Commit Graph

184 Commits

Author SHA1 Message Date
Rob Crittenden
d4adbc8052 Add container and initial ACIs for entitlement support
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.

ticket #27
2010-07-29 10:50:29 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Dmitri Pal
fd1ff372dc 1. Schema cleanup
The ipaAssociation is the core of different association object.
It seems that the service is an exception rather then rule.
So it is moved into the object where it belongs.

Fixed matching rules and some attribute types.

Addressing ticket: https://fedorahosted.org/freeipa/ticket/89

Removed unused password attribute and realigned OIDs.
2010-07-21 11:40:25 -04:00
Rob Crittenden
0d12b0344f Fix nis netgroup configuration
This was originally configured to pull from the compat area but Nalin
thinks that is a bad idea (and it stopped working anyway). This configures
the netgroup map to create the triples on its own.

Ticket #87
2010-07-15 11:18:15 -04:00
Rob Crittenden
ed488c6349 Fix ipa-compat-manage and ipa-nis-manage
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.

After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer

I took some time and fixed up some things pylint complained about too.

Ticket #83
2010-07-15 11:18:11 -04:00
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Rob Crittenden
e036283fbb Add maintainer-clean target 2010-06-24 14:23:27 -04:00
Rob Crittenden
8c6c93125f Add separate role group for enrolling hosts, enrollhost 2010-06-22 13:56:17 -04:00
Rob Crittenden
c42684ad5b Remove unused attribute serviceName and re-number schema
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
2010-06-21 09:53:02 -04:00
Rob Crittenden
ebab635250 Drop --with-openldap option in the client. This is no longer optional. 2010-06-21 09:52:11 -04:00
Rob Crittenden
af49945ae4 Fall back to DM password if GSSAPI fails and make deleting more user-friendly
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
2010-06-01 09:52:21 -04:00
Rob Crittenden
8911c92c8d Query the remote server to see if this replica host already exists.
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
2010-06-01 09:52:14 -04:00
Rob Crittenden
b29de6bf27 Add LDAP upgrade over ldapi support.
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).

Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
2010-06-01 09:52:10 -04:00
Rob Crittenden
49b3d3ba0f Include missing update file 30-hbacsvc.update 2010-05-27 10:51:49 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
fe7cb34f76 Re-number some attributes to compress our usage to be contiguous
No longer install the policy or key escrow schemas and remove their
OIDs for now.

594149
2010-05-27 10:50:49 -04:00
Rob Crittenden
de154919a6 Add 'all' serviceCategory to default HBAC group and add some default services 2010-05-27 10:50:44 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
John Dennis
792f58fae3 Update Kannada translations 2010-05-11 14:22:49 -04:00
Martin Nagy
e29be7ac3e named.conf: Add trailing dot to the fake_mname
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.
2010-05-06 10:27:21 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
205724b755 Remove some duplicated schema
Newer versions of 389-ds provide this certificate schema so no need to
provide it ourselves.
2010-04-30 10:07:58 -04:00
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Rob Crittenden
088cc6dc13 Use correct name for CA PKCS#12 file.
I recently renamed this and missed this reference.
2010-04-23 04:56:20 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Rob Crittenden
c6e6fa758e Enable anonymous VLV so Solaris clients will work out of the box.
Since one needs to enable the compat plugin we will enable anonymous
VLV when that is configured.

By default the DS installs an aci that grants read access to ldap:///all
and we need ldap:///anyone
2010-04-16 11:05:20 -04:00
Rob Crittenden
45acd086f5 Remove incorrect option -U for --uninstall. -U is short for --unattended. 2010-04-16 09:28:08 -04:00
John Dennis
f5afc9bed5 Update Spanish translations 2010-04-13 13:59:07 -04:00
John Dennis
04cb57eeb6 Update Polish and Chinese translations 2010-03-22 13:46:10 -04:00
John Dennis
1b31415343 update Polish translations 2010-03-22 13:46:05 -04:00
Rob Crittenden
c19911845d Use GSSAPI auth for the ipa-replica-manage list and del commands.
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.

Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
2010-03-19 17:17:14 -04:00
Rob Crittenden
ff4ddbbb72 Better customize the message regarding the CA based on the install options.
There are now 3 cases:

- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
  for the server certs. The installed CA will still be used by the cert
  plugin to issue any server certs.
2010-03-19 04:55:33 -06:00
Rob Crittenden
f4cb248497 Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
2010-03-19 04:45:41 -06:00
Rob Crittenden
99cb2fe64a Initialize the api so imports work, trust all CAs included in the PKCS#12. 2010-03-19 04:41:05 -06:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00
John Dennis
c1b828563b Update Ukrainian translations 2010-03-17 10:58:44 -04:00
Rob Crittenden
4216a627c3 Proper use of set up vs setup (verb vs noun)
Resolves #529787
2010-03-16 22:37:26 -06:00
Rob Crittenden
7ff4efecaa Fix typo in automount doc message.
Update the po to pick up this change too.

573979
2010-03-16 17:23:06 -04:00
John Dennis
f932123e4d Add Ukrainian translations 2010-03-16 13:59:48 -04:00
John Dennis
ae1d6d38f0 remove .pot target from Makefile.in
We want to manually make the .pot file, we shouldn't have anything
in the Makefile which will cause the .pot file to be rebuilt
because of dependencies.
2010-03-16 13:58:17 -04:00
John Dennis
a0a94a9a04 Update Spanish translations 2010-03-09 17:28:42 -05:00
John Dennis
f72c26f956 Add Chinese Simplified (zh_CN) translation 2010-03-09 17:28:37 -05:00
John Dennis
abe4e4526d update POT 2010-03-02 18:22:13 -05:00
Rob Crittenden
bc47ad0c22 Make the CA a required component and configured by default.
To install IPA without dogtag use the --selfsign option.

The --ca option is now deprecated.

552995
2010-03-02 18:21:12 -05:00