path: root/install/tools/ipa-replica-install
Commit message | Author | Age | Files | Lines
* Convert installation tools to platform-independent access to system services | Alexander Bokovoy | 2011-09-13 | 1 | -6/+7
  http://fedorahosted.org/freeipa/ticket/1605
* Improve man pages structure | Martin Kosek | 2011-09-07 | 1 | -22/+32
  There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed.
  To further improve man pages:
  1) All man pages were changed to have the same header and top-center title to provide united look.
  2) Few typos in man pages have been fixed
  https://fedorahosted.org/freeipa/ticket/1687
* Add option to install without the automatic redirect to the Web UI. | Jan Cholasta | 2011-08-18 | 1 | -3/+5
  ticket 1570
* Re-arrange CA configuration code to reduce the number of restarts. | Rob Crittenden | 2011-08-03 | 1 | -3/+0
  Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.
  https://fedorahosted.org/freeipa/ticket/1555
* Clean up of IP address checks in install scripts. | Jan Cholasta | 2011-07-19 | 1 | -2/+2
  Fixes ipa-dns-install incorrect warning.
  ticket 1486
* Fix creation of reverse DNS zones. | Jan Cholasta | 2011-07-15 | 1 | -17/+23
  Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option.
  Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones.
  The reverse DNS zone name is printed to the user during the install.
  ticket 1398
* Make dogtag an optional (and default un-) installed component in a replica. | Rob Crittenden | 2011-06-23 | 1 | -130/+21
  A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed.
  A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed.
  This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication.
  https://fedorahosted.org/freeipa/ticket/1251
* Let the framework be able to override the hostname. | Rob Crittenden | 2011-06-23 | 1 | -0/+1
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok.
  ticket 1052
* Fix IPA install for secure umask | Martin Kosek | 2011-06-21 | 1 | -12/+16
  Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation.
  https://fedorahosted.org/freeipa/ticket/1282
* Improve IP address handling in IPA option parser | Martin Kosek | 2011-06-19 | 1 | -1/+1
  Implements a way to pass match_local and parse_netmask parameters to IP option checker.
  Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters.
  https://fedorahosted.org/freeipa/ticket/1333
* Connection check program for replica installation | Martin Kosek | 2011-06-08 | 1 | -0/+40
  When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall.
  This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure:
  1) Execute the on-replica check testing the connection to master
  2) Open required ports on local machine
  3) Ask user to run the on-master part of the check OR run it automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
  4) When master part is executed, it checks connection back to the replica and prints the check result
  This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option.
  ipa-replica-install now requires password for admin user to run the command on remote master.
  https://fedorahosted.org/freeipa/ticket/1107
* Honor netmask in DNS reverse zone setup. | Jan Cholasta | 2011-05-30 | 1 | -2/+4
  ticket 910
* Parse netmasks in IP addresses passed to server install. | Jan Cholasta | 2011-05-30 | 1 | -1/+5
  ticket 1212
* Fix reverse zone creation in ipa-replica-prepare | Martin Kosek | 2011-05-27 | 1 | -16/+1
  When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica.
  https://fedorahosted.org/freeipa/ticket/1223
* Properly handle --no-reverse being passed on the CLI in interactive mode | Rob Crittenden | 2011-05-12 | 1 | -3/+7
  If installing in interactive mode and --no-reverse is passed then the reverse zone was still being created.
  ticket 1152
* IPA replica is not started after the reboot | Martin Kosek | 2011-04-28 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/1191
* Replica installation fails for self-signed server | Martin Kosek | 2011-03-30 | 1 | -1/+2
  When IPA server was configured as self-signed (--selfsign option) the replica always failed to install.
  https://fedorahosted.org/freeipa/ticket/1122
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. | Rob Crittenden | 2011-03-15 | 1 | -19/+7
  This fixes 2 AVCS:
  * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.
  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
  ticket 1085
* Use TLS for dogtag replication agreements. | Rob Crittenden | 2011-03-10 | 1 | -2/+24
  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance.
  ticket 1060
* Need to restart the dogtag 388-ds instance before using it. | Rob Crittenden | 2011-03-03 | 1 | -0/+17
  Restart the 389-ds instance to ensure all schema is loaded that dogtag may have installed as files.
  According to bug https://bugzilla.redhat.com/show_bug.cgi?id=680984 this is only needed on clones.
  ticket 1024
* IPA replica/server install does not check for a client | Martin Kosek | 2011-03-03 | 1 | -0/+5
  When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end.
  This patch adds a check for already configured client and suggests removing it before server/replica installation.
  https://fedorahosted.org/freeipa/ticket/1002
* Use a common group for all DS instances | Simo Sorce | 2011-01-31 | 1 | -7/+29
  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user.
  Fixes: https://fedorahosted.org/freeipa/ticket/851
* Don't perform some API self-tests in production mode for performance reasons | Rob Crittenden | 2011-01-28 | 1 | -0/+1
  The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance.
  Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok.
  ticket 751
* Fix assorted bugs found by pylint | Jakub Hrozek | 2011-01-25 | 1 | -2/+2
* Create DNS records as early as possible | Simo Sorce | 2011-01-25 | 1 | -4/+15
  Fixes: https://fedorahosted.org/freeipa/ticket/833
* Always add DNS records when installing a replica | Simo Sorce | 2011-01-25 | 1 | -3/+21
  Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records.
  Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related values | Simo Sorce | 2011-01-25 | 1 | -0/+1
  Fixes: https://fedorahosted.org/freeipa/ticket/820
* Use GSSAPI for replication | Simo Sorce | 2011-01-14 | 1 | -1/+2
  Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI.
  Fixes: https://fedorahosted.org/freeipa/ticket/690
* Remove unused random password in replica install script | Simo Sorce | 2011-01-14 | 1 | -2/+0
* Create the reverse zone by default | Jakub Hrozek | 2011-01-07 | 1 | -1/+13
  A new option to specify reverse zone creation for unattended installs
  https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to configure DNS on a replica. | Simo Sorce | 2011-01-07 | 1 | -0/+2
  Fixes: https://fedorahosted.org/freeipa/ticket/645
* Change FreeIPA license to GPLv3+ | Jakub Hrozek | 2010-12-20 | 1 | -5/+5
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Clarify ipa-replica-install error message | Jakub Hrozek | 2010-12-20 | 1 | -2/+2
* Make the IPA installer IPv6 friendly | Jakub Hrozek | 2010-12-20 | 1 | -6/+13
  Notable changes include:
  * parse AAAA records in dnsclient
  * also ask for AAAA records when verifying FQDN
  * do not use functions that are not IPv6 aware - notably socket.gethostbyname()
  The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Verify that the replication plugin exists before setting up replicas. | Rob Crittenden | 2010-12-17 | 1 | -0/+3
  ticket 502
* Add krb5-pkinit-openssl as a Requires on ipa-server package | Rob Crittenden | 2010-12-16 | 1 | -9/+0
  ticket 599
* Fix Install using dogtag. | Simo Sorce | 2010-12-10 | 1 | -0/+5
  The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance.
  Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstance | Simo Sorce | 2010-12-10 | 1 | -1/+1
  This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway.
  Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Split dsinstance configuration | Simo Sorce | 2010-12-10 | 1 | -34/+25
  This is so that master and replica creation can perform different operations as they need slightly different settings to be applied.
* Make pkinit setup optional in ipa-replica-prepare too. | Simo Sorce | 2010-12-08 | 1 | -5/+10
  Also add fixes for ipa-replica-install as that had issues too.
  Fixes: https://fedorahosted.org/freeipa/ticket/527
* Do not create reverse zone by default | Jakub Hrozek | 2010-12-02 | 1 | -1/+2
  Prompt for creation of reverse zone, with the default for unattended installations being False.
  https://fedorahosted.org/freeipa/ticket/418
* id ranges: change DNA configuration | Simo Sorce | 2010-11-22 | 1 | -1/+7
  Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id.
  Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way.
  Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install.
  fixes: https://fedorahosted.org/freeipa/ticket/198
* pkinit-replica: create certificates for replicas too | Simo Sorce | 2010-11-18 | 1 | -3/+24
  although the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
* Use Realm as certs subject base name | Simo Sorce | 2010-11-18 | 1 | -1/+1
  Also use the realm name as nickname for the CA certificate
* Log script options to logfile | Jakub Hrozek | 2010-11-09 | 1 | -5/+7
  Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute.
  https://fedorahosted.org/freeipa/ticket/393
* Include REPLICA_FILE in usage for ipa-replica-install | Rob Crittenden | 2010-10-13 | 1 | -1/+2
  ticket 247
* Add --no-host-dns argument to ipa-replica-install | Rob Crittenden | 2010-09-16 | 1 | -3/+6
  The server installer has this option, the replica installer should have it too.
  ticket 146
* Query the remote server to see if this replica host already exists. | Rob Crittenden | 2010-06-01 | 1 | -13/+23
  If it does then the installation will fail trying to set up the keytabs, and not in a way that you say "aha, it's because the host is already enrolled."
* Use correct name for CA PKCS#12 file. | Rob Crittenden | 2010-04-23 | 1 | -2/+2
  I recently renamed this and missed this reference.
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts. | Pavel Zuna | 2010-04-19 | 1 | -11/+11