Commit Graph

2448 Commits

Author SHA1 Message Date
Pavel Zuna
a11436113b Add Kerberos Ticket Policy management plugin. 2010-01-13 13:40:44 -05:00
Pavel Zuna
0023ffb881 Fix backend.Executioner unit test.
Before the patch that allows creating unshared instances of Connectible
objects, all Connection objects were deleted at once in destroy_context().
It made sense at the time, because there was always at most one Connection
per Connectible subclass and Connectible.disconnect() was called only
internally by the Executioner class. Now that we can make arbitrary
connections, it makes more sense to delete the Connection object when
Connectible.disconnect() is called.
2010-01-13 13:39:50 -05:00
Pavel Zuna
e1c1f077c0 Improve modlist generation in ldap2. Some code cleanup as bonus.
ldap2._generate_modlist now uses more sophisticated means to decide
when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE.

MOD_REPLACE is always used for single-value attributes and never
for multi-value ones.
2010-01-11 12:27:04 -07:00
Pavel Zuna
314fe71787 Allow creation of new connections by unshared instances of backend.Connectible. 2010-01-11 13:51:05 -05:00
Rob Crittenden
49fb5ad493 Add start/stop for the CA 2010-01-11 13:38:45 -05:00
Rob Crittenden
b4d039871d Missed explicit reference to pki-ca, replace with self.service_name 2010-01-11 13:30:25 -05:00
Pavel Zuna
74a5384169 Add --all to LDAPCreate and make LDAP commands always display default attributes. 2010-01-11 13:28:05 -05:00
Rob Crittenden
b8016807eb Use the caIPAserviceCert profile for issuing service certs.
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.

This is the first step of allowing the subject to be set at
installation time.

Also fix 2 more issues related to the return results migration.
2010-01-08 13:36:16 -07:00
Rob Crittenden
864490ff41 Replace uses of %define with %global in the .spec file
Fixes rawhide builds per
https://www.redhat.com/archives/fedora-devel-list/2010-January/msg00093.html

Contributed by Nalin Dahyabhai
2010-01-07 14:12:52 -05:00
Rob Crittenden
6d88fd6404 Change the service name to reflect changes in pki-ca (now pki-cad).
Also properly use the instance name where appropriate. There were a
couple of places where the service name was used and this worked because
they were the same.
2010-01-07 09:58:41 -05:00
Rob Crittenden
ee446ff148 Remove hardcoded domain, example.com 2009-12-18 09:41:53 -07:00
Jason Gerard DeRose
e83c54587f Add messages, declarative tests for rolegroup, taskgroup plugins 2009-12-18 10:56:16 -05:00
Jason Gerard DeRose
ab1aba5a9a Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed 'existant' misspelling 2009-12-18 10:56:13 -05:00
Rob Crittenden
bf9d4c5984 Need to suspend looping through the keytab entries when doing a delete. 2009-12-18 05:20:15 -07:00
Rob Crittenden
af20a1a2da Handle base64-encoded certificates better, import missing function 2009-12-18 05:18:50 -07:00
Jason Gerard DeRose
29f243bf4e Fuzzy feelings 2009-12-17 11:22:14 -05:00
Rob Crittenden
c3f9ec14d9 Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
2009-12-16 19:26:59 -07:00
Rob Crittenden
585540e0a2 Set the context of files needed by the selfsign CA so Apache can write them 2009-12-16 19:26:40 -07:00
Rob Crittenden
0e4a1b5be5 Remove some left-over debugging statements 2009-12-16 19:26:23 -07:00
Jason Gerard DeRose
8ae0f9c8aa host and hostgroup summary messages, declarative tests; fix tests for 'dn' 2009-12-16 15:54:55 -07:00
Rob Crittenden
c334ec4584 Add simple tests for the aci plugin 2009-12-14 20:02:33 -07:00
Rob Crittenden
2b8cae8a91 Add some missing labels 2009-12-14 20:01:57 -07:00
Rob Crittenden
8f9b434834 Convert to using new result output handling
This also inserts the dn into the response when adding a record.
We need this in the ACI plugin when adding a taskgroup
2009-12-14 20:01:02 -07:00
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Rob Crittenden
7105a0c0d6 Add pdb options to make-test to pass onto nosetests 2009-12-11 22:41:39 -07:00
Rob Crittenden
72840c7ad8 This plugin was replaced by the aci plugin 2009-12-11 22:36:31 -07:00
Rob Crittenden
6a3ed31221 Add force option to ipa-replica-manage to allow forcing deletion of a replica
If a replica is not up for some reason (e.g. you've already deleted it),
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
2009-12-11 22:34:58 -07:00
Jason Gerard DeRose
b6e4972e7f Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff 2009-12-10 08:29:15 -07:00
Rob Crittenden
d08b8858dd Pass on debug option from ipa-client-install to ipa-join 2009-12-09 17:17:08 -05:00
John Dennis
ee909d871c rebase dogtag clean-up patch 2009-12-09 01:57:08 -07:00
Rob Crittenden
62d40286ac A utility for removing principals from a keytab.
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.

This removes principals in 2 ways:
- By principal: only entries matching the full principal are removed
- By realm: any principal for that realm is removed

This does not change the KDC at all, just removes entries from a file
on the client machine.
2009-12-04 16:29:09 -05:00
Rob Crittenden
8ecb5897c1 Bump the installation version number to V2.0 2009-12-03 09:59:31 -07:00
Rob Crittenden
8115b28c99 Add minimal test for the cert plugin
This assumes that the developer has the equivalent of a selfsign CA
installed. To do this, install IPA without a CA and copy
/etc/httpd/alias/*.db to ~/.ipa/alias and
/etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-03 09:58:56 -07:00
Rob Crittenden
a535cb0772 Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type 2009-12-02 12:47:39 -07:00
Martin Nagy
0d1962962f Add idnsUpdatePolicy into the dns plug-in
The idnsUpdatePolicy takes a list of BIND dynamic update policies, each
of which must be terminated by ";". Also fix a minor error in the
documentation string.
2009-12-02 13:07:13 +01:00
Martin Nagy
d147eafb07 Ask the user before overwriting /etc/named.conf 2009-12-02 13:07:07 +01:00
Martin Nagy
377907e221 Remove unnecessary "error: " prefixes
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
2009-12-02 13:07:00 +01:00
Pavel Zuna
f3bd9bfb59 Remove ldap2.convert_attr_synonyms. Turns out python-ldap can replace it. 2009-12-02 13:04:00 +01:00
Rob Crittenden
4348b5f8c4 Add NotImplementedError type so CA plugins can return client-friendly errors
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.

Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoded.
2009-12-01 23:18:05 -07:00
Rob Crittenden
cb4c0d6caf Add type argument to x509.load_certificate() so it can handle binary certs 2009-12-01 23:17:55 -07:00
Rob Crittenden
060662f320 Better LDAP error handling in ipa-client-install 2009-12-01 09:52:14 -07:00
Rob Crittenden
384eec771d Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.

This wipes out the last vestiges of the old ipa.conf from v1.
2009-12-01 09:11:23 -07:00
Pavel Zuna
2f8129a17c Add ipaUserGroup objectClass to default groups where missing. 2009-12-01 10:41:27 -05:00
Pavel Zuna
34deb3fef3 Rename GeneralizedTime to AccessTime. 2009-12-01 10:38:56 -05:00
Pavel Zuna
40368f0d01 Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue. 2009-12-01 10:38:49 -05:00
Rob Crittenden
0dcaea8d16 Add server option to ipa-join so the IPA server can be specified.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
2009-11-30 18:12:11 -07:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes, so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the service's managedBy attr
2009-11-30 18:10:09 -07:00
Rob Crittenden
7c2c2d6130 Add option to have ipautil.run() not raise an exception
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.

This also lets the caller get the contents of stdout and stderr.
2009-11-30 15:28:41 -05:00
Pavel Zuna
29aa8fb05d Fix boolean attributes in DNS plugin.
Sometimes they worked fine and sometimes DS rejected them
as invalid.
2009-11-30 13:39:46 -05:00
Pavel Zuna
973f36c496 Fix Bool parameter type. It was impossible to set it to FALSE. 2009-11-30 13:38:23 -05:00