There may already be a record in /etc/hosts for the chosen IP address
which may not be detected under some circumstances. Make sure
that /etc/hosts is checked properly.
https://fedorahosted.org/freeipa/ticket/1923
Make sure that the hostname IPA uses is a system hostname. If the user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.
This step should prevent various service failures in services which may not
be ready to talk to IPA with a non-system hostname.
https://fedorahosted.org/freeipa/ticket/1931
Always check (even with --setup-dns or --no-host-dns) that if the
host name or IP address resolves, it resolves to a sane value. Otherwise
report an error. A misconfigured /etc/hosts causing these errors could
harm the installation later.
https://fedorahosted.org/freeipa/ticket/1923
In checking to see if the dogtag proxy configuration needed to be updated
we didn't handle the case where dogtag isn't installed at all.
https://fedorahosted.org/freeipa/ticket/1951
This resolves two issues:
1. The DNS ACIs lacked a prefix so they weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberOf via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
Currently, the verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for a
new replica when verify_fqdn() reports a lookup error).
Implement own exceptions for verify_fqdn() so that they can be safely
used to distinguish the error type.
https://fedorahosted.org/freeipa/ticket/1899
Fixes: https://fedorahosted.org/freeipa/ticket/1900
When the getpass.getpass() function is interrupted via CTRL+D, an EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and a nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
options refer to the KDC's credentials
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)
Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)
ticket 1636
use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).
ticket 1869
Installing IPA server with the --selfsign option is currently a one-way ticket
to a server with limited certificate capabilities. Make sure that the user
really wants to install it by implementing the following steps:
- moving the option to the bottom of the certificate options section
- adding a warning to the ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to the ipa-server-install configuration summary
when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
ipa-ca-install can only add a dogtag CA to an IPA install.
ipa-replica-prepare can only be run on the initial master with a
selfsign backend.
https://fedorahosted.org/freeipa/ticket/1756
https://fedorahosted.org/freeipa/ticket/1757
This patch broke installation of a new master. Reverting until
we develop a better solution.
This reverts commit f42da4357eac7e64e803b53c78d6cff9175d20a4.
hostname.
ticket 1717
This also corrects a slight bug where if add is True then we always
re-update the file.
https://fedorahosted.org/freeipa/ticket/1755
The replication plugin is no longer shipped as a separate package.
Remove the code checking its existence.
https://fedorahosted.org/freeipa/ticket/1815
If we can get a ticket for the master then we know we got it all right.
This should avoid being prompted again by ssh if the kinit failed and for some
reason the error was not caught (seen in live tests).
Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool
https://fedorahosted.org/freeipa/ticket/1181
The previous patch fixed ipactl stop command. However, the dirsrv
stop in the ipactl start command fallback was not right either.
https://fedorahosted.org/freeipa/ticket/1800
Remove an invalid instance name passed to dirsrv service so that
it is correctly stopped.
https://fedorahosted.org/freeipa/ticket/1800
https://fedorahosted.org/freeipa/ticket/1619
https://fedorahosted.org/freeipa/ticket/1792
- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs
https://fedorahosted.org/freeipa/ticket/1771
http://fedorahosted.org/freeipa/ticket/1605
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in the ipa-*-install scripts, which makes them
difficult to read. This patch adds subsections to the install scripts'
online help and man pages to improve readability. No option has
been changed.
To further improve the man pages:
1) All man pages were changed to have the same header and top-center
title to provide a united look.
2) A few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
We need to check all Kerberos ports on both TCP and UDP transports.
Since we have the PKI proxy configuration, all communication with the CA happens
on the standard 80/443 ports, so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
Our new ipa-kdb driver accesses LDAP via ldapi:// and EXTERNAL auth and doesn't
need a bind password anymore.
Fixes: https://fedorahosted.org/freeipa/ticket/1743
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define the number of seconds
between bind-dyndb-ldap polls for new DNS zones. The user now
doesn't have to restart the name server when a new zone is added.
2) New zone notifications
Use the LDAP persistent search mechanism to immediately get a
notification when any new DNS zone is added. Use the --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update the list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

    dynamic-db "ipa" {
        ...
        arg "zone_refresh 0";
        arg "psearch yes";
    };

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
The installer and ipactl used two different methods to determine
whether IPA was configured; unify them.
When uninstalling, report anything that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remain after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
Add a flag to pkicreate in order to enable using the proxy.
Add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
If the user wants the output they can pass the --debug flag to ipactl.
https://fedorahosted.org/freeipa/ticket/1402
ticket 1572
ticket 1570
ipa-server-install meet the length requirement.
ticket 1621
ticket 1580
ticket https://fedorahosted.org/freeipa/ticket/1390
for DNS forwarders, so that DNS configuration is done in one place.
ticket 1522
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
If a hostname configured in /etc/ipa/default.conf is changed and
is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX,
ipactl gives an unintelligible error.
This patch improves the error message and also offers a list of
configured masters so that the hostname setting in the IPA configuration
can be easily fixed.
https://fedorahosted.org/freeipa/ticket/1558
ticket 1523
Fix references to ipa-replica-manage in ipa-csreplica-manage.
https://fedorahosted.org/freeipa/ticket/1519
ticket 1147
ticket 1469