path: root/install/tools

Commit log for install/tools, newest first. Each entry gives the commit subject, then (author, date; files changed, lines -removed/+added), then the commit message as written.
* Fix typo causing ipa-upgradeconfig to fail.  (David Kupka, 2014-09-11; 1 file, -1/+1)
  Replace 'post-certsave-command' by 'cert-postsave-command'.
  https://fedorahosted.org/freeipa/ticket/4529
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: create ff krb extension on every install, replica install and upgrade  (Petr Vobornik, 2014-09-11; 1 file, -5/+0)
  We don't want to copy the extension from master to replica because the replica may use a newer version of FreeIPA and therefore the extension code might be obsolete. Same reason for upgrades.
  https://fedorahosted.org/freeipa/ticket/4478
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Backup CS.cfg before modifying it  (Jan Cholasta, 2014-09-05; 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/4166
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.  (Jan Cholasta, 2014-09-05; 2 files, -11/+14)
  The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present.
  Document --root-ca-file in ipa-server-install man page.
  https://fedorahosted.org/freeipa/ticket/4457
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not restart apache server when not necessary.  (David Kupka, 2014-09-05; 1 file, -1/+0)
  https://fedorahosted.org/freeipa/ticket/4352
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.  (David Kupka, 2014-09-05; 1 file, -8/+8)
  FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files.
  >=certmonger-0.75.13 is needed for this to work.
  https://fedorahosted.org/freeipa/ticket/4280
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow changing CA renewal master in ipa-csreplica-manage.  (Jan Cholasta, 2014-09-02; 2 files, -9/+33)
  https://fedorahosted.org/freeipa/ticket/4039
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add man page for ipa-kra-install  (Ade Lee, 2014-08-26; 2 files, -0/+57)
  https://fedorahosted.org/freeipa/ticket/4504
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPA  (Ade Lee, 2014-08-22; 7 files, -178/+148)
  This patch adds the capability of installing a Dogtag KRA to an IPA instance.

  With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also configured to monitor the new subsystem certificates.

  To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided.

  The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtaginstance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems.

  The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required.

  Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

  The uninstallation option in ipa-kra-install is temporarily disabled.

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert external CA chain to PKCS#7 before passing it to pkispawn.  (Jan Cholasta, 2014-08-14; 2 files, -6/+10)
  https://fedorahosted.org/freeipa/ticket/4397
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.  (Jan Cholasta, 2014-07-30; 1 file, -0/+18)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow upgrading CA-less to CA-full using ipa-ca-install.  (Jan Cholasta, 2014-07-30; 2 files, -17/+222)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow adding CA certificates to certificate store in ipa-cacert-manage.  (Jan Cholasta, 2014-07-30; 1 file, -0/+23)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.  (Jan Cholasta, 2014-07-30; 1 file, -0/+6)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.  (Jan Cholasta, 2014-07-30; 1 file, -0/+5)
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Get up-to-date CA certificates from certificate store in ipa-replica-install.  (Jan Cholasta, 2014-07-30; 1 file, -10/+18)
  Previously it used CA certificate from the replica info file directly.
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.  (Jan Cholasta, 2014-07-30; 1 file, -3/+28)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not treat the IPA RA cert as CA cert in DS NSS database.  (Jan Cholasta, 2014-07-30; 1 file, -9/+26)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
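Added example for the two entries above (not FreeIPA code): an audit of the trust flags in an NSS database listing. It parses the output of `certutil -L -d <dbdir>`, reports any non-CA nickname that carries CA trust (the RA agent cert "ipaCert" is the case the second commit fixes) and emits the `certutil -M` commands that would reset each entry to the expected flags. The listing, the nicknames, the database path and the expected trust strings "CT,C,C" / "u,u,u" are constructed for the example.

```python
"""Audit certificate trust flags in an NSS database listing.

Added example, not FreeIPA's own code. Works on a `certutil -L -d <dir>`
listing; the sample input and the expected flag strings are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed `certutil -L` output (not captured from a real server). The
# last entry reproduces the mistake the commit above fixes: the RA agent
# cert has been given CA trust flags.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      CT,C,C
"""

# NSS trust letters that make a cert usable as an issuer: c (valid CA),
# C (trusted CA for servers), T (trusted CA for client authentication).
CA_TRUST = set("cCT")
CA_FLAGS = "CT,C,C"    # assumed flags for the IPA CA certificate
LEAF_FLAGS = "u,u,u"   # assumed flags for a cert whose key is in the db

_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings.

    Header lines have no comma-separated trust column, so they are skipped.
    """
    certs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def has_ca_trust(flags) -> bool:
    """True if any column lets NSS treat the cert as a trust anchor."""
    return any(CA_TRUST & set(col) for col in flags)


def find_mistrusted(certs, ca_nicknames) -> List[str]:
    """Nicknames that are not CA certs but would be trusted as CAs."""
    return sorted(n for n, f in certs.items()
                  if n not in ca_nicknames and has_ca_trust(f))


def fix_commands(certs, ca_nicknames,
                 dbdir="/etc/dirsrv/slapd-EXAMPLE-COM") -> List[str]:
    """certutil -M invocations resetting every entry to its expected flags.

    The database path is a constructed placeholder.
    """
    cmds = []
    for nick, flags in certs.items():
        expected = CA_FLAGS if nick in ca_nicknames else LEAF_FLAGS
        if ",".join(flags) != expected:
            cmds.append(f'certutil -M -d {dbdir} -n "{nick}" -t "{expected}"')
    return cmds
```

Run `find_mistrusted(parse_listing(listing), {"<CA nickname>"})` against each of the HTTP and DS databases after an upgrade; an empty result means no leaf certificate can be abused as an issuer by that database's consumer.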
* Pick new CA renewal master when deleting a replica.  (Jan Cholasta, 2014-07-30; 2 files, -3/+20)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add CA certificate management tool ipa-cacert-manage.  (Jan Cholasta, 2014-07-30; 4 files, -0/+87)
  Part of https://fedorahosted.org/freeipa/ticket/3737
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move external cert validation from ipa-server-install to installutils.  (Jan Cholasta, 2014-07-30; 1 file, -41/+4)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Track CA certificate using dogtag-ipa-ca-renew-agent.  (Jan Cholasta, 2014-07-30; 1 file, -2/+17)
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Check if /root/ipa.csr exists when installing server with external CA.  (Jan Cholasta, 2014-07-28; 1 file, -2/+14)
  Remove the file on uninstall.
  https://fedorahosted.org/freeipa/ticket/4303
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* FIX: named_enable_dnssec should verify if DNS is installed  (Martin Basti, 2014-07-28; 1 file, -0/+5)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Improve password validity check.  (David Kupka, 2014-07-24; 1 file, -4/+31)
  Allow use of characters that no longer cause troubles. Check for leading and trailing characters in case of 389 Directory Manager password.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
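Added example (not FreeIPA's installutils code) of a pre-flight password check of the kind the entry above describes. The rules are assumptions for illustration: a minimum length, printable ASCII only, and, for the Directory Manager password only, no leading or trailing whitespace.

```python
"""Pre-flight check for installer passwords.

Added example, not FreeIPA's installutils code. The rules are assumptions:
a minimum length, printable ASCII only and, for the 389 Directory Manager
password specifically, no leading or trailing characters that Directory
Server may handle differently from the rest (whitespace is the case
checked here).
"""
MIN_LENGTH = 8                                      # assumed minimum
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def check_password(password, dm=False):
    """Return a list of problems; an empty list means the password passes.

    dm=True applies the stricter Directory Manager rules.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted({c for c in password if c not in PRINTABLE_ASCII})
    if bad:
        problems.append("non-printable or non-ASCII characters: "
                        + ", ".join(repr(c) for c in bad))
    if dm and password != password.strip():
        # Assumption: whitespace around the DM password would be read back
        # by Directory Server as a different string from what was typed.
        problems.append("leading or trailing whitespace")
    return problems
```

Reporting every problem at once, rather than raising on the first one, lets an installer print a single actionable message instead of making the admin retype the password several times.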
* DNSSEC: Add experimental support for DNSSEC  (Martin Basti, 2014-07-02; 1 file, -0/+21)
  Ticket: https://fedorahosted.org/freeipa/ticket/4408
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipaplatform: Move paths from installers to paths module  (Tomas Babej, 2014-06-26; 10 files, -62/+72)
  Part of: https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Implement OTP token importing  (Nathaniel McCallum, 2014-06-25; 4 files, -0/+63)
  This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support.

  For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens.

  This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework:
  1. We need to write an output file.
  2. The operation may be long-running (thousands of tokens).
  3. Only admins need to perform this task and it only happens infrequently.

  https://fedorahosted.org/freeipa/ticket/4261
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
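Added example for the entry above (not FreeIPA's ipa-otptoken-import): a minimal importer for an RFC 6030 (PSKC) key container. It parses each KeyPackage into a token description, verifies the result by computing RFC 4226 codes from the imported secret, and writes the packages it could not import back out as their own PSKC file, which is the recovery behaviour the commit describes. It handles PlainValue secrets only; the decryption support the commit mentions is not implemented here, and an encrypted secret is treated as an import failure. The sample container is constructed (modelled on the RFC 6030 examples, with the RFC 4226 test key as the HOTP secret).

```python
"""Import OTP tokens from an RFC 6030 (PSKC) key container.

Added example, not FreeIPA's ipa-otptoken-import: PlainValue secrets only,
no PSKC decryption. A KeyPackage that cannot be imported (encrypted secret,
unknown algorithm, bad base64) is collected and serialized back out as a
PSKC file for examination instead of aborting the whole run.
"""
import base64
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
NS = {"pskc": PSKC_NS}
ALG_PREFIX = PSKC_NS + ":"          # followed by hotp / totp
HASHES = {"sha1", "sha256", "sha512"}

# Constructed input modelled on RFC 6030 section 3. The HOTP secret is the
# RFC 4226 test key "12345678901234567890"; the second package has only an
# EncryptedValue (ciphertext omitted), so it must be reported, not imported.
SAMPLE_PSKC = f"""<KeyContainer Version="1.0" xmlns="{PSKC_NS}">
  <KeyPackage>
    <Key Id="12345678" Algorithm="{ALG_PREFIX}hotp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <Key Id="987654321" Algorithm="{ALG_PREFIX}totp">
      <Data>
        <Secret><EncryptedValue/></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""


class TokenImportError(ValueError):
    pass


def _plain(data, child):
    """Text of Data/<child>/PlainValue, or None if absent or encrypted."""
    node = data.find(f"pskc:{child}/pskc:PlainValue", NS)
    return None if node is None else (node.text or "").strip()


def parse_key(key):
    """Turn one <Key> element into a token dict ready to be added."""
    alg = key.get("Algorithm", "")
    otp_type = alg[len(ALG_PREFIX):] if alg.startswith(ALG_PREFIX) else None
    if otp_type not in ("hotp", "totp"):
        raise TokenImportError(f"unsupported algorithm {alg!r}")
    data = key.find("pskc:Data", NS)
    secret = _plain(data, "Secret") if data is not None else None
    if secret is None:
        raise TokenImportError("secret is not a PlainValue (encrypted or missing)")
    token = {"id": key.get("Id"), "type": otp_type,
             "key": base64.b64decode(secret, validate=True),  # binascii.Error on junk
             "digits": 6, "algorithm": "sha1"}
    fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
    if fmt is not None and fmt.get("Length"):
        token["digits"] = int(fmt.get("Length"))
    suite = key.find("pskc:AlgorithmParameters/pskc:Suite", NS)
    if suite is not None and suite.text:      # e.g. HMAC-SHA256
        token["algorithm"] = suite.text.strip().lower().replace("hmac-", "")
    if token["algorithm"] not in HASHES:
        raise TokenImportError(f"unsupported suite {suite.text!r}")
    if otp_type == "hotp":
        token["counter"] = int(_plain(data, "Counter") or 0)
    else:
        token["offset"] = int(_plain(data, "Time") or 0)
        token["interval"] = int(_plain(data, "TimeInterval") or 30)
    return token


def import_container(xml_text):
    """Parse every KeyPackage; return (tokens, [(package, reason), ...])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{PSKC_NS}}}KeyContainer":
        raise TokenImportError("not a PSKC KeyContainer")
    tokens, failed = [], []
    for pkg in root.findall("pskc:KeyPackage", NS):
        key = pkg.find("pskc:Key", NS)
        try:
            if key is None:
                raise TokenImportError("KeyPackage without Key")
            tokens.append(parse_key(key))
        except ValueError as err:       # TokenImportError and binascii.Error
            failed.append((pkg, str(err)))
    return tokens, failed


def failed_container_xml(failed):
    """Serialize unimported packages as a PSKC file, reason as an XML comment."""
    ET.register_namespace("", PSKC_NS)
    out = ET.Element(f"{{{PSKC_NS}}}KeyContainer", Version="1.0")
    for pkg, reason in failed:
        out.append(ET.Comment(f" not imported: {reason} "))
        out.append(pkg)
    return ET.tostring(out, encoding="utf-8")


def hotp(token, counter):
    """RFC 4226 code for an imported token (TOTP is HOTP over a time step)."""
    mac = hmac.new(token["key"], struct.pack(">Q", counter), token["algorithm"]).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** token["digits"]).zfill(token["digits"])
```

Usage: `tokens, failed = import_container(open(path).read())`, add each token, then write `failed_container_xml(failed)` to the output file. The failed packages are copied verbatim, so the sysadmin can fix or decrypt them and feed the output file straight back into the importer.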
* Allow SAN in IPA certificate profile.  (Jan Cholasta, 2014-06-24; 1 file, -1/+6)
  https://fedorahosted.org/freeipa/ticket/3977
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Remove redundant imports of ipaservices  (Tomas Babej, 2014-06-16; 6 files, -9/+4)
  Also fixes a few incorrect imports.
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change paths dependent on ipaservices to use ipaplatform.paths  (Tomas Babej, 2014-06-16; 1 file, -2/+3)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform services  (Tomas Babej, 2014-06-16; 5 files, -20/+25)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependent code in freeipa to use ipaplatform tasks  (Tomas Babej, 2014-06-16; 4 files, -10/+15)
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA version  (Petr Viktorin, 2014-05-27; 7 files, -0/+7)
  Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and individual tools that don't yet use the framework. This will make debugging easier.
  https://fedorahosted.org/freeipa/ticket/4219
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed typo in ipa-replica-manage man page  (Thorsten Scherf, 2014-05-12; 1 file, -1/+1)
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Adding verb to error message to make it less confusing.  (Jan Pazdziora, 2014-05-06; 1 file, -1/+1)
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Update certmonger configuration in ipa-upgradeconfig.  (Jan Cholasta, 2014-03-25; 1 file, -57/+90)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.  (Jan Cholasta, 2014-03-25; 1 file, -10/+4)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store information about which CA server is master for renewals in LDAP.  (Jan Cholasta, 2014-03-25; 1 file, -1/+1)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.  (Jan Cholasta, 2014-03-25; 1 file, -2/+2)
  Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.  (Jan Cholasta, 2014-03-25; 1 file, -4/+0)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.  (Jan Cholasta, 2014-03-25; 1 file, -9/+3)
  Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary.
  Also removed now unused upload_ca_dercert method of dsinstance.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not create CA certificate files in CA-less server install.  (Jan Cholasta, 2014-03-25; 1 file, -15/+4)
  The files are created later by ipa-client-install, there's no need to do it twice.
  This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.  (Jan Cholasta, 2014-03-25; 5 files, -9/+7)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update Dogtag 9 database during replica installation  (Martin Kosek, 2014-03-14; 2 files, -0/+8)
  When a Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9 based master, the PKI database is not updated and misses several ACLs which prevent some of the PKI functions, e.g. an ability to create other clones.

  Add an update file to do the database update. Content is based on recommendation from PKI team:
  * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

  This update file can be removed when Dogtag database upgrades are done in PKI component. Upstream tickets:
  * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
  * https://fedorahosted.org/pki/ticket/906 (checking database version)

  Also make sure that PKI service is restarted at the end of the installation as the other services to make sure it picks up changes done during LDAP updates.

  https://fedorahosted.org/freeipa/ticket/4243
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-replica-install never checks for 7389 port  (Martin Kosek, 2014-03-11; 2 files, -24/+11)
  When creating a replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port were blocked by a firewall, the installation would get stuck with no hint to the user.

  Make sure that the port configuration parsed from the replica info file is used consistently in the installers.

  https://fedorahosted.org/freeipa/ticket/4240
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Typo in warning message where IPA realm and domain name differ  (Gabe, 2014-03-05; 1 file, -1/+1)
  Removed 'y' from warning message.
  https://fedorahosted.org/freeipa/ticket/4211
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add --force option to ipactl  (Adam Misnyovszki, 2014-02-20; 2 files, -48/+67)
  If an error occurs in the start up sequence in ipactl start/restart, all the services are stopped. Using the --force option prevents stopping of services that have successfully started, just skips the services which can not be started.

  ipactl status now shows stopped services also, if the directory server is running.

  With the contribution of Ana Krivokapic

  https://fedorahosted.org/freeipa/ticket/3509
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipactl cannot restart ipa services if current status is stopped  (Misnyovszki Adam, 2014-02-19; 1 file, -2/+12)
  Fixed by starting the directory server when restarting if it is not currently running, to enable fetching running services later. Restart didn't check that.

  Also added a check that if the directory server was started at the beginning, there is no need to restart it.

  https://fedorahosted.org/freeipa/ticket/4050
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
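Added example for the two ipactl entries above (not ipactl's own code): a small model of the start/restart sequencing they describe. Services are simulated objects, so the default rollback on failure, the --force skip path, the status listing that depends on the directory server, and the restart-from-stopped case can be exercised offline. The service names and the failure injected into one of them are constructed; the list of enabled services is fetched through a callable because, as in IPA, that list lives in the directory server and can only be read once it is running.

```python
"""Model of ipactl start/restart/status sequencing.

Added example, not ipactl's own code; Service objects stand in for the
real units and the enabled-service list is supplied by a callable that
only works once dirsrv is up.
"""


class ServiceError(Exception):
    pass


class Service:
    """Stand-in for one IPA service (constructed for the example)."""

    def __init__(self, name, fail_start=False):
        self.name = name
        self.fail_start = fail_start   # simulate a unit that will not come up
        self.running = False
        self.starts = 0

    def start(self):
        if self.fail_start:
            raise ServiceError(f"{self.name} failed to start")
        self.running = True
        self.starts += 1

    def stop(self):
        self.running = False


def _start_enabled(dirsrv, enabled, force):
    """Start services in order; return ([started names], [skipped names]).

    Default: on the first failure stop everything already started (dirsrv
    included), in reverse order, and re-raise. With force=True the failing
    service is skipped and the remaining ones are still started.
    """
    started, skipped = [], []
    for svc in enabled:
        try:
            svc.start()
            started.append(svc)
        except ServiceError as err:
            if force:
                skipped.append(svc.name)
                continue
            for done in reversed(started):
                done.stop()
            dirsrv.stop()
            raise ServiceError(f"{err}; all services stopped") from err
    return [s.name for s in started], skipped


def start_all(dirsrv, enabled, force=False):
    """ipactl start: dirsrv first, then the enabled services."""
    dirsrv.start()
    started, skipped = _start_enabled(dirsrv, enabled, force)
    return [dirsrv.name] + started, skipped


def restart_all(dirsrv, fetch_enabled, force=False):
    """ipactl restart, including the case where everything is stopped."""
    ds_was_running = dirsrv.running
    if not ds_was_running:
        dirsrv.start()              # needed before fetch_enabled() can answer
    enabled = fetch_enabled()
    for svc in reversed(enabled):
        svc.stop()
    if ds_was_running:              # a dirsrv we just started needs no bounce
        dirsrv.stop()
        dirsrv.start()
    started, skipped = _start_enabled(dirsrv, enabled, force)
    return [dirsrv.name] + started, skipped


def status(dirsrv, fetch_enabled):
    """ipactl status: without dirsrv the other services cannot be listed."""
    if not dirsrv.running:
        return {dirsrv.name: False}
    return {dirsrv.name: True, **{s.name: s.running for s in fetch_enabled()}}
```

The trade-off the --force option makes is visible in `_start_enabled`: without it a single broken unit leaves the host with nothing running (safe, but an outage); with it the host comes up degraded, and `status` is what tells the admin which service was skipped.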
* Remove working directory for bind-dyndb-ldap plugin.  (Petr Spacek, 2014-01-27; 1 file, -4/+1)
  The working directory will be provided directly by bind-dyndb-ldap package.
  This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
  https://fedorahosted.org/freeipa/ticket/3967