freeipa.git/install/tools/man, branch network-fixes FreeIPA project Fix man page ipa-csreplica-manage 2011-07-25T08:55:33+00:00 Martin Kosek mkosek@redhat.com 2011-07-25T07:45:34+00:00 1897f12bc22a5e211710149fa1ff6d417a0e7bcc Fix references to ipa-replica-manage in ipa-csreplica-manage. https://fedorahosted.org/freeipa/ticket/1519 
Fix references to ipa-replica-manage in ipa-csreplica-manage.

https://fedorahosted.org/freeipa/ticket/1519
Create tool to manage dogtag replication agreements 2011-07-18T02:16:32+00:00 Rob Crittenden rcritten@redhat.com 2011-07-15T03:35:01+00:00 3fdca99c48f19d6af7182b69bea0ee11100a9dd7 For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250 
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, the determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
Fix creation of reverse DNS zones. 2011-07-15T14:42:16+00:00 Jan Cholasta jcholast@redhat.com 2011-07-11T08:14:53+00:00 881df73568a9638bba6a6d0ae2e715cf249f6fa4 Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398 
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.

Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.

The reverse DNS zone name is printed to the user during the install.

ticket 1398
Make dogtag an optional (and default un-) installed component in a replica. 2011-06-23T23:04:33+00:00 Rob Crittenden rcritten@redhat.com 2011-06-17T20:47:39+00:00 8a32bb3746802a29b2655e4ad2cbbba8481e1eaf A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251 
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.

https://fedorahosted.org/freeipa/ticket/1251
Connection check program for replica installation 2011-06-08T07:29:52+00:00 Martin Kosek mkosek@redhat.com 2011-05-22T17:17:07+00:00 241ee334defda108e22855331d5d9a14f261ce16 When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall. This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure: 1) Execute the on-replica check testing the connection to master 2) Open required ports on local machine 3) Ask user to run the on-master part of the check OR run it automatically: a) kinit to master as default admin user with given password b) run the on-master part using ssh 4) When master part is executed, it checks connection back to the replica and prints the check result This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master. https://fedorahosted.org/freeipa/ticket/1107 
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
Document that deleting and re-adding a replica requires a dirsrv restart. 2011-05-26T13:48:54+00:00 Rob Crittenden rcritten@redhat.com 2011-05-24T20:13:44+00:00 5288bdb79ae7602cb72a735fad0c8b6e62a48df0 If you install a replica, delete the replica, then re-add it and then try to re-initialize the agreement it will fail because the remote master has the old service principals cached. It needs to be restarted to work. ticket 1077 
If you install a replica, delete the replica, then re-add it and then
try to re-initialize the agreement it will fail because the remote master
has the old service principals cached. It needs to be restarted to work.

ticket 1077
Consolidate man pages and IPA tools help 2011-05-12T20:55:27+00:00 Martin Kosek mkosek@redhat.com 2011-05-04T08:09:44+00:00 9de10f3674078ef8c423522e30fe704a2d09a7c2 IPA tools options are not consistent with information in man pages. https://fedorahosted.org/freeipa/ticket/1163 https://fedorahosted.org/freeipa/ticket/1178 
IPA tools options are not consistent with information in man
pages.

https://fedorahosted.org/freeipa/ticket/1163
https://fedorahosted.org/freeipa/ticket/1178
The default groups we create should have ipaUniqueId set 2011-04-15T11:02:17+00:00 Rob Crittenden rcritten@redhat.com 2011-04-14T18:37:45+00:00 fe67680da5c3d7799884bdbd4d900070394dc5d0 This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177 
This adds a new directive to ipa-ldap-updater: addifnew. This will add
a new attribute only if it doesn't exist in the current entry. We can't
compare values because the value we are adding is automatically generated.

ticket 1177
Fix traceback in ipa-nis-manage. 2011-04-11T19:33:03+00:00 Rob Crittenden rcritten@redhat.com 2011-04-11T19:30:11+00:00 d42bf3f530759824586bba0df52f9bd8a6f20df7 The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message. This also gives priority to the DM password if it is passed in. Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root. Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade. Ticket 1157 
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.

This also gives priority to the DM password if it is passed in.

Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.

Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.

Ticket 1157
Add note about ipa-dns-install to ipa-server-install man page. 2011-03-31T20:38:43+00:00 Jan Cholasta jcholast@redhat.com 2011-03-30T10:13:38+00:00 7515fd556329a15008d53a3e6a049f2255d21b3b ticket 1082 
ticket 1082