Imported Debian patch 4.7.2-3

This commit is contained in:
Timo Aaltonen
2019-05-06 08:43:34 +03:00
committed by Mario Fetka
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions


@@ -6,7 +6,6 @@ NULL =
SUBDIRS = \
certmonger \
custodia \
html \
migration \
share \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -244,8 +244,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -288,10 +286,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -312,6 +311,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -399,9 +400,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -419,7 +418,6 @@ AUTOMAKE_OPTIONS = 1.7
NULL =
SUBDIRS = \
certmonger \
custodia \
html \
migration \
share \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -218,8 +218,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -262,10 +260,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -286,6 +285,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -373,9 +374,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -638,12 +637,9 @@ uninstall-am: uninstall-nodist_appSCRIPTS
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Jan Cholasta <jcholast@redhat.com>
@@ -85,8 +85,20 @@ def get_nickname():
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
return cainstance.get_ca_renewal_nickname(
subject_base, ca_subject_dn, DN(subject))
nickname_by_subject_dn = {
DN(ca_subject_dn): 'caSigningCert cert-pki-ca',
DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
DN('CN=KRA Audit', subject_base): 'auditSigningCert cert-pki-kra',
DN('CN=KRA Transport Certificate', subject_base):
'transportCert cert-pki-kra',
DN('CN=KRA Storage Certificate', subject_base):
'storageCert cert-pki-kra',
DN('CN=IPA RA', subject_base): 'ipaCert',
}
return nickname_by_subject_dn.get(DN(subject))
def is_replicated():
@@ -123,9 +135,7 @@ def call_handler(_handler, *args, **kwargs):
operation = os.environ['CERTMONGER_OPERATION']
if operation == 'POLL':
cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
if cookie is None:
return (UNCONFIGURED, "Cookie not provided")
if len(cookie) > 0:
if cookie is not None:
try:
context = json.loads(cookie)
if not isinstance(context, dict):
@@ -133,13 +143,7 @@ def call_handler(_handler, *args, **kwargs):
except (TypeError, ValueError):
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else:
# Reconstruct the data for the missing cookie. Sanity checking
# is done elsewhere, when needed.
context = dict(cookie=u'')
profile = os.environ.get('CERTMONGER_CA_PROFILE')
if profile is not None:
profile = profile.encode('ascii').decode('raw_unicode_escape')
context['profile'] = profile
return (UNCONFIGURED, "Cookie not provided")
if 'profile' in context:
profile = context.pop('profile')
@@ -211,9 +215,9 @@ def request_cert(reuse_existing, **kwargs):
"--certfile", paths.RA_AGENT_PEM,
"--keyfile", paths.RA_AGENT_KEY] +
sys.argv[1:] +
['--submit-option', "requestor_name=IPA"] +
['--force-new', '--approval-option', 'bypassCAnotafter=true']
)
['--submit-option', "requestor_name=IPA"])
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
args += ['-N', '-O', 'bypassCAnotafter=true']
result = ipautil.run(args, raiseonerr=False, env=os.environ,
capture_output=True)
if six.PY2:
@@ -266,9 +270,23 @@ def store_cert(**kwargs):
return (REJECTED, "New certificate requests not supported")
cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
with ldap_connect() as conn:
cainstance.update_ca_renewal_entry(conn, nickname, cert)
try:
entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
conn.update_entry(entry)
except errors.NotFound:
entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[nickname],
usercertificate=[cert])
conn.add_entry(entry)
except errors.EmptyModlist:
pass
except Exception as e:
attempts += 1
if attempts < 10:
@@ -402,7 +420,7 @@ def retrieve_cert(**kwargs):
return result
def renew_ca_cert(reuse_existing, force_self_signed, **kwargs):
def renew_ca_cert(reuse_existing, **kwargs):
"""
This is used for automatic CA certificate renewal.
"""
@@ -420,8 +438,7 @@ def renew_ca_cert(reuse_existing, force_self_signed, **kwargs):
if operation == 'SUBMIT':
state = 'retrieve'
if (is_self_signed or force_self_signed) \
and not reuse_existing and is_renewal_master():
if not reuse_existing and is_renewal_master():
state = 'request'
csr_file = paths.IPA_CA_CSR
@@ -474,9 +491,7 @@ def renew_ca_cert(reuse_existing, force_self_signed, **kwargs):
def main():
kwargs = {
'reuse_existing': False,
'force_self_signed': False,
}
try:
sys.argv.remove('--reuse-existing')
except ValueError:
@@ -484,22 +499,13 @@ def main():
else:
kwargs['reuse_existing'] = True
try:
sys.argv.remove('--force-self-signed')
except ValueError:
pass
else:
kwargs['force_self_signed'] = True
api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
api.finalize()
operation = os.environ.get('CERTMONGER_OPERATION')
if operation not in ('SUBMIT', 'POLL'):
return OPERATION_NOT_SUPPORTED_BY_HELPER
api.bootstrap(
in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
)
api.finalize()
tmpdir = tempfile.mkdtemp(prefix="tmp-")
certs.renewal_lock.acquire()
try:
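Review bot: In the new `main()` the `api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)` / `api.finalize()` pair now runs before the `CERTMONGER_OPERATION` guard, so invocations this helper rejects with `OPERATION_NOT_SUPPORTED_BY_HELPER` still pay for full API initialization, and the `log=None` override that the removed side passed is gone, so bootstrap presumably falls back to its default log destination under whatever identity certmonger runs the helper as (confirm against ipalib's `env.log` default). Because certmonger reads this helper's stdout as its result, any logging that ends up there would corrupt the returned certificate or cookie. Suggest moving the two-line operation check above the bootstrap call and restoring `log=None` in the `api.bootstrap(...)` call. The remainder of `main()` (the lock and tmpdir handling) continues outside the hunk.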


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Jan Cholasta <jcholast@redhat.com>
@@ -19,57 +19,45 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
import os
# Prevent garbage from readline on standard output
# (see https://fedorahosted.org/freeipa/ticket/4064)
if not os.isatty(1):
os.environ['TERM'] = 'dumb'
import sys
import syslog
import traceback
# Return codes. Names of the constants are taken from
# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h
OPERATION_NOT_SUPPORTED_BY_HELPER = 6
import six
def run_operation(cmd):
from ipapython import ipautil
result = ipautil.run(cmd, raiseonerr=False, env=os.environ)
# Write bytes directly
sys.stdout.buffer.write(result.raw_output) #pylint: disable=no-member
sys.stderr.buffer.write(result.raw_error_output) #pylint: disable=no-member
sys.stdout.flush()
sys.stderr.flush()
return result.returncode
from ipapython import ipautil
from ipaserver.install import certs
def main():
if len(sys.argv) < 2:
raise RuntimeError("Not enough arguments")
# Avoid the lock if the operation is unsupported by ipa-submit
operation = os.environ.get('CERTMONGER_OPERATION')
if operation not in ('IDENTIFY',
'FETCH-ROOTS',
'GET-NEW-REQUEST-REQUIREMENTS',
'SUBMIT',
'POLL'):
return OPERATION_NOT_SUPPORTED_BY_HELPER
with certs.renewal_lock:
result = ipautil.run(sys.argv[1:], raiseonerr=False, env=os.environ)
if six.PY2:
sys.stdout.write(result.raw_output)
sys.stderr.write(result.raw_error_output)
else:
# Write bytes directly
sys.stdout.buffer.write(result.raw_output) #pylint: disable=no-member
sys.stderr.buffer.write(result.raw_error_output) #pylint: disable=no-member
sys.stdout.flush()
sys.stderr.flush()
if operation in ('SUBMIT', 'POLL', 'FETCH-ROOTS'):
from ipaserver.install import certs
with certs.renewal_lock:
return run_operation(sys.argv[1:])
else:
return run_operation(sys.argv[1:])
return result.returncode
try:
sys.exit(main())
except Exception as e:
import traceback
import syslog
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
print("Internal error")
sys.exit(3)
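Review bot: The new `@PYTHONSHEBANG@` placeholder on line 1 is expanded by the certmonger Makefile rule shown elsewhere on this page to `#!$(PYTHON) -E`, whereas the removed `#!/usr/bin/python3` line was rewritten to `#!$(PYTHON) -I`; `-E` only ignores `PYTHON*` environment variables, it does not also disable the user site-packages directory or drop the script's own directory from `sys.path` the way `-I` does. This helper presumably runs under certmonger with elevated privileges and executes whatever command it is handed (`ipautil.run(sys.argv[1:], ...)`), so the interpreter hardening is worth keeping. If `-I` is being avoided because a Python 2 interpreter may be substituted for `$(PYTHON)`, `#!$(PYTHON) -Es` is accepted by both and is the closest portable equivalent. That substitution lives in Makefile.pythonscripts.am rather than in this file, so the one-line change belongs there.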


@@ -1,22 +0,0 @@
NULL =
appdir = $(libexecdir)/ipa/custodia/
nodist_app_SCRIPTS = \
ipa-custodia-dmldap \
ipa-custodia-pki-tomcat \
ipa-custodia-pki-tomcat-wrapped \
ipa-custodia-ra-agent \
$(NULL)
dist_noinst_DATA = \
ipa-custodia-dmldap.in \
ipa-custodia-pki-tomcat.in \
ipa-custodia-pki-tomcat-wrapped.in \
ipa-custodia-ra-agent.in \
$(NULL)
PYTHON_SHEBANG = $(nodist_app_SCRIPTS)
CLEANFILES = $(PYTHON_SHEBANG)
include $(top_srcdir)/Makefile.pythonscripts.am


@@ -1,653 +0,0 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = install/custodia
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
SCRIPTS = $(nodist_app_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
DATA = $(dist_noinst_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.pythonscripts.am
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
NULL =
appdir = $(libexecdir)/ipa/custodia/
nodist_app_SCRIPTS = \
ipa-custodia-dmldap \
ipa-custodia-pki-tomcat \
ipa-custodia-pki-tomcat-wrapped \
ipa-custodia-ra-agent \
$(NULL)
dist_noinst_DATA = \
ipa-custodia-dmldap.in \
ipa-custodia-pki-tomcat.in \
ipa-custodia-pki-tomcat-wrapped.in \
ipa-custodia-ra-agent.in \
$(NULL)
PYTHON_SHEBANG = $(nodist_app_SCRIPTS)
CLEANFILES = $(PYTHON_SHEBANG)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/Makefile.pythonscripts.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/custodia/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign install/custodia/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.pythonscripts.am $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-nodist_appSCRIPTS: $(nodist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-nodist_appSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(SCRIPTS) $(DATA)
installdirs:
for dir in "$(DESTDIR)$(appdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-nodist_appSCRIPTS
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-nodist_appSCRIPTS
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-nodist_appSCRIPTS install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-nodist_appSCRIPTS
.PRECIOUS: Makefile
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
#
from ipaserver.secrets.handlers.dmldap import main
main()


@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
#
from ipaserver.secrets.handlers.nsswrappedcert import main, pki_tomcat_parser
main(pki_tomcat_parser())


@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
#
from ipaserver.secrets.handlers.nsscert import main, pki_tomcat_parser
main(pki_tomcat_parser())


@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
#
from ipaserver.secrets.handlers.pemfile import main, ra_agent_parser
main(ra_agent_parser())


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -214,8 +214,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -258,10 +256,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -282,6 +281,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -369,9 +370,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@@ -105,7 +105,7 @@
Double-click the <code>network.negotiate-auth.trusted-uris</code> entry to display the Enter string value dialog box.
</li>
<li>
Enter the name of the domain against which you want to authenticate, for example, <code class="example-domain">.example.com</code>.
Enter the name of the domain against which you want to authenticate, for example, <code class="example-domain">.example.com.</code>
</li>
<li><a href="../ui/index.html" id="return-link" class="btn btn-default">Return to Web UI</a></li>
</ol>
@@ -147,13 +147,13 @@
<li>
Create a new <code>/etc/opt/chrome/policies/managed/mydomain.json</code> file with write privileges limited to the system administrator or root, and include the following line:
<div><code>
{ "AuthServerWhitelist": "*<span class="example-domain">.example.com</span>" }
{ "AuthServerWhitelist": "*<span class="example-domain">.example.com.</span>" }
</code></div>
<div>
You can do this by running:
</div>
<div><code>
[root@server]# echo '{ "AuthServerWhitelist": "*<span class="example-domain">.example.com</span>" }' > /etc/opt/chrome/policies/managed/mydomain.json
[root@server]# echo '{ "AuthServerWhitelist": "*<span class="example-domain">.example.com.</span>" }' > /etc/opt/chrome/policies/managed/mydomain.json
</code></div>
</li>
</ol>


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -214,8 +214,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -258,10 +256,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -282,6 +281,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -369,9 +370,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@@ -54,11 +54,8 @@ def bind(ldap_uri, base_dn, username, password):
logger.error('migration unable to get base dn')
raise IOError(errno.EIO, 'Cannot get Base DN')
bind_dn = DN(('uid', username), ('cn', 'users'), ('cn', 'accounts'), base_dn)
# ldap_uri should be ldapi:// in all common cases. Enforce start_tls just
# in case it's a plain LDAP connection.
start_tls = ldap_uri.startswith('ldap://')
try:
conn = ipaldap.LDAPClient(ldap_uri, start_tls=start_tls)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn, password)
except (errors.ACIError, errors.DatabaseError, errors.NotFound) as e:
logger.error(
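Review bot: On the new side of this hunk `conn = ipaldap.LDAPClient(ldap_uri)` opens the connection without StartTLS, and the following `conn.simple_bind(bind_dn, password)` then sends the migrating user's password in the clear whenever `ldap_uri` is a plain `ldap://` URI rather than `ldapi://`. Because `ldap_uri` is a parameter of bind() and its origin is not visible in the hunk, the client should keep enforcing TLS for that case, e.g. `conn = ipaldap.LDAPClient(ldap_uri, start_tls=ldap_uri.startswith('ldap://'))`, or bind()'s docstring should state that only `ldapi://` URIs are acceptable. The body of bind() begins above this hunk and its exception handling continues below it. Which of the two paired `conn = ...` lines is old and which is new is inferred from the hunk counts and the removed `start_tls` assignment rather than from markers.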


@@ -6,9 +6,6 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
dist_noinst_DATA = \
com.redhat.idm.trust-fetch-domains.in \
org.freeipa.server.trust-enable-agent.in \
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf.in \
etc/oddjobd.conf.d/ipa-server.conf.in \
$(NULL)
dist_oddjob_SCRIPTS = \
@@ -17,7 +14,6 @@ dist_oddjob_SCRIPTS = \
nodist_oddjob_SCRIPTS = \
com.redhat.idm.trust-fetch-domains \
org.freeipa.server.trust-enable-agent \
$(NULL)
@@ -31,9 +27,6 @@ dist_oddjobconf_DATA = \
etc/oddjobd.conf.d/ipa-server.conf \
$(NULL)
$(dist_oddjobconf_DATA):%: %.in Makefile
$(AM_V_GEN)sed -e 's|@ODDJOBDIR[@]|$(oddjobdir)|g' $< > $@
PYTHON_SHEBANG = $(nodist_oddjob_SCRIPTS)
CLEANFILES = $(PYTHON_SHEBANG)


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -221,8 +221,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -265,10 +263,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -289,6 +288,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -376,9 +377,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -395,9 +394,6 @@ oddjobconfdir = $(sysconfdir)/oddjobd.conf.d
dbusconfdir = $(sysconfdir)/dbus-1/system.d
dist_noinst_DATA = \
com.redhat.idm.trust-fetch-domains.in \
org.freeipa.server.trust-enable-agent.in \
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf.in \
etc/oddjobd.conf.d/ipa-server.conf.in \
$(NULL)
dist_oddjob_SCRIPTS = \
@@ -406,7 +402,6 @@ dist_oddjob_SCRIPTS = \
nodist_oddjob_SCRIPTS = \
com.redhat.idm.trust-fetch-domains \
org.freeipa.server.trust-enable-agent \
$(NULL)
dist_dbusconf_DATA = \
@@ -740,17 +735,11 @@ uninstall-am: uninstall-dist_dbusconfDATA uninstall-dist_oddjobSCRIPTS \
.PRECIOUS: Makefile
$(dist_oddjobconf_DATA):%: %.in Makefile
$(AM_V_GEN)sed -e 's|@ODDJOBDIR[@]|$(oddjobdir)|g' $< > $@
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@@ -1,100 +1,35 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
from ipaserver import dcerpc
from ipaserver.install.installutils import ScriptError
from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipapython import config, ipautil
from ipalib import api
from ipalib.facts import is_ipa_configured
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
from ipaplatform.constants import constants
from ipaplatform.paths import paths
import io
import sys
import os
import pwd
import tempfile
import textwrap
import six
import gssapi
from ipalib.install.kinit import kinit_keytab, kinit_password
from ipalib.install.kinit import kinit_keytab
if six.PY3:
unicode = str
def parse_options():
usage = "%prog <trusted domain name>\n"
parser = config.IPAOptionParser(
usage=usage, formatter=config.IPAFormatter()
)
parser.add_option(
"-d",
"--debug",
action="store_true",
dest="debug",
help="Display debugging information",
)
parser.add_option(
"-s",
"--server",
action="store",
dest="server",
help="Domain controller for the Active Directory domain (optional)",
)
parser.add_option(
"-a",
"--admin",
action="store",
dest="admin",
help="Active Directory administrator (optional)",
)
parser.add_option(
"-p",
"--password",
action="store",
dest="password",
help="Display debugging information",
)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
# We only use first argument of the passed args but as D-BUS interface
# in oddjobd cannot expose optional, we fill in empty slots from IPA side
# and filter them here.
trusted_domain = ipautil.fsdecode(args[0]).lower()
# Accept domain names that at least have two labels. We do not support
# single label Active Directory domains. This also catches empty args.
if len(DNSName(trusted_domain).labels) < 2:
# LSB status code 2: invalid or excess argument(s)
raise ScriptError("You must specify a valid trusted domain name", 2)
return safe_options, options, trusted_domain
def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
getkeytab_args = [
"/usr/sbin/ipa-getkeytab",
"-s",
api.env.host,
"-p",
oneway_principal,
"-k",
oneway_keytab_name,
"-r",
]
getkeytab_args = ["/usr/sbin/ipa-getkeytab",
"-s", api.env.host,
"-p", oneway_principal,
"-k", oneway_keytab_name,
"-r"]
if os.path.isfile(oneway_keytab_name):
os.unlink(oneway_keytab_name)
ipautil.run(
getkeytab_args,
env={"KRB5CCNAME": ccache_name, "LANG": "C"},
raiseonerr=False,
)
ipautil.run(getkeytab_args, env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
raiseonerr=False)
# Make sure SSSD is able to read the keytab
try:
sssd = pwd.getpwnam(constants.SSSD_USER)
@@ -105,8 +40,9 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
pass
def get_forest_root_domain(api_instance, trusted_domain, server=None):
"""Retrieve trusted forest root domain for given domain name
def get_forest_root_domain(api_instance, trusted_domain):
"""
retrieve trusted forest root domain for given domain name
:param api_instance: IPA API instance
:param trusted_domain: trusted domain name
@@ -114,61 +50,47 @@ def get_forest_root_domain(api_instance, trusted_domain, server=None):
:returns: forest root domain DNS name
"""
trustconfig_show = api_instance.Command.trustconfig_show
flatname = trustconfig_show()["result"]["ipantflatname"][0]
flatname = trustconfig_show()['result']['ipantflatname'][0]
remote_domain = dcerpc.retrieve_remote_domain(
api_instance.env.host, flatname, trusted_domain, realm_server=server
)
api_instance.env.host, flatname, trusted_domain)
return remote_domain.info["dns_forest"]
return remote_domain.info['dns_forest']
def generate_krb5_config(realm, server):
"""Generate override krb5 config file for trusted domain DC access
def parse_options():
usage = "%prog <trusted domain name>\n"
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
:param realm: realm of the trusted AD domain
:param server: server to override KDC to
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information")
:returns: tuple (temporary config file name, KRB5_CONFIG string)
"""
cfg = paths.KRB5_CONF
tcfg = None
if server:
content = textwrap.dedent(u"""
[realms]
%s = {
kdc = %s
}
""") % (
realm.upper(),
server,
)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
(fd, tcfg) = tempfile.mkstemp(dir="/run/ipa",
prefix="krb5conf", text=True)
with io.open(fd, mode='w', encoding='utf-8') as o:
o.write(content)
cfg = ":".join([tcfg, cfg])
return (tcfg, cfg)
return safe_options, options, args
if not is_ipa_configured():
# LSB status code 6: program is not configured
raise ScriptError(
"IPA is not configured "
+ "(see man pages of ipa-server-install for help)",
6,
)
raise ScriptError("IPA is not configured " +
"(see man pages of ipa-server-install for help)", 6)
if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise ScriptError("You must be root to run ipactl.", 4)
safe_options, options, trusted_domain = parse_options()
safe_options, options, args = parse_options()
api.bootstrap(
in_server=True, log=None, context="server", confdir=paths.ETC_IPA
)
if len(args) != 1:
# LSB status code 2: invalid or excess argument(s)
raise ScriptError("You must specify trusted domain name", 2)
trusted_domain = ipautil.fsdecode(args[0]).lower()
api.bootstrap(in_server=True, log=None,
context='server', confdir=paths.ETC_IPA)
api.finalize()
# Only import trust plugin after api is initialized or internal imports
@@ -188,12 +110,12 @@ from ipaserver.plugins import trust
# and retrieve our own NetBIOS domain name and use cifs/ipa.master@IPA.REALM to
# retrieve the keys to oneway_keytab_name.
keytab_name = "/etc/samba/samba.keytab"
keytab_name = '/etc/samba/samba.keytab'
principal = str("cifs/" + api.env.host)
principal = str('cifs/' + api.env.host)
oneway_ccache_name = "/run/ipa/krb5cc_oddjob_trusts_fetch"
ccache_name = "/run/ipa/krb5cc_oddjob_trusts"
oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch'
ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts'
# Standard sequence:
# - check if ccache exists
@@ -207,126 +129,70 @@ try:
cred = kinit_keytab(principal, keytab_name, ccache_name)
if cred.lifetime > 0:
have_ccache = True
except (gssapi.exceptions.ExpiredCredentialsError, gssapi.raw.misc.GSSError):
except gssapi.exceptions.ExpiredCredentialsError:
pass
if not have_ccache:
# delete stale ccache and try again
if os.path.exists(ccache_name):
if os.path.exists(oneway_ccache_name):
os.unlink(ccache_name)
cred = kinit_keytab(principal, keytab_name, ccache_name)
old_ccache = os.environ.get("KRB5CCNAME")
old_config = os.environ.get("KRB5_CONFIG")
old_ccache = os.environ.get('KRB5CCNAME')
api.Backend.ldap2.connect(ccache_name)
# Retrieve own NetBIOS name and trusted forest's name.
# We use script's input to retrieve the trusted forest's name to sanitize input
# for file-level access as we might need to wipe out keytab in /var/lib/sss/keytabs
own_trust_dn = DN(
("cn", api.env.domain), ("cn", "ad"), ("cn", "etc"), api.env.basedn
)
own_trust_entry = api.Backend.ldap2.get_entry(own_trust_dn, ["ipantflatname"])
own_trust_flatname = own_trust_entry.single_value.get("ipantflatname").upper()
trusted_domain_dn = DN(
("cn", trusted_domain.lower()), api.env.container_adtrusts, api.env.basedn
)
trusted_domain_entry = api.Backend.ldap2.get_entry(trusted_domain_dn, ["cn"])
trusted_domain = trusted_domain_entry.single_value.get("cn").lower()
own_trust_dn = DN(('cn', api.env.domain),('cn','ad'), ('cn', 'etc'), api.env.basedn)
own_trust_entry = api.Backend.ldap2.get_entry(own_trust_dn, ['ipantflatname'])
own_trust_flatname = own_trust_entry.single_value.get('ipantflatname').upper()
trusted_domain_dn = DN(('cn', trusted_domain.lower()), api.env.container_adtrusts, api.env.basedn)
trusted_domain_entry = api.Backend.ldap2.get_entry(trusted_domain_dn, ['cn'])
trusted_domain = trusted_domain_entry.single_value.get('cn').lower()
# At this point if we didn't find trusted forest name, an exception will be raised
# and script will quit. This is actually intended.
# Generate MIT Kerberos configuration file that potentially overlays
# the KDC to connect to for a trusted domain to allow --server option
# to take precedence.
cfg_file, cfg = generate_krb5_config(trusted_domain, options.server)
oneway_keytab_name = '/var/lib/sss/keytabs/' + trusted_domain + '.keytab'
oneway_principal = str('%s$@%s' % (own_trust_flatname, trusted_domain.upper()))
if not (options.admin and options.password):
oneway_keytab_name = "/var/lib/sss/keytabs/" + trusted_domain + ".keytab"
oneway_principal = str(
"%s$@%s" % (own_trust_flatname, trusted_domain.upper())
)
# If keytab does not exist, retrieve it
if not os.path.isfile(oneway_keytab_name):
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
# If keytab does not exist, retrieve it
if not os.path.isfile(oneway_keytab_name):
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
try:
have_ccache = False
try:
have_ccache = False
try:
# The keytab may have stale key material (from older trust-add run)
cred = kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
config=cfg,
)
if cred.lifetime > 0:
have_ccache = True
except (gssapi.exceptions.ExpiredCredentialsError, gssapi.raw.misc.GSSError):
pass
if not have_ccache:
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
config=cfg,
)
except (gssapi.exceptions.GSSError, gssapi.raw.misc.GSSError):
# If there was failure on using keytab, assume it is stale and retrieve again
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
# The keytab may have stale key material (from older trust-add run)
cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
if cred.lifetime > 0:
have_ccache = True
except gssapi.exceptions.ExpiredCredentialsError:
pass
if not have_ccache:
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
cred = kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
config=cfg,
)
else:
cred = kinit_password(
options.admin,
options.password,
oneway_ccache_name,
canonicalize=True,
enterprise=True,
config=cfg,
)
if cred and cred.lifetime > 0:
have_ccache = True
if not have_ccache:
sys.exit(1)
kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
except gssapi.exceptions.GSSError:
# If there was failure on using keytab, assume it is stale and retrieve again
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
# We are done: we have ccache with TDO credentials and can fetch domains
ipa_domain = api.env.domain
os.environ["KRB5CCNAME"] = oneway_ccache_name
os.environ["KRB5_CONFIG"] = cfg
os.environ['KRB5CCNAME'] = oneway_ccache_name
# retrieve the forest root domain name and contact it to retrieve trust
# topology info
forest_root = get_forest_root_domain(
api, trusted_domain, server=options.server
)
domains = dcerpc.fetch_domains(
api, ipa_domain, forest_root, creds=True, server=options.server
)
forest_root = get_forest_root_domain(api, trusted_domain)
if old_ccache:
os.environ["KRB5CCNAME"] = old_ccache
if old_config:
os.environ["KRB5_CONFIG"] = old_config
if cfg_file:
os.remove(cfg_file)
trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)[
"result"
]
domains = dcerpc.fetch_domains(api, ipa_domain, forest_root, creds=True)
trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result']
trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
if old_ccache:
os.environ['KRB5CCNAME'] = old_ccache
sys.exit(0)
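Review bot: In the last hunk the stale-ccache cleanup on the new side reads `if os.path.exists(oneway_ccache_name):` followed by `os.unlink(ccache_name)` — it tests one cache file and unlinks a different one, so a stale `/var/run/ipa/krb5cc_oddjob_trusts` is left in place when the oneway cache is absent, and `os.unlink` raises FileNotFoundError when only the oneway cache exists; the test should be `if os.path.exists(ccache_name):` to match the file unlinked on the next line. The `os.environ['KRB5CCNAME'] = old_ccache` restore near the end runs only on the success path; that is harmless because the script exits either way, but a one-line comment saying so would stop a reader from treating it as a cleanup guarantee. This is a flat script, so the hunks share one top-level scope and parse_options()/retrieve_keytab() defined in the first hunk are what the last hunk calls. Which printed line of each pair is old and which is new is inferred from the shebang pairing (`@PYTHONSHEBANG@` on the new side) rather than from markers.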


@@ -6,13 +6,7 @@
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
<helper exec="/usr/local/libexec/ipa/oddjob/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
<method name="trust_enable_agent">
<helper exec="/usr/local/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent"
<helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>


@@ -1,26 +0,0 @@
<?xml version="1.0"?>
<oddjobconfig>
<service name="org.freeipa.server">
<allow user="root"/>
<allow user="ipaapi"/>
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
<helper exec="@ODDJOBDIR@/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
<method name="trust_enable_agent">
<helper exec="@ODDJOBDIR@/org.freeipa.server.trust-enable-agent"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
</interface>
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
</interface>
</object>
</service>
</oddjobconfig>


@@ -10,8 +10,8 @@
</interface>
<interface name="com.redhat.idm.trust">
<method name="fetch_domains">
<helper exec="/usr/local/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
arguments="30"
<helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
arguments="1"
argument_passing_method="cmdline"
prepend_user_name="no"/>
</method>


@@ -1,21 +0,0 @@
<?xml version="1.0"?>
<oddjobconfig>
<service name="com.redhat.idm.trust">
<allow user="root"/>
<allow user="ipaapi"/>
<object name="/">
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
<!-- <method name="Introspect"/> -->
</interface>
<interface name="com.redhat.idm.trust">
<method name="fetch_domains">
<helper exec="@ODDJOBDIR@/com.redhat.idm.trust-fetch-domains"
arguments="30"
argument_passing_method="cmdline"
prepend_user_name="no"/>
</method>
</interface>
</object>
</service>
</oddjobconfig>


@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_trust_enable_agent import IPATrustEnableAgent
IPATrustEnableAgent.run_cli()


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -215,8 +215,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -259,10 +257,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -283,6 +282,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -370,9 +371,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -631,12 +630,9 @@ uninstall-am: uninstall-appDATA
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
@@ -43,9 +43,7 @@ from ipapython.certdb import TrustFlags
def _main():
nickname = sys.argv[1]
api.bootstrap(
in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
)
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
dogtag_service = services.knownservices['pki_tomcatd']


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
@@ -34,9 +34,7 @@ from ipaplatform.paths import paths
def _main():
api.bootstrap(
in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
)
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
tmpdir = tempfile.mkdtemp(prefix="tmp-")


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
@@ -34,9 +34,7 @@ def _main():
except IndexError:
instance = ""
api.bootstrap(
in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
)
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
@@ -28,9 +28,7 @@ from ipaserver.install import certs
def main():
api.bootstrap(
in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
)
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
dogtag_service = services.knownservices['pki_tomcatd']


@@ -2,7 +2,6 @@
##
## Attributes: 2.16.840.1.113730.3.8.3 - V2 base attributres
## ObjectClasses: 2.16.840.1.113730.3.8.4 - V2 base objectclasses
## Attributes: 2.16.840.1.113730.3.8.23 - V4 base attributes
##
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
@@ -22,10 +21,8 @@ objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entit
objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
# Same for memberManager except it's actually v4 attribute
attributeTypes: (2.16.840.1.113730.3.8.23.1 NAME 'memberManager' DESC 'DNs of entries allowed to manage group membership' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4')
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL MAY memberManager X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL MAY memberManager X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.5 NAME 'memberUser' DESC 'Reference to a principal that performs an action (usually user).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.6 NAME 'userCategory' DESC 'Additional classification for users' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to a device where the operation takes place (usually host).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )


@@ -43,13 +43,11 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.23 NAME 'ipaCertificateSubjectBase' SY
attributeTypes: (2.16.840.1.113730.3.8.3.16 NAME 'ipaConfigString' DESC 'Generic configuration stirng' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' DESC 'Default SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC 'Available SELinux user context ordering' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
## ipaMaxHostnameLength - maximum hostname length to allow
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
###############################################
##
## ObjectClasses
##
## ipaGuiConfig - GUI config parameters objectclass
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength) )
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData ) )
## ipaConfigObject - Generic config strings object holder
objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )


@@ -269,10 +269,6 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY
##### A list of authentication indicator strings, one of which must be satisfied
##### to authenticate to the principal as a service.
attributetypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### The maximum ticket lifetime for a principal based on authentication indicator in seconds. Indicator is specified as an attribute option
attributetypes: ( 2.16.840.1.113730.3.8.15.2.2 NAME 'krbAuthIndMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
##### Maximum renewable lifetime for a principal's ticket based on authentication indicator in seconds. Indicator is specified as an attribute option
attributetypes: ( 2.16.840.1.113730.3.8.15.2.3 NAME 'krbAuthIndMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
########################################################################
# Object Class Definitions #
########################################################################
@@ -316,6 +312,6 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbSe
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge $ krbAuthIndMaxTicketLife $ krbAuthIndMaxRenewableAge ) )
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )


@@ -12,6 +12,3 @@ attributeTypes: (2.16.840.1.113730.3.8.22.1.5 NAME 'ipaCertMapPriority' DESC 'Ru
objectClasses: (2.16.840.1.113730.3.8.22.2.1 NAME 'ipaCertMapConfigObject' DESC 'IPA Certificate Mapping global config options' AUXILIARY MAY ipaCertMapPromptUsername X-ORIGIN 'IPA v4.5' )
objectClasses: (2.16.840.1.113730.3.8.22.2.2 NAME 'ipaCertMapRule' DESC 'IPA Certificate Mapping rule' SUP top STRUCTURAL MUST cn MAY ( description $ ipaCertMapMapRule $ ipaCertMapMatchRule $ associatedDomain $ ipaCertMapPriority $ ipaEnabledFlag ) X-ORIGIN 'IPA v4.5' )
objectClasses: (2.16.840.1.113730.3.8.22.2.3 NAME 'ipaCertMapObject' DESC 'IPA Object for Certificate Mapping' AUXILIARY MAY ipaCertMapData X-ORIGIN 'IPA v4.5' )
# altSecurityIdentities attribute is from MS-WSPP AD schema
# we define it here to have proper indexed searches
attributeTypes: (1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' DESC 'Alt-Security-Identities' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'MS-WSPP')


@@ -39,26 +39,21 @@ dist_app_DATA = \
replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
dnssec.ldif \
domainlevel.ldif \
kerberos.ldif \
indices.ldif \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.named.conf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
kdc_req.conf.template \
krb5.conf.template \
freeipa-server.template \
krb5.ini.template \
krb.con.template \
krbrealm.con.template \
smb.conf.template \
smb.conf.registry.template \
smb.conf.empty \
referint-conf.ldif \
dna.ldif \
@@ -70,6 +65,7 @@ dist_app_DATA = \
opendnssec_conf.template \
opendnssec_kasp.template \
unique-attributes.ldif \
ldapi.ldif \
wsgi.py \
repoint-managed-entries.ldif \
managed-entries.ldif \
@@ -80,7 +76,6 @@ dist_app_DATA = \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
pw-logging-conf.ldif \
sudobind.ldif \
automember.ldif \
replica-automember.ldif \
@@ -99,10 +94,6 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
ldbm-tuning.ldif \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -275,8 +275,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -319,10 +317,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -343,6 +342,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -430,9 +431,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -483,26 +482,21 @@ dist_app_DATA = \
replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
dnssec.ldif \
domainlevel.ldif \
kerberos.ldif \
indices.ldif \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.named.conf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
kdc_req.conf.template \
krb5.conf.template \
freeipa-server.template \
krb5.ini.template \
krb.con.template \
krbrealm.con.template \
smb.conf.template \
smb.conf.registry.template \
smb.conf.empty \
referint-conf.ldif \
dna.ldif \
@@ -514,6 +508,7 @@ dist_app_DATA = \
opendnssec_conf.template \
opendnssec_kasp.template \
unique-attributes.ldif \
ldapi.ldif \
wsgi.py \
repoint-managed-entries.ldif \
managed-entries.ldif \
@@ -524,7 +519,6 @@ dist_app_DATA = \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
pw-logging-conf.ldif \
sudobind.ldif \
automember.ldif \
replica-automember.ldif \
@@ -543,10 +537,6 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
ldbm-tuning.ldif \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -274,8 +274,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -318,10 +316,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -342,6 +341,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -429,9 +430,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -214,8 +214,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -258,10 +256,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -282,6 +281,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -369,9 +370,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@@ -1,16 +0,0 @@
/* User customization for BIND named
*
* This file is included in $NAMED_CONF and is not modified during IPA
* upgrades.
*
* "options" settings must be configured in $NAMED_CUSTOM_OPTIONS_CONF.
*
* Example: ACL for recursion access:
*
* acl "trusted_network" {
* localnets;
* localhost;
* 234.234.234.0/24;
* 2001::co:ffee:babe:1/48;
* };
*/


@@ -1,18 +0,0 @@
/* User customization for BIND named
*
* This file is included in $NAMED_CONF and is not modified during IPA
* upgrades.
*
* It must only contain "options" settings. Any other setting must be
* configured in $NAMED_CUSTOM_CONF.
*
* Examples:
* allow-recursion { trusted_network; };
* allow-query-cache { trusted_network; };
*/
/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
listen-on-v6 { any; };
/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation $NAMED_DNSSEC_VALIDATION;


@@ -1,27 +1,26 @@
/* WARNING: This config file is managed by IPA.
*
* DO NOT MODIFY! Any modification will be overwritten by upgrades.
*
*
* - $NAMED_CUSTOM_OPTIONS_CONF (for options)
* - $NAMED_CUSTOM_CONF (all other settings)
*/
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
dump-file "${NAMED_DATA_DIR}cache_dump.db";
statistics-file "${NAMED_DATA_DIR}named_stats.txt";
memstatistics-file "${NAMED_DATA_DIR}named_mem_stats.txt";
tkey-gssapi-keytab "$NAMED_KEYTAB";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "$NAMED_KEYTAB";
pid-file "$NAMED_PID";
managed-keys-directory "$MANAGED_KEYS_DIR";
dnssec-enable yes;
dnssec-validation yes;
/* user customizations of options */
include "$NAMED_CUSTOM_OPTIONS_CONF";
/* Path to ISC DLV key */
bindkeys-file "$BINDKEYS_FILE";
managed-keys-directory "$MANAGED_KEYS_DIR";
/* crypto policy snippet on platforms with system-wide policy. */
$INCLUDE_CRYPTO_POLICY
@@ -47,14 +46,15 @@ ${NAMED_ZONE_COMMENT}};
include "$RFC1912_ZONES";
include "$ROOT_KEY";
/* user customization */
include "$NAMED_CUSTOM_CONF";
/* WARNING: This part of the config file is IPA-managed.
* Modifications may break IPA setup or upgrades.
*/
dyndb "ipa" "$BIND_LDAP_SO" {
uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
base "cn=dns,$SUFFIX";
base "cn=dns, $SUFFIX";
server_id "$FQDN";
auth_method "sasl";
sasl_mech "GSSAPI";
sasl_user "DNS/$FQDN";
};
/* End of IPA-managed part. */
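Review bot: `allow-recursion { any; };` under the `// Any host is permitted to issue recursive queries` comment in the first hunk turns named into a recursive resolver for every client that can reach port 53, which on a server reachable beyond its own networks is the classic open-resolver exposure; that this line sits on the new side is inferred from the customization snippets deleted earlier in this commit, where recursion was left to an operator-supplied ACL, so please confirm the pairing. If the template has to ship a default, BIND's own `localnets; localhost;` or an explicit ACL is the safer one, e.g. `allow-recursion { localnets; localhost; };` with a comment that deployments needing wider recursion widen it deliberately. The same hunk keeps `dnssec-enable yes;` and the `/* Path to ISC DLV key */` comment on `bindkeys-file`; current BIND releases treat `dnssec-enable` as obsolete and the DLV registry no longer exists, so at least the comment is stale.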


@@ -34,12 +34,6 @@ objectClass: top
objectClass: nsContainer
cn: hostgroups
dn: cn=ipservices,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: ipservices
dn: cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
@@ -232,13 +226,12 @@ objectClass: ipaobject
objectClass: ipasshuser
uid: admin
krbPrincipalName: admin@$REALM
krbPrincipalName: root@$REALM
cn: Administrator
sn: Administrator
uidNumber: $IDSTART
gidNumber: $IDSTART
homeDirectory: /home/admin
loginShell: $DEFAULT_ADMIN_SHELL
loginShell: /bin/bash
gecos: Administrator
nsAccountLock: FALSE
ipaUniqueID: autogenerate
@@ -347,14 +340,6 @@ cn: sudo-i
description: sudo-i
ipauniqueid:autogenerate
dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: systemd-user
description: pam_systemd and systemd user@.service
ipauniqueid:autogenerate
dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
@@ -403,10 +388,9 @@ ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 100
ipaHomesRootDir: /home
ipaDefaultLoginShell: $DEFAULT_SHELL
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 32
ipaMaxHostnameLength: 64
ipaPwdExpAdvNotify: 4
ipaGroupObjectClasses: top
ipaGroupObjectClasses: groupofnames
@@ -427,8 +411,8 @@ ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
ipaConfigString: KDC:Disable Last Success
ipaSELinuxUserMapOrder: $SELINUX_USERMAP_ORDER
ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$sysadm_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add


@@ -70,19 +70,6 @@ changetype: modify
add: aci
aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of a host group
dn: cn=hostgroups,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX


@@ -12,16 +12,3 @@ ipaenabledflag: TRUE
description: Allow all users to access any host from any host
ipauniqueid: autogenerate
# default HBAC policy for pam_systemd
dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
changetype: add
objectclass: ipaassociation
objectclass: ipahbacrule
cn: allow_systemd-user
accessruletype: allow
usercategory: all
hostcategory: all
memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
ipaenabledflag: TRUE
description: Allow pam_systemd to run user@.service to create a system user session
ipauniqueid: autogenerate


@@ -12,7 +12,6 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
dn: cn=servers,cn=dns,$SUFFIX
changetype: add


@@ -1,5 +0,0 @@
# Installed and maintained by ipa update tools, please do not modify
[Service]
Environment=KRB5_KTNAME=$KRB5_KTNAME
Environment=KRB5CCNAME=$KRB5CCNAME


@@ -1,9 +0,0 @@
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
kdcpolicy = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}


@@ -6,7 +6,6 @@ cn:krbPrincipalName
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
nsIndexType:pres
nsMatchingRule:caseIgnoreIA5Match
nsMatchingRule:caseExactIA5Match
@@ -217,40 +216,6 @@ ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: automountMapName
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaConfigString
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaEnabledFlag
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaKrbAuthzData
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
@@ -368,62 +333,3 @@ objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
# NOTE: There is no index on ipServiceProtocol because the index would have
# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol.
dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipServicePort
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: accessRuleType
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: hostCategory
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: idnsName
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaCertmapData
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: altSecurityIdentities
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberManager
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres


@@ -1,4 +1,4 @@
# VERSION 15 - DO NOT REMOVE THIS LINE
# VERSION 13 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -6,7 +6,7 @@ ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
@@ -14,7 +14,7 @@ ProxyRequests Off
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
@@ -22,15 +22,23 @@ ProxyRequests Off
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient require
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
# matches for REST API of CA, KRA, and PKI
<LocationMatch "^/(ca|kra|pki)/rest/">
# matches for CA REST API
<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
# matches for KRA REST API
<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
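Review bot: Every `ProxyPassMatch ajp://localhost:$DOGTAG_PORT` line on the new side of this section has no AJP secret, while the line each one replaces passes `$DOGTAG_AJP_SECRET`; the old/new assignment is inferred from the `VERSION 15` → `VERSION 13` header in the first hunk, so please confirm. Without the shared secret, anything that can open a connection to the AJP port can submit requests to Dogtag as though they came from the httpd front end, and Tomcat builds that insist on a secret for AJP connectors will refuse the proxied connection altogether. If the template is intentionally pinned to a configuration that predates the secret, say so next to the version line, e.g. `# AJP secret intentionally omitted: the target Dogtag/Tomcat does not enforce one`, so the omission is not mistaken for an oversight.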


@@ -1,5 +1,5 @@
#
# VERSION 31 - DO NOT REMOVE THIS LINE
# VERSION 30 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -164,7 +164,7 @@ Alias /ipa/config "/usr/share/ipa/html"
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
Allow from all
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
</Directory>
@@ -177,18 +177,18 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Require all granted
Allow from all
</Directory>
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "${FONTS_OPENSANS_DIR}"
Alias /ipa/ui/fonts/fontawesome "${FONTS_FONTAWESOME_DIR}"
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
<Directory "${FONTS_DIR}">
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Directory>
@@ -200,7 +200,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
@@ -213,7 +213,7 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
AllowOverride None
Satisfy Any
Require all granted
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
@@ -223,7 +223,7 @@ Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Require all granted
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
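Review bot: `Allow from all` on the new side of each `<Directory>` block in this section is the httpd 2.2 access-control syntax; on httpd 2.4 it is only honoured when mod_access_compat is loaded, and `Satisfy Any` a line above it is likewise a 2.2-era directive, so the effective access rule for `/ipa/config`, `/ipa/crl`, the font aliases, `/ipa/ui`, `/ipa/wsgi` and `/ipa/migration` depends on which compatibility module happens to be present. If the target httpd is 2.4, `Require all granted` is the directive to keep; if 2.2 compatibility is the intent, a comment next to the `# VERSION 30` line stating that the file relies on mod_access_compat would save the next reader the check.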


@@ -1,119 +0,0 @@
#
# Dogtag PKI configuration file
#
# Notes:
# - "%" must be quoted as "%%".
# - options in the [CA] and [KRA] section cannot be overriden from options
# in the [DEFAULT] section
# - pki_*_token options are hard-coded to pki_token_name
# - pki_sslserver_token is hard-coded to 'internal'
# - pki_backup_keys is automatically disabled when HSM support is enabled,
# as HSM backup is not possible with the default mechanism.
#
# Predefined variables
# - ipa_ca_subject
# - ipa_ajp_secret
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password
# - pki_dns_domainname
# - softhsm2_so
[DEFAULT]
# default algorithms for all certificates
ipa_key_algorithm=SHA256withRSA
ipa_key_size=2048
ipa_key_type=rsa
ipa_signing_algorithm=SHA256withRSA
# Used for IPA CA
# signing algorithm can be overriden on command line
ipa_ca_key_algorithm=%(ipa_key_algorithm)s
ipa_ca_key_size=3072
ipa_ca_key_type=%(ipa_key_type)s
ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
# HSM support
pki_hsm_enable=False
pki_hsm_libfile=
pki_hsm_modulename=
pki_token_name=internal
# backup is automatically disabled when HSM support is enabled
pki_backup_keys=True
pki_backup_password=%(pki_admin_password)s
pki_admin_email=root@localhost
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
pki_audit_signing_key_size=%(ipa_key_size)s
pki_audit_signing_key_type=%(ipa_key_type)s
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_audit_signing_token=%(pki_token_name)s
# Configures the status request timeout, i.e. the connect/data
# timeout on the HTTP request to get the status of Dogtag.
#
# This configuration is needed in "multiple IP address" scenarios
# where this server's hostname has multiple IP addresses but the
# HTTP server is only listening on one of them. Without a timeout,
# if a "wrong" IP address is tried first, it will take a long time
# to timeout, exceeding the overall timeout hence the request will
# not be re-tried. Setting a shorter timeout allows the request
# to be re-tried.
#
# Note that HSMs cause different behaviour so this value might
# not be suitable for when we implement HSM support. It is
# known that a value of 5s is too short in HSM environment.
#
pki_status_request_timeout=15
# for supporting server cert SAN injection
pki_san_inject=False
pki_san_for_server_cert=
## Server-Cert cert-pki-ca
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
pki_sslserver_key_size=%(ipa_key_size)s
pki_sslserver_key_type=%(ipa_key_type)s
## subsystemCert cert-pki-ca
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
pki_subsystem_key_size=%(ipa_key_size)s
pki_subsystem_key_type=%(ipa_key_type)s
pki_subsystem_token=%(pki_token_name)s
[CA]
pki_random_serial_numbers_enable=False
## caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
pki_ca_signing_key_size=%(ipa_ca_key_size)s
pki_ca_signing_key_type=%(ipa_ca_key_type)s
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_token=%(pki_token_name)s
## ocspSigningCert cert-pki-ca
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s
pki_ocsp_signing_key_type=%(ipa_key_type)s
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_ocsp_signing_token=%(pki_token_name)s
[KRA]
pki_kra_ephemeral_requests=True
## storageCert cert-pki-kra
pki_storage_key_algorithm=%(ipa_key_algorithm)s
pki_storage_key_size=%(ipa_key_size)s
pki_storage_key_type=%(ipa_key_type)s
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
pki_storage_token=%(pki_token_name)s
## transportCert cert-pki-kra
pki_transport_key_algorithm=%(ipa_key_algorithm)s
pki_transport_key_size=%(ipa_key_size)s
pki_transport_key_type=%(ipa_key_type)s
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
pki_transport_token=%(pki_token_name)s


@@ -1,169 +0,0 @@
#
# Dogtag PKI configuration file
#
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
# by a user without breaking FreeIPA internals.
#
# Note: "%" must be quoted as "%%".
#
[DEFAULT]
ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
# ipa_admin_cert_p12=
# ipa_admin_user=
# sensitive dynamic values
# pki_admin_password=
# pki_ds_password=
# Dogtag defaults
pki_instance_name=pki-tomcat
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
pki_admin_cert_request_type=pkcs10
pki_admin_dualkey=False
pki_admin_name=%(ipa_admin_user)s
pki_admin_nickname=ipa-ca-agent
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
pki_admin_uid=%(ipa_admin_user)s
pki_ca_hostname=%(pki_security_domain_hostname)s
pki_ca_port=%(pki_security_domain_https_port)s
# nickname and subject are hard-coded
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
pki_client_pkcs12_password=%(pki_admin_password)s
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
# CA: o=ipaca, KRA: o=kra,o=ipaca
pki_ds_base_dn=o=ipaca
pki_ds_database=ipaca
pki_ds_hostname=%(ipa_fqdn)s
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
pki_security_domain_name=IPA
pki_security_domain_password=%(pki_admin_password)s
pki_security_domain_user=%(ipa_admin_user)s
pki_self_signed_token=internal
pki_skip_configuration=False
pki_skip_ds_verify=False
pki_skip_installation=False
pki_skip_sd_verify=False
pki_sslserver_token=internal
pki_ssl_server_token=%(pki_sslserver_token)s
pki_sslserver_nickname=Server-Cert cert-pki-ca
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
# nickname and subject are hard-coded
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
pki_audit_group=pkiaudit
pki_group=pkiuser
pki_user=pkiuser
pki_existing=False
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
pki_cert_chain_nickname=caSigningCert External CA
pki_pkcs12_path=
pki_pkcs12_password=
[CA]
pki_ds_base_dn=o=ipaca
pki_ca_signing_record_create=True
pki_ca_signing_serial_number=1
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
pki_ca_signing_csr_path=/root/ipa.csr
pki_ca_starting_crl_number=0
pki_external=False
pki_external_step_two=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s
pki_import_admin_cert=False
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
pki_profiles_in_ldap=True
pki_subordinate=False
pki_subordinate_create_new_security_domain=False
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
pki_share_db=False
pki_master_crl_enable=True
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
pki_request_number_range_start=1
pki_request_number_range_end=10000000
pki_replica_number_range_start=1
pki_replica_number_range_end=100
[KRA]
pki_ds_base_dn=o=kra,o=ipaca
pki_ds_create_new_db=False
pki_ds_secure_connection=True
pki_import_admin_cert=True
pki_standalone=False
pki_external_step_two=False
pki_storage_nickname=storageCert cert-pki-kra
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
pki_transport_nickname=transportCert cert-pki-kra
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca


@@ -1,9 +0,0 @@
#
# Example config for softhsm2
#
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=%(softhsm2_so)s
pki_hsm_modulename=softhsm2
pki_token_name=softhsm_token

@@ -17,7 +17,4 @@
pkinit_anchors = FILE:$KDC_CERT
pkinit_anchors = FILE:$CACERT_PEM
pkinit_pool = FILE:$CA_BUNDLE_PEM
pkinit_indicator = pkinit
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}

@@ -18,14 +18,14 @@ krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes128-sha2:normal
krbSupportedEncSaltTypes: aes128-sha2:special
krbSupportedEncSaltTypes: aes256-sha2:normal
krbSupportedEncSaltTypes: aes256-sha2:special
${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
krbSupportedEncSaltTypes: camellia128-cts-cmac:special
krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
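Review bot: The variant of this block that lists `des3-hmac-sha1` and `arcfour-hmac` (normal and special) advertises enctypes that RFC 8429 deprecates, so keys of those types can still be generated and negotiated for every principal this KDC serves; judging by the commit direction (a Debian import of 4.7.2) that variant appears to be the new side, though print order alone does not prove it. On the same side the four camellia entries lose the `${FIPS}` prefix that the other side carries, which presumably lets the substitution disable them in FIPS mode, so they would now be advertised unconditionally. If the weak types are kept for compatibility, a comment stating why, or the same `${FIPS}`-style substitution so a deployment can switch them off, would help; as written only `krbDefaultEncSaltTypes` on the last line steers new keys towards AES.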

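--- a/install/share/ldapi.ldif
+++ b/install/share/ldapi.ldif
@@ -0,0 +1,6 @@
+# Enable the ldapi listener
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapilisten
+nsslapd-ldapilisten: on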

@@ -1,4 +0,0 @@
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: 50000

@@ -33,7 +33,7 @@
</Privileges>
<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
$INTERVAL
<Interval>PT3600S</Interval>
<!-- <ManualKeyGeneration/> -->
<!-- <RolloverNotification>P14D</RolloverNotification> -->

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -214,8 +214,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -258,10 +256,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -282,6 +281,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -369,9 +370,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@

@@ -1,5 +0,0 @@
dn: cn=config
changetype: modify
replace: nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: nolog

@@ -8,29 +8,29 @@ aci: (targetattr = "cn || createtimestamp || description || entryusn || modifyti
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr = "nsslapd-readonly")(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -274,8 +274,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -318,10 +316,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -342,6 +341,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -429,9 +430,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@

@@ -1,35 +0,0 @@
[global]
workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME
realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://$LDAPI_SOCKET
disable spoolss = yes
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = $SUFFIX
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
idmap config * : backend = tdb
idmap config * : range = 0 - 0
idmap config $NETBIOS_NAME : backend = sss
idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
max smbd processes = 1000

@@ -1,7 +1,30 @@
### Added by IPA Installer ###
# DO NOT EDIT #
[global]
debug pid = yes
state directory = $SAMBA_DIR
cache directory = $SAMBA_DIR
include = registry
workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME
realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://$LDAPI_SOCKET
disable spoolss = yes
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = $SUFFIX
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

@@ -28,14 +28,10 @@ dist_noinst_DATA = \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -62,8 +58,6 @@ nodist_sbin_SCRIPTS = \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
appdir = $(libexecdir)/ipa/
@@ -71,9 +65,11 @@ nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
dist_app_SCRIPTS = \
ipa-httpd-pwdreader \
$(NULL)
PYTHON_SHEBANG = \

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -102,8 +102,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_app_SCRIPTS) \
$(dist_noinst_DATA) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -135,8 +135,10 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"
SCRIPTS = $(nodist_app_SCRIPTS) $(nodist_sbin_SCRIPTS)
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(appdir)" \
"$(DESTDIR)$(sbindir)"
SCRIPTS = $(dist_app_SCRIPTS) $(nodist_app_SCRIPTS) \
$(nodist_sbin_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -278,8 +280,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -322,10 +322,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -346,6 +347,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -433,9 +436,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -475,14 +476,10 @@ dist_noinst_DATA = \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -509,8 +506,6 @@ nodist_sbin_SCRIPTS = \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
appdir = $(libexecdir)/ipa/
@@ -518,9 +513,11 @@ nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
dist_app_SCRIPTS = \
ipa-httpd-pwdreader \
$(NULL)
PYTHON_SHEBANG = \
@@ -562,6 +559,41 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-dist_appSCRIPTS: $(dist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(dist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-dist_appSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(dist_app_SCRIPTS)'; test -n "$(appdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
install-nodist_appSCRIPTS: $(nodist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
@@ -801,7 +833,7 @@ check: check-recursive
all-am: Makefile $(SCRIPTS) $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"; do \
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
@@ -855,7 +887,7 @@ info: info-recursive
info-am:
install-data-am: install-nodist_appSCRIPTS
install-data-am: install-dist_appSCRIPTS install-nodist_appSCRIPTS
install-dvi: install-dvi-recursive
@@ -899,7 +931,8 @@ ps: ps-recursive
ps-am:
uninstall-am: uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
uninstall-am: uninstall-dist_appSCRIPTS uninstall-nodist_appSCRIPTS \
uninstall-nodist_sbinSCRIPTS
.MAKE: $(am__recursive_targets) install-am install-strip
@@ -907,28 +940,27 @@ uninstall-am: uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
check-am clean clean-generic clean-libtool cscopelist-am ctags \
ctags-am distclean distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install install-am install-data install-data-am \
install-dist_appSCRIPTS install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man \
install-nodist_appSCRIPTS install-nodist_sbinSCRIPTS \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am \
uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
uninstall-dist_appSCRIPTS uninstall-nodist_appSCRIPTS \
uninstall-nodist_sbinSCRIPTS
.PRECIOUS: Makefile
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
@@ -213,14 +213,8 @@ def main():
adtrust.install(True, options, fstore, api)
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
dns_help = adtrust.generate_dns_service_records_help(api)
if dns_help:
for line in dns_help:
service.print_msg(line, sys.stdout)
else:
api.Command.dns_update_system_records()
service.enable_services(api.env.host)
api.Command.dns_update_system_records()
print("""
=============================================================================

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2013 Red Hat

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
@@ -35,9 +35,8 @@ from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, service
from ipaserver.install import custodiainstance
from ipaserver.masters import find_providing_server
from ipapython import version
from ipalib import api, x509
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
@@ -68,13 +67,13 @@ def parse_options():
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
ext_cas = tuple(x.value for x in x509.ExternalCAType)
ext_cas = tuple(x.value for x in cainstance.ExternalCAType)
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=ext_cas,
metavar="{{{0}}}".format(",".join(ext_cas)),
help="Type of the external CA. Default: generic")
parser.add_option("--external-ca-profile", dest="external_ca_profile",
type='constructor', constructor=x509.ExternalCAProfile,
type='constructor', constructor=cainstance.ExternalCAProfile,
default=None, metavar="PROFILE-SPEC",
help="Specify the certificate profile/template to use "
"at the external CA")
@@ -86,7 +85,6 @@ def parse_options():
type="choice", choices=ca_algos,
metavar="{{{0}}}".format(",".join(ca_algos)),
help="Signing algorithm of the IPA CA certificate")
parser.add_option("-P", "--principal", dest="principal", sensitive=True,
default=None, help="User allowed to manage replicas")
parser.add_option("--subject-base", dest="subject_base",
@@ -102,10 +100,6 @@ def parse_options():
"(default CN=Certificate Authority,O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--pki-config-override", dest="pki_config_override",
default=None,
help="Path to ini file with config overrides.")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -189,9 +183,8 @@ def install_replica(safe_options, options):
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.ca_host_name is None:
config.ca_host_name = find_providing_server(
'CA', api.Backend.ldap2, [api.env.ca_host]
)
config.ca_host_name = \
service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)
options.realm_name = config.realm_name
options.domain_name = config.domain_name
@@ -265,8 +258,7 @@ def install(safe_options, options):
paths.KRB5_KEYTAB,
ccache)
ca_host = find_providing_server('CA', api.Backend.ldap2)
ca_host = service.find_providing_server('CA', api.Backend.ldap2)
if ca_host is None:
install_master(safe_options, options)
else:
@@ -311,7 +303,7 @@ def main():
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
service.enable_services(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat

@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_cert_fix import IPACertFix
IPACertFix.run_cli()

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#

@@ -1,8 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_crlgen_manage import CRLGenManage
CRLGenManage.run_cli()

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Based on ipa-replica-manage by Karl MacMillan <kmacmillan@mentalrootkit.com>
@@ -134,19 +134,17 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
print('%s' % entry.single_value.get('nsds5replicahost'))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last init status: %s" % entry.single_value.get(
'nsds5replicalastinitstatus'))
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
repl2 = None
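Review bot: `entry.single_value['nsds5replicalastinitend']` in the five-line print block is subscripted unconditionally, so an agreement that has never been initialised (attribute absent) presumably raises KeyError and aborts the listing partway through; the six-line variant only dereferences it after checking `nsds5replicalastinitstatus` is not None, and the commit direction (a Debian import of 4.7.2) suggests the unguarded block is the new side, though print order alone does not prove it. Guarding it the same way, `initend = entry.single_value.get('nsds5replicalastinitend')` followed by `if initend is not None:` around the parse_generalized_time call, keeps `--verbose` output from crashing on fresh agreements. The `nsds5replicalastupdateend` subscript a few lines below has the same exposure on both sides. list_replicas starts above the hunk.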

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
"""Test client for ipa-custodia
The test script is expected to be executed on an IPA server with existing
@@ -18,9 +18,9 @@ from jwcrypto.common import json_decode
from jwcrypto.jwk import JWK
from ipalib import api
from ipalib.facts import is_ipa_configured
from ipaplatform.paths import paths
import ipapython.version
from ipaserver.install.installutils import is_ipa_configured
try:
# FreeIPA >= 4.5
@@ -89,7 +89,7 @@ parser.add_argument(
)
class IPACustodiaTester:
class IPACustodiaTester(object):
files = [
paths.IPA_DEFAULT_CONF,
paths.KRB5_KEYTAB,
@@ -102,7 +102,7 @@ class IPACustodiaTester:
self.args = args
if not api.isdone('bootstrap'):
# bootstrap to initialize api.env
api.bootstrap(log=None)
api.bootstrap()
self.debug("IPA API bootstrapped")
self.realm = api.env.realm
self.host = api.env.host

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Copyright (C) 2017 IPA Project Contributors, see COPYING for license
from ipaserver.secrets.service import main

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors:
# Christian Heimes <cheimes@redhat.com>
#
@@ -63,7 +63,7 @@ class FatalError(Error):
"""
class KDCProxyConfig:
class KDCProxyConfig(object):
ipaconfig_flag = 'ipaKDCProxyEnabled'
def __init__(self, time_limit=TIME_LIMIT):
@@ -186,10 +186,8 @@ class KDCProxyConfig:
def main(debug=DEBUG, time_limit=TIME_LIMIT):
# initialize API without file logging
if not api.isdone('bootstrap'):
api.bootstrap(
context='server', confdir=paths.ETC_IPA, log=None,
debug=debug
)
api.bootstrap(context='server', confdir=paths.ETC_IPA,
log=None, debug=debug)
standard_logging_setup(verbose=True, debug=debug)
try:

@@ -0,0 +1,25 @@
#!/bin/bash
# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
#
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
if [ "$#" -ne 2 ]; then
echo "Wrong number of arguments!" 1>&2
echo "$USAGE" 1>&2
exit 1
fi
fname=${1/:/-}-$2
pwdpath=/var/lib/ipa/passwds/$fname
# Make sure the values passed in do not contain path information
checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
if [ $pwdpath == "${checkpath}" ]; then
cat $pwdpath
else
echo "Invalid path ${pwdpath}" 1>&2
fi
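Review bot: The expansions in `realpath -e ${pwdpath}`, `[ $pwdpath == "${checkpath}" ]` and `cat $pwdpath` are unquoted, so whitespace or a glob character in the host:port or key-type argument breaks the comparison (a `[` syntax error, or an unintended glob) rather than being rejected, and `$2` is never checked against the RSA|DSA|ECC|number set the USAGE string promises. The canonical-path comparison itself is sound, since realpath -e resolves `..` and symlinks so a non-canonical name never matches, but the invalid branch falls through with exit status 0, so the caller cannot tell a rejected path from an empty passphrase file. Quoting the expansions, validating the key type and exiting non-zero on the error path closes both gaps; the rewritten tail of the script is below.
```shell
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
# … unchanged: argument-count check …
case "$2" in
    RSA|DSA|ECC) ;;
    ""|*[!0-9]*) echo "Invalid key type: $2" 1>&2; echo "$USAGE" 1>&2; exit 1 ;;
esac
fname="${1/:/-}-$2"
pwdpath="/var/lib/ipa/passwds/$fname"
# Accept only the canonical path of an existing file: realpath -e resolves
# '..' and symlinks, so anything non-canonical fails the comparison below.
checkpath=$(/usr/bin/realpath -e -- "$pwdpath" 2>/dev/null)
if [ "$pwdpath" = "$checkpath" ]; then
    cat -- "$pwdpath"
else
    echo "Invalid path ${pwdpath}" 1>&2
    exit 1
fi
```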

@@ -1,43 +0,0 @@
#!/usr/bin/python3
"""mod_ssl password reader
This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
If you'd like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
"""
import argparse
import os
from ipaplatform.paths import paths
HTTPD_PASSWD_DIR = os.path.realpath(
os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
)
parser = argparse.ArgumentParser(description="mod_ssl password reader")
parser.add_argument(
"host_port", help="host:port",
)
parser.add_argument(
"keytype", help="RSA|DSA|ECC|number",
)
def main():
args = parser.parse_args()
host_port = args.host_port.replace(":", "-")
keytype = args.keytype
pwdpath = os.path.realpath(
os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
)
if not pwdpath.startswith(HTTPD_PASSWD_DIR):
parser.error(f"Invalid path {pwdpath}\n")
try:
with open(pwdpath) as f:
print(f.read(), end="")
except OSError as e:
parser.error(str(e))
if __name__ == "__main__":
main()

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Ade Lee <alee@redhat.com>
#
# Copyright (C) 2014 Red Hat

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Jr Aquino <jr.aquino@citrix.com>
#
# Copyright (C) 2011 Red Hat

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#

@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat

@@ -1,11 +1,10 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
from __future__ import print_function
import argparse
import os
from requests import HTTPError
import sys
import traceback
from ipalib import constants
from ipalib.config import Env
@@ -17,65 +16,27 @@ def main():
env = Env()
env._finalize()
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
parser.add_argument("keyname", type=str)
parser.add_argument("servername", type=str)
args = parser.parse_args()
keyname = "ca_wrapped/{}".format(args.keyname)
keyname = "ca_wrapped/" + sys.argv[1]
servername = sys.argv[2]
service = constants.PKI_GSSAPI_SERVICE_NAME
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
for filename in [client_keyfile, client_keytab]:
if not os.access(filename, os.R_OK):
parser.error(
"File '{}' missing or not readable.\n".format(filename)
)
# pylint: disable=no-member
client = CustodiaClient(
client_service="{}@{}".format(service, env.host),
server=args.servername,
realm=env.realm,
ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile,
keytab=client_keytab,
)
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
try:
# Initially request a key wrapped using AES128-CBC.
# This uses the recent ability to specify additional
# parameters to a Custodia resource.
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
resp = client.fetch_key(path, store=False)
except HTTPError as e:
if e.response.status_code == 404:
# The 404 indicates one of two conditions:
#
# a) The server is an older version that does not support
# extra Custodia parameters. We should retry without
# specifying an algorithm.
#
# b) The key does not exist. At this point we cannot
# distinguish (a) and (b) but if we retry without
# specifying an algorithm, the second attempt will
# also fail with status 404.
#
# So the correct way to handle both scenarios is to
# retry without the algorithm parameter.
#
resp = client.fetch_key(keyname, store=False)
else:
raise # something else went wrong; re-raise
client_service='%s@%s' % (service, env.host), server=servername,
realm=env.realm, ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile, keytab=client_keytab,
)
# Print the response JSON to stdout; it is already in the format
# that Dogtag's ExternalProcessKeyRetriever expects
print(resp)
print(client.fetch_key(keyname, store=False))
if __name__ == '__main__':
try:
main()
except BaseException:
traceback.print_exc()
sys.exit(1)
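Review bot: `keyname = "ca_wrapped/" + sys.argv[1]` and `servername = sys.argv[2]` read the positional arguments with no length check, so a wrong invocation ends in an IndexError traceback instead of a usage message; this is the 27-line side of the hunk, which I take to be the new one given the import direction, though print order alone does not prove it. A guard before the first use, `if len(sys.argv) != 3:` / `    sys.exit("usage: ipa-pki-retrieve-key KEYNAME SERVERNAME")`, keeps the failure readable. The `os.access(..., os.R_OK)` check on the keyfile and keytab that the other side performs is likewise absent, so an unreadable credential file surfaces only as a CustodiaClient error later on. main() starts above the hunk (its header is in the @@ context).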

@@ -1,132 +0,0 @@
#!/usr/bin/python3
"""Wait until pki-tomcatd is up
The script polls on Dogtag's HTTP port and wait until the admin interface
reports status 'running' for the CA sub system.
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
"""
import os
import logging
import sys
import time
from xml.etree import ElementTree
from ipalib import api
from ipaplatform.paths import paths
from pki.client import PKIConnection
from pki.system import SystemStatusClient
from requests.exceptions import ConnectionError, Timeout, RequestException
logger = logging.getLogger('ipa-pki-wait-running')
# check the CA subsystem. All pki-tomcatd instances in IPA have a CA
SUBSYSTEM = 'ca'
# time out for TCP connection attempts
CONNECTION_TIMEOUT = 1.0
EXIT_SUCCESS = 0
EXIT_FAILURE = 1
if hasattr(time, 'monotonic'):
curtime = time.monotonic
else:
curtime = time.time
def check_installed(subsystem):
"""Check if the subsystem is configured
"""
catalina_base = os.environ.get(
'CATALINA_BASE', '/var/lib/pki/pki-tomcat'
)
# /var/lib/pki/pki-tomcat/conf -> /etc/pki/pki-tomcat
cs_cfg = os.path.join(catalina_base, 'conf', subsystem, 'CS.cfg')
if os.path.isfile(cs_cfg):
logger.debug("File %s exists.", cs_cfg)
return True
else:
logger.info("File %s does not exist.", cs_cfg)
return False
def get_conn(hostname, subsystem):
"""Create a connection object
"""
conn = PKIConnection(
hostname=hostname,
subsystem=subsystem,
cert_paths=paths.IPA_CA_CRT
)
logger.info(
"Created connection %s://%s:%s/%s",
conn.protocol, conn.hostname, conn.port, conn.subsystem
)
return conn
def get_status(conn, timeout):
"""Get status from subsystem and return parsed (status, error)
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logging.debug("Got status '%s', error '%s'", status, error)
return status, error
def main():
if not check_installed(SUBSYSTEM):
logger.info(
"subsystem %s is not installed, exiting", SUBSYSTEM
)
sys.exit(EXIT_SUCCESS)
# bootstrap ipalib.api to parse config file
api.bootstrap(confdir=paths.ETC_IPA, log=None)
timeout = api.env.startup_timeout
conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
end = curtime() + timeout
while curtime() < end:
try:
status, error = get_status(conn, CONNECTION_TIMEOUT)
except (ConnectionError, Timeout) as e:
logger.info("Connection failed: %s", e)
except RequestException as e:
logger.error("Request failed unexpectedly, %s ", e)
else:
if status == 'running':
logger.info("Success, subsystem %s is running!", SUBSYSTEM)
sys.exit(EXIT_SUCCESS)
elif error is not None:
logger.info(
"Subsystem %s failed with error '%s', giving up!",
SUBSYSTEM, error
)
sys.exit(EXIT_FAILURE)
else:
logger.info("Status is '%s', waiting...", status)
# wait and try again
time.sleep(1)
# giving up
logger.error(
"Reached end of wait timeout %s, giving up", timeout
)
sys.exit(EXIT_FAILURE)
if __name__ == '__main__':
logging.basicConfig(
format='%(name)s: %(message)s',
level=logging.INFO
)
main()


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011 Red Hat
@@ -22,7 +22,7 @@ from __future__ import print_function
import logging
from ipapython import ipachangeconf
import ipaclient.install.ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.dn import DN
from ipapython import version
@@ -57,7 +57,7 @@ CCACHE_FILE = None
KRB5_CONFIG = None
class SshExec:
class SshExec(object):
def __init__(self, user, addr):
self.user = user
self.addr = addr
@@ -95,7 +95,7 @@ class SshExec:
capture_output=True, capture_error=True)
class CheckedPort:
class CheckedPort(object):
def __init__(self, port, port_type, description):
self.port = port
self.port_type = port_type
@@ -229,7 +229,7 @@ def sigterm_handler(signum, frame):
def configure_krb5_conf(realm, kdc, filename):
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment((" = ", " "))
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
@@ -23,13 +23,16 @@ from __future__ import print_function
import logging
import sys
import os
import re
import ldap
import socket
import traceback
from urllib.parse import urlparse
from xmlrpc.client import MAXINT
import ldap
# pylint: disable=import-error
from six.moves.urllib.parse import urlparse
from six.moves.xmlrpc_client import MAXINT
# pylint: enable=import-error
from ipaclient.install import ipadiscovery
from ipapython import ipautil
@@ -236,19 +239,16 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
print('%s: %s' % (entry.single_value.get('nsds5replicahost'), ent_type))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last init status: %s" % entry.single_value.get(
'nsds5replicalastinitstatus'))
print(" last init ended: %s" % str(ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
"""
Delete a replication agreement from host A to host B.
@@ -279,7 +279,6 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
return False
except Exception as e:
print("Failed to determine agreement type for '%s': %s" % (replica2, e))
return False
if type1 == replication.IPA_REPLICA and managed_topology:
exit_on_managed_topology(what)
@@ -1222,6 +1221,7 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False):
# we did not replicate memberOf, do so now.
if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'):
ds = dsinstance.DsInstance(realm_name=realm)
ds.ldapi = os.getegid() == 0
ds.init_memberof()
def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
@@ -1241,11 +1241,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
ds.ldapi = os.getegid() == 0
ds.replica_manage_time_skew(prevent=False)
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_update(repl.conn, agreement.dn)
repl.wait_for_repl_init(repl.conn, agreement.dn)
ds.replica_manage_time_skew(prevent=True)
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
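Review bot: In `del_link()`, the `except Exception as e:` branch that prints `Failed to determine agreement type` no longer returns, so execution falls through to `if type1 == replication.IPA_REPLICA and managed_topology:` where `type1` appears to be assigned only inside the try body that precedes the hunk; the handler should end with `return False` so a failed lookup aborts the deletion instead of raising an unrelated `UnboundLocalError` or continuing with a stale value. The `list_replicas()` hunk has a related problem: with the `if initstatus is not None:` guard removed, `entry.single_value['nsds5replicalastinitend']` is read unconditionally and raises `KeyError` for an agreement that has presumably never been initialized, so the init lines should read the attribute with `.get()` and be skipped when it is `None`. Both enclosing functions start and end outside their hunks.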


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2015 Red Hat


@@ -1,7 +1,7 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008, 2019 Red Hat
# Copyright (C) 2008-2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -18,8 +18,587 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install import installutils
from ipaserver.install.ipactl import main
from __future__ import print_function
import sys
import os
import json
import ldapurl
from ipaserver.install import service, installutils
from ipaserver.install.dsinstance import config_dirname
from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipalib import api, errors
from ipapython.ipaldap import LDAPClient
from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
from ipapython.ipautil import run
from ipapython import config
from ipaplatform.tasks import tasks
from ipapython.dn import DN
from ipaplatform import services
from ipaplatform.paths import paths
MSG_HINT_IGNORE_SERVICE_FAILURE = (
"Hint: You can use --ignore-service-failure option for forced start in "
"case that a non-critical service failed"
)
class IpactlError(ScriptError):
pass
def check_IPA_configuration():
if not is_ipa_configured():
# LSB status code 6: program is not configured
raise IpactlError("IPA is not configured " +
"(see man pages of ipa-server-install for help)", 6)
def deduplicate(lst):
"""Remove duplicates and preserve order.
Returns copy of list with preserved order and removed duplicates.
"""
new_lst = []
s = set(lst)
for i in lst:
if i in s:
s.remove(i)
new_lst.append(i)
return new_lst
def is_dirsrv_debugging_enabled():
"""
Check the 389-ds instance to see if debugging is enabled.
If so we suppress that in our output.
returns True or False
"""
debugging = False
serverid = installutils.realm_to_serverid(api.env.realm)
dselist = [config_dirname(serverid)]
for dse in dselist:
try:
fd = open(dse + 'dse.ldif', 'r')
except IOError:
continue
lines = fd.readlines()
fd.close()
for line in lines:
if line.lower().startswith('nsslapd-errorlog-level'):
_option, value = line.split(':')
if int(value) > 0:
debugging = True
return debugging
def get_capture_output(service, debug):
"""
We want to display any output of a start/stop command with the
exception of 389-ds when debugging is enabled because it outputs
tons and tons of information.
"""
if service == 'dirsrv' and not debug and is_dirsrv_debugging_enabled():
print(' debugging enabled, suppressing output.')
return True
else:
return False
def parse_options():
usage = "%prog start|stop|restart|status\n"
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information")
parser.add_option("-f", "--force", action="store_true", dest="force",
help="Force IPA to start. Combine options "
"--skip-version-check and --ignore-service-failures")
parser.add_option("--ignore-service-failures", action="store_true",
dest="ignore_service_failures",
help="If any service start fails, do not rollback the "
"services, continue with the operation")
parser.add_option("--skip-version-check", action="store_true",
dest="skip_version_check", default=False,
help="skip version check")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.force:
options.ignore_service_failures = True
options.skip_version_check = True
return safe_options, options, args
def emit_err(err):
sys.stderr.write(err + '\n')
def version_check():
try:
installutils.check_version()
except (installutils.UpgradeMissingVersionError,
installutils.UpgradeDataOlderVersionError) as exc:
emit_err("IPA version error: %s" % exc)
except installutils.UpgradeVersionError as e:
emit_err("IPA version error: %s" % e)
else:
return
emit_err("Automatically running upgrade, for details see {}".format(
paths.IPAUPGRADE_LOG))
emit_err("Be patient, this may take a few minutes.")
# Fork out to call ipa-server-upgrade so that logging is sane.
result = run([paths.IPA_SERVER_UPGRADE], raiseonerr=False,
capture_error=True)
if result.returncode != 0:
emit_err("Automatic upgrade failed: %s" % result.error_output)
emit_err("See the upgrade log for more details and/or run {} again".
format(paths.IPA_SERVER_UPGRADE))
raise IpactlError("Aborting ipactl")
def get_config(dirsrv):
base = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
srcfilter = '(ipaConfigString=enabledService)'
attrs = ['cn', 'ipaConfigString']
if not dirsrv.is_running():
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
try:
# The start/restart functions already wait for the server to be
# started. What we are doing with this wait is really checking to see
# if the server is listening at all.
lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
if lurl.urlscheme == 'ldapi':
wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout)
else:
(host, port) = lurl.hostport.split(':')
wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout)
con = LDAPClient(api.env.ldap_uri)
con.external_bind()
res = con.get_entries(
base,
filter=srcfilter,
attrs_list=attrs,
scope=con.SCOPE_SUBTREE,
time_limit=10)
except errors.NetworkError:
# LSB status code 3: program is not running
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
except errors.NotFound:
masters_list = []
dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
attrs = ['cn']
try:
entries = con.get_entries(dn, con.SCOPE_ONELEVEL, attrs_list=attrs)
except Exception as e:
masters_list.append("No master found because of error: %s" % str(e))
else:
for master_entry in entries:
masters_list.append(master_entry.single_value['cn'])
masters = "\n".join(masters_list)
raise IpactlError("Failed to get list of services to probe status!\n"
"Configured hostname '%s' does not match any master server in LDAP:\n%s"
% (api.env.host, masters))
except Exception as e:
raise IpactlError("Unknown error when retrieving list of services from LDAP: " + str(e))
svc_list = []
for entry in res:
name = entry.single_value['cn']
for p in entry['ipaConfigString']:
if p.startswith('startOrder '):
try:
order = int(p.split()[1])
except ValueError:
raise IpactlError("Expected order as integer in: %s:%s" % (
name, p))
svc_list.append([order, name])
ordered_list = []
for (order, svc) in sorted(svc_list):
if svc in service.SERVICE_LIST:
ordered_list.append(service.SERVICE_LIST[svc][0])
return ordered_list
def get_config_from_file():
svc_list = []
try:
f = open(tasks.get_svc_list_file(), 'r')
svc_list = json.load(f)
except Exception as e:
raise IpactlError("Unknown error when retrieving list of services from file: " + str(e))
# the framework can start/stop a number of related services we are not
# authoritative for, so filter the list through SERVICES_LIST and order it
# accordingly too.
def_svc_list = []
for svc in service.SERVICE_LIST:
s = service.SERVICE_LIST[svc]
def_svc_list.append([s[1], s[0]])
ordered_list = []
for _order, svc in sorted(def_svc_list):
if svc in svc_list:
ordered_list.append(svc)
return ordered_list
def stop_services(svc_list):
for svc in svc_list:
svc_off = services.service(svc, api=api)
try:
svc_off.stop(capture_output=False)
except Exception:
pass
def stop_dirsrv(dirsrv):
try:
dirsrv.stop(capture_output=False)
except Exception:
pass
def ipa_start(options):
if not options.skip_version_check:
version_check()
else:
print("Skipping version check")
if os.path.isfile(tasks.get_svc_list_file()):
emit_err("Existing service file detected!")
emit_err("Assuming stale, cleaning and proceeding")
# remove file with list of started services
# This is ok as systemd will just skip services
# that are already running and just return, so that the
# stop() method of the base class will simply fill in the
# service file again
os.unlink(paths.SVC_LIST_FILE)
dirsrv = services.knownservices.dirsrv
try:
print("Starting Directory Service")
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
except Exception as e:
raise IpactlError("Failed to start Directory Service: " + str(e))
try:
svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from service file: " + str(e))
emit_err("Shutting down")
if not options.ignore_service_failures:
stop_dirsrv(dirsrv)
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval) # pylint: disable=no-member
else:
raise IpactlError()
if len(svc_list) == 0:
# no service to start
return
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
print("Starting %s Service" % svc)
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
# if ignore_service_failures is specified, skip rollback and
# continue with the next service
if options.ignore_service_failures:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
def ipa_stop(options):
dirsrv = services.knownservices.dirsrv
try:
svc_list = get_config_from_file()
except Exception as e:
# Issue reading the file ? Let's try to get data from LDAP as a
# fallback
try:
dirsrv.start(capture_output=False)
svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
# just try to stop it, do not read a result
dirsrv.stop()
finally:
raise IpactlError()
svc_list = deduplicate(svc_list)
for svc in reversed(svc_list):
svchandle = services.service(svc, api=api)
try:
print("Stopping %s Service" % svc)
svchandle.stop(capture_output=False)
except Exception:
emit_err("Failed to stop %s Service" % svc)
try:
print("Stopping Directory Service")
dirsrv.stop(capture_output=False)
except Exception:
raise IpactlError("Failed to stop Directory Service")
# remove file with list of started services
try:
os.unlink(paths.SVC_LIST_FILE)
except OSError:
pass
def ipa_restart(options):
if not options.skip_version_check:
try:
version_check()
except Exception as e:
try:
ipa_stop(options)
except Exception:
# We don't care about errors that happened while stopping.
# We need to raise the upgrade error.
pass
raise e
else:
print("Skipping version check")
dirsrv = services.knownservices.dirsrv
new_svc_list = []
dirsrv_restart = True
if not dirsrv.is_running():
try:
print("Starting Directory Service")
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
dirsrv_restart = False
except Exception as e:
raise IpactlError("Failed to start Directory Service: " + str(e))
try:
new_svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
dirsrv.stop(capture_output=False)
except Exception:
pass
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval) # pylint: disable=no-member
else:
raise IpactlError()
old_svc_list = []
try:
old_svc_list = get_config_from_file()
except Exception as e:
emit_err("Failed to get service list from file: " + str(e))
# fallback to what's in LDAP
old_svc_list = new_svc_list
# match service to start/stop
svc_list = []
for s in new_svc_list:
if s in old_svc_list:
svc_list.append(s)
#remove commons
for s in svc_list:
if s in old_svc_list:
old_svc_list.remove(s)
for s in svc_list:
if s in new_svc_list:
new_svc_list.remove(s)
if len(old_svc_list) != 0:
# we need to definitely stop some services
old_svc_list = deduplicate(old_svc_list)
for svc in reversed(old_svc_list):
svchandle = services.service(svc, api=api)
try:
print("Stopping %s Service" % svc)
svchandle.stop(capture_output=False)
except Exception:
emit_err("Failed to stop %s Service" % svc)
try:
if dirsrv_restart:
print("Restarting Directory Service")
dirsrv.restart(capture_output=get_capture_output('dirsrv', options.debug))
except Exception as e:
emit_err("Failed to restart Directory Service: " + str(e))
emit_err("Shutting down")
if not options.ignore_service_failures:
stop_services(reversed(svc_list))
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
if len(svc_list) != 0:
# there are services to restart
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
print("Restarting %s Service" % svc)
svchandle.restart(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to restart %s Service" % svc)
# if ignore_service_failures is specified,
# skip rollback and continue with the next service
if options.ignore_service_failures:
emit_err("Forced restart, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
if len(new_svc_list) != 0:
# we still need to start some services
new_svc_list = deduplicate(new_svc_list)
for svc in new_svc_list:
svchandle = services.service(svc, api=api)
try:
print("Starting %s Service" % svc)
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
# if ignore_service_failures is specified, skip rollback and
# continue with the next service
if options.ignore_service_failures:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
def ipa_status(options):
try:
dirsrv = services.knownservices.dirsrv
if dirsrv.is_running():
svc_list = get_config(dirsrv)
else:
svc_list = get_config_from_file()
except IpactlError as e:
if os.path.exists(tasks.get_svc_list_file()):
raise e
else:
svc_list = []
except Exception as e:
raise IpactlError("Failed to get list of services to probe status: " + str(e))
dirsrv = services.knownservices.dirsrv
try:
if dirsrv.is_running():
print("Directory Service: RUNNING")
else:
print("Directory Service: STOPPED")
if len(svc_list) == 0:
print(("Directory Service must be running in order to " +
"obtain status of other services"))
except:
raise IpactlError("Failed to get Directory Service status")
if len(svc_list) == 0:
return
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
if svchandle.is_running():
print("%s Service: RUNNING" % svc)
else:
print("%s Service: STOPPED" % svc)
except Exception:
emit_err("Failed to get %s Service status" % svc)
def main():
if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise IpactlError("You must be root to run ipactl.", 4)
_safe_options, options, args = parse_options()
if len(args) != 1:
# LSB status code 2: invalid or excess argument(s)
raise IpactlError("You must specify one action", 2)
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
# check if IPA is configured at all
try:
check_IPA_configuration()
except IpactlError as e:
if args[0].lower() == "status":
# Different LSB return code for status command:
# 4 - program or service status is unknown
# This should differentiate uninstalled IPA from status
# code 3 - program is not running
e.rval = 4
raise e
else:
raise e
api.bootstrap(in_server=True,
context='ipactl',
confdir=paths.ETC_IPA,
debug=options.debug)
api.finalize()
if '.' not in api.env.host:
raise IpactlError("Invalid hostname '%s' in IPA configuration!\n"
"The hostname must be fully-qualified" % api.env.host)
if args[0].lower() == "start":
ipa_start(options)
elif args[0].lower() == "stop":
ipa_stop(options)
elif args[0].lower() == "restart":
ipa_restart(options)
elif args[0].lower() == "status":
ipa_status(options)
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipactl')
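Review bot: The privilege check in `main()`, `if not os.getegid() == 0:`, tests the effective group ID rather than the effective user ID, so a process that merely carries gid 0 passes the "You must be root" gate and only fails later inside a privileged service operation with a less useful error; the intended test is `if os.geteuid() != 0:`. Two file handles in the same hunk are opened without a context manager, `fd = open(dse + 'dse.ldif', 'r')` in `is_dirsrv_debugging_enabled()` (leaked if `readlines()` raises) and `f = open(tasks.get_svc_list_file(), 'r')` in `get_config_from_file()` (never closed at all); both should become `with open(...) as f:` blocks. The bare `except:` in `ipa_status()` also swallows `SystemExit` and `KeyboardInterrupt` and should be `except Exception:` like the rest of the file. The hunk begins inside the license header and, since the removed side imports `main` from `ipaserver.install.ipactl`, this appears to be an older packaged copy of code that upstream has since moved, so some of these may already be addressed there.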


@@ -27,8 +27,6 @@ dist_man1_MANS = \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
dist_man8_MANS = \
