summaryrefslogtreecommitdiffstats
path: root/install/tools/ipa-upgradeconfig
Commit message (Collapse)AuthorAgeFilesLines
* Import included profiles during install or upgradeFraser Tweedale2015-06-041-1/+0
| | | | | | | | | | | | Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Server Upgrade: Move code from ipa-upgradeconfig to separate moduleMartin Basti2015-05-251-1410/+2
| | | | | | | | | This also prevent the script ipa-upgradeconfig execute upgrading. Upgrade of services is called from ipa-server-upgrade https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-3/+3
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make certificate renewal process synchronizedJan Cholasta2015-01-131-0/+3
| | | | | | | | Synchronization is achieved using a global renewal lock. https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com>
* Restart dogtag when its server certificate is renewedJan Cholasta2015-01-131-3/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove the removal of the ccacheSimo Sorce2015-01-081-1/+0
| | | | | | | | | | | | | | It is not necessary to remove the ccache on upgrades on modern IPA servers, even if the ccache contains stale data either it is re-initialized by mod_auth_kerb or a new ccache collection is created (if completely unrelated credentials were present), at least when using DIR or keyring ccaches. This line causes wrong SELinux labels to be set in the kernel keyring on uprades, which the cause the apache server to fail to use th ccache. https://fedorahosted.org/freeipa/ticket/4815 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Using wget to get status of CAMartin Basti2014-12-101-4/+0
| | | | | | | This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upgrade fix: masking named should be executed only onceMartin Basti2014-12-091-14/+16
| | | | | | | | | There was error in code, masking was executed more times, even it was succesful https://fedorahosted.org/freeipa/ticket/4755 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add TLS 1.2 to the protocol list in mod_nss configJan Cholasta2014-11-251-0/+13
| | | | | | https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Show warning instead of error if CA did not startMartin Basti2014-11-201-0/+4
| | | | | | | | This is just workaround, checking if CA is working raises false positive exception during upgrade Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix named working directory permissionsMartin Basti2014-11-181-0/+14
| | | | | | | | Just adding dir to specfile doesnt work, because is not guarantee the named is installed, during RPM installation. Ticket: https://fedorahosted.org/freeipa/ticket/4716 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNSSEC: upgradingMartin Basti2014-10-211-0/+67
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-9/+18
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not fix trust flags in the DS NSS DB in ipa-upgradeconfigJan Cholasta2014-10-171-6/+5
| | | | | | | | | It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as a source in the upload_cacrt update plugin. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfigJan Cholasta2014-10-171-1/+5
| | | | | | | | This fixes upgrade from CA-less to CA-full after IPA upgrade. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Stop dogtag when updating its configuration in ipa-upgradeconfig.David Kupka2014-10-151-23/+27
| | | | | | | | | Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add missing attributes to named.confMartin Basti2014-10-141-0/+120
| | | | | | Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix certmonger configuration in installer codeJan Cholasta2014-10-101-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4619 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix typo causing ipa-upgradeconfig to fail.David Kupka2014-09-111-1/+1
| | | | | | | | Replace 'post-certsave-command' by 'cert-postsave-command'. https://fedorahosted.org/freeipa/ticket/4529 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Backup CS.cfg before modifying itJan Cholasta2014-09-051-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-051-8/+8
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-73/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.Jan Cholasta2014-07-301-0/+18
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.Jan Cholasta2014-07-301-3/+28
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not treat the IPA RA cert as CA cert in DS NSS database.Jan Cholasta2014-07-301-9/+26
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Track CA certificate using dogtag-ipa-ca-renew-agent.Jan Cholasta2014-07-301-2/+17
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* FIX: named_enable_dnssec should verify if DNS is installedMartin Basti2014-07-281-0/+5
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC: Add experimental support for DNSSECMartin Basti2014-07-021-0/+21
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4408 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipaplatform: Move paths from installers to paths moduleTomas Babej2014-06-261-23/+24
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Allow SAN in IPA certificate profile.Jan Cholasta2014-06-241-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-1/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-2/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-271-0/+1
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Update certmonger configuration in ipa-upgradeconfig.Jan Cholasta2014-03-251-57/+90
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.Jan Cholasta2014-03-251-10/+4
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.Jan Cholasta2014-03-251-2/+2
| | | | | | | | | Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-271-4/+1
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
* Switch httpd to use default CCACHEMartin Kosek2014-01-221-1/+6
| | | | | | | | | | | | | Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
* Enable Retro Changelog and Content Synchronization DS pluginsAna Krivokapic2014-01-141-1/+4
| | | | | | | | | Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+1
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Remove mod_ssl port workaround.Jan Cholasta2013-11-261-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4021
* Remove mod_ssl conflictMartin Kosek2013-10-251-0/+1
| | | | | | | | | | | Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974
* ipa-upgradeconfig: Remove backed up smb.confTomas Babej2013-10-141-0/+14
| | | | | | | | | | | Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-58/+79
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Handle --subject option in ipa-server-installAna Krivokapic2013-08-081-2/+94
| | | | | | | | | | Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades. https://fedorahosted.org/freeipa/ticket/3783
* Add 'ipa_server_mode' option to SSSD configurationAna Krivokapic2013-07-181-1/+12
| | | | https://fedorahosted.org/freeipa/ticket/3652
* Change group ownership of CRL publish directoryTomas Babej2013-07-161-3/+4
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
* Manage ipa-otpd.socket by IPATomas Babej2013-06-061-11/+18
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Set KRB5CCNAME so that dirsrv can work with newer krb5-serverMartin Kosek2013-05-141-0/+1
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
* Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-serverRob Crittenden2013-05-091-0/+1
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd. https://fedorahosted.org/freeipa/ticket/3607
generated by cgit (git 2.34.1) at 2024-05-22 00:10:37 +0000