summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/ipa_replica_prepare.py
Commit message (Collapse)AuthorAgeFilesLines
* Modernize number literalsPetr Viktorin2015-07-311-2/+2
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-replica-prepare: Do not create DNS zone it automatically.David Kupka2015-07-081-5/+8
| | | | | | | | | When --ip-address is specified check if relevant DNS zone exists in IPA managed DNS server, exit with error when not. https://fedorahosted.org/freeipa/ticket/5014 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAPJan Cholasta2015-07-011-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-011-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Clarify error messages in ipa-replica-prepare: add_dns_records()Petr Spacek2015-06-181-3/+3
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify recommendation about --ip-address option in ipa-replica-prepaprePetr Spacek2015-06-181-2/+3
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS install: extract DNS installer into one moduleMartin Basti2015-05-191-0/+2
| | | | | | | | | | | | This is required modification to be able move to new installers. DNS subsystem will be installed by functions in this module in each of ipa-server-install, ipa-dns-install, ipa-replica-install install scripts. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-1/+1
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use singular in help metavars + update man pages.David Kupka2014-11-261-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4695 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-7/+8
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow choosing CA-less server certificates by nameJan Cholasta2014-09-301-3/+15
| | | | | | | | | | | Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare and --cert-name option to ipa-server-certinstall. The options allows choosing a particular certificate and private key from PKCS#12 files by its friendly name. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* CA-less installer options usability fixesJan Cholasta2014-09-301-63/+87
| | | | | | | | | | | | | | | | | | | The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have been replaced by --*-cert-file options which accept multiple files. ipa-server-certinstall now accepts multiple files as well. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. The --root-ca-file option of ipa-server-install has been replaced by --ca-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. The --*_pin options of ipa-server-install and ipa-replica-prepare have been renamed to --*-pin. https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Detect and configure all usable IP addresses.David Kupka2014-09-261-39/+43
| | | | | | | | | | | Find, verify and configure all IP addresses that can be used to reach the server FreeIPA is being installed on. Ignore some IP address only if user specifies subset of detected addresses using --ip-address option. This change simplyfies FreeIPA installation on multihomed and dual-stacked servers. https://fedorahosted.org/freeipa/ticket/3575 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-prepare: Wait for the DNS entry to be resolvablePetr Viktorin2014-09-251-0/+53
| | | | | | | | | | | | | | | | | | | It takes some time after the DNS record is added until it propagates to Bind. In automated installations, it might happen that replica-install is attempted before the hostname is resolvable; in that case the connection check would fail. Wait for the name to be resolvable at the end of replica-prepare. Mention that this can be interrupted (Ctrl+C). Provide an option to skip the wait. In case DNS is not managed by IPA, this reminds the admin of the necessary configuration and checks their work, but it's possible to skip (either by interrupting it interactively, or by the option). https://fedorahosted.org/freeipa/ticket/4551 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* install: create ff krb extension on every install, replica install and upgradePetr Vobornik2014-09-111-3/+0
| | | | | | | | | | We don't want to copy the extension from master to replica because the replica may use newer version of FreeIPA and therefore the extension code might be obsolete. Same reason for upgrades. https://fedorahosted.org/freeipa/ticket/4478 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.Jan Cholasta2014-09-051-3/+11
| | | | | | | | | | | | | The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-11/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-2/+3
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.Petr Spacek2014-02-211-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4188 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-241-1/+1
|
* Allow PKCS#12 files with empty password in install tools.Jan Cholasta2013-10-041-4/+4
| | | | https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-041-2/+1
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* Remove redundant shebangsTomas Babej2013-08-261-1/+0
| | | | | | Remove redundant shebangs from files that are not used as scripts. https://fedorahosted.org/freeipa/ticket/3853
* Ask for PKCS#12 password interactively in ipa-replica-prepare.Jan Cholasta2013-07-241-15/+34
| | | | https://fedorahosted.org/freeipa/ticket/3717
* Make sure replication works after DM password is changedAna Krivokapic2013-07-111-0/+36
| | | | | | | | | | | | | | | | Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594
* Create Firefox configuration extension on CA-less installPetr Vobornik2013-06-271-2/+3
| | | | | | | | | | Create: * kerberosauth.xpi * krb.js even when --http_pkcs12 option is used. https://fedorahosted.org/freeipa/ticket/3747
* Drop --selfsign server functionalityPetr Viktorin2013-04-151-25/+11
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-021-1/+1
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-021-6/+22
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* Port ipa-replica-prepare to the admintool frameworkPetr Viktorin2013-02-011-0/+504
Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files. Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output) Part of: https://fedorahosted.org/freeipa/ticket/2652 Fixes: https://fedorahosted.org/freeipa/ticket/3285
generated by cgit (git 2.34.1) at 2024-05-21 23:32:34 +0000