summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/dsinstance.py
Commit message (Collapse)AuthorAgeFilesLines
* Convert server install code to platform-independent access to system servicesAlexander Bokovoy2011-09-131-17/+6
| | | | https://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installersMartin Kosek2011-09-071-7/+8
| | | | | | | | Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-311-0/+9
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* Add common is_installed() fn, better uninstall logging, check for errors.Rob Crittenden2011-08-291-40/+20
| | | | | | | | | | | | | | The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
* Remove 389-ds upgrade state during uninstallRob Crittenden2011-08-251-0/+6
| | | | | | | | | | | | | When we perform an upgrade 389-ds is set to listen only on its ldapi port. Theoretically it should be restored to the previous state regardless of whether the upgrades were successful or not. To be sure that a subsequent re-install will be successful go ahead and remove the state for these options. Think of it as wearing a belt and suspenders. Otherwise a re-install could return an error message that IPA is already configured. https://fedorahosted.org/freeipa/ticket/1667
* Remove more 389-ds files/directories on uninstallation.Rob Crittenden2011-08-251-0/+17
| | | | | | | We were orphaning a few files/directories when uninstalling 389-instances both for IPA and dogtag. This should remove everything but the logs. ticket https://fedorahosted.org/freeipa/ticket/1700
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-171-2/+2
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250
* Fix IPA install for secure umaskMartin Kosek2011-06-211-16/+23
| | | | | | | | Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-211-2/+2
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* Support initializing memberof during replication re-init using GSSAPIRob Crittenden2011-06-131-1/+4
| | | | | | | | | | | | | The last step of a replication re-initiailization is to run the memberof task. The current function would only authenticate using simple auth to monitor the task but we may be doing this using admin GSSAPI credentials so support that type of bind as well. In short this fixes: # kinit admin # ipa-replica-manage re-initialize --from=master.example.com https://fedorahosted.org/freeipa/ticket/1248
* Configure Managed Entries on replicas.Rob Crittenden2011-05-251-0/+2
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* Enable 389-ds SSL host checking by defauiltRob Crittenden2011-05-201-2/+1
| | | | | | | | | | | | | Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* Improve Directory Service open port checkerMartin Kosek2011-04-281-5/+16
| | | | | | | | Wait for DS ports to open after _every_ DS service restart. Several restarts were missed by the current open port checker implementation. https://fedorahosted.org/freeipa/ticket/1182
* Wait for memberof task and DS to start before proceeding in installation.Rob Crittenden2011-04-221-0/+7
| | | | | | | | | | | | | This was causing a replica DS instance to crash if the task was not completed when we attempted a shutdown to do a restart. In replication.py we were restarting the DS instance without waiting for the ports to become available. It is unlikely that the dn of the memberof task will change but just in case I noted it in the two places it is referenced. ticket 1188
* Wait for Directory Server ports to openMartin Kosek2011-03-211-0/+1
| | | | | | | | | | | When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart. https://fedorahosted.org/freeipa/ticket/1076
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.Rob Crittenden2011-03-151-0/+1
| | | | | | | | | | | | | | | | This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
* Inconsistent sysrestore file handling by IPA server installerMartin Kosek2011-03-031-2/+5
| | | | | | | | | | | | IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
* Use Sudo rather than SUDO as a label.Rob Crittenden2011-03-011-1/+1
| | | | ticket 1005
* Set SuiteSpotGroup when setting up our 389-ds instances.Rob Crittenden2011-02-241-0/+2
| | | | | | | | The group is now required because 389-ds has tightened the permissions on /var/run/dirsrv. We use the same group for both our LDAP instances and /var/run/dirsrv ends up as root:dirsrv mode 0770. ticket 1010
* Create default disabled sudo bind userJr Aquino2011-02-231-0/+8
| | | | | | | | Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information. https://fedorahosted.org/freeipa/ticket/998
* Disable replication version plugin by default.Rob Crittenden2011-02-101-0/+4
| | | | | | | | | | | | | | | | The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the repliation plugin and if it is there then we enable the version plugin before replication begins. ticket 918
* ipa-server-install inconsistent capitalizationMartin Kosek2011-02-031-1/+1
| | | | | | | | | A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
* Use a common group for all DS instancesSimo Sorce2011-01-311-25/+18
| | | | | | | | Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Fix ipa-replica-manage regressions with winsyncSimo Sorce2011-01-251-0/+1
| | | | | | Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807
* Populate shared tree with replica related valuesSimo Sorce2011-01-251-0/+22
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Update kerberos password policy values on LDAP binds.Rob Crittenden2011-01-211-0/+4
| | | | | | | | | | | | | | | On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
* Allow SASL/EXTERNAL authentication for the root userSimo Sorce2011-01-201-0/+5
| | | | | | | | This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
* Fix replica installation warningsSimo Sorce2011-01-141-2/+2
| | | | | We were attempting to re-add these entries on the replicas too. Which were failing because these containers, obviously, already existed there.
* Remove radius options completely.Simo Sorce2011-01-141-2/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etcSimo Sorce2011-01-141-2/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/760
* Refactor some replication codeSimo Sorce2011-01-141-8/+6
| | | | | This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* Add replication related acis to all replicasSimo Sorce2010-12-211-0/+5
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/617
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* managed entry hostgroup netgroup support ↵Jr Aquino2010-12-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/543
* Fix Install using dogtag.Simo Sorce2010-12-101-1/+1
| | | | | | | The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstanceSimo Sorce2010-12-101-5/+4
| | | | | | | | This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Introduce ipa control script that reads configuration off ldapSimo Sorce2010-12-101-1/+4
| | | | | | | | | | | This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
* Split dsinstance configurationSimo Sorce2010-12-101-31/+81
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
* Enable EntryUSN plugin by default, with global scopeSimo Sorce2010-11-301-0/+4
| | | | | | | This will allow clients to use entryusn values to track what changed in the directory regardles of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Create user private groups with a uniqueid.Rob Crittenden2010-11-301-1/+1
| | | | | | | | | | If we don't then we need to add it when a group is detached causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Autotune directory server to use a greater number of filesSimo Sorce2010-11-221-4/+66
| | | | | | | | This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..). Fixes: https://fedorahosted.org/freeipa/ticket/464
* Save and restore on uninstall ds related config filesSimo Sorce2010-11-221-0/+14
|
* id ranges: change DNA configurationSimo Sorce2010-11-221-17/+19
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Use Realm as certs subject base nameSimo Sorce2010-11-181-4/+4
| | | | Also use the realm name as nickname for the CA certificate
* Set CACERTDIR during install to work around openldap bugJakub Hrozek2010-11-111-1/+3
| | | | | | | | Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around the issue by setting both into the environment. https://fedorahosted.org/freeipa/ticket/467
* Rename 60sudo.ldif to 60ipasudo.ldif to not overwrite the 389-ds version.Rob Crittenden2010-11-091-2/+2
| | | | | | This meant that the compat sudo schema was not available. ticket 439
* UUIDs: remove uuid python plugin and let DS always autogenerateSimo Sorce2010-10-281-3/+1
| | | | merge in remove uuid
* ipa-modrdn: Enable plugin to handle krbPrincipalName on renamesSimo Sorce2010-10-281-0/+5
|
* ipa-uuid: enable plugin in IPASimo Sorce2010-10-221-0/+5
|
* dsinstance: Fix ldappasswd invocation to specify the server nameSimo Sorce2010-10-181-1/+1
| | | | | Apparently on some machines if this is not done SSL validation will fail. Fixes bug #394
generated by cgit (git 2.34.1) at 2024-04-27 01:55:29 +0000