Commit Graph

2743 Commits

Author SHA1 Message Date
Rob Crittenden
e036283fbb Add maintainer-clean target 2010-06-24 14:23:27 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
93e54366f9 Fix aci_mod command. It should handle more complex operations now.
The problem was trying to operate directly on the ACI itself. I
introduced a new function, _aci_to_kw(), that converts an ACI
into a set of keywords. We can take these keywords, like those passed
in when an ACI is created, to merge in any changes and then re-create the
ACI.

I also switched the ACI tests to be declarative and added a lot more
cases around the modify operation.
2010-06-24 10:26:08 -04:00
Rob Crittenden
901ccc1393 First pass at per-command documentation 2010-06-22 13:58:04 -04:00
Rob Crittenden
8c6c93125f Add separate role group for enrolling hosts, enrollhost 2010-06-22 13:56:17 -04:00
Rob Crittenden
c42684ad5b Remove unused attribute serviceName and re-number schema
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
2010-06-21 09:53:02 -04:00
Rob Crittenden
4ca95a0cbf Retrieve the CA certificate before starting enrollment.
We need the CA certificate so we can use SSL when binding with a
one-time password (bulk enrollment)
2010-06-21 09:52:15 -04:00
Rob Crittenden
ebab635250 Drop --with-openldap option in the client. This is no longer optional. 2010-06-21 09:52:11 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
1dd7b11b0b Connect the -v cli argument to the verbose flag in xmlrpclib
If you pass two -v to the ipa command you'll get the XML-RPC data in
the output. This can be handy so you know exactly what went out over
the wire.
2010-06-03 17:08:22 -04:00
Rob Crittenden
4924270b45 Increase supported weeks per month from 4 to 6 in AccessTime() type 2010-06-03 09:25:25 -04:00
Rob Crittenden
dbd1f50111 Remove Requires on separate package python-krbV in client
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
2010-06-02 14:41:16 -04:00
Rob Crittenden
3f5b4233cb Catch the condition where dogtag is already configured (no preop.pin)
This causes the installation to blow up badly otherwise.

To remove an existing instance run:

 # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
2010-06-01 09:53:10 -04:00
Rob Crittenden
af49945ae4 Fall back to DM password if GSSAPI fails and make deleting more user-friendly
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
2010-06-01 09:52:21 -04:00
Rob Crittenden
8911c92c8d Query the remote server to see if this replica host already exists.
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
2010-06-01 09:52:14 -04:00
Rob Crittenden
b29de6bf27 Add LDAP upgrade over ldapi support.
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).

Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
2010-06-01 09:52:10 -04:00
Rob Crittenden
c67b47f9f6 gpg2 requires --batch to use the --passphrase* arguments.
This was causing replica creation and installation to fail.

596446
2010-05-27 11:02:39 -04:00
Rob Crittenden
49b3d3ba0f Include missing update file 30-hbacsvc.update 2010-05-27 10:51:49 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
fe7cb34f76 Re-number some attributes to compress our usage to be contiguous
No longer install the policy or key escrow schemas and remove their
OIDs for now.

594149
2010-05-27 10:50:49 -04:00
Rob Crittenden
de154919a6 Add 'all' serviceCategory to default HBAC group and add some default services 2010-05-27 10:50:44 -04:00
Rob Crittenden
4ae483600f Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
2010-05-27 10:50:13 -04:00
Rob Crittenden
10ae6912e6 Include -clone_uri argument to pkisilent setting the clone URI.
This makes creating a clone from a clone work as expected.
2010-05-27 10:48:49 -04:00
Rob Crittenden
71738f9177 Remove local get_dn() from hbacsvcgroup and add tests for hbacsvcgroup 2010-05-20 13:53:02 -04:00
Rob Crittenden
72afb4c605 Try to clear up that uid is a number, not the login name 2010-05-17 13:49:50 -04:00
Rob Crittenden
4a0b38a8ec Enforce that max password lifetime is greater than the min lifetime
461325
2010-05-17 13:49:23 -04:00
Rob Crittenden
1dad0758ce Use new service schema for HBAC tests 2010-05-17 13:48:44 -04:00
Rob Crittenden
542768bec7 Replace old pwpolicy plugin with new one using baseldap, fix tests.
Fix deletion of policy when a group is removed.
2010-05-17 13:48:19 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Rob Crittenden
1943993737 Remove left-over debugging statement 2010-05-14 17:28:22 -04:00
Pavel Zuna
64490a3ee0 Correctly handle EmptyModlist exception in pwpolicy2-mod.
EmptyModlist exception was generated by pwpolicy2-mod when modifying
policy priority only. It was because the priority attribute is stored
outside of the policy entry (in a CoS entry) and there was nothing
left to be changed in the policy entry.

This patch uses the new exception callbacks in baseldap.py classes
to catch the EmptyModlist exception and checks if there was really
nothing to be modified before reraising the exception.
2010-05-14 11:07:10 -04:00
Pavel Zuna
7993719329 Add exception callback (exc_callback) to baseldap.py classes.
It enables plugin authors to supply their own handlers for
ExecutionError exceptions generated by calls to ldap2 made from
the execute method of baseldap.py classes that extend CallbackInterface.
2010-05-14 11:06:59 -04:00
John Dennis
792f58fae3 Update Kannada translations 2010-05-11 14:22:49 -04:00
Rob Crittenden
caf32115ec Become IPA v2 alpha 3 (1.9.0.pre3) 2010-05-07 13:22:39 -04:00
Rob Crittenden
2876bd11dd Check to see if we are configured before uninstalling.
Allow the --force flag to override on both install and uninstall
2010-05-07 12:02:12 -04:00
Rob Crittenden
3bf7268d74 Add simple test to see if client is already configured
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.

One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
2010-05-06 15:17:16 -06:00
Rob Crittenden
cd5eddd843 Make calling service and chkconfig tolerant of the service not installed
For example, if nscd is not installed this would throw lots of errors about
not being able to disable it, stop it, etc.
2010-05-06 14:47:25 -06:00
Rob Crittenden
83cb7e75b8 Call certmonger after krb5, avoid uninstall errors, better password handling.
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
2010-05-06 09:05:30 -06:00
Rob Crittenden
c2f89941ed Initialize XML-RPC structures to fix issues uncovered by MALLOC_PERTURB_
Also re-arrange some code around reading the configuration file. In trying
to eliminate bogus error messages I prevented the file from being read at all.
It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't
work if you don't pass in a server name.
2010-05-06 09:04:49 -06:00
Martin Nagy
e29be7ac3e named.conf: Add trailing dot to the fake_mname
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.
2010-05-06 10:27:21 -04:00
root
f6cde533fd Add new password policy plugin based on baseldap.py classes. 2010-05-05 15:00:04 -04:00
Rob Crittenden
fa59c8b9d3 Increase the attributes we display by default and fix up some labels. 2010-05-05 14:58:01 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
root
a3d1b17559 Add weekly periodic schedule to AccessTime param type.
Fix bug #588414
2010-05-04 13:39:42 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
3698dca8e3 Add test cases for AccessTime param and fix some problems in AccessTime 2010-05-03 14:07:34 -06:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
6d35812252 Set SO_REUSEADDR when determining socket availability
The old perl DS code for detection didn't set this so was often confused
about port availability. We had to match their behavior so the installation
didn't blow up. They fixed this a while ago, this catches us up.
2010-05-03 13:40:54 -06:00
Rob Crittenden
2f50668753 Fix output of summary and embedded dictionaries
Summaries were appearing as "Gettext(...")

Embedded dictionaries, such as group membership failures, didn't have
labels so were basically just being dumped.
2010-05-03 13:40:34 -06:00
Rob Crittenden
cef30893ec client installation fixes: nscd, sssd min version, bogus join error
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
2010-05-03 13:40:14 -06:00