| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let ipa-replica-prepare and ipa-replica-install work without
proper DNS records as records in /etc/hosts are sufficient for
DS replication.
1) ipa-replica-prepare now just checks if the replica hostname
is resolvable (DNS records are not required). It is now able
to prepare a replica file even when the replica IP address is
present in /etc/hosts only.
2) ipa-replica-install is now able to proceed when the hostname
is not resolvable. It uses an IP address passed in a new
option --ip-address to create a record in /etc/hosts in the
same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2139
|
|
|
|
|
|
|
|
| |
ipalib API needs to be bootstrapped in 'installer' context otherwise
LDAP update plugins don't get initialized and ipa-replica-install
crashes.
https://fedorahosted.org/freeipa/ticket/2139
|
|
|
|
|
|
|
|
|
|
| |
Call restart() methods of appropriate services instead of calling
the system service restart command directly as service() method
has a capability to wait until the service is fully up. Without
this patch ipa-replica-install crashed on F-16 because krb5kdc
service was started before dirsrv service was fully up.
https://fedorahosted.org/freeipa/ticket/2139
|
|
|
|
|
|
|
|
|
|
|
|
| |
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
|
|
|
|
|
|
|
|
|
|
| |
We no longer need to enforce that no 389-ds instances exist on an IPA
server. Checking that the ports exist should be enough.
This used to be one mechanism we used to check to see if IPA was already
installed. We have a better mechanism now.
https://fedorahosted.org/freeipa/ticket/1735
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
computations
https://fedorahosted.org/freeipa/ticket/1794
If the master does not yet support the total update list feature we still
run the memberof fixup task and not fail to replicate due to the new
attribute not being settable.
Jointly-developed-with: Simo Sorce <ssorce@redhat.com>
Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).
Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.
https://fedorahosted.org/freeipa/ticket/1899
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/1900
|
|
|
|
|
|
|
|
|
| |
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
|
|
|
|
|
|
|
|
|
| |
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
|
|
|
|
|
|
|
| |
The replication plugin is no longer shipped as a separate package.
Remove the code checking its existence.
https://fedorahosted.org/freeipa/ticket/1815
|
|
|
|
| |
http://fedorahosted.org/freeipa/ticket/1605
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
|
|
|
|
|
|
| |
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
|
|
|
|
|
|
|
| |
Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't
need a bind password anymore.
Fixes: https://fedorahosted.org/freeipa/ticket/1743
|
|
|
|
| |
ticket 1570
|
|
|
|
|
|
|
|
| |
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
|
|
|
|
|
|
| |
Fixes ipa-dns-install incorrect warning.
ticket 1486
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.
Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.
The reverse DNS zone name is printed to the user during the install.
ticket 1398
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
|
|
|
|
|
|
|
|
| |
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
|
|
|
|
|
|
|
|
|
|
|
| |
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.
Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.
https://fedorahosted.org/freeipa/ticket/1333
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
the replica and prints the check result
This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.
https://fedorahosted.org/freeipa/ticket/1107
|
|
|
|
| |
ticket 910
|
|
|
|
| |
ticket 1212
|
|
|
|
|
|
|
|
|
| |
When a new reverse zone was created in ipa-replica-prepare (this
may happen when a new replica is from different subnet), the master
DNS address was corrupted by invalid A/AAAA record. This caused
problems for example in installing replica.
https://fedorahosted.org/freeipa/ticket/1223
|
|
|
|
|
|
|
| |
If installing in interactive mode and --no-reverse is passed then the
reverse zone was still being created.
ticket 1152
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1191
|
|
|
|
|
|
|
| |
When IPA server was configured as self-signed (--selfsign option)
the replica always failed to install.
https://fedorahosted.org/freeipa/ticket/1122
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
|
|
|
|
|
|
|
|
| |
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
|
|
|
|
|
|
|
|
|
|
|
| |
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this it is only needed
on clones.
ticket 1024
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA replica or server is configured it does not check for
possibly installed client. This will cause the installation to
fail in the very end.
This patch adds a check for already configured client and suggests
removing it before server/replica installation.
https://fedorahosted.org/freeipa/ticket/1002
|
|
|
|
|
|
|
|
| |
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.
Because makeapi is executed when a build is done ensure that it is
executed in developer mode to ensure that the framework is ok.
ticket 751
|
| |
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/833
|
|
|
|
|
|
|
| |
Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/820
|
|
|
|
|
|
|
| |
Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690
|
| |
|
|
|
|
|
|
| |
A new option to specify reverse zone creation for unattended installs
https://fedorahosted.org/freeipa/ticket/678
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/645
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
|
|
|
| |
ticket 502
|
|
|
|
| |
ticket 599
|
|
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|