| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
This will prevent certmonger failures. On very minimal installs it seems
that messagebus is not always started.
ticket 528
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
|
|
|
|
|
|
|
|
| |
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
|
|
|
|
| |
ticket 599
|
|
|
|
|
|
|
| |
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
|
|
|
|
|
|
|
|
| |
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
|
|
|
|
|
|
|
|
|
|
|
| |
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
|
|
|
|
|
|
|
| |
Also move down some dsinstance related operation close to other dsinstance
operations.
Fixes: https://fedorahosted.org/freeipa/ticket/595
|
|
|
|
|
|
|
| |
Instead of allocating a completely random start between 1M and 2G and a range
of 1M values, give 10000 possible 200k ranges. They all start at a 200k
boundary so they generate more readable IDs, at least until there arent't too
many users/replicas involved.
|
|
|
|
|
|
|
| |
Prompt for creation of reverse zone, with the default for unattended
installations being False.
https://fedorahosted.org/freeipa/ticket/418
|
|
|
|
|
|
|
|
|
| |
There was a corner case where the value of --ip-address was never verified
if you were also setting up DNS.
Added this bit of information to the man page too.
ticket 399
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
|
|
|
|
|
|
|
| |
Instead of print and return, use sys.exit() to quit scripts with an
error message and a non zero return code.
https://fedorahosted.org/freeipa/ticket/425
|
| |
|
| |
|
|
|
|
|
| |
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
|
|
|
|
| |
Also use the realm name as nickname for the CA certificate
|
|
|
|
|
|
| |
Also shut down all services before starting uninstall.
ticket 349
|
|
|
|
|
|
|
|
| |
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
|
|
|
|
|
|
|
|
| |
When we uninstall we wipe out the entire LDAP database, so it doesn't really
make mush sense to try to also remove single entries from it.
This avoids the --uninstall procedure to fail because the DM password is not
available or the LDAP server is down, and we are just trying to cleanup
everything.
|
|
|
|
|
|
| |
This was meant to catch the case where the client wasn't configured and
it missed the most obvious one: the client was installed and is now
uninstalled.
|
|
|
|
| |
ticket 125
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
|
|
|
|
| |
Javascript based ui.
|
|
|
|
|
|
|
|
|
| |
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
|
|
|
|
| |
I meant to push these along with the original patch but pushed the wrong one.
|
| |
|
|
|
|
|
|
| |
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
|
|
|
|
|
|
|
|
| |
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There are now 3 cases:
- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
for the server certs. The installed CA will still be used by the cert
plugin to issue any server certs.
|
|
|
|
| |
This is required so we can disable anonymous access in 389-ds.
|
|
|
|
| |
Resolves #529787
|
|
|
|
|
|
|
|
| |
To install IPA without dogtag use the --selfsign option.
The --ca option is now deprecated.
552995
|
|
|
|
| |
Resolves #531455
|
|
|
|
|
| |
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
|
|
|
|
|
| |
We will need these functions in the new upcoming ipa-dns-install
command.
|
|
|
|
|
|
|
| |
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.
Fixes #500238
|
|
|
|
|
| |
We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
|
|
|
|
|
|
|
|
|
|
|
| |
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
|
| |
|
|
|
|
|
| |
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
|
|
|
|
|
|
|
| |
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.
This wipes out the last vestiges of the old ipa.conf from v1.
|
|
|
|
|
|
|
|
|
| |
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.
Subject alt names are only allowed if:
- the host for the alt name exists in IPA
- if binding as host principal, the host is in the services managedBy attr
|
|
|
|
|
|
|
|
| |
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.
The DS db wasn't getting a password set on it. Go ahead and set one.
|
|
|
|
|
| |
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
|
|
|
|
|
|
|
|
| |
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
|