching is case and white space sensitive.

The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.

We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
2007-11-20 22:45:29 -05:00
Simo Sorce
c6532b621d fix ldif typo 2007-11-19 19:33:36 -05:00
Karl MacMillan
6d3fa7f892 Minor fixes. 0001-01-01 00:00:00 +00:00
Simo Sorce
a0d8d87b97 Fix installation
Add missing schema for GUI Config, and missing objectclass for cn=accounts
container
2007-11-18 15:02:26 -05:00
Simo Sorce
d5c269c8eb Merge upstream and fix bad suffix in default-aci 2007-11-18 14:27:25 -05:00
Simo Sorce
ae97fcf94d - Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration

- Introduce 3 kind of password change: normal, admin, and ds manager
   - normal require adherence to policies
   - admin does not but password is immediately expired
   - ds manager can just change the password any way he likes.

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:16:11 -05:00
Simo Sorce
f35ec78d56 - Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install sctript too)
- fix plugin configuration

- Introduce 3 kind of password change: normal, admin, and ds manager
   - normal require adherence to policies
   - admin does not but password is immediately expired
   - ds manager can just change the password any way he likes.

Initial code to read the Kerberos Master Key from the Directory
2007-11-16 20:16:11 -05:00
Rob Crittenden
1967aafa39 Implement the password policy UI and finish IPA policy UI
This includes a default password policy
Custom fields are now read from LDAP. The format is a list of
  dicts with keys: label, field, required.
The LDAP-based configuration now specifies:
    ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
    ipaGroupSearchFields: cn,description
    ipaSearchTimeLimit: 2
    ipaSearchRecordsLimit: 0
    ipaCustomFields:
    ipaHomesRootDir: /home
    ipaDefaultLoginShell: /bin/sh
    ipaDefaultPrimaryGroup: ipausers
    ipaMaxUsernameLength: 8
    ipaPwdExpAdvNotify: 4
This could use some optimization.
2007-11-16 12:59:32 -05:00
Karl MacMillan
816b3e2ea5 Add memberof-task.ldif. 0001-01-01 00:00:00 +00:00
Karl MacMillan
4d96b37de1 Initialize memberof patch from Pete Rowley. 0001-01-01 00:00:00 +00:00
Rob Crittenden
3e715a04cf Add an editors group. This is used to generally grant access for users
to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
2007-11-14 10:49:03 -05:00
Rob Crittenden
cd489f0a73 Allow a user or group to change an attribute in its RDN
Add secretary to the list of indexes otherwise RDN changing could be slow
Port --addattr, --setattr and --delattr from usermod to groupmod
2007-11-12 23:11:55 -05:00
Pete Rowley
24d5777bd6 Add posix auto gen for single master case 2007-11-06 15:57:15 -08:00
Karl MacMillan
8e48393c61 Introduce service base class and clean up ipa-server-install
1) Add a base class for all of the instance objects.
2) Normalize usage of logging.
3) General cleanups of ipa-server-install.
4) Make better use of httpinstance.
5) Add webguiinstance.
6) Improve progress reporting during installation.

Works Here (TM), but it would be nice to get someone else
to test since this moves code around a bit.
0001-01-01 00:00:00 +00:00
John Dennis
8cfd270f34 merge initial radius work 2007-11-03 12:22:20 -04:00
Karl MacMillan
8f4362f2f2 Enable referential integrity plugin. 0001-01-01 00:00:00 +00:00
Karl MacMillan
36e43aed1b NTP configuration for client and server.
Configure ipa servers as an ntp server and clients
to (by default) us the ipa server as an ntp server.

Also corrected the messages about which ports should
be opened.
0001-01-01 00:00:00 +00:00
Pete Rowley
1871e8dbf6 Add user self service aci 2007-10-29 14:52:19 -07:00
Rob Crittenden
ed387e2ebb Add inetUser to the admin user so memberOf will work 2007-10-30 14:42:19 -04:00
Rob Crittenden
3c8cfd94bd Create LDAP indeces on installation for fields the web GUI searches against 2007-10-30 13:41:41 -04:00
Rob Crittenden
e40c583b12 Create configuration for MIT Windows kerberos client and install into
http://hostname/config so users can point their MIT client at the IPA
server and automatically fetch the configuration.
2007-10-29 12:00:48 -04:00
Mark McLoughlin
6e6237e54a Fix host_name buglet in ipa-server-install
This patch fixes a couple of buglets with read_ip_address():

  1) It writes host_name to /etc/hosts, but isn't currently
     being passed host_name

  2) It doesn't return the IP address even though the caller
     expects it

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-02-21 15:23:29 +00:00
Karl MacMillan
263fba1468 Handle selinux failure
Ignore errors if setsebool fails and print a warning.
0001-01-01 00:00:00 +00:00
Karl MacMillan
2703be51c8 Print warning about NTP
After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.

This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.
0001-01-01 00:00:00 +00:00
Rob Crittenden
ba0adcffb1 Require SSL for the XML-RPC interface 2007-10-19 10:14:30 -04:00
Karl MacMillan
875940ddd3 Print traceback to the install log on unexpected error. 0001-01-01 00:00:00 +00:00
Karl MacMillan
f8fba3b7dd Autotool ipa-server - patch from William Jon McCann <mccann@jhu.edu>. 0001-01-01 00:00:00 +00:00
Rob Crittenden
ed8f506b0f First step in enabling SSL in the IPA web server 2007-10-15 15:42:12 -04:00
Rob Crittenden
af0a1d989b Verify that the LDAP ports are available during installation. 2007-10-15 13:27:05 -04:00
Simo Sorce
d2c73bfd4d Fix make (local-)dist 2007-10-12 12:03:50 -04:00
Kevin McCarthy
06b107ed5f Add inetUser objectclass. Remove test-users ldif. 2007-10-11 12:19:42 -07:00
Karl MacMillan
d2a19b2009 Karl MacMillan wrote:
> > This largish patch makes the build and installation work on 64bit
> > machines. The only catch here is that to get a 64bit build you need to
> > set LIBDIR on make:
> >
> > make install LIBDIR=/usr/lib64
> >
> > The spec file does this correctly. I couldn't find any reliable way to
> > guess this that works both on real systems and in the almost entirely
> > empty rpm build root (you can't, for example, check for the existence
> > of /usr/lib64).
0001-01-01 00:00:00 +00:00
Karl MacMillan
1be00394e3 Hi,
Here is another patch for the installer.  It does a few things:

 * use socket.getfqdn() but fallback to gethostname()
 * streamlines the hostname prompting
 * fixes a bunch of spelling and grammatical errors
 * fixes a bug in the hostname reading/verification logic
 * allows "yes" and "no" as answers
 * modularizes and reuses code where possible
 * changes some of the prompts to be more like
   the FDS installer - some text is copied (which is easy to use IMO)
 * tries to make the prompts fit on smaller screens (<80 chars)

Hope you agree that it is better.  :)

Thanks,
Jon
0001-01-01 00:00:00 +00:00
Kevin McCarthy
d1899e8f35 patch queue: admin_account_fix.patch 2007-10-04 13:41:19 -07:00
mccann@jhu.edu
f023f38616 Fix copy/paste bug 2007-10-03 21:30:57 -04:00
rcritten@redhat.com
53e872fb72 Try to catch more error conditions during installation
Modify the way we detect SELinux to use selinuxenabled instead of using
  a try/except.
Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 17:37:13 -04:00
mccann@jhu.edu
3ef4a374f7 Patch to fix the installer crashing if selinux is disabled. Also changes
the exception to contain the complete command.
Add a check to make sure installer is running as root.
Add signal handler to detect a user-cancelled installation.
Detect existing DS instances and prompt to remove them.
2007-10-02 16:56:51 -04:00
Simo Sorce
2ef71a85d0 Check passwords are not empty 2007-09-28 14:55:28 -04:00
Karl MacMillan
679343594d Install the web gui
Install the turbogears web gui including an init script. This
patch includes a few related changes:

* create a production configuration
* rename the web gui startup scrip to ipa-webgui
* add an init script
* chkconfig on the ipa-webgui init script
* make the start script properly daemonize the app when not
  in a development directory.
* Install everything to the correct places (/usr/sbin/ipa-webgui
  and /usr/share/ipa/ipagui mainly).

There are some things still left to do:

* Sort out the logging - the config needs to be adjusted so
  that logging messages end up in /var/log.
0001-01-01 00:00:00 +00:00
Karl MacMillan
50d12d6d2e Misc small fixes
* Remove the rpmbuild tree with the dist-clean target.
* Move ipa-server-setupssl from /usr/sbin to /usr/share/ipa
* Check in requirement change for generated freeipa-python.spec
* Fix interactive hostname in ipa-server-install.
0001-01-01 00:00:00 +00:00
Karl MacMillan
22710a8dce Make apache work with selinux
The default configuration of the apache selinux policy doesn't allow
apache to connect to the turbogears gui. This sets the correct
boolean to allow that connection.
0001-01-01 00:00:00 +00:00
rcritten@redhat.com
7b96973711 Give ipa-adduser, ipa-addgroup and ipa-usermod an interactive mode
Add ipa-passwd tool
Add simple field validation package
This patch adds a package requirement, python-krbV. This is needed to
 determine the current user based on their kerberos ticket.
2007-09-21 10:24:36 -04:00
rcritten@redhat.com
370500ab1a Remove support for LDAP proxy connections 2007-09-20 09:01:23 -04:00