IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9
freeipa/ipapython
History
John Dennis a1991aeac1 Use secure method to acquire IPA CA certificate 
Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2013-01-23 14:26:42 -05:00
..
platform
convert the base platform modules into packages
2013-01-14 14:39:54 +01:00
py_default_encoding
Check for Python.h during build of py_default_encoding extension
2011-11-16 18:34:16 -05:00
test
Fix failed tests. API for utcoffset changed and strings are more robust.
2011-01-24 14:34:38 -05:00
__init__.py
Rename ipa-python directory to ipapython so it is a real python library
2009-02-09 14:35:15 -05:00
admintool.py
Ticket #2850 - Ipactl exception not handled well
2012-08-27 15:30:28 +02:00
certdb.py
Move the compat module from ipalib to ipapython.
2012-02-13 22:22:49 -05:00
certmonger.py
Use correct Dogtag configuration in get_pin and get_ca_certchain
2012-11-23 12:19:19 +01:00
compat.py
Move the compat module from ipalib to ipapython.
2012-02-13 22:22:49 -05:00
config.py
Fix winsync agreements creation
2012-08-12 23:26:16 -04:00
cookie.py
Cookie Expires date should be locale insensitive
2012-12-20 16:39:25 +01:00
dn.py
Ticket #3008: DN objects hash differently depending on case
2012-08-22 17:23:12 +03:00
dogtag.py
Use correct Dogtag configuration in get_pin and get_ca_certchain
2012-11-23 12:19:19 +01:00
entity.py
Use DN objects instead of strings
2012-08-12 16:23:24 -04:00
ipa_log_manager.py
Use DN objects instead of strings
2012-08-12 16:23:24 -04:00
ipa.conf
Rename ipa-python directory to ipapython so it is a real python library
2009-02-09 14:35:15 -05:00
ipautil.py
Use secure method to acquire IPA CA certificate
2013-01-23 14:26:42 -05:00
ipavalidate.py
Change FreeIPA license to GPLv3+
2010-12-20 17:19:53 -05:00
kernel_keyring.py
Store session cookie in ccache for cli users
2012-06-14 14:02:26 +02:00
log_manager.py
Fix various typos.
2012-09-18 08:45:28 +02:00
Makefile
Introduce platform-specific adaptation for services used by FreeIPA.
2011-09-13 11:25:58 +02:00
MANIFEST.in
Rename ipa-python directory to ipapython so it is a real python library
2009-02-09 14:35:15 -05:00
nsslib.py
Close connection after each request, avoid NSS shutdown problem.
2012-10-24 15:07:53 -04:00
README
Replace DNS client based on acutil with python-dns
2012-05-24 13:55:56 +02:00
services.py.in
Save service name on service startup/shutdown
2012-11-01 14:24:41 -04:00
setup.py.in
convert the base platform modules into packages
2013-01-14 14:39:54 +01:00
ssh.py
SSHPublicKey.fingerprint_dns_sha1 should return unicode value.
2012-09-20 10:44:28 +02:00
sysrestore.py
Improves sssd.conf handling during ipa-client uninstall
2012-09-20 16:57:13 +02:00
version.py.in
Add API version and have server reject incompatible clients.
2011-01-14 14:26:22 -05:00

README 

This is a set of libraries common to IPA clients and servers though mostly
geared currently towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines