path: root/install/tools/ipa-server-install
* Verify that the hostname is fully-qualified before accessing the service information in ipactl. (Jan Cholasta, 2011-06-24; 1 file, -8/+7)
  Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install. ticket 1035
* Let the framework be able to override the hostname. (Rob Crittenden, 2011-06-23; 1 file, -1/+2)
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Fix IPA install for secure umask (Martin Kosek, 2011-06-21; 1 file, -12/+16)
  Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
* The IP address provided to ipa-server-install must be local (Rob Crittenden, 2011-06-20; 1 file, -1/+1)
  Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available. https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parser (Martin Kosek, 2011-06-19; 1 file, -2/+3)
  Implements a way to pass match_local and parse_netmask parameters to IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters. https://fedorahosted.org/freeipa/ticket/1333
* Do better detection on status of CA DS instance when installing. (Rob Crittenden, 2011-06-13; 1 file, -4/+4)
  The conditional used to determine if the CA 389-ds instance was already configured was rather poor so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all, causing the dogtag installation to fail in a strange way. https://fedorahosted.org/freeipa/ticket/1244
* IPA installation with --no-host-dns fails (Martin Kosek, 2011-06-10; 1 file, -6/+15)
  --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name. Update: the parse_ip_address and verify_ip_address functions have been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine. https://fedorahosted.org/freeipa/ticket/1246
* Fix external CA installation (Rob Crittenden, 2011-06-09; 1 file, -2/+2)
  When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry. https://fedorahosted.org/freeipa/ticket/1245
* Honor netmask in DNS reverse zone setup. (Jan Cholasta, 2011-05-30; 1 file, -1/+2)
  ticket 910
* Parse netmasks in IP addresses passed to server install. (Jan Cholasta, 2011-05-30; 1 file, -19/+17)
  ticket 1212
* Fix reverse zone creation in ipa-replica-prepare (Martin Kosek, 2011-05-27; 1 file, -22/+7)
  When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from a different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica. https://fedorahosted.org/freeipa/ticket/1223
* Properly handle --no-reverse being passed on the CLI in interactive mode (Rob Crittenden, 2011-05-12; 1 file, -3/+7)
  If installing in interactive mode and --no-reverse is passed then the reverse zone was still being created. ticket 1152
* Forbid reinstallation in ipa-client-install (Martin Kosek, 2011-04-29; 1 file, -1/+2)
  The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors. When required, the cleanest way to re-install IPA client is to run uninstall and then install again. This patch also includes a few cosmetic changes in messages to user to provide more consistent user experience with the script. https://fedorahosted.org/freeipa/ticket/1117
* Ensure that the zonemgr passed to the installer conforms to IA5String. (Rob Crittenden, 2011-04-26; 1 file, -1/+12)
  ticket 1164
* Fix lint false positives. (Jan Cholasta, 2011-04-13; 1 file, -1/+1)
* Fix typo in ipa-server-install. (Jan Cholasta, 2011-04-08; 1 file, -1/+1)
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. (Rob Crittenden, 2011-03-15; 1 file, -9/+5)
  This fixes 2 AVCs:
  * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.
  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
* Use TLS for dogtag replication agreements. (Rob Crittenden, 2011-03-10; 1 file, -1/+15)
  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
* chkconfig the ipa service off when it is uninstalled. (Rob Crittenden, 2011-03-08; 1 file, -0/+2)
  ticket 1056
* Skip DNS validation checks if we're setting up DNS in ipa-server-install. (Rob Crittenden, 2011-03-04; 1 file, -0/+4)
  If we're going to be authoritative ourselves don't bother with what other DNS servers think. ticket 1036
* Use ldapi: instead of unsecured ldap: in ipa core tools. (Pavel Zuna, 2011-03-03; 1 file, -4/+6)
  The patch also corrects exception handling in some of the tools. Fix #874
* Inconsistent sysrestore file handling by IPA server installer (Martin Kosek, 2011-03-03; 1 file, -2/+2)
  IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
* IPA replica/server install does not check for a client (Martin Kosek, 2011-03-03; 1 file, -0/+5)
  When an IPA replica or server is configured it does not check for a possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation. https://fedorahosted.org/freeipa/ticket/1002
* Fixed in ipa-server-install help and man page (Jan Zeleny, 2011-02-18; 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/831
* Refresh state data before removing the dirsrv user, fixes uninstall. (Rob Crittenden, 2011-02-07; 1 file, -0/+1)
  The state is read only at initialization time. This works ok when individual services remove their state data but when worked upon again at the top-level it still has the full state in memory, so when the state file is re-written all of the data that was removed is re-added. ticket 916
* ipa-server-install inconsistent capitalization (Martin Kosek, 2011-02-03; 1 file, -3/+3)
  A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
* Fix installing with an external CA and wait for dogtag to come up (Rob Crittenden, 2011-02-01; 1 file, -10/+40)
  There wasn't an exception in the "is the server already installed" check for a two-stage CA installation.
  Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password.
  The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available.
  This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
* Use a common group for all DS instances (Simo Sorce, 2011-01-31; 1 file, -53/+49)
  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Don't perform some API self-tests in production mode for performance reasons (Rob Crittenden, 2011-01-28; 1 file, -0/+1)
  The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance. Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok. ticket 751
* Make the -u option optional in unattended mode (Simo Sorce, 2011-01-24; 1 file, -8/+11)
  Fixes: https://fedorahosted.org/freeipa/ticket/836
* Remove trailing space (Simo Sorce, 2011-01-24; 1 file, -1/+1)
* Create the reverse zone by default (Jakub Hrozek, 2011-01-07; 1 file, -2/+12)
  A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentials (Simo Sorce, 2011-01-07; 1 file, -1/+0)
  Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
* Make sure that the messagebus service is started. (Rob Crittenden, 2011-01-04; 1 file, -0/+2)
  This will prevent certmonger failures. On very minimal installs it seems that messagebus is not always started. ticket 528
* Ask for reverse zone creation only when --setup-bind is specified (Jakub Hrozek, 2010-12-22; 1 file, -1/+3)
* Change FreeIPA license to GPLv3+ (Jakub Hrozek, 2010-12-20; 1 file, -5/+5)
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendly (Jakub Hrozek, 2010-12-20; 1 file, -12/+15)
  Notable changes include:
  * parse AAAA records in dnsclient
  * also ask for AAAA records when verifying FQDN
  * do not use functions that are not IPv6 aware - notably socket.gethostbyname()
  The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Add krb5-pkinit-openssl as a Requires on ipa-server package (Rob Crittenden, 2010-12-16; 1 file, -5/+0)
  ticket 599
* Fix Install using dogtag. (Simo Sorce, 2010-12-10; 1 file, -2/+9)
  The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstance (Simo Sorce, 2010-12-10; 1 file, -4/+9)
  This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Introduce ipa control script that reads configuration off ldap (Simo Sorce, 2010-12-10; 1 file, -0/+4)
  This replaces the former ipactl script, as well as replacing the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
* Move ntp configuration up top. (Simo Sorce, 2010-12-09; 1 file, -9/+10)
  Also move down some dsinstance related operation close to other dsinstance operations. Fixes: https://fedorahosted.org/freeipa/ticket/595
* Give back smaller and more readable ranges by default. (Simo Sorce, 2010-12-07; 1 file, -5/+6)
  Instead of allocating a completely random start between 1M and 2G and a range of 1M values, give 10000 possible 200k ranges. They all start at a 200k boundary so they generate more readable IDs, at least until there aren't too many users/replicas involved.
* Do not create reverse zone by default (Jakub Hrozek, 2010-12-02; 1 file, -1/+2)
  Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418
* Verify the --ip-address option when setting up DNS. (Rob Crittenden, 2010-11-24; 1 file, -0/+2)
  There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399
* id ranges: change DNA configuration (Simo Sorce, 2010-11-22; 1 file, -5/+16)
  Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Use sys.exit to quit scripts (Jakub Hrozek, 2010-11-22; 1 file, -20/+12)
  Instead of print and return, use sys.exit() to quit scripts with an error message and a non-zero return code. https://fedorahosted.org/freeipa/ticket/425
* Automatically disable pkinit when not supported (Simo Sorce, 2010-11-19; 1 file, -0/+4)
* Log interactive options in install scripts (Jakub Hrozek, 2010-11-19; 1 file, -0/+7)
* Add support for configuring KDC certs for PKINIT (Simo Sorce, 2010-11-18; 1 file, -1/+35)
  This patch adds support only for the selfsign case. Replica support is also still missing at this stage.