Nathan Kinder
80aeb445e2
Timeout when performing time sync during client install
...
We use ntpd now to sync time before fetching a TGT during client
install. Unfortunately, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via ipautil.run() to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-16 15:55:26 +01:00
Jan Cholasta
760ebaa685
Make certificate renewal process synchronized
...
Synchronization is achieved using a global renewal lock.
https://fedorahosted.org/freeipa/ticket/4803
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:36:10 +00:00
Jan Cholasta
f92d0efca6
Improve validation of --instance and --backend options in ipa-restore
...
https://fedorahosted.org/freeipa/ticket/4744
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:46:29 +00:00
Petr Viktorin
1d7407c06c
Do not restore SELinux settings that were not backed up
...
https://fedorahosted.org/freeipa/ticket/4678
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 15:47:45 +01:00
Martin Basti
ba124045b9
Fix named working directory permissions
...
Just adding dir to specfile doesn't work, because it is not guaranteed
that named is installed during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-18 18:49:42 +00:00
David Kupka
51795254b2
Remove service file even if it isn't a link.
...
(Link to) service file from /etc/systemd/system/ must be removed before masking
systemd service.
https://fedorahosted.org/freeipa/ticket/4658
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 13:53:23 +01:00
David Kupka
814479a567
Remove unneeded internal methods. Move code to public methods.
...
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 13:51:09 +01:00
Petr Viktorin
082485c283
ipaplatform: Use the dirsrv service, not target
...
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.
https://fedorahosted.org/freeipa/ticket/4709
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 10:49:17 +00:00
Jan Cholasta
7c2aad17da
Fix CA certificate backup and restore
...
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-11 16:13:52 +01:00
David Kupka
71c24b187a
Respect UID and GID soft static allocation.
...
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
https://fedorahosted.org/freeipa/ticket/4585
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Martin Basti
9af49ff97f
DNSSEC: platform paths and services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
f31f5f5344
Add mask, unmask methods for service
...
This patch allows masking and unmasking services in IPA
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:18:55 +02:00
Martin Basti
bac2cc9799
Make named.conf template platform independent
...
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
ec928b1aec
Add missing attributes to named.conf
...
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Petr Viktorin
7ada6dd096
backup/restore: Add files from /etc/ipa/nssdb
...
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which is now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-02 13:53:55 +02:00
Jan Cholasta
96662124bf
Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
...
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.
Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.
Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
483ebf9cea
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
...
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
ed2bfffd4e
Introduce NSS database /etc/ipa/nssdb
...
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Petr Viktorin
e3ba75d379
Move setting SELinux booleans to platform code
...
Create a platform task for setting SELinux booleans.
Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.
Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.
Preparation for: https://fedorahosted.org/freeipa/ticket/4157
Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Jan Cholasta
044c5c833a
Enable NSS PKIX certificate path discovery and validation for Dogtag.
...
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d27e77adc5
Allow upgrading CA-less to CA-full using ipa-ca-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
55d3bab57b
Get CA certs for system-wide store from cert store in ipa-client-install.
...
All of the certificates and associated key policy are now stored in
/etc/pki/ca-trust/source/ipa.p11-kit.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
b5471a9f3e
Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.
...
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Rob Crittenden
54e4891fef
Remove IPA Foreman Smart Proxy
...
The code has been moved to its own, separate repository at
git://git.fedorahosted.org/git/freeipa-foreman-smartproxy.git
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-01 09:19:51 +02:00
Tomas Babej
e5e42fc83a
ipaplatform: Move paths from installers to paths module
...
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Tomas Babej
2a3c746dca
ipaplatform: Drop the base authconfig class
...
As authconfig is a distro-specific tool there is no incentive for
implying that other platforms should implement any authconfig
implementation of their own.
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:07 +02:00
Tomas Babej
e099ad4583
ipaplatform: Document the platform tasks API
...
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 21:07:06 +02:00
Petr Viktorin
d868fc5566
Fix self argument in tasks
...
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
3b4ab8b4f2
ipaplatform: Move hardcoded paths from Fedora platform files to path namespace
...
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
8a5e2a8166
ipaplatform: Contain all the tasks in the TaskNamespace
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:21 +02:00
Tomas Babej
4d2ef43f28
ipaplatform: Move all filesystem paths to ipaplatform.paths module
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
a7c2327a36
ipaplatform: Move Fedora-specific implementations of tasks to fedora base platform file
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
5f31f2d35f
ipaplatform: Do not require custom Authconfig implementations from platform modules
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:18 +02:00
Tomas Babej
3fcaf81c64
ipaplatform: Create default implementations for tasks that were missing them
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
1d0623ce1c
ipaplatform: Move default implementations of tasks from service.py.in
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
0b974007de
ipaplatform: Move service base platform related functionality to ipaplatform/base/service.py
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00
Tomas Babej
1fc7b04858
ipaplatform: Create separate module for platform files
...
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:17 +02:00