Need to add a few more places where the DN will not be automatically
normalized. The krb5 server expects a very specific format and normalizing
causes it to not work.
Before the patch that allows to create unshared instances of Connectible
objects, all Connection object were deleted at once in destroy_context().
It made sense at the time, because there was always at most one Connection
per Connectible subclass and Connectible.disconnect() was called only
internally by the Executioner class. Now that we can make arbitrary
connections, it makes more sense to delete the Connection object when
Connectible.disconnect() is called.
ldap2._generate_modlist now uses more sophisticated means to decide
when to use MOD_ADD+MOD_DELETE instead of MOD_REPLACE.
MOD_REPLACE is always used for single value attributes and never
for multi value.
This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.
This is the first step of allowing the subject to be set at
installation time.
Also fix 2 more issues related to the return results migration.
Also properly use the instance name where appropriate. There were a
couple of places where the service name was used and this worked because
they were the same.
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
If a replica is not up for some reason (e.g. you've already deleted it)
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.
This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed
This does not change the KDC at all, just removes entries from a file
on the client machine.
This assumes that the developer has the equivalent of a selfsign CA
installed. To do this, install IPA without a CA and copy
/etc/httpd/alias/*.db to ~/.ipa/alias and
/etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
The idnsUpdatePolicy takes a list of BIND dynamic update policies, each
of which must be terminated by ";". Also fix a minor error in the
documentation string.
Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.
Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.