path: root/install/tools
Each entry lists the commit message, author, date, number of files changed and lines removed/added.
* Convert installation tools to platform-independent access to system services
  Alexander Bokovoy, 2011-09-13 (5 files, -34/+50)
  http://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installers
  Martin Kosek, 2011-09-07 (1 file, -17/+17)
  Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable.
  https://fedorahosted.org/freeipa/ticket/1644
* Improve man pages structure
  Martin Kosek, 2011-09-07 (17 files, -163/+206)
  There are too many options in ipa-*-install scripts, which makes them difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed.
  To further improve man pages:
  1) All man pages were changed to have the same header and top-center title to provide a united look.
  2) A few typos in man pages have been fixed.
  https://fedorahosted.org/freeipa/ticket/1687
* conncheck: Fix list of ports to check
  Simo Sorce, 2011-09-01 (1 file, -6/+6)
  We need to check all Kerberos ports on both TCP and UDP transports. Since we have the PKI proxy configuration, all communication with the CA happens on the standard 80/443 ports, so we need to check them always. We do not need to leave the old CA ports open. These ports are still used locally but not over the network.
* Let Bind track data changes
  Martin Kosek, 2011-08-31 (4 files, -2/+50)
  Integrate new bind-dyndb-ldap features to automatically track DNS data changes:
  1) Zone refresh
     Set --zone-refresh in installation to define the number of seconds between bind-dyndb-ldap polls for new DNS zones. The user now doesn't have to restart the name server when a new zone is added.
  2) New zone notifications
     Use the LDAP persistent search mechanism to immediately get a notification when any new DNS zone is added. Use the --zone-notif install option to enable. This option is mutually exclusive with zone refresh.
  To enable this functionality in existing IPA installations, update the list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled:
      dynamic-db "ipa" {
          ...
          arg "zone_refresh 0";
          arg "psearch yes";
      };
  This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
  https://fedorahosted.org/freeipa/ticket/826
* enable proxy for dogtag
  Adam Young, 2011-08-29 (1 file, -0/+4)
  Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.
  The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca, just for this purpose.
  https://fedorahosted.org/freeipa/ticket/1334
  Add flag to pkicreate in order to enable using proxy. Add the proxy file in /etc/http/conf.d/
  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Add common is_installed() fn, better uninstall logging, check for errors.
  Rob Crittenden, 2011-08-29 (2 files, -3/+27)
  The installer and ipactl used two different methods to determine whether IPA was configured; unify them.
  When uninstalling, report anything that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remain after all the module uninstallers are complete.
  Add wrappers for removing files and directories to log failures.
  https://fedorahosted.org/freeipa/ticket/1715
* Suppress 389-ds debug output when starting services
  Rob Crittenden, 2011-08-24 (1 file, -12/+49)
  If the user wants the output they can pass the --debug flag to ipactl.
  https://fedorahosted.org/freeipa/ticket/1402
* Verify that the external CA certificate files are correct.
  Jan Cholasta, 2011-08-23 (1 file, -6/+41)
  ticket 1572
* Add option to install without the automatic redirect to the Web UI.
  Jan Cholasta, 2011-08-18 (4 files, -5/+15)
  ticket 1570
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
  Jan Cholasta, 2011-08-18 (1 file, -0/+5)
  ticket 1621
* Make sure messagebus is running prior to starting certmonger.
  Jan Cholasta, 2011-08-18 (1 file, -2/+0)
  ticket 1580
* Add information on setting api.env.host in the ipactl.8 man page
  Rob Crittenden, 2011-08-19 (1 file, -0/+2)
  ticket https://fedorahosted.org/freeipa/ticket/1390
* Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.
  Jan Cholasta, 2011-08-09 (2 files, -34/+33)
  ticket 1522
* Re-arrange CA configuration code to reduce the number of restarts.
  Rob Crittenden, 2011-08-03 (3 files, -9/+0)
  Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.
  https://fedorahosted.org/freeipa/ticket/1555
* Improve error message in ipactl
  Martin Kosek, 2011-08-04 (1 file, -1/+22)
  If a hostname configured in /etc/ipa/default.conf is changed and is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX, ipactl gives an unintelligible error. This patch improves the error message and also offers a list of configured masters so that the hostname setting in IPA configuration can be easily fixed.
  https://fedorahosted.org/freeipa/ticket/1558
* Clean up existing DN object usage
  John Dennis, 2011-07-29 (1 file, -3/+3)
* Fix external CA install.
  Jan Cholasta, 2011-07-26 (1 file, -25/+34)
  ticket 1523
* Fix man page ipa-csreplica-manage
  Martin Kosek, 2011-07-25 (1 file, -3/+3)
  Fix references to ipa-replica-manage in ipa-csreplica-manage.
  https://fedorahosted.org/freeipa/ticket/1519
* Fix ipa-compat-manage not working after recent ipa-nis-manage change.
  Jan Cholasta, 2011-07-22 (2 files, -42/+68)
  ticket 1147
* Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.
  Jan Cholasta, 2011-07-19 (1 file, -15/+0)
  ticket 1469
* Clean up of IP address checks in install scripts.
  Jan Cholasta, 2011-07-19 (3 files, -27/+11)
  Fixes ipa-dns-install incorrect warning.
  ticket 1486
* Create tool to manage dogtag replication agreements
  Rob Crittenden, 2011-07-17 (4 files, -0/+547)
  For the most part the existing replication code worked, with the following exceptions:
  - Added more port options
  - It assumed that initial connections were done to an SSL port. Added ability to use startTLS
  - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, that determines which side we're working on, or None if it isn't a dogtag agreement.
  - Don't set the attribute exclude list on dogtag agreements
  - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though, so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error).
  https://fedorahosted.org/freeipa/ticket/1250
* Use information from the certificate subject when setting the NSS nickname.
  Rob Crittenden, 2011-07-17 (1 file, -1/+1)
  There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname.
  https://fedorahosted.org/freeipa/ticket/1141
* Validate that the certificate subject base is in valid DN format.
  Rob Crittenden, 2011-07-17 (1 file, -1/+26)
  https://fedorahosted.org/freeipa/ticket/1176
* Fix typo in ipa-replica-prepare
  Martin Kosek, 2011-07-18 (1 file, -1/+0)
  https://fedorahosted.org/freeipa/ticket/1327
  https://fedorahosted.org/freeipa/ticket/1347
* Check IPA configuration in install tools
  Martin Kosek, 2011-07-18 (7 files, -9/+41)
  Install tools may fail with an unexpected error when the IPA server is not installed on a system. Improve user experience by implementing a check in the affected tools.
  https://fedorahosted.org/freeipa/ticket/1327
  https://fedorahosted.org/freeipa/ticket/1347
* Fix exit status of ipa-nis-manage enable.
  Jan Cholasta, 2011-07-15 (1 file, -8/+5)
  ticket 1247
* Fix self-signed replica installation
  Martin Kosek, 2011-07-14 (1 file, -0/+4)
  When a replica for a self-signed server is being installed, the installer crashes with "Not a dogtag CA installation". Make sure that installation is handled correctly for both dogtag and self-signed replicas.
  https://fedorahosted.org/freeipa/ticket/1479
* Fix ipa-dns-install
  Martin Kosek, 2011-07-15 (1 file, -19/+13)
  When the DNS plugin is installed via ipa-dns-install and the user has a valid Kerberos ticket at the time, the DNS installation is corrupt and named won't start, reporting a Preauthentication error. When the non-DM identity is used for authentication, the krbprincipalkey attribute in the DNS service LDAP record is not created, thus leading to the error.
  This patch makes sure that authentication with the Directory Manager password is used every time.
  https://fedorahosted.org/freeipa/ticket/1483
* Fix creation of reverse DNS zones.
  Jan Cholasta, 2011-07-15 (8 files, -77/+117)
  Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. A custom reverse DNS zone can be specified using the new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install.
  ticket 1398
* Verify that the hostname is fully-qualified before accessing the service information in ipactl.
  Jan Cholasta, 2011-06-24 (2 files, -8/+10)
  Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install.
  ticket 1035
* Make dogtag an optional (and default un-) installed component in a replica.
  Rob Crittenden, 2011-06-23 (6 files, -131/+260)
  A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed.
  A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed.
  This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication.
  https://fedorahosted.org/freeipa/ticket/1251
* Let the framework be able to override the hostname.
  Rob Crittenden, 2011-06-23 (3 files, -2/+4)
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok.
  ticket 1052
* Fix IPA install for secure umask
  Martin Kosek, 2011-06-21 (3 files, -25/+37)
  Make sure that IPA can be installed with root umask set to the secure value 077. ipa-server-install was failing in the DS configuration phase when dirsrv tried to read boot.ldif created during installation.
  https://fedorahosted.org/freeipa/ticket/1282
* Make data type of certificates more obvious/predictable internally.
  Rob Crittenden, 2011-06-21 (1 file, -1/+1)
  For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate().
  This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py.
  This also tries to use variable names to indicate what format the certificate is in at any given point:
  dercert: DER
  cert: PEM
  nsscert: a python-nss Certificate object
  rawcert: unknown format
  ticket 32
* The IP address provided to ipa-server-install must be local
  Rob Crittenden, 2011-06-20 (1 file, -1/+1)
  Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available.
  https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parser
  Martin Kosek, 2011-06-19 (4 files, -6/+8)
  Implements a way to pass match_local and parse_netmask parameters to the IP option checker. Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters.
  https://fedorahosted.org/freeipa/ticket/1333
* Add port 9443 to replica port checking
  Martin Kosek, 2011-06-15 (1 file, -6/+7)
  Port 9443 (Agent secure port on PKI-CA) was missing. Additionally, the case consistency of checked port descriptions was fixed.
  https://fedorahosted.org/freeipa/ticket/1321
* Improve DNS zone creation
  Martin Kosek, 2011-06-15 (1 file, -5/+3)
  When a new DNS zone is being created, the local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server.
  Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone.
  https://fedorahosted.org/freeipa/ticket/1261
* Do better detection on status of CA DS instance when installing.
  Rob Crittenden, 2011-06-13 (1 file, -4/+4)
  The conditional used to determine if the CA 389-ds instance was already configured was rather poor, so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all, causing the dogtag installation to fail in a strange way.
  https://fedorahosted.org/freeipa/ticket/1244
* Fix directory manager password validation in ipa-nis-manage.
  Jan Cholasta, 2011-06-13 (1 file, -2/+8)
  ticket 1283, 1284
* Remove root autobind search restriction, fix upgrade logging & error handling.
  Rob Crittenden, 2011-06-13 (1 file, -7/+14)
  There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction.
  The upgrade log wasn't being created. Clearing all other loggers before calling logging.basicConfig() fixes this.
  Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state.
  https://fedorahosted.org/freeipa/ticket/1243
  https://fedorahosted.org/freeipa/ticket/1254
* IPA installation with --no-host-dns fails
  Martin Kosek, 2011-06-10 (3 files, -12/+23)
  The --no-host-dns option should allow installing an IPA server on a host without a DNS resolvable name. The parse_ip_address and verify_ip_address functions have been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine.
  https://fedorahosted.org/freeipa/ticket/1246
* Fix external CA installation
  Rob Crittenden, 2011-06-09 (1 file, -2/+2)
  When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry.
  https://fedorahosted.org/freeipa/ticket/1245
* Skip known_hosts check for ipa-replica-conncheck
  Martin Kosek, 2011-06-08 (1 file, -1/+3)
  When an IPA replica is installed and the master machine record is not in ~/.ssh/known_hosts, ipa-replica-install will prompt the user to answer a question about adding a host to this file. This has, however, a potential to break automatic tests. ipa-replica-conncheck should not require any further user interaction when all mandatory options are filled.
  https://fedorahosted.org/freeipa/ticket/1305
* Connection check program for replica installation
  Martin Kosek, 2011-06-08 (6 files, -0/+507)
  When the connection between a master machine and a future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is a misconfigured firewall.
  This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure:
  1) Execute the on-replica check testing the connection to master
  2) Open required ports on local machine
  3) Ask user to run the on-master part of the check OR run it automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
  4) When master part is executed, it checks connection back to the replica and prints the check result
  This program is run by ipa-replica-install as a mandatory part. It can, however, be skipped using the --skip-conncheck option. ipa-replica-install now requires the password for the admin user to run the command on the remote master.
  https://fedorahosted.org/freeipa/ticket/1107
* Fix forward zone creation in ipa-replica-prepare
  Martin Kosek, 2011-06-08 (1 file, -2/+3)
  When a new forward zone is created in ipa-replica-prepare, the master DNS address gets corrupted by an invalid A/AAAA record.
  https://fedorahosted.org/freeipa/ticket/1260
* Honor netmask in DNS reverse zone setup.
  Jan Cholasta, 2011-05-30 (4 files, -10/+36)
  ticket 910
* Parse netmasks in IP addresses passed to server install.
  Jan Cholasta, 2011-05-30 (4 files, -31/+37)
  ticket 1212