Rob Crittenden 49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
checks Added a sys.path hack to get checks/check-ra.py working again 2009-02-17 16:03:10 -05:00
contrib/RHEL4 Now that admin is in the common users tree make the nss_ldap 2008-05-29 09:43:08 -04:00
daemons Check error in kpasswd 2009-07-10 09:42:21 -04:00
doc/examples Fleshed out krb plugin and added example of scripting against Python API 2009-08-31 15:47:14 -06:00
install Add external CA signing and abstract out the RA backend 2009-09-15 10:01:08 -04:00
ipa-client Clean up additional issues discovered with pylint and pychecker 2009-08-20 09:20:56 -04:00
ipa-radius-admintools Rework config.py and change cli tools. Maintain order of IPA servers from command line, config and DNS. Parse options before detecting IPA configuration. Don't ignore rest of the options if one is missing in ipa.conf. Drop the --usage options, we will rely on --help. Fixes: 458869, 459070, 458980, 459234 2008-09-11 23:34:01 +02:00
ipa-radius-server Fix versioning for configure.ac and ipa-python/setup.py 2008-08-11 18:31:05 -04:00
ipalib Add external CA signing and abstract out the RA backend 2009-09-15 10:01:08 -04:00
ipapython Add option to the installer for uid/gid starting numbers. 2009-08-27 14:15:26 -04:00
ipaserver Add external CA signing and abstract out the RA backend 2009-09-15 10:01:08 -04:00
ipawebui Renamed ipa_webui/ to ipawebui/ and tests/test_ipa_webui/ to tests/test_ipawebui 2009-01-04 19:48:02 -07:00
selinux Add external CA signing and abstract out the RA backend 2009-09-15 10:01:08 -04:00
tests Fix service_mod and add a test case 2009-08-26 09:51:15 -04:00
.bzrignore Added top-level tests/ package that will contain all unit tests 2008-10-07 20:36:44 -06:00
.gitignore Add build to .gitignore 2008-10-23 10:37:16 -04:00
autogen.sh Complete consolidation into a single autogen.sh 2009-02-04 09:04:26 -05:00
ipa Started reworking CLI class into cli plugin 2009-02-03 15:29:03 -05:00
ipa.spec.in Generate CRLs and make them available from the IPA web server 2009-08-26 09:51:19 -04:00
LICENSE Added GPL v2 in LICENSE file 2008-10-14 16:51:04 -06:00
lite-webui.py Renamed all references to 'ipa_webui' to 'ipawebui' 2009-01-04 19:45:53 -07:00
lite-xmlrpc.py Finished small tweaks to get new ipaserver.xmlrpc() mod_python handler working 2009-02-03 15:29:05 -05:00
make-doc Renamed all references to 'ipa_webui' to 'ipawebui' 2009-01-04 19:45:53 -07:00
make-test Re-enable doctest, fix broken docstrings 2009-05-13 14:22:09 -04:00
Makefile Added Rob's 'srpms' make target 2009-05-11 15:38:07 -04:00
MANIFEST.in Renamed all references to 'ipa_webui' to 'ipawebui' 2009-01-04 19:45:53 -07:00
README Add a copy of the LICENSE and populate some README's 2008-01-23 10:30:18 -05:00
setup.py Get merged tree into an installable state. 2009-02-03 15:29:20 -05:00
TODO Updated TODO based on discussion between Rob, Pavel, and Jason; put TODO in reStructuredText style formatting 2009-05-19 09:55:34 -04:00
VERSION Bump version to 2.0.0pre1 2009-05-11 16:26:55 -04:00
version.m4.in Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00

                               IPA Server

  What is it?
  -----------

  For efficiency, compliance and risk mitigation, organizations need to
  centrally manage and correlate vital security information including:

    * Identity (machine, user, virtual machines, groups, authentication
      credentials)
    * Policy (configuration settings, access control information)
    * Audit (events, logs, analysis thereof) 

  Since these are not new problems, there exist many approaches and
  products focused on addressing them. However, these tend to have the
  following weaknesses:

    * Focus on solving identity management across the enterprise has meant
      less focus on policy and audit.
    * Vendor focus on Web identity management problems has meant less well
      developed solutions for central management of the Linux and Unix
      world's vital security info. Organizations are forced to maintain
      a hodgepodge of internal and proprietary solutions at high TCO.
    * Proprietary security products don't easily provide access to the
      vital security information they collect or manage. This makes it
      difficult to synchronize and analyze effectively. 

  The Latest Version
  ------------------

  Details of the latest version can be found on the IPA server project
  page under <http://www.freeipa.org/>.

  Documentation
  -------------

  The most up-to-date documentation can be found at
  <http://freeipa.org/page/Documentation/>.

  Licensing
  ---------

  Please see the file called LICENSE.

  Contacts
  --------

     * If you want to be informed about new code releases, bug fixes,
       security fixes, general news and information about the IPA server,
       subscribe to the freeipa-announce mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.

     * If you have a bug report, please submit it at:
       <https://bugzilla.redhat.com>

     * If you want to participate in actively developing IPA, please
       subscribe to the freeipa-devel mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
       us in IRC at irc://irc.freenode.net/freeipa