freeipa.git/ipaserver, branch platform FreeIPA project Convert server install code to platform-independent access to system services 2011-09-13T09:35:25+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-09-12T21:10:45+00:00 7059bd195e3901c52920205b1fd9b91a8b2a52ca https://fedorahosted.org/freeipa/ticket/1605 
https://fedorahosted.org/freeipa/ticket/1605
Introduce platform-specific adaptation for services used by FreeIPA. 2011-09-13T09:34:43+00:00 Alexander Bokovoy abokovoy@redhat.com 2011-09-12T21:01:23+00:00 b73b0178971a0547ba72a9fdfaa85ad4cfa1cacf Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration. A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in packaging process. https://fedorahosted.org/freeipa/ticket/1605 
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
Fix configure.jar permissions 2011-09-07T11:11:48+00:00 Martin Kosek mkosek@redhat.com 2011-09-07T11:08:44+00:00 8f1eca7c04cbae65de5778a5a28890303439e154 Remove executable bit added by /usr/bin/signtool https://fedorahosted.org/freeipa/ticket/1644 
Remove executable bit added by /usr/bin/signtool

https://fedorahosted.org/freeipa/ticket/1644
Fix permissions in installers 2011-09-07T11:03:09+00:00 Martin Kosek mkosek@redhat.com 2011-09-06T06:39:24+00:00 f2fd7588e4efea1ad41a60930ca969802fb9ca42 Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644 
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.

https://fedorahosted.org/freeipa/ticket/1644
Use the IPA server cert profile in the installer. 2011-08-31T00:18:45+00:00 Rob Crittenden rcritten@redhat.com 2011-08-31T17:22:33+00:00 ef63d2d244c5cca1c5c3004c533573d83b85000f We were still using the caRAserverCert profile during installation. https://fedorahosted.org/freeipa/ticket/1744 
We were still using the caRAserverCert profile during installation.

https://fedorahosted.org/freeipa/ticket/1744
Let Bind track data changes 2011-08-31T14:46:26+00:00 Martin Kosek mkosek@redhat.com 2011-08-31T12:42:57+00:00 5a495b91dea527f9ac051655e2fd26ca3f9deab5 Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826 
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh in installation to define number of seconds
    between bind-dyndb-ldap polls for new DNS zones. User now
    doesn't have to restart name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch yes";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31T07:53:11+00:00 Jr Aquino jr.aquino@citrix.com 2011-08-31T00:48:15+00:00 8b27f1ad273ee5420657194d82c021022c069447 Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272 
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
enable proxy for dogtag 2011-08-29T21:05:44+00:00 Adam Young ayoung@redhat.com 2011-08-17T19:36:18+00:00 d32b44be6a1dd73e514a6063cad2c8c84aaed360 Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com> 
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
Add common is_installed() fn, better uninstall logging, check for errors. 2011-08-29T20:49:52+00:00 Rob Crittenden rcritten@redhat.com 2011-08-29T15:16:52+00:00 91c9e8320932124ff77178383a0531fb2b218f2f The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715 
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.

When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.

Add wrappers for removing files and directories to log failures.

https://fedorahosted.org/freeipa/ticket/1715
Remove 389-ds upgrade state during uninstall 2011-08-26T00:53:37+00:00 Rob Crittenden rcritten@redhat.com 2011-08-24T15:28:20+00:00 c3ee9b32087c2f5778d70d8ada4508db5a56f6bf When we perform an upgrade 389-ds is set to listen only on its ldapi port. Theoretically it should be restored to the previous state regardless of whether the upgrades were successful or not. To be sure that a subsequent re-install will be successful go ahead and remove the state for these options. Think of it as wearing a belt and suspenders. Otherwise a re-install could return an error message that IPA is already configured. https://fedorahosted.org/freeipa/ticket/1667 
When we perform an upgrade 389-ds is set to listen only on its
ldapi port. Theoretically it should be restored to the previous
state regardless of whether the upgrades were successful or not.

To be sure that a subsequent re-install will be successful go ahead
and remove the state for these options. Think of it as wearing a
belt and suspenders. Otherwise a re-install could return an error
message that IPA is already configured.

https://fedorahosted.org/freeipa/ticket/1667