freeipa.git/install/tools/ipa-ca-install, branch ad-work FreeIPA project Fix CA-less check in ipa-replica-install and ipa-ca-install. 2013-06-26T09:00:20+00:00 Jan Cholasta jcholast@redhat.com 2013-06-25T08:31:56+00:00 76dc2176f9e53fc7da760a516359f7cb2eb62035 https://fedorahosted.org/freeipa/ticket/3750 
https://fedorahosted.org/freeipa/ticket/3750
Do not allow installing CA replicas in CA-less setup. 2013-06-12T10:59:54+00:00 Jan Cholasta jcholast@redhat.com 2013-06-03T08:20:52+00:00 5ae8515c20d1963a371210e47982beec5dd6ea00 https://fedorahosted.org/freeipa/ticket/3673 https://fedorahosted.org/freeipa/ticket/3674 
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
Use private ccache in ipa install tools 2013-06-05T10:27:45+00:00 Tomas Babej tbabej@redhat.com 2013-06-03T10:06:06+00:00 6f51f92138ff12eff732bf028751dcfa8ef9b442 All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666 
All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3666
Remove code to install Dogtag 9 2013-05-31T08:26:07+00:00 Petr Viktorin pviktori@redhat.com 2012-11-15T14:38:24+00:00 34ba1b7060a9f5271c4f59bca7bfb689335e1c47 Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529 
Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.

Support for upgraded Dogtag-9-style instances is left in.

https://fedorahosted.org/freeipa/ticket/3529
Drop --selfsign server functionality 2013-04-15T20:56:12+00:00 Petr Viktorin pviktori@redhat.com 2013-03-27T13:25:18+00:00 e736e75ce9724ae8298a5b69d093313cd6e62b60 Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494 
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
Use A/AAAA records instead of CNAME records in ipa-ca. 2013-04-15T19:12:36+00:00 Jan Cholasta jcholast@redhat.com 2013-04-15T10:19:11+00:00 f684c6d6f8f8cde5689a92cf2b06914c3e3da34c https://fedorahosted.org/freeipa/ticket/3547 
https://fedorahosted.org/freeipa/ticket/3547
Add OCSP and CRL URIs to certificates 2012-12-07T16:00:17+00:00 Martin Kosek mkosek@redhat.com 2012-11-19T15:32:28+00:00 867f7691e9e8d4dc101d227ca56a94f9b947897f Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431 
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
Fix schema replication from old masters 2012-11-23T11:19:19+00:00 Petr Viktorin pviktori@redhat.com 2012-10-24T08:37:16+00:00 1d3ddeff54d91111d7f4f3042a22af76275ef361 The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213 
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
Changes to use a single database for dogtag and IPA 2012-11-23T11:19:19+00:00 Ade Lee alee@redhat.com 2012-09-20T03:35:42+00:00 18a210996dc47dbc9979e5ee0bb9f184c22eb173 New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances. 
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
Use Dogtag 10 only when it is available 2012-09-17T22:43:59+00:00 Petr Viktorin pviktori@redhat.com 2012-08-23T16:38:45+00:00 4f76c143d2f2036af02677469c542f563a10158d Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846 
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846