Commit Graph

60 Commits

Author SHA1 Message Date
Rob Crittenden
ccaf537aa6 Handle errors raised by plugins more gracefully in mod_wsgi.
This started as an effort to display a more useful error message in the
Apache error log if retrieving the schema failed. I broadened the scope
a little to include limiting the output in the Apache error log
so errors are easier to find.

This adds a new configuration option, startup_traceback. Outside of
lite-server.py it is False by default so does not display the traceback
that lead to the StandardError being raised. This makes the mod_wsgi
error much easier to follow.
2010-07-12 09:32:33 -04:00
Rob Crittenden
ba59d9d648 Add support for User-Private Groups
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.

If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.

The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
2010-07-06 15:39:34 -04:00
Rob Crittenden
c42684ad5b Remove unused attribute serviceName and re-number schema
serviceName was originally part of the HBAC rules. We dropped it
to use a separate service object instead so we could more easily
do groups of services in rules.
2010-06-21 09:53:02 -04:00
Rob Crittenden
e123fa6671 Add ipaUniqueID to HBAC services and service groups
Also fix the memberOf attribute for the HBAC services
2010-05-27 10:51:02 -04:00
Rob Crittenden
fe7cb34f76 Re-number some attributes to compress our usage to be contiguous
No longer install the policy or key escrow schemas and remove their
OIDs for now.

594149
2010-05-27 10:50:49 -04:00
Rob Crittenden
de154919a6 Add 'all' serviceCategory to default HBAC group and add some default services 2010-05-27 10:50:44 -04:00
Rob Crittenden
58fed69768 Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual
services or groups of services to an HBAC rule.

588574
2010-05-17 13:47:37 -04:00
Martin Nagy
e29be7ac3e named.conf: Add trailing dot to the fake_mname
Yet another trailing dot issue, but this one was kept hidden because
only the latest bind-dyndb-ldap package uses the fake_mname option.
2010-05-06 10:27:21 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
Rob Crittenden
205724b755 Remove some duplicated schema
Newer versions of 389-ds provide this certificate schema so no need to
provide it ourselves.
2010-04-30 10:07:58 -04:00
Rob Crittenden
cc336cf9c1 Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
2010-04-19 10:06:04 -04:00
Rob Crittenden
c6e6fa758e Enable anonymous VLV so Solaris clients will work out of the box.
Since one needs to enable the compat plugin we will enable anonymous
VLV when that is configured.

By default the DS installs an aci that grants read access to ldap:///all
and we need ldap:///anyone
2010-04-16 11:05:20 -04:00
Jason Gerard DeRose
1d529a8d09 Run ipaserver under mod_wsgi 2010-03-01 20:22:22 -07:00
Nalin Dahyabhai
4ab0651449 - also ensure that krbCanonicalName is unique 2010-02-05 15:34:23 -05:00
Nalin Dahyabhai
58ba0d5573 - allow the KDC to read krbCanonicalName 2010-02-05 15:34:04 -05:00
Nalin Dahyabhai
a2891afb5d - pull in updated schema which adds the krbCanonicalName attribute 2010-02-04 11:36:13 -05:00
Martin Nagy
d6ca88f331 Set BIND to use ldapi and use fake mname
The fake_mname for now doesn't exists but is a feature that will be
added in the near future. Since any unknown arguments to bind-dyndb-ldap
are ignored, we are safe to use it now.
2010-01-21 17:37:42 -05:00
Martin Nagy
7aa78ee060 Only add an NTP SRV record if we really are setting up NTP
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.

Fixes #500238
2010-01-21 17:09:21 -05:00
Martin Nagy
686203c074 Use the dns plug-in for addition of records during installation
Fixes #528943
2010-01-21 17:09:18 -05:00
Rob Crittenden
4789bc8f56 Fix merge issue, cut-and-paste error 2010-01-21 15:23:36 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Pavel Zuna
ba0e7b9c68 Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. 2010-01-20 16:53:51 -05:00
Pavel Zuna
2e22963a2d Add default values for krb ticket policy attributes during installation. 2010-01-13 13:43:51 -05:00
Rob Crittenden
c3f9ec14d9 Make hosts more like real services so we can issue certs for host principals
This patch should make joining a client to the domain and using certmonger
to get an initial certificate work.
2009-12-16 19:26:59 -07:00
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Pavel Zuna
2f8129a17c Add ipaUserGroup objectClass to default groups where missing. 2009-12-01 10:41:27 -05:00
Rob Crittenden
bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
Rob Crittenden
e4c119ed4b Use Directory String sytnax for the fqdn attribute, not DN syntax. 2009-10-28 01:07:35 -06:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
Pavel Zuna
a6eb928f98 Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
0c28978a8d Ensure that dnaMaxValue is higher than dnaNextValue at install time
Resolves 522179
2009-09-09 22:05:24 -04:00
Martin Nagy
4e5a68397a Use DNS forwarders in /etc/named.conf
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these option was given at the command
line.
2009-09-02 19:09:28 +02:00
Rob Crittenden
aafdb755a3 Install the ldapi ldif file 2009-08-28 08:46:54 -04:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
2009-08-27 14:15:26 -04:00
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Rob Crittenden
dbeb409ebd Include schema for key escrow management
https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
2009-08-10 16:38:18 -06:00
Martin Nagy
de53d0a26e Make --setup-dns work on replica installation
The ipa-replica-install script will setup the DNS if user specifies the
--setup-dns option. It will only add the zone into LDAP if the
cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add
the records.
2009-07-22 18:02:22 +02:00
Martin Nagy
a09d2c3498 Add a reverse zone with server's PTR record
Also, small cosmetic change in dns.ldif.
2009-07-22 18:02:22 +02:00
Martin Nagy
017f236d6a Use uppercase boolean values in dns.ldif
The newest 389 server implements syntax checking and causes problems if
the boolean attribute is set to "True". The correct value should be
"TRUE".
2009-07-15 07:34:28 +02:00
Rob Crittenden
c21e003cdf Let anonymous users browse the VLV index
This is needed for automount support on Solaris

http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
2009-07-10 16:45:45 -04:00
Martin Nagy
5149803873 Configure BIND LDAP driver to use SASL authentication
We use /etc/named.keytab generated by ipa-server-install to authenticate
against the LDAP server. Also tidy up /etc/named.conf since we're there.
2009-07-10 09:55:29 -04:00
Simo Sorce
9fe707a3f2 Basic changes to get a default principal for DNS
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>
2009-07-10 09:42:22 -04:00
Pavel Zuna
94181d54fe Make object classes of automatically created entries lowercase.
This makes them more consistent with entries created by plugins.
It's a cosmetic thing, not that useful.
2009-07-10 08:58:44 -04:00
Martin Nagy
8345e8e1f1 Use root.$HOST.$DOMAIN. instead of root.$DOMAIN. 2009-06-02 12:32:06 +02:00
Martin Nagy
1bc786e379 Use LDAP instead of flat file for zone storage 2009-06-02 12:32:01 +02:00
Martin Nagy
1893a802c7 Change DNS LDAP attributes
Removes two unneeded attributes and adds one attribute for specifying
DNS update policy. Additionally, use different namespace for them: 5.x
for attribute types and 6.x for object classes.
2009-06-02 12:30:59 +02:00
Rob Crittenden
e396cc26bf Add memberOf as a MAY to ipaHost
499731
2009-05-26 14:26:49 -04:00
Rob Crittenden
e5bec4ae39 Schema change so the nisnetgroup triples work properly.
If we use cn for hostname there is no easy way to distinguish between
a host and a hostgroup. So adding a fqdn attribute to be used to store
the hostname instead.
2009-05-19 09:54:17 -04:00