Commit Graph

47 Commits

Author SHA1 Message Date
Rob Crittenden
c69d8084c1 Add API version and have server reject incompatible clients.
This patch contains 2 parts.

The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.

The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).

To determine the API version of the server from a client use the ping
command.

ticket 584
2011-01-14 14:26:22 -05:00
Simo Sorce
7ee490e35c Remove radius options completely.
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.

Fixes: https://fedorahosted.org/freeipa/ticket/761
2011-01-14 14:06:56 -05:00
Simo Sorce
efd8b03ccf Make ipa-replica-manage list return all known masters
if ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements

Fixes: https://fedorahosted.org/freeipa/ticket/625
2010-12-21 17:28:13 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Jakub Hrozek
ee4d2739f1 Make the IPA installer IPv6 friendly
Notable changes include:
 * parse AAAA records in dnsclient
 * also ask for AAAA records when verifying FQDN
 * do not use functions that are not IPv6 aware - notably socket.gethostbyname()
   The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
   section "Interface Checklist"
2010-12-20 11:27:34 -05:00
Rob Crittenden
623abc6bdf Properly quote passwords sent to pkisilent so special characters work.
Also check for url-encoded passwords before logging them.

ticket 324
2010-12-17 16:50:14 -05:00
Rob Crittenden
0ad0f4ba6c Catch when we fail to get a cert chain from the CA during installation
Also don't free the XML document if it was never created.

ticket 404
2010-11-24 08:39:00 -05:00
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00
Jakub Hrozek
594adb9877 Log script options to logfile
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.

https://fedorahosted.org/freeipa/ticket/393
2010-11-09 13:28:10 -05:00
Rob Crittenden
0ef9d88104 Add default python encoding module to reset default from ascii to utf-8
Also clean up some duplicate files in the rpm for the UI.
2010-10-22 21:39:20 -04:00
Rob Crittenden
3703062ab2 Use consistent, specific nickname for the IPA CA certificate.
Also fix some imports for sha. We have a compat module for it, use it.

ticket 181
2010-10-01 13:37:34 -04:00
Rob Crittenden
67a4549519 Remove some additional instances of krbV from ipa-client
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.

Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.

ticket 136
2010-09-10 17:04:01 -04:00
Rob Crittenden
f87bd57c1d Fix certmonger errors when doing a client or server uninstall.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.

This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.

I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.

ticket 142
2010-09-09 16:38:52 -04:00
Nalin Dahyabhai
e93932b323 ipautil Syntax error in comment 2010-09-01 11:56:05 -04:00
Rob Crittenden
d0ea0bb638 Changes to fix compatibility with Fedora 14
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6

Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata

ticket 155
2010-08-31 16:59:27 -04:00
Rob Crittenden
e05400dad8 Remove passwords when running commands including stdout and stderr
This replaces the old no logging mechanism that only handled not logging
passwords passed on the command-line. The dogtag installer was including
passwords in the output.

This also adds no password logging to the sslget invocations and removes
a couple of extraneous log commands.

ticket 156
2010-08-31 16:50:47 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
c67b47f9f6 gpg2 requires --batch to use the --passphrase* arguments.
This was causing replica creation and installation to fail.

596446
2010-05-27 11:02:39 -04:00
Rob Crittenden
3bf7268d74 Add simple test to see if client is already configured
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.

One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
2010-05-06 15:17:16 -06:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Martin Nagy
1340875165 Accept unicode for sysrestore 2010-04-23 17:19:28 -04:00
Pavel Zuna
9dd082eb33 Fix http(s)_request in dogtag. Was blowing up because of unicode strings. 2010-03-30 15:11:56 -04:00
Rob Crittenden
99da0d88f0 Provide mechanism in ipautil.run() to not log all arguments.
This is primarily designed to not log passwords but it could have other
uses.

567867
2010-03-19 07:59:24 -06:00
Rob Crittenden
8a4ab2a0e5 Move the HTTP/S request code to a common library
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.

These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
2010-02-09 03:26:01 -07:00
John Dennis
9409b5cf2e Remove (un)wrap_binary_data cruft from */ipautil.py
Remove SAFE_STRING_PATTERN, safe_string_re, needs_base64(),
wrap_binary_data(), unwrap_binary_data() from both instances
of ipautil.py. This code is no longer in use and the
SAFE_STRING_PATTERN regular expression string was causing xgettext
to abort because it wasn't a valid ASCII string.
2010-01-28 14:26:29 -05:00
Rob Crittenden
384eec771d Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.

This wipes out the last vestiges of the old ipa.conf from v1.
2009-12-01 09:11:23 -07:00
Rob Crittenden
7c2c2d6130 Add option to have ipautil.run() not raise an exception
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.

This also lets the caller get the contents of stdout and stderr.
2009-11-30 15:28:41 -05:00
John Dennis
55422cb7b9 Require current versions of python-nss & python-lxml
ipa.spec.in         |    3 ++-
 ipapython/nsslib.py |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
2009-11-23 16:52:06 -05:00
John Dennis
b1b2654ddb along with stdout, stderr also log the initial command
Signed-off-by: John Dennis <jdennis@redhat.com>

along with stdout,stderr also log the initial command

This implements better logging of external commands. Formerly we were
just outputting stdout and stderr without labeling which was which. We
also omitted the initial command and it's arguments. This made it
difficult when reviewing the logs to know what the command was and
what was stdout vs. stderr. This patch fixes that.
2009-11-23 16:31:02 -05:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
2009-08-27 14:15:26 -04:00
Rob Crittenden
d9c54cd83e Clean up additional issues discovered with pylint and pychecker 2009-08-20 09:20:56 -04:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
rcrit
9352d2fc10 Add a local implementation of httplib.SSLFile and httplib.FakeSocket
Python 2.6 changed its internal implementation which makes it difficult
to override in a way that is backwards compatible.

508953
2009-07-01 08:51:23 -04:00
Rob Crittenden
13696ae18b Raise an exception if the certificate chain is not returned from the CA 2009-05-21 17:34:00 -04:00
Rob Crittenden
252e9b61eb Fix a comment and some typos 2009-05-13 14:18:01 -04:00
Rob Crittenden
82223f3ed1 Fix breakage on python 2.4 with missing object subclass 2009-05-05 14:05:40 -04:00
Rob Crittenden
8424ea8c03 A class for dealing with a temporary NSS certificate database 2009-05-04 16:56:12 -04:00
Rob Crittenden
d5290a60f9 Utilities for dealing with dogtag 2009-04-24 16:22:38 -04:00
Rob Crittenden
a9387b48e6 Handle GSSAPI exceptions more gracefully 2009-04-20 13:44:08 -04:00
Rob Crittenden
484eff1016 Implement an installer for the Dogtag certificate system.
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.

What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs

What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
2009-04-03 14:06:09 -04:00
Jason Gerard DeRose
66099d2e0f Fixed problems in ipapython/test/ 2009-02-09 16:37:08 -05:00
Rob Crittenden
262ff2d731 Rename ipa-python directory to ipapython so it is a real python library
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
2009-02-09 14:35:15 -05:00