| Commit message | Author | Age | Files | Lines |
| |
Fixes ipa-dns-install incorrect warning.
ticket 1486
| |
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.
A custom reverse DNS zone can be specified using the new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.
The reverse DNS zone name is printed to the user during the install.
ticket 1398
| |
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
| |
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
| |
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
| |
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.
Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.
https://fedorahosted.org/freeipa/ticket/1333
| |
When the connection between a master machine and a future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is a misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When the master part is executed, it checks the connection back to
the replica and prints the check result
This program is run by ipa-replica-install as a mandatory part. It
can, however, be skipped using the --skip-conncheck option.
ipa-replica-install now requires a password for the admin user to run
the command on the remote master.
https://fedorahosted.org/freeipa/ticket/1107
| |
ticket 910
| |
ticket 1212
| |
When a new reverse zone was created in ipa-replica-prepare (this
may happen when a new replica is from a different subnet), the master
DNS address was corrupted by an invalid A/AAAA record. This caused
problems, for example, when installing a replica.
https://fedorahosted.org/freeipa/ticket/1223
| |
If installing in interactive mode and --no-reverse is passed then the
reverse zone was still being created.
ticket 1152
| |
https://fedorahosted.org/freeipa/ticket/1191
| |
When the IPA server was configured as self-signed (--selfsign option)
the replica always failed to install.
https://fedorahosted.org/freeipa/ticket/1122
| |
This fixes 2 AVCs:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database.
Instead generate a separate NSS database and certificate and have
certmonger track it separately.
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
| |
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.
ticket 1060
| |
Restart the 389-ds instance to ensure all schema is loaded that
dogtag may have installed as files.
According to bug
https://bugzilla.redhat.com/show_bug.cgi?id=680984 this is only needed
on clones.
ticket 1024
| |
When an IPA replica or server is configured it does not check for a
possibly installed client. This will cause the installation to
fail at the very end.
This patch adds a check for an already configured client and suggests
removing it before server/replica installation.
https://fedorahosted.org/freeipa/ticket/1002
| |
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
| |
The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.
Because makeapi is executed when a build is done, ensure that it is
executed in developer mode to ensure that the framework is ok.
ticket 751
| |
Fixes: https://fedorahosted.org/freeipa/ticket/833
| |
Even if the replica is not running a DNS server other replicas might.
So if the DNS container is present, then try to add DNS records.
Fixes: https://fedorahosted.org/freeipa/ticket/824
| |
Fixes: https://fedorahosted.org/freeipa/ticket/820
| |
Uses a temporary simple replication agreement over SSL to init the tree.
Then once all principals have been created switches replication to GSSAPI.
Fixes: https://fedorahosted.org/freeipa/ticket/690
| |
A new option to specify reverse zone creation for unattended installs
https://fedorahosted.org/freeipa/ticket/678
| |
Fixes: https://fedorahosted.org/freeipa/ticket/645
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically; it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
| |
ticket 502
| |
ticket 599
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
| |
This is so that master and replica creation can perform different operations as
they need slightly different settings to be applied.
| |
Also add fixes for ipa-replica-install as that had issues too.
Fixes: https://fedorahosted.org/freeipa/ticket/527
| |
Prompt for creation of reverse zone, with the default for unattended
installations being False.
https://fedorahosted.org/freeipa/ticket/418
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
| |
Although the kdc certificate name is not tied to the fqdn, we create separate
certs for each KDC so that renewal of each of them is done separately.
| |
Also use the realm name as nickname for the CA certificate
| |
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
| |
ticket 247
| |
The server installer has this option, the replica installer should have
it too.
ticket 146
| |
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
| |
I recently renamed this and missed this reference.
| |
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
| |
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.
Fixes #500238
| |
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
| |
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.