Commit Graph

187 Commits

Author SHA1 Message Date
Simo Sorce
c4ed025001 Fix delegation using the special python-kerberos patch. 2009-01-26 14:44:49 -05:00
Martin Nagy
1913996584 Don't try to discover servers if we specified them on command line. 2008-09-17 23:06:23 +02:00
Rob Crittenden
ec57bc3e44 Tool for doing configuration updates over LDAP
This tool takes as input a file which contains basically an LDIF, prefixed
with a command: default, add, remove or only. These define the operations
to perform such as adding new entries, adding new sub-entries to an existing
entry, adding or modifying attributes in a record.

If an index entry is modified a task is created to re-create the index.

Schema may be added using this tool.

454031
2008-09-12 20:06:46 -04:00
Martin Nagy
fa019e932d Ignore GSS exception when iterating through server list. Fixes: 459864 2008-09-11 23:38:41 +02:00
Martin Nagy
a9e8a72059 Try servers from ipa.conf even if we specified them on the command line. 2008-09-11 23:34:01 +02:00
Martin Nagy
885103c321 Rework config.py and change cli tools. Maintain order of IPA servers from command line, config and DNS. Parse options before detecting IPA configuration. Don't ignore rest of the options if one is missing in ipa.conf. Drop the --usage options, we will rely on --help. Fixes: 458869, 459070, 458980, 459234 2008-09-11 23:34:01 +02:00
Rob Crittenden
76bf420754 Display name as separate attributes instead of showing common name.
We allow one to individually set first and last name but we do not
automatically update the common name so changes don't seem to happen.

451318
2008-08-22 18:02:20 -04:00
Rob Crittenden
e9bde984e0 Add tool to manage IPA Search and User policy
448624, 448625
2008-08-20 17:39:46 -04:00
Simo Sorce
9648da8f5f Fix versioning for configure.ac and ipa-python/setup.py
Fix make maintainer-clean

Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build new rpms (X, X+1, X+2 ...)

Version 1.1.0 was released some time ago, bump up to 1.1.1
2008-08-11 18:31:05 -04:00
Simo Sorce
5cbc453d89 Add encrypt_file and decrypt_file utility functions.
We will use them to encrypt the replica file so that we can
transport it over more safely.
It contains sensitive data, by encrypting it we assure that
even if a distracted admin leaves it around it cannot be accessed
without knowing the access passphrase (usually the Directory Manager
password)

Along the way fix also ipautil.run which was buggy and not passing
in correctly stdin.

Add dependency for gnupg in spec file
2008-08-11 18:30:50 -04:00
Simo Sorce
599fe1a0f5 Use larger set from which to choose chars for random passwords.
Use SystemRandom() instead of Random() so that the randomicity
is non-deterministic.
2008-08-11 18:30:40 -04:00
Rob Crittenden
110f60da8e Change user and group validators to match shadow-utils
This sets the regex to [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?

Also change the validators to return True/False

450613, 457124
2008-08-07 11:21:33 -04:00
Martin Nagy
f7ca405716 Wrap up the raw_input() to user_input() for convenience and uniformity. 2008-07-23 10:05:06 -04:00
Rob Crittenden
ec2eff9774 Under some conditions rl may not have been initialized so the config may error out with:
UnboundLocalError: "local variable 'rl' referenced before assignment"

This is caught and ignored but the result is that the records in DNS may
not be used at all. Initializing rl to zero fixes this.

I also convert the server list into a set to make each entry unique (and
back to a list because that is what we are supposed to return)

433506
2008-06-04 22:40:32 -04:00
Rob Crittenden
c58b7a3d7c Move version.py to the common ipa directory instead of being server-based so it can be used by the client tool.
Fix the client tool imports to fail more gracefully.
2008-06-03 22:39:11 -04:00
Simo Sorce
53afb67537 Fix the case where domain != lower(REALM)
add the domain to the ipa.conf file for apps that need to know
This should fix a bug in the replica setup
2008-05-29 09:43:00 -04:00
Rob Crittenden
99141e3a04 Enforce the maximum username length set by IPA Policy
439891
2008-05-14 09:48:21 -04:00
Simo Sorce
0b2756bed7 Fix existence check, default_server is an array so we need to
check its length to determine if it is empty
2008-05-10 11:25:31 -04:00
Rob Crittenden
24f43bc846 Don't allow the IPA server service principals to be removed.
440282
2008-05-08 12:57:31 -04:00
Rob Crittenden
570b71372f Second half of the redoing how the version is managed. 2008-05-07 18:26:03 -04:00
Simo Sorce
70d5209b11 Fix a bug in our dns library, do not return the query as a reply if 0 replies were returned. 2008-05-07 14:42:49 -04:00
Rob Crittenden
8e7561cff6 Refine our web space some more so that everything we reference is in /ipa
UI: /ipa/ui
XML-RPC: /ipa/xml
errors: /ipa/errors
config: /ipa/config

I had to hardcode that URI into the CSS pages but TurboGears handles the
rest of the translations with tg.url().

Added a version to ipa.conf and ipa-rewrite.conf so we can update them
in the future if needed with ipa-upgradeconfig

440443
2008-05-07 09:41:32 -04:00
Rob Crittenden
5ad2af3429 Redo the way versioning works in freeIPA.
The file VERSION is now the sole-source of versioning.

The generated .spec files will be removed in the maintainer-clean targets
and have been removed from the repository.

By default a GIT build is done. To do a non-GIT build do:

 $ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no

When updating the version you can run this to regenerate the version:

 $ make version-update

The version can be determined in Python by using ipaserver.version.VERSION
2008-05-05 13:53:57 -04:00
Rob Crittenden
306d8241b3 Fix the client-side search size limit.
I've changed the variable name searchlimit to sizelimit to match the
name in python-ldap (and hopefully therefore be more readable).

The big change was changing the default value from 0 to -1. As 0 we were
never using the value from cn=ipaconfig

python-ldap expects this to be an int type

In the UI sizelimit was hardcoded at 0 for users

439880
2008-04-25 16:46:13 -04:00
Rob Crittenden
12ea8efc0b Add --verbose option so the HTTP headers and XML request/response can be seen.
Also re-do the way modules are imported. I was attempting to have ^C handled
gracefully but the way I did it could mask other problems.

443987
2008-04-25 10:35:22 -04:00
Rob Crittenden
def28f3d5b Become version 1.0.0 2008-04-16 14:29:17 -07:00
Simo Sorce
3e47b48068 Make sure we use the configured server in ipa.conf first, and
fall back to the discovered ones only if that's not available
2008-04-09 14:37:01 -04:00
Rob Crittenden
ac5a35086e Don't allow the admin user to be removed from the admins group.
439281
2008-04-04 17:41:32 -04:00
Rob Crittenden
cb4648a8af Add missing normalizeDN() when removing members from a group.
438387
2008-04-04 16:30:36 -04:00
Simo Sorce
7b5088955a Sysrestore fixes.
Latest patch used the wrong path and all files were actually going to /tmp
even if a different path was specified.
Makes also StateFile behave the same as FileStore, and be a public class, this
way a common path can be used too.
2008-03-31 17:27:56 -04:00
Rob Crittenden
58cfc7ab68 Fix account activation.
We do account activation by using a Class of Service based on group
membership. A problem can happen if the entry itself has an nsaccountlock
attribute and you try doing Class of Service work as well because the
local attribute has priority. So try to detect that the entry has a local
nsAccountLock attribute and report an appropriate error.

Don't allow the admins or editors groups to be de-activated.

Return a better error message if account [in]activation fails.

Catch errors when doing group [in]activation.

439230
2008-03-31 11:36:13 -04:00
Simo Sorce
aac086582a Move sysrestore to ipa-python so it can be used by client scripts too.
Change backup format so files are all in a single directory (no dir
hierarchies) and use an index file so we can save also ownership and
permission info for the restore (and eventually other data later on).
2008-03-27 19:01:38 -04:00
Rob Crittenden
b7924139d8 Don't allow the admin user to be removed using the XML-RPC Interface.
If a site really wants it gone they can delete it via LDAP.

439281
2008-03-28 15:28:28 -04:00
Rob Crittenden
bde9959091 When getting members let user indicate what type of member they want.
The memberOf attribute includes members that are directly in the group
via the "member" attribute and those that are included as a result of
being in a group that is in the group.

The UI needs to be able to distinguish between the two.

438706
2008-03-27 09:54:41 -04:00
Rob Crittenden
4c288e653a Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml.
438021
2008-03-24 15:54:55 -04:00
Rob Crittenden
e54a16ae1c Allow the realm to be included in the name passed to add_service_principal()
This is more kerberos-like and it doesn't hurt anything, we just won't
allow realms other than our own to be used.

437566
2008-03-17 14:09:44 -04:00
Rob Crittenden
c3fedca013 Don't define bogus realm/server in configuration file by default
Add default exception handler to avoid backtraces in cmdline tools
Enhance error message when the IPA server or realm can't be found

437565
2008-03-17 13:16:56 -04:00
Rob Crittenden
6301914941 Require that the hostname is a DNS A record and that the forward and reverse
match.

433515
2008-03-03 16:10:06 -05:00
Rob Crittenden
b49942fe96 Close all fds when running another program. This fixes the SELinux AVCs.
Put installation log files into /var/log.

430024
2008-03-03 16:14:48 -05:00
Rob Crittenden
79557e6bf2 Do argument type checking in the XML-RPC interface
Fix error in service principals where the service wasn't being removed before
doing the DNS lookup.
2008-02-29 10:58:07 -05:00
Rob Crittenden
ad8096b51f - Centralize try/except so the entire program is covered. This makes it
possible to catch KeyboardInterrupt during the import process.
- Add function for handling python differences with GSSError

434798
2008-02-27 10:40:18 -05:00
Rob Crittenden
f49ed705b3 The admins group cannot be renamed.
433880
2008-02-27 10:50:17 -05:00
Rob Crittenden
d6d12e9dc5 Require that service principals resolve to a DNS A record.
There is a --force option for those who know what they are doing.

433483
2008-02-26 13:51:56 -05:00
Rob Crittenden
8f0d4a8ed3 Add failover to the XML-RPC client
433506
2008-02-22 14:47:15 -05:00
Rob Crittenden
02d3c5aff3 Don't allow a group to be a member of itself.
434542
2008-02-22 15:40:21 -05:00
Rob Crittenden
44797e3917 Command-line utility to manage password policy
432814
2008-02-25 13:11:15 -05:00
Rob Crittenden
84d1e08d76 Become freeipa-0.99.0 2008-02-21 16:11:42 -05:00
Rob Crittenden
f82b3b0b28 Handle input range properly and catch KeyboardInterrupt and exit gracefully
433496
2008-02-20 09:32:25 -05:00
Rob Crittenden
0300952ec7 Use ldap_explode_dn instead of ldap_str2dn so we can use python-ldap 2.2.0 2008-02-11 09:42:47 -05:00
Rob Crittenden
c50ebd9657 Don't set blank values so we don't end up with empty attributes
Resolves 429895
2008-01-30 09:31:03 -05:00