summaryrefslogtreecommitdiffstats
path: root/install/tools
Commit message (Collapse)AuthorAgeFilesLines
...
* Replace getList by a get_entries methodPetr Viktorin2013-03-013-14/+15
| | | | | | | | | | | The find_entries method is cumbersome to use: it requires keyword arguments for simple uses, and callers are tempted to ignore the 'truncated' flag it returns. Introduce a simpler method, get_entries, that returns the found list directly, and raises an errors if the list is truncated. Replace the getList method by get_entries. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_valuePetr Viktorin2013-03-013-28/+40
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.get_dns_sorted_by_lengthPetr Viktorin2013-03-011-6/+4
| | | | | | | A simple sort(key=len) is simpler both implementation-wise and semantics-wise. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove some unused importsPetr Viktorin2013-03-013-4/+0
| | | | | | Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper
* Check SSH connection in ipa-replica-conncheckPetr Viktorin2013-02-191-8/+35
| | | | | | | | | | | | | Since it is not really possible to separate SSH errors from errors of the called program, add a SSH check before calling replica-conncheck on the master. The check also adds the master to a temporary known_hosts file, so suppressing SSH's warning about unknown host is no longer necessary. If the "real" connection fails despite the check, any SSH errors will be included in the output. https://fedorahosted.org/freeipa/ticket/3402
* Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedirJakub Hrozek2013-02-181-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3132
* ipa-adtrust-install should ask for SID generationMartin Kosek2013-02-121-6/+42
| | | | | | | | When ipa-adtrust-install is run, check if there are any objects that need have SID generated. If yes, interactively ask the user if the sidgen task should be run. https://fedorahosted.org/freeipa/ticket/3195
* Add LDAP server fallback to client installerRob Crittenden2013-02-071-1/+1
| | | | | | | | | | | | | | Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388
* Take into consideration services when deleting replicasAna Krivokapic2013-02-061-0/+23
| | | | | | | | When deleting a replica from IPA domain: * Abort if the installation is about to be left without CA * Warn if the installation is about to be left without DNS Ticket: https://fedorahosted.org/freeipa/ticket/2879
* Port ipa-replica-prepare to the admintool frameworkPetr Viktorin2013-02-011-488/+4
| | | | | | | | | | | | | Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files. Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output) Part of: https://fedorahosted.org/freeipa/ticket/2652 Fixes: https://fedorahosted.org/freeipa/ticket/3285
* Use fully qualified CCACHE namesMartin Kosek2013-02-013-3/+3
| | | | | | | | | | | | | | Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environmental variable, it fails for new DIR type of CCACHE. We should always use both CCACHE type and name when referring to them to avoid these crashes. ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache. https://fedorahosted.org/freeipa/ticket/3381
* Remove unused krbV importsMartin Kosek2013-02-011-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/3381
* Fix a typo in ipa-adtrust-install helpTomas Babej2013-01-311-1/+1
| | | | | "Add SIDs for existing users andgroups as the final step" changed to "Add SIDs for existing users and groups as the final step".
* Use new certmonger locking to prevent NSS database corruption.Rob Crittenden2013-01-291-1/+53
| | | | | | | | | | | | | | | | | | | | | | | | dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
* Add the CA cert to LDAP after the CA installPetr Viktorin2013-01-291-0/+3
| | | | | | | | | | | | | The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message. This moves the cert upload to after the CA cert is ready and the certdb is created. Move the cert upload to after thecertdb is generated. https://fedorahosted.org/freeipa/ticket/3375
* Upgrade process should not crash on named restartMartin Kosek2013-01-151-2/+9
| | | | | | | | | | | | When either dirsrv or krb5kdc is down, named service restart in ipa-upgradeconfig will fail and cause a crash of the whole upgrade process. Rather only report a failure to restart the service and continue with the upgrade as it does not need the named service running. Do the same precaution for pki-ca service restart. https://fedorahosted.org/freeipa/ticket/3350
* Avoid CRL migration error messageMartin Kosek2013-01-111-3/+7
| | | | | | | | | | | | | | When CRL files are being migrated to a new directory, the upgrade log may contain an error message raised during MasterCRL.bin symlink migration. This is actually being caused by `chown' operation which tried to chown a symlinked file that was not migrated yet. Sort migrated files before the migration process and put symlinks at the end of the list. Also do not run chown on the symlinks as it is a redundant operation since the symlinked file will be chown'ed on its own. https://fedorahosted.org/freeipa/ticket/3336
* Fixed the catch of the hostname option during ipa-server-installLynn Root2012-12-111-1/+1
| | | | | | Originally ipa-server-install would still prompt for the hostname even if it's supplied in the initial installation command. Ticket: https://fedorahosted.org/freeipa/ticket/2692
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-072-0/+30
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Add OCSP and CRL URIs to certificatesMartin Kosek2012-12-074-14/+67
| | | | | | | | | | | | | | | | | Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
* Improve ipa-replica-prepare error messageMartin Kosek2012-12-061-4/+17
| | | | | | | | | When DNS zone/record manipulation commands fails for example due to a ValidationError, ipa-replica-prepapre reports a whole traceback which is difficult to read. Make sure our error error is more readable. https://fedorahosted.org/freeipa/ticket/3283
* Only update the list of running services in the installer or ipactl.Rob Crittenden2012-12-051-2/+8
| | | | | | | | The file is only present in the case of a server installation. It should only be touched by the server installer and ipactl. https://fedorahosted.org/freeipa/ticket/3277
* Change network configuration fileMartin Kosek2012-12-051-7/+2
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Make ipa-csreplica-manage work with both merged and non-merged DBsPetr Viktorin2012-11-231-21/+72
| | | | | | | | | | | | The ipa-csreplica-manage tool often assumed that the port numbers are the same on both sides of a replication agreement. This assumption doesn't hold in a cluster with both old-style hosts and ones with merged DBs. When managing agreements, determine the port with the PKI (or merged) DS on each master, and use it. Also, in CSReplicationManager, always use starttls rather than ldaps://.
* Filter suffix in replication management toolsMartin Kosek2012-11-231-1/+1
| | | | | | | | | With the new unified Dogtag10 LDAP database, PKI-CA data and the agreements themselves are now in the main LDAP instance. Replication management tools now need to properly filter replication agreements based on the suffix to avoid clashing of agreements of different types.
* Properly stop tracking certificates on uninstallPetr Viktorin2012-11-231-2/+3
| | | | | | | | | | Stopping certificate tracking was done as part of the PKI DS uninstall. Since with the merged DB, thePKI DS is not used any more, this step was skipped. Move certificate untracking to a separate step and call it separately. Also, the post-uninstall check for tracked certificates used the wrong set of Dogtag constants. Fix the issue.
* Update certmap.conf on IPA upgradesPetr Viktorin2012-11-231-1/+16
| | | | | | | | This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control. The file is overwritten on upgrades. This ensures that the cert for the ipaca user is recognized when ipa-ca-install is run on older masters.
* Fix schema replication from old mastersPetr Viktorin2012-11-234-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213
* Changes to use a single database for dogtag and IPAAde Lee2012-11-237-66/+114
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
* ipa-adtrust-install: allow to reset te NetBIOS domain nameSumit Bose2012-11-082-19/+96
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3192
* Handle the case where there are no replicas with list-ruvRob Crittenden2012-11-071-10/+11
| | | | | | | This assumed that at least was returned by LDAP. This is not the case if no replicas have ever been created. https://fedorahosted.org/freeipa/ticket/3229
* Reword description of the --passsync option of ipa-replica-manage.Jan Cholasta2012-11-022-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/3208
* Get list of service from LDAP only at startupSimo Sorce2012-11-011-55/+158
| | | | | | | | | | We check (possibly different) data from LDAP only at (re)start. This way we always shutdown exactly the services we started even if the list changed in the meanwhile (we avoid leaving a service running even if it was removed from LDAP as the admin decided it should not be started in future). This should also fix a problematic deadlock with systemd when we try to read the list of service from LDAP at shutdown.
* After unininstall see if certmonger is still tracking any of our certs.Rob Crittenden2012-11-011-1/+9
| | | | | | | | | | | | | | Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
* IPA Server check in ipa-replica-manageTomas Babej2012-10-311-1/+49
| | | | | | | | | | When executing ipa-replica-manage connect to an master that raises NotFound error we now check if the master is at least IPA server. If so, we inform the user that it is probably foreign or previously deleted master. If not, we inform the user that the master is not an IPA server at all. https://fedorahosted.org/freeipa/ticket/3105
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse ↵Petr Viktorin2012-10-231-8/+22
| | | | | | | | | | | | | | resolution check Previously, ipa-replica-install tried to check DNS resolution on the master being cloned. If that master was not a DNS server, the check failed. Change the check to query the first available configured DNS server. Log about the check before actually running it. Log in the case the check is skipped (no IPA DNS servers installed). https://fedorahosted.org/freeipa/ticket/3194
* Improve error messages in ipa-replica-manage.Rob Crittenden2012-10-231-8/+14
| | | | | | | | | | | | | Correctly handle case where we bind using GSSAPI with an unauthorized user. Remove extraneous except clause. We now have handle for LDAP errors. Make it explicit in a few places what server we can't connect to. When the remote replica is down and we are forcing its removal, remove a duplicate entry from the list of servers to remove. https://fedorahosted.org/freeipa/ticket/2871
* Report ipa-upgradeconfig errors during RPM upgradeMartin Kosek2012-10-182-3/+16
| | | | | | | | | | | | | Report errors just like with ipa-ldap-updater. These messages should warn user that some parts of the upgrades may have not been successful and he should follow up on them. Otherwise, user may not notice them at all. ipa-upgradeconfig now has a new --quiet option to make it output only error level log messages or higher. ipa-upgradeconfig run without options still pring INFO log messages as it can provide a clean overview about its actions (unlike ipa-ldap-updater). https://fedorahosted.org/freeipa/ticket/3157
* Create reverse zone in unattended modeMartin Kosek2012-10-192-2/+6
| | | | | | | | | Previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of reverse zone when running in unattended mode. Make sure that reverse zone is created also in unattended mode (unless --no-reverse is specified). https://fedorahosted.org/freeipa/ticket/3161
* Don't configure a reverse zone if not desired in interactive installer.Rob Crittenden2012-10-172-3/+3
| | | | | | | | A reverse zone was always configured in the interactive installer even if you answered "no" to the reverse zone question. The only way to not confiugre it was the --no-reverse option. https://fedorahosted.org/freeipa/ticket/3161
* Add uninstall command hints to ipa-*-installNikolai Kondrashov2012-10-162-6/+9
| | | | | | | | Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3065
* Configure the initial CA as the CRL generator.Rob Crittenden2012-10-091-1/+8
| | | | | | | | Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one. https://fedorahosted.org/freeipa/ticket/3051
* Create Firefox extension on upgrade and replica-installPetr Viktorin2012-10-102-0/+14
| | | | | | | | If the signing cert is not available, create an unsigned extension. Add a zip dependency to the specfile. https://fedorahosted.org/freeipa/ticket/3150
* replica-install: Don't copy Firefox config extension files if they're not in ↵Petr Viktorin2012-10-101-2/+6
| | | | | | | | the replica file This allows cloning from older masters. https://fedorahosted.org/freeipa/ticket/3150
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux functionPetr Viktorin2012-10-101-8/+0
| | | | This function was never called from anywhere.
* Fix CS replication management.Rob Crittenden2012-10-091-18/+40
| | | | | | | | | | | | | | | | | The master side should be on the local side, replica1, not the remote. This required reversing a few master variables. This impacts the naming of the replication agreements. When deleting an agreement pass in the DN of that agreement rather than trying to calculate what it is on-the-fly. We cannot be sure which side is the master/clone and since we search for it anyway to determine if the agreement exists it is more correct to use what we find. The force flag wasn't being passed into del_link so there was no way to force a deletion. https://fedorahosted.org/freeipa/ticket/2858
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-101-14/+29
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Set renewal time for the CA audit certificate to 720 days.Rob Crittenden2012-10-091-7/+14
| | | | | | | | The initial certificate is issued for two years but renewals are for six months for some reason. This fixes it for new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/2951
* Move CRL publish directory to IPA owned directoryMartin Kosek2012-10-091-10/+93
| | | | | | | | | | | | | | | | | | | | | | | Currently, CRL files are being exported to /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages: * We depend on pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also a root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks. * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages report errors when defining SELinux policy for these directories. Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error. The new CRL publish directory is used for both new IPA installs and upgrades, where contents of the directory (CRLs) is first migrated to the new location and then the actual configuration change is made. https://fedorahosted.org/freeipa/ticket/3144
generated by cgit (git 2.34.1) at 2024-06-23 11:54:42 +0000