| Commit message (Collapse) | Author | Age | Files | Lines |
...

We will update any/all of /etc/ldap.conf, /etc/nss_ldap.conf,
/etc/libnss-ldap.conf and /etc/pam_ldap.conf.
nslcd is the replacement for nss_ldap.
ticket 50
We need the CA certificate so we can use SSL when binding with a
one-time password (bulk enrollment)
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
Allow the --force flag to override on both install and uninstall
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.
One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
For example, if nscd is not installed this would throw lots of errors about
not being able to disable it, stop it, etc.
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.
The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.
This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.
Note that this also fixes ipa-join to work with the new argument passing
mechanism.
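To make the selfsign-CA rule above concrete, here is an added example (not FreeIPA's own code) that builds the subject the client should ask certmonger for from a subject base such as the default O=IPA, and checks a CSR subject the way the message says the selfsign CA does: a CN first, then exactly the configured base. The function names, the minimal comma-splitting DN parser (it does not handle escaped commas or multi-valued RDNs) and the use of getcert's -N option to carry the subject are assumptions of the example, not something the page states.

```python
"""Subject handling for a selfsign-style CA: CN=<host> followed by the configured base.

Added example, not FreeIPA code. Function names and the minimal DN parser are
assumptions; the default format CN=%s,O=IPA comes from the commit message.
"""

DEFAULT_SUBJECT_BASE = "O=IPA"  # the part after CN=%s in the default CN=%s,O=IPA


def parse_dn(dn):
    """Split 'CN=a,O=b' into [('CN', 'a'), ('O', 'b')].

    Assumption: values contain no escaped commas and no multi-valued RDNs
    (enough for IPA host subjects; a real DN parser is needed for general DNs).
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def subject_for_host(fqdn, subject_base=DEFAULT_SUBJECT_BASE):
    """Subject the client should request: CN=<fqdn> followed by the base."""
    if not fqdn or "," in fqdn or "=" in fqdn:
        raise ValueError("unexpected characters in host name %r" % fqdn)
    return "CN=%s,%s" % (fqdn, subject_base)


def subject_matches_base(subject, subject_base=DEFAULT_SUBJECT_BASE):
    """Selfsign-CA acceptance rule: exactly one CN RDN, then exactly the base.

    A bare 'CN=host' (certmonger's default) fails here, which is the failure
    the commit message describes.
    """
    try:
        rdns = parse_dn(subject)
        base = parse_dn(subject_base)
    except ValueError:
        return False
    if len(rdns) != len(base) + 1:
        return False
    cn_attr, cn_value = rdns[0]
    if cn_attr != "CN" or not cn_value:
        return False
    return rdns[1:] == base


def getcert_request_args(fqdn, subject_base=DEFAULT_SUBJECT_BASE):
    """Extra arguments for 'ipa-getcert request' so the CSR carries the full subject.

    Assumption: getcert's -N option sets the requested subject name.
    """
    return ["-N", subject_for_host(fqdn, subject_base)]
```

The check is deliberately strict about RDN order: a subject with the base in front of the CN is rejected, since the CA compares against the configured format rather than treating the DN as an unordered set.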
This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The client machine
*must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
This will fetch a keytab on installation and remove it upon uninstallation.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.
rest of the krb5.conf configuration were. This clearly breaks
with the default EXAMPLE.COM realm configuration. Furthermore
it makes it not possible to try to 'fix' an installation by
rerunning ipa-client-install
This patch removes the special case and avoids krb5.conf only
if the on_master flag is passed.
Fix also one inner 'if' statement to be simpler to understand.
it can be used by the client tool.
Fix the client tool imports to fail more gracefully.
discovery fails to find them.
configuration look at the specific tree where users are and
not search the full server.
add the domain to the ipa.conf file for apps that need to know
This should fix a bug in the replica setup
446869
We were just shutting down the KDC if it had been started prior to IPA
installation. We need to stop it in all cases.
And we should restart nscd as it may have made an LDAP connection.
440322
thanks Nalin for spotting this.
and avoid searching for KDC servers via DNS, we just connect
to ourselves.
with discovered options, just verified.
It makes a huge difference on clients, if we cache lookups
- Make sure timeouts are not too high, so that machine does not hang if remote
servers are not reachable
- Make sure root can always login no matter what the status of the ldap
servers
- use rfc2307bis schema directive
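As an added example (not FreeIPA's own code) of checking a client for the three points above, here is a small audit of an nss_ldap-style /etc/ldap.conf. The directive names (timelimit, bind_timelimit, bind_policy, nss_initgroups_ignoreusers, nss_schema) are nss_ldap's; the 15 second ceiling, the inclusion of dirsrv in the ignore list, and both sample files are constructed for the example and are assumptions rather than anything the page states.

```python
"""Audit an nss_ldap/pam_ldap style /etc/ldap.conf for the three hardening points.

Added example, not FreeIPA code. The directive names are nss_ldap's; the
timeout ceiling and the two sample files are this example's own choices.
"""

MAX_TIMEOUT_SECONDS = 15  # assumption: longer waits risk hanging logins when servers are down

# Constructed sample, not a real host's file: the hardened form.
GOOD_LDAP_CONF = """\
# /etc/ldap.conf as an enrollment script might write it
uri ldap://ipa.example.com
base dc=example,dc=com
timelimit 5
bind_timelimit 5
bind_policy soft
nss_initgroups_ignoreusers root,dirsrv
nss_schema rfc2307bis
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
"""

# Constructed sample: the weak form (long timeout, hard bind policy,
# root resolved through LDAP, plain rfc2307 schema).
BAD_LDAP_CONF = """\
uri ldap://ipa.example.com
base dc=example,dc=com
timelimit 120
bind_policy hard
nss_schema rfc2307
"""


def parse_ldap_conf(text):
    """Return {directive: value} for a 'key value' style config; the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, max_timeout=MAX_TIMEOUT_SECONDS):
    """Return a list of findings; an empty list means all three points are met."""
    conf = parse_ldap_conf(text)
    findings = []

    # 1. Bounded timeouts, so lookups fail fast when the servers are unreachable.
    #    A missing or zero value is treated as unbounded.
    for directive in ("timelimit", "bind_timelimit"):
        value = conf.get(directive, "0")
        if not value.isdigit() or int(value) == 0 or int(value) > max_timeout:
            findings.append("%s is %r; set it to at most %d seconds"
                            % (directive, value, max_timeout))
    if conf.get("bind_policy", "hard") != "soft":
        findings.append("bind_policy should be soft so an unreachable server is not retried forever")

    # 2. root must resolve without LDAP, or root logins block when LDAP is down.
    ignored = {u.strip() for u in conf.get("nss_initgroups_ignoreusers", "").split(",")}
    if "root" not in ignored:
        findings.append("nss_initgroups_ignoreusers must include root")

    # 3. rfc2307bis schema, so group membership is read from member DNs.
    if conf.get("nss_schema") != "rfc2307bis":
        findings.append("nss_schema should be rfc2307bis")

    return findings
```

Run it against a real file with `audit_ldap_conf(open("/etc/ldap.conf").read())`; the parser only understands the flat `directive value` format, so nslcd.conf or sssd.conf need their own readers.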
(including RHEL4 contrib setup script)
Improve LDAP error reporting
Don't return the str() of discovery values because it can return "None"
436130
Put installation log files into /var/log.
430024
Move imports into try/except so that ctrl-C can always be caught
Fix typo
Don't allow empty responses to domain and realm name
Handle ctrl-C
434982
429541
- Removing shebangs (#!) from a bunch of python libraries
- Don't use a variable name in init scripts for the lock file
- Keep the init script name consistent with the binary name, so renamed
ipa-kpasswd.init to ipa_kpasswd.init
- Add status option to the init scripts
- Move most python scripts out of /usr/share/ipa and into the python
site-packages directories (ipaserver and ipaclient)
- Remove unnecessary sys.path.append("/usr/share/ipa")
- Fix the license string in the spec files
- Rename ipa-webgui to ipa_webgui everywhere
- Fix a couple of issues reported by pychecker in ipa-python
Catch permission errors on install.
Initialize srv so the error message works if the user presses enter