path: root/install
Commit message (Author, Age; Files, Lines)
...
* Add status option to ipactl (Rob Crittenden, 2010-02-09; 1 file, -1/+16)
  Resolves #503437
* - also ensure that krbCanonicalName is unique (Nalin Dahyabhai, 2010-02-05; 1 file, -0/+18)
* - allow the KDC to read krbCanonicalName (Nalin Dahyabhai, 2010-02-05; 1 file, -2/+2)
* Set default log level in the *-manage utilities to ERROR and not NOTSET (Rob Crittenden, 2010-02-04; 2 files, -2/+2)
* - pull in updated schema which adds the krbCanonicalName attribute (Nalin Dahyabhai, 2010-02-04; 1 file, -1/+15)
* Fix sample IPA command example at end of installation (Rob Crittenden, 2010-02-03; 1 file, -1/+1)
  Resolves #531455
* Bring ipa-server-install man page up-to-date, fix some syntax errors (Rob Crittenden, 2010-02-03; 1 file, -20/+30)
  Remove a bunch of trailing spaces
  Add the --ca option
  Add the --no-host-dns option
  Add the --subject option
  Fix the one-character option for --no-ntp, should be -N not -n
  Add missing line break between --no-ntp and --uninstall
  Resolves #545260
* Remove some configuration files we create upon un-installation (Rob Crittenden, 2010-01-28; 1 file, -1/+6)
  This is particularly important for Apache since we'd leave the web server handling unconfigured locations.
* Set BIND to use ldapi and use fake mname (Martin Nagy, 2010-01-21; 1 file, -1/+2)
  The fake_mname for now doesn't exist but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Move some functions from ipa-server-install into installutils (Martin Nagy, 2010-01-21; 1 file, -54/+1)
  We will need these functions in the new upcoming ipa-dns-install command.
* Only add an NTP SRV record if we really are setting up NTP (Martin Nagy, 2010-01-21; 3 files, -5/+4)
  The sample bind zone file that is generated if we don't use --setup-dns is also changed.
  Fixes #500238
* Use the dns plug-in for addition of records during installation (Martin Nagy, 2010-01-21; 3 files, -113/+0)
  Fixes #528943
* Move api finalization in ipa-server-install after writing default.conf (Martin Nagy, 2010-01-21; 1 file, -23/+22)
  We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns.
* Fix merge issue, cut-and-paste error (Rob Crittenden, 2010-01-21; 1 file, -2/+1)
* User-defined certificate subjects (Rob Crittenden, 2010-01-20; 4 files, -18/+64)
  Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR.

  The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.

  The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Add DS migration plugin and password migration page. (Pavel Zuna, 2010-01-20; 9 files, -0/+257)
* Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. (Pavel Zuna, 2010-01-20; 2 files, -3/+6)
* Add default values for krb ticket policy attributes during installation. (Pavel Zuna, 2010-01-13; 2 files, -0/+8)
* Add start/stop for the CA (Rob Crittenden, 2010-01-11; 1 file, -0/+8)
* Make hosts more like real services so we can issue certs for host principals (Rob Crittenden, 2009-12-16; 1 file, -0/+6)
  This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Make the IPA server host and its services "real" IPA entries (Rob Crittenden, 2009-12-11; 3 files, -4/+12)
  We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server).

  Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Add force option to ipa-replica-manage to allow forcing deletion of a replica (Rob Crittenden, 2009-12-11; 1 file, -5/+13)
  If a replica is not up for some reason (e.g. you've already deleted it) this used to quit and not let you delete the replica, generating errors in the DS logs. This will let you force a deletion.
* Ask the user before overwriting /etc/named.conf (Martin Nagy, 2009-12-02; 2 files, -8/+4)
* Remove unnecessary "error: " prefixes (Martin Nagy, 2009-12-02; 2 files, -6/+6)
  The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good.
* Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf (Rob Crittenden, 2009-12-01; 2 files, -17/+0)
  The new framework uses default.conf instead of ipa.conf. This is useful also because Apache uses a configuration file named ipa.conf.

  This wipes out the last vestiges of the old ipa.conf from v1.
* Add ipaUserGroup objectClass to default groups where missing. (Pavel Zuna, 2009-12-01; 1 file, -0/+2)
* Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. (Rob Crittenden, 2009-11-30; 1 file, -0/+4)
  The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names.

  Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
* Point to correct location of self-signed CA and set pw on 389-DS cert db (Rob Crittenden, 2009-11-25; 1 file, -2/+2)
  The CA was moved from residing in the DS NSS database into the Apache database to support a self-signed CA certificate plugin. This was not updated in the installer boilerplate.

  The DS db wasn't getting a password set on it. Go ahead and set one.
* respect debug arg during server install (John Dennis, 2009-11-19; 1 file, -0/+1)
  The debug flag (e.g. -d) was not being respected during server install. This patch corrects that.
* Cache installer questions for the 2-step process of an externally-signed CA (Rob Crittenden, 2009-11-18; 1 file, -6/+62)
  Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA.

  To avoid asking questions over and over (and potentially getting different answers) the answers are cached.
* Add SELinux policy for UI assets (Rob Crittenden, 2009-11-04; 2 files, -5/+5)
  This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option.

  No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
* ipa-server-install now renders UI assets (Jason Gerard DeRose, 2009-11-04; 3 files, -8/+38)
* Use a new mechanism for delegating certificate issuance. (Rob Crittenden, 2009-11-03; 2 files, -1/+9)
  Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate.

  In order to do this:
  * the service will need to exist
  * the machine needs to be in the certadmin rolegroup
  * the host needs to be in the managedBy attribute of the service

  It might look something like:

  admin
    ipa host-add client.example.com --password=secret123
    ipa service-add HTTP/client.example.com
    ipa service-add-host --hosts=client.example.com HTTP/client.example.com
    ipa rolegroup-add-member --hosts=client.example.com certadmin

  client
    ipa-client-install
    ipa-join -w secret123
    kinit -kt /etc/krb5.keytab host/client.example.com
    ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Use Directory String syntax for the fqdn attribute, not DN syntax. (Rob Crittenden, 2009-10-28; 1 file, -1/+1)
* Add mod_python adapter and some UI tuning (Jason Gerard DeRose, 2009-10-27; 1 file, -28/+25)
* Auto-detect whether dogtag needs to be uninstalled (Rob Crittenden, 2009-10-21; 1 file, -5/+8)
* First pass at enforcing certificates be requested from same host (Rob Crittenden, 2009-10-21; 1 file, -5/+37)
  We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this.

  The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet.

  This does not yet grant machines actual permission to request certificates, that is still limited to the taskgroup request_certs.
* Fix ACI for host delegation (Rob Crittenden, 2009-10-17; 1 file, -2/+2)
  We had changed the DN format, I must have missed these ACIs the first go around.
* Fix an oops where I forgot to replace a string with a template (Rob Crittenden, 2009-10-17; 1 file, -6/+6)
* Use nestedgroup instead of groupofnames for rolegroups so we have memberof (Rob Crittenden, 2009-10-12; 1 file, -50/+50)
* No longer use the IPA-specific memberof plugin. Use the DS-supplied one. (Rob Crittenden, 2009-10-12; 2 files, -0/+6)
* Add HBAC plugin and introduce GeneralizedTime parameter type. (Pavel Zuna, 2009-10-05; 1 file, -0/+6)
* Add support for per-group kerberos password policy. (Rob Crittenden, 2009-10-05; 1 file, -0/+13)
  Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups but with cospriority we can still make sense of things.

  The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN.
* Only initialize the API once in the installer (Rob Crittenden, 2009-09-28; 2 files, -24/+16)
  Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

  525303
* Enrollment for a host in an IPA domain (Rob Crittenden, 2009-09-24; 1 file, -5/+26)
  This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab

  If no kerberos credentials are available then enrollment over LDAPS is used if a password is provided.

  This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Better upgrade detection so we don't print spurious errors (Rob Crittenden, 2009-09-15; 1 file, -17/+42)
  Also add copyright

  519414
* Add external CA signing and abstract out the RA backend (Rob Crittenden, 2009-09-15; 3 files, -19/+108)
  External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer.

  The CSR is always written to /root/ipa.csr.

  A run would look like:

  # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
  [ sign cert request ]
  # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

  This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation.

  To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet.

  Currently the cert plugin will not work on self-signed replicas.

  One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database.

  Lots of general fixes were also made in ipaserver.install.certs including:
  - better handling when multiple CA certificates are in a single file
  - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Fix incorrect imports in ipa-server-certinstall. (Pavel Zuna, 2009-09-11; 1 file, -1/+3)
* Ensure that dnaMaxValue is higher than dnaNextValue at install time (Rob Crittenden, 2009-09-09; 1 file, -2/+2)
  Resolves 522179
* Add forgotten chunks from commit 4e5a68397a102f0be (Martin Nagy, 2009-09-08; 2 files, -3/+31)
  I accidentally pushed the older patch that didn't contain bits for ipa-replica-install.