path: root/install/tools
Commit message | Author | Age | Files | Lines
...
* Include REPLICA_FILE in usage for ipa-replica-install | Rob Crittenden | 2010-10-13 | 1 | -1/+2
    ticket 247
* Detect if DNS is already configured in IPA, or if IPA is not yet installed. | Rob Crittenden | 2010-10-08 | 1 | -0/+5
    ipa-dns-manage could fail in very odd ways depending on the current configuration of the server. Handle things a bit better.
    ticket 210
* install-script: Do not ask to remove DNS data | Simo Sorce | 2010-10-07 | 1 | -19/+3
    When we uninstall we wipe out the entire LDAP database, so it doesn't really make much sense to try to also remove single entries from it. This avoids the --uninstall procedure to fail because the DM password is not available or the LDAP server is down, and we are just trying to cleanup everything.
* Remove spurious error in server uninstaller about client uninstall failure. | Rob Crittenden | 2010-09-24 | 1 | -1/+2
    This was meant to catch the case where the client wasn't configured and it missed the most obvious one: the client was installed and is now uninstalled.
* Properly handle CertificateOperationErrors in replication preparation. | Rob Crittenden | 2010-09-24 | 1 | -2/+10
    The problem here was two-fold: the certs manager was raising an error it didn't know about and ipa-replica-prepare wasn't catching it.
    ticket 249
* Add new DNS install argument for setting the zone mgr e-mail addr. | Rob Crittenden | 2010-09-23 | 4 | -4/+14
    ticket 125
* Add missing man pages for ipa-dns-install and ipa-upgradeconfig. | Rob Crittenden | 2010-09-20 | 2 | -0/+81
    tickets 130 and 131
* Have ipactl start named after the KDC, otherwise it will fail. | Rob Crittenden | 2010-09-16 | 1 | -1/+1
* Add --no-host-dns argument to ipa-replica-install | Rob Crittenden | 2010-09-16 | 2 | -13/+19
    The server installer has this option, the replica installer should have it too.
    ticket 146
* Fix certmonger errors when doing a client or server uninstall. | Rob Crittenden | 2010-09-09 | 1 | -2/+3
    This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate.
    ticket 142
* Make ipactl a lot smarter and have it manage named as well. | Rob Crittenden | 2010-09-07 | 1 | -26/+71
    ticket 138
* Enable compat plugin by default and configure netgroups | Rob Crittenden | 2010-08-19 | 2 | -3/+16
    Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-compat-manage tool.
    ticket 91
* Correct CA options in ipa-server-install manpage | Rob Crittenden | 2010-08-10 | 1 | -3/+3
* This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. | Adam Young | 2010-07-29 | 1 | -14/+0
* Fix ipa-compat-manage and ipa-nis-manage | Rob Crittenden | 2010-07-15 | 2 | -54/+100
    Neither of these was working properly, I assume due to changes in the ldap backend. The normalizer now appends the basedn if it isn't included and this was causing havoc with these utilities.
    After fixing the basics I found a few corner cases that I also addressed:
    - you can't/shouldn't disable compat if the nis plugin is enabled
    - we always want to load the nis LDAP update so we get the netgroup config
    - LDAPupdate.update() returns True/False, not an integer
    I took some time and fixed up some things pylint complained about too.
    Ticket #83
* Fall back to DM password if GSSAPI fails and make deleting more user-friendly | Rob Crittenden | 2010-06-01 | 1 | -8/+38
    Try to be a bit more descriptive about why a deletion fails and generate a prettier error message.
* Query the remote server to see if this replica host already exists. | Rob Crittenden | 2010-06-01 | 1 | -13/+23
    If it does then the installation will fail trying to set up the keytabs, and not in a way that you say "aha, it's because the host is already enrolled."
* Add LDAP upgrade over ldapi support. | Rob Crittenden | 2010-06-01 | 1 | -17/+25
    This disables all but the ldapi listener in DS so it will be quiet when we perform our upgrades. It is expected that any other clients that also use ldapi will be shut down by other already (krb5 and dns).
    Add ldapi as an option in ipaldap and add the beginning of pure offline support (e.g. direct editing of LDIF files).
* Create default HBAC rule allowing any user to access any host from any host | Rob Crittenden | 2010-05-05 | 2 | -2/+8
    This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install.
    To remove it from a running server do:
        ipa hbac-del allow_all
* Make the installer/uninstaller more aware of its state | Rob Crittenden | 2010-05-03 | 1 | -8/+6
    We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured.
    This patch:
    - uses the state file to determine if dogtag was installed
    - prevents someone from trying to re-install an installed server
    - displays some output when uninstalling
    - re-arranges the ipa_kpasswd installation so the state is properly saved
    - removes pkiuser if it was added by the installer
    - fetches and installs the CA on both masters and clients
* Fix a couple of syntax errors in the installer. | Rob Crittenden | 2010-04-27 | 1 | -2/+5
    I meant to push these along with the original patch but pushed the wrong one.
* Replace a new instance of IPAdmin use in ipa-server-install. | Pavel Zuna | 2010-04-27 | 1 | -8/+11
* Connect to the ldap during the uninstallation | Martin Nagy | 2010-04-23 | 1 | -8/+28
    We need to ask the user for a password and connect to the ldap so the bind uninstallation procedure can remove old records. This is of course only helpful if one has more than one IPA server configured.
* Fix installing IPA with an external CA | Rob Crittenden | 2010-04-23 | 1 | -4/+18
    - cache all interactive answers
    - set non-interactive to True for the second run so nothing is asked
    - convert boolean values that are read in
    - require absolute paths for the external CA and signed cert files
    - fix the invocation message for the second ipa-server-install run
* Use correct name for CA PKCS#12 file. | Rob Crittenden | 2010-04-23 | 1 | -2/+2
    I recently renamed this and missed this reference.
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts. | Pavel Zuna | 2010-04-19 | 10 | -135/+135
* Remove incorrect option -U for --uninstall. -U is short for --unattended. | Rob Crittenden | 2010-04-16 | 1 | -1/+1
* Use GSSAPI auth for the ipa-replica-manage list and del commands. | Rob Crittenden | 2010-03-19 | 1 | -4/+18
    This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements.
    Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
* Better customize the message regarding the CA based on the install options. | Rob Crittenden | 2010-03-19 | 1 | -5/+10
    There are now 3 cases:
    - Install a dogtag CA and issue server certs using that
    - Install a selfsign CA and issue server certs using that
    - Install using either dogtag or selfsign and use the provided PKCS#12 files for the server certs. The installed CA will still be used by the cert plugin to issue any server certs.
* Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 | Rob Crittenden | 2010-03-19 | 1 | -3/+5
    pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.
* Initialize the api so imports work, trust all CAs included in the PKCS#12. | Rob Crittenden | 2010-03-19 | 1 | -1/+9
* Retrieve the LDAP schema using kerberos credentials. | Rob Crittenden | 2010-03-17 | 1 | -0/+1
    This is required so we can disable anonymous access in 389-ds.
* Proper use of set up vs setup (verb vs noun) | Rob Crittenden | 2010-03-16 | 1 | -3/+3
    Resolves #529787
* Make the CA a required component and configured by default. | Rob Crittenden | 2010-03-02 | 1 | -26/+11
    To install IPA without dogtag use the --selfsign option.
    The --ca option is now deprecated.
    552995
* Add A and PTR records during ipa-replica-prepare | Martin Nagy | 2010-02-09 | 2 | -1/+25
    Fixes #528996
* Get rid of ipapython.config in ipa-replica-prepare | Martin Nagy | 2010-02-09 | 2 | -80/+36
    Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly.
    Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
* Add ipa-dns-install script | Martin Nagy | 2010-02-09 | 2 | -0/+185
    Unfortunately, for now there is no --uninstall option.
* Add status option to ipactl | Rob Crittenden | 2010-02-09 | 1 | -1/+16
    Resolves #503437
* Set default log level in the *-manage utilities to ERROR and not NOTSET | Rob Crittenden | 2010-02-04 | 2 | -2/+2
* Fix sample IPA command example at end of installation | Rob Crittenden | 2010-02-03 | 1 | -1/+1
    Resolves #531455
* Bring ipa-server-install man page up-to-date, fix some syntax errors | Rob Crittenden | 2010-02-03 | 1 | -20/+30
    Remove a bunch of trailing spaces
    Add the --ca option
    Add the --no-host-dns option
    Add the --subject option
    Fix the one-character option for --no-ntp, should be -N not -n
    Add missing line break between --no-ntp and --uninstall
    Resolves #545260
* Remove some configuration files we create upon un-installation | Rob Crittenden | 2010-01-28 | 1 | -1/+6
    This is particularly important for Apache since we'd leave the web server handling unconfigured locations.
* Move some functions from ipa-server-install into installutils | Martin Nagy | 2010-01-21 | 1 | -54/+1
    We will need these functions in the new upcoming ipa-dns-install command.
* Only add an NTP SRV record if we really are setting up NTP | Martin Nagy | 2010-01-21 | 2 | -2/+3
    The sample bind zone file that is generated if we don't use --setup-dns is also changed.
    Fixes #500238
* Move api finalization in ipa-server-install after writing default.conf | Martin Nagy | 2010-01-21 | 1 | -23/+22
    We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns.
* User-defined certificate subjects | Rob Crittenden | 2010-01-20 | 3 | -17/+61
    Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR.
    The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.
    The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Add start/stop for the CA | Rob Crittenden | 2010-01-11 | 1 | -0/+8
* Make the IPA server host and its services "real" IPA entries | Rob Crittenden | 2009-12-11 | 2 | -3/+11
    We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server).
    Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Add force option to ipa-replica-manage to allow forcing deletion of a replica | Rob Crittenden | 2009-12-11 | 1 | -5/+13
    If a replica is not up for some reason (e.g. you've already deleted it) this used to quit and not let you delete the replica, generating errors in the DS logs. This will let you force a deletion.
* Ask the user before overwriting /etc/named.conf | Martin Nagy | 2009-12-02 | 2 | -8/+4