summaryrefslogtreecommitdiffstats
path: root/install/tools
Commit message (Collapse)AuthorAgeFilesLines
* Check /etc/hosts file in ipa-server-installMartin Kosek2011-10-131-0/+22
| | | | | | | | There may already be a record in /etc/hosts for chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly. https://fedorahosted.org/freeipa/ticket/1923
* Hostname used by IPA must be a system hostnameMartin Kosek2011-10-132-1/+24
| | | | | | | | | | | Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname. https://fedorahosted.org/freeipa/ticket/1931
* Check hostname resolution sanityMartin Kosek2011-10-131-1/+1
| | | | | | | | | Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
* Fix upgrades of selfsign serverRob Crittenden2011-10-111-0/+3
| | | | | | | In checking to see if the dogtag proxy configuration needed to be updated we didn't handle the case where dogtag isn't installed at all. https://fedorahosted.org/freeipa/ticket/1951
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-0/+1
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* Execute pki proxy setup when server is upgraded if neededAdam Young2011-10-091-2/+21
|
* Improve ipa-replica-prepare DNS checkMartin Kosek2011-10-064-17/+12
| | | | | | | | | | | | | Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowedSimo Sorce2011-10-063-26/+31
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interruptedMartin Kosek2011-10-0613-9/+44
| | | | | | | | | When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
* - note that PKCS#12 files also contain private keys, and that the "pkinit" ↵Nalin Dahyabhai2011-10-041-3/+6
| | | | options refer to the KDC's credentials
* Work around pkisilent bugs.Jan Cholasta2011-10-041-6/+25
| | | | | | | | | | | Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641) Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180) ticket 1636
* Add a function for formatting network locations of the form host:port for ↵Jan Cholasta2011-10-054-10/+10
| | | | | | | | | use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869
* Be more clear about selfsign optionMartin Kosek2011-10-042-5/+13
| | | | | | | | | | | | | | Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really want to install it by implementing the following steps: - moving the option to the bottom of certificate options section - adding a warning to ipa-server-install man page - adding a warning to ipa-server-install help - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install https://fedorahosted.org/freeipa/ticket/1908
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install.Rob Crittenden2011-09-272-7/+9
| | | | | | | | | | ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
* Revert "Always require SSL in the Kerberos authorization block."Martin Kosek2011-09-271-1/+1
| | | | | | | This patch broke installation of a new master. Reverting until we develop a better solution. This reverts commit f42da4357eac7e64e803b53c78d6cff9175d20a4.
* Fix ipa-replica-prepare always warning the user about not using the system ↵Jan Cholasta2011-09-261-1/+1
| | | | | | hostname. ticket 1717
* Always require SSL in the Kerberos authorization block.Rob Crittenden2011-09-231-1/+1
| | | | | | | This also corrects a slight bug where if add is True then we always re-update the file. https://fedorahosted.org/freeipa/ticket/1755
* Remove checks for ds-replication pluginMartin Kosek2011-09-222-6/+2
| | | | | | | The replication plugin is no longer shipped as a separate package. Remove the code checking its existence. https://fedorahosted.org/freeipa/ticket/1815
* conncheck: Additional check to verify the admin password is okSimo Sorce2011-09-211-0/+9
| | | | | | If we can get a ticket for the master then we know we got all right. This should avoid being prompted again by ssh if the kinit failed and for some reason the error was not caught (seen in live tests).
* 25 Create Tool for Enabling/Disabling Managed Entry PluginsJR Aquino2011-09-215-233/+272
| | | | | | | | Remove legacy ipa-host-net-manage Add ipa-managed-entries tool Add man page for ipa-managed-entries tool https://fedorahosted.org/freeipa/ticket/1181
* dirsrv is not stopped correctly in the fallbackMartin Kosek2011-09-201-1/+1
| | | | | | | The previous patch fixed ipactl stop command. However, the dirsrv stop in the ipactl start command fallback was not right either. https://fedorahosted.org/freeipa/ticket/1800
* ipactl does not stop dirsrvMartin Kosek2011-09-201-1/+1
| | | | | | | Remove an invalid instance name passed to dirsrv service so that it is correctly stopped. https://fedorahosted.org/freeipa/ticket/1800
* Add ipa-adtrust-install utilitySumit Bose2011-09-144-0/+298
| | | | https://fedorahosted.org/freeipa/ticket/1619
* Update ipa-ldap-updater man page saying it is not an end-user utilityRob Crittenden2011-09-141-4/+8
| | | | https://fedorahosted.org/freeipa/ticket/1792
* Improved handling for ipa-pki-proxy.confRob Crittenden2011-09-132-9/+18
| | | | | | | | | - Remove ipa-pki-proxy.conf when IPA is uninstalled - Move file removal to httpinstance.py and use remove_file() - Add a version stanza - Create the file if it doesn't exist on upgraded installs https://fedorahosted.org/freeipa/ticket/1771
* Call standard_logging_setup() before any logging is doneSumit Bose2011-09-131-2/+2
|
* Convert installation tools to platform-independent access to system servicesAlexander Bokovoy2011-09-135-34/+50
| | | | http://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installersMartin Kosek2011-09-071-17/+17
| | | | | | | | Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
* Improve man pages structureMartin Kosek2011-09-0717-163/+207
| | | | | | | | | | | | | | | | There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed. To further improve man pages: 1) All man pages were changed to have the same header and top-center title to provide united look. 2) Few typos in man pages have been fixed https://fedorahosted.org/freeipa/ticket/1687
* conncheck: Fix List of ports to checkSimo Sorce2011-09-011-6/+6
| | | | | | | | | We need to check all Kerberos ports both TCP and UDP transports. Since we have the PKI proxy configuration all communication with the CA happens on the standard 80/443 ports so we need to check them always. We do not need to leave the old CA ports open. These ports are still used locally but not over the network.
* install: We do not need a kpasswd keytab anymoreSimo Sorce2011-08-312-3/+0
| | | | | | We now use MIT's kadmin instead of our old ipa_kpasswd daemon. kadmind knows how to fetch the keys directly from the database and doesn't need a keytab on the filesystem.
* install: We do not need a ldap password anymoreSimo Sorce2011-08-312-3/+1
| | | | | | | Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't need a bind password anymore. Fixes: https://fedorahosted.org/freeipa/ticket/1743
* Let Bind track data changesMartin Kosek2011-08-314-2/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* Add common is_installed() fn, better uninstall logging, check for errors.Rob Crittenden2011-08-292-3/+27
| | | | | | | | | | | | | | The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
* enable proxy for dogtagAdam Young2011-08-291-0/+4
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* daemons: Remove ipa_kpasswdSimo Sorce2011-08-263-38/+1
| | | | | | Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
* Suppress 389-ds debug output when starting servicesRob Crittenden2011-08-241-12/+49
| | | | | | If the user wants the output they can pass the --debug flag to ipactl. https://fedorahosted.org/freeipa/ticket/1402
* Verify that the external CA certificate files are correct.Jan Cholasta2011-08-231-6/+41
| | | | ticket 1572
* Add option to install without the automatic redirect to the Web UI.Jan Cholasta2011-08-184-5/+15
| | | | ticket 1570
* Verify that passwords specified through command line options of ↵Jan Cholasta2011-08-181-0/+5
| | | | | | ipa-server-install meet the length requirement. ticket 1621
* Make sure messagebus is running prior to starting certmonger.Jan Cholasta2011-08-181-2/+0
| | | | ticket 1580
* Add information on setting api.env.host in the ipactl.8 man pageRob Crittenden2011-08-191-0/+2
| | | | ticket https://fedorahosted.org/freeipa/ticket/1390
* Ask for reverse DNS zone information in attended install right after asking ↵Jan Cholasta2011-08-092-34/+33
| | | | | | for DNS forwarders, so that DNS configuration is done in one place. ticket 1522
* Re-arrange CA configuration code to reduce the number of restarts.Rob Crittenden2011-08-033-9/+0
| | | | | | | | Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one. https://fedorahosted.org/freeipa/ticket/1555
* Improve error message in ipactlMartin Kosek2011-08-041-1/+22
| | | | | | | | | | | | If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured master so that the hostname setting in IPA configuration can be easily fixed. https://fedorahosted.org/freeipa/ticket/1558
* Clean up existing DN object usageJohn Dennis2011-07-291-3/+3
|
* Fix external CA install.Jan Cholasta2011-07-261-25/+34
| | | | ticket 1523
* Fix man page ipa-csreplica-manageMartin Kosek2011-07-251-3/+3
| | | | | | Fix references to ipa-replica-manage in ipa-csreplica-manage. https://fedorahosted.org/freeipa/ticket/1519
* Fix ipa-compat-manage not working after recent ipa-nis-manage change.Jan Cholasta2011-07-222-42/+68
| | | | ticket 1147
* Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.Jan Cholasta2011-07-191-15/+0
| | | | ticket 1469
generated by cgit (git 2.34.1) at 2024-05-20 17:48:08 +0000