freeipa.git/install/tools, branch platform-master FreeIPA project Convert installation tools to platform-independent access to system services 2011-09-13T09:15:50+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-09-12T21:11:54+00:00 bbbb550aaa13eb2ebdb113ff8738ed5c8f5277aa http://fedorahosted.org/freeipa/ticket/1605 
http://fedorahosted.org/freeipa/ticket/1605
Fix permissions in installers 2011-09-07T11:02:43+00:00 Martin Kosek mkosek@redhat.com 2011-08-30T14:32:40+00:00 d0ce604b4d69d7f6fa5e0bb81647f839abd6291d Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644 
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.

https://fedorahosted.org/freeipa/ticket/1644
Improve man pages structure 2011-09-07T10:55:12+00:00 Martin Kosek mkosek@redhat.com 2011-09-05T09:04:17+00:00 dc3d0f387918b3de2f8e7898408e04e11cc30363 There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed. To further improve man pages: 1) All man pages were changed to have the same header and top-center title to provide united look. 2) Few typos in man pages have been fixed https://fedorahosted.org/freeipa/ticket/1687 
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.

To further improve man pages:

1) All man pages were changed to have the same header and top-center
   title to provide united look.

2) Few typos in man pages have been fixed

https://fedorahosted.org/freeipa/ticket/1687
conncheck: Fix List of ports to check 2011-09-01T14:10:18+00:00 Simo Sorce ssorce@redhat.com 2011-08-31T18:07:56+00:00 15cada3733046d4407df5d1269c040a6a7872ca9 We need to check all Kerberos ports both TCP and UDP transports. Since we have the PKI proxy configuration all communication with the CA happens on the standard 80/443 ports so we need to check them always. We do not need to leave the old CA ports open. These ports are still used locally but not over the network. 
We need to check all Kerberos ports both TCP and UDP transports.

Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
install: We do not need a kpasswd keytab anymore 2011-08-31T20:27:20+00:00 Simo Sorce ssorce@redhat.com 2011-08-31T15:45:07+00:00 801dc97adbf9eacd16c67c188500f148d9507b12 We now use MIT's kadmin instead of our old ipa_kpasswd daemon. kadmind knows how to fetch the keys directly from the database and doesn't need a keytab on the filesystem. 
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
install: We do not need a ldap password anymore 2011-08-31T20:27:20+00:00 Simo Sorce ssorce@redhat.com 2011-08-31T15:39:53+00:00 096cc43fe604f9145578d6e5ab32a778563b9737 Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't need a bind password anymore. Fixes: https://fedorahosted.org/freeipa/ticket/1743 
Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't
need a bind password anymore.

Fixes: https://fedorahosted.org/freeipa/ticket/1743
Let Bind track data changes 2011-08-31T14:46:12+00:00 Martin Kosek mkosek@redhat.com 2011-08-31T12:42:57+00:00 6a2dfde086bdda62964a9737a300818d2ab24a4b Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826 
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh in installation to define number of seconds
    between bind-dyndb-ldap polls for new DNS zones. User now
    doesn't have to restart name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch yes";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
Add common is_installed() fn, better uninstall logging, check for errors. 2011-08-29T20:50:43+00:00 Rob Crittenden rcritten@redhat.com 2011-08-29T15:16:52+00:00 d7618acb73f57a63aca0a9fcfa8bf5edb1cffdda The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715 
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.

When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.

Add wrappers for removing files and directories to log failures.

https://fedorahosted.org/freeipa/ticket/1715
enable proxy for dogtag 2011-08-29T21:54:49+00:00 Adam Young ayoung@redhat.com 2011-08-17T19:36:18+00:00 5ee93349f6700d024fa4db68c960951d9964504b Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com> 
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
daemons: Remove ipa_kpasswd 2011-08-26T12:26:08+00:00 Simo Sorce ssorce@redhat.com 2011-07-20T22:11:05+00:00 dfa944da247f71f4ccf8a18eee30459e6c25caa5 Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon. 
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.