Commit Graph

77 Commits

Author SHA1 Message Date
Nalin Dahyabhai
e0c8be0c4c sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-12-21 12:29:33 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
8f87aa1288 Add krb5-pkinit-openssl as a Requires on ipa-server package
ticket 599
2010-12-16 09:33:11 -05:00
Jr Aquino
13139f2fd6 managed entry hostgroup netgroup support https://fedorahosted.org/freeipa/ticket/543 2010-12-13 17:56:12 -05:00
Simo Sorce
2efc08a6fc Introduce ipa control script that reads configuration off ldap
This replace the former ipactl script, as well as replace the current way ipa
components are started.

Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.

resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-10 12:28:38 -05:00
Simo Sorce
37f48c0019 Make use of mozldap vs openldap for plugins selectable 2010-12-06 12:23:09 -05:00
Pavel Zuna
5db7c4ec34 Add new version of DNS plugin: complete rework with baseldap + unit tests.
Ticket #36
Ticket #450
2010-12-01 21:32:09 -05:00
Nalin Dahyabhai
b683c7261b build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
Rob Crittenden
d824eee8fa Display user and host membership in netgroups.
This uses an enhanced memberof plugin that allows multiple attributes
to be configured to create memberOf attributes.

tickets 109 and 110
2010-11-24 08:38:41 -05:00
Rob Crittenden
eead9eec99 Fix build error due to rename of index.xhtml to index.html 2010-11-19 09:37:03 -05:00
Simo Sorce
23f03251e0 uuid plugin: convert the plugin to use the libuuid library
The DS guys decided not to expose the DS inetrnal functions used to generate
UUIDs for DS. This means the interface is not guaranteed to be available.
Switch the ipa_uuid plugin to use the system libuuid plugin instead.

NOTE: This causes once again a change in the tring format used for UUIDs.

fixes: https://fedorahosted.org/freeipa/ticket/465
2010-11-15 11:47:27 -05:00
Jakub Hrozek
2205620664 Rewrite the migration page using WSGI 2010-11-09 13:25:17 -05:00
Rob Crittenden
3bb0186199 Remove ipa-fix-CVE-2008-3274, it isn't needed any more.
ticket 331
2010-11-08 14:23:27 -05:00
Endi S. Dewata
d99ebc0f37 HBAC Details Page
The UI framework has been extended to include a collection of widgets:
 - ipa_widget: base class
 - ipa_text_widget: text field
 - ipa_radio_widget: radio button
 - ipa_textarea_widget: textarea
 - ipa_button_widget: button
 - ipa_column_widget: column for table
 - ipa_table_widget: table

These widgets can be used to create input controls. They can also be
extended to create custom controls.

The framework has also been enhanced to support custom layouts. This
can be used to change the look of the application without changing
the code. Initially this is only available in details section.

Layout consists of a collection of HTML templates. Each template is a
complete and valid HTML file representing a portion of a page. The
template will be loaded and initialized by the code, then filled with
the data from the server. The layouts are located in
install/static/layouts/<name> folder.

By default, if no templates are used, the fields in the details page
are rendered vertically using dd/dt/dd tags. For pages that require
different layout, a custom UI needs to be developed. There are two ways
to do that:
 - write a custom widget to generate the UI dynamically
 - create an HTML template and write the initialization code

For components that are quite complex or used frequently, it's might
be better to use the first method. For simple pages that are used only
in one location or need to support customization, the second method
might be preferable. Other benefits of templates:
 - cleaner code and UI separation
 - more flexibility in customization
 - new pages can be developed quickly and require less coding
 - multiple templates can be used with the same initialization code
 - easier to maintain

The HBAC details page has been implemented using both methods. By
default it will use custom widgets to generate the page. To use a
custom layout, add the following parameter to the URL, then reload
the page:

  &layout=<name>

Currently the only available layout is 'default' which produces the
same look as the custom widgets.

The HBAC details page is usable, but it still needs additional work.
The access time is not working yet. There is no undo button, hint,
or validation yet.

The table in the association facet has also been changed to use
ipa_association_widget which is derived from ipa_table_widget.

The Makefile has been updated to include the layouts. The unit tests
have been updated as well.
2010-11-04 14:22:32 -04:00
Simo Sorce
984942ee49 Add new plugin used to modify related attributes after a modrdn operation. 2010-10-28 07:58:31 -04:00
Adam Young
476d1947a9 remove rule for inc files. 2010-10-25 11:45:17 -04:00
Rob Crittenden
b270542863 Grant /usr/sbin/ipa_kpasswd "name_bind" access.
Requires selinux-policy-3.6.32-123 on F12
Requires selinux-policy-3.7.19-40 on F13

ticket 73
2010-10-22 21:43:00 -04:00
Rob Crittenden
0ef9d88104 Add default python encoding module to reset default from ascii to utf-8
Also clean up some duplicate files in the rpm for the UI.
2010-10-22 21:39:20 -04:00
Simo Sorce
3a05149201 ipa-uuid: DNA-like plugin that generates uuids 2010-10-22 17:22:40 -04:00
Rob Crittenden
0ceba59d87 Add Requires on ipa-client to ipa-admintools, ensure ipa client is configured
It makes little sense to install ipa-admintools without ipa-client, require it.

Also see if the client has been configured. This is a bit tricky since we
have a full set of defaults. Add a new env option that gets set if at least
one configuration file is loaded.

ticket 213
2010-10-15 15:03:51 -04:00
Rob Crittenden
77385c7e9e Drop python-configobj from Requires and remove message about ipa-ldap-updater
python-configobj is a leftover from TurboGears requires as far as I can tell.
The ipa-ldap-updater message was supposed to detect when an upgrade was
installed but not applied. We are doing upgrades differently in v2.

tickets 141 and 219
2010-09-23 11:53:46 -04:00
Pavel Zuna
1bb412239d Big webUI patch.
Quick summary:
- use jQuery UI and jQuery BBQ libraries
- code restructuring

The patch has so many changes they can't be listed here. Many parts
of the code have been rewritten from scrach.

See freeipa-devel mailing list:
webUI code restructuring [wall of text, diagrams, ... you've been warned!]
2010-09-07
2010-09-17 19:42:40 -04:00
Rob Crittenden
a091be064d Clean up the spec file, add Requires for nss-pam-ldapd for F14+
Also do the following:
- Remove conflicts on mod_ssl
- Remove a lot of version checking for EOL'd Fedora versions
- Add a few conditionals for rhel6
- Add Requires of nss-tools on ipa-client
2010-09-10 16:59:26 -04:00
Rob Crittenden
3e15e6ed6d Break out install into more steps, add -key_algorithm to pkisilent
Installing dogtag is quite slow and it isn't always clear that things
are working. This breaks out some restart calls into separate steps
to show some amount of progress. There are still some steps that take
more than a minute (pkicreate and pkisilent).

Add new argument to pkisilent, -key_algorithm

Update a bunch of minimum required versions in the spec file.

tickets 139 (time) and 144 (key_algorithm)
2010-08-19 10:50:40 -04:00
Rob Crittenden
81ae7c3a60 Add a BuildRequires for authconfig
ticket 137
2010-08-16 17:09:17 -04:00
Adam Young
b7162b3b8a Changes to the install and config files to support deploying the javascript code. 2010-08-06 11:55:52 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
97bd59d869 Include missing file from version plugin and update min version of 389-ds 2010-06-24 17:29:31 -04:00
Rob Crittenden
09fb073e82 Replication version checking.
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
2010-06-24 10:33:53 -04:00
Rob Crittenden
ebab635250 Drop --with-openldap option in the client. This is no longer optional. 2010-06-21 09:52:11 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Rob Crittenden
dbd1f50111 Remove Requires on separate package python-krbV in client
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
2010-06-02 14:41:16 -04:00
Rob Crittenden
4ae483600f Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.
2010-05-27 10:50:13 -04:00
Rob Crittenden
cef30893ec client installation fixes: nscd, sssd min version, bogus join error
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
2010-05-03 13:40:14 -06:00
Pavel Zuna
2736177938 Add ipa man page. 2010-04-07 08:59:04 -04:00
rcrit
3998078461 Fix the client and client-rpms make targets 2010-03-19 07:57:55 -06:00
Rob Crittenden
b9df4f7f29 Don't create /var/log/ipa_error.log since we aren't using TurboGears any more. 2010-03-08 15:16:34 -05:00
John Dennis
06e5b8bd6b Install Contributors.txt 2010-03-04 14:52:39 -05:00
Rob Crittenden
bc47ad0c22 Make the CA a required component and configured by default.
To install IPA without dogtag use the --selfsign option.

The --ca option is now deprecated.

552995
2010-03-02 18:21:12 -05:00
Jason Gerard DeRose
3b4c4acfd2 Fixed ipa.spec.in to include share/ipa/wsgi.py* 2010-03-01 21:41:41 -07:00
Jason Gerard DeRose
1d529a8d09 Run ipaserver under mod_wsgi 2010-03-01 20:22:22 -07:00
Jason Gerard DeRose
85bb506d5b Add fix for wehjit (ctypes) SELinux problem 2010-02-12 01:22:02 -07:00
John Dennis
4461a74403 Add support for building internationalized translations.
A new directory install/po has been added which contains all
the translations for all files in IPA.

The build has been agumented to build these files. Also the
autogen.sh script was mostly replaced by autoreconf, the preferred
method. The old autogen.sh sript also had some serious bugs in the
way it compared versions which caused it to run old versions of some
of the tools, using standared autoreconf is much better.
2010-02-09 22:07:18 -05:00
Martin Nagy
b05f94fb4c Add ipa-dns-install script
Unfortunately, for now there is no --uninstall option.
2010-02-09 15:45:35 -05:00
Rob Crittenden
3ff06c498b Configure sssd and certmonger in ipa-client-install
This does a number of things under the hood:

- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The clinet machine
  *must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
2010-02-03 15:41:02 -05:00
Jason Gerard DeRose
ec142329aa Update spec to require python-wehjit >= 0.2.0 2010-01-27 09:41:28 -05:00
Pavel Zuna
c15c1eee72 Add DS migration plugin and password migration page. 2010-01-20 16:54:17 -05:00
Rob Crittenden
864490ff41 Replace uses of %define with %global in the .spec file
Fixes rawhide builds per
https://www.redhat.com/archives/fedora-devel-list/2010-January/msg00093.html

Contributed by Nalin Dahyabhai
2010-01-07 14:12:52 -05:00
Rob Crittenden
62d40286ac A utility for removing principals from a keytab.
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.

This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed

This does not change the KDC at all, just removes entries from a file
on the client machine.
2009-12-04 16:29:09 -05:00