summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/server
Commit message (Collapse)AuthorAgeFilesLines
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-071-0/+21
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4951
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-072-2/+51
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-011-2/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is TrueJan Cholasta2015-07-011-3/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Migrate CA profiles after enabling LDAPProfileSubsystemFraser Tweedale2015-07-011-3/+4
| | | | | | | After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade CA schema during upgradeFraser Tweedale2015-07-011-0/+23
| | | | | | | | | | | | New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Sanitize CA replica installMartin Basti2015-06-301-12/+10
| | | | | | | | Check if cafile exist first. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix upgrade of HTTPInstance for KDC ProxyChristian Heimes2015-06-291-0/+6
| | | | | | | HTTPInstance needs a LDAP connection for KDC Proxy upgrade. The patch ensures that an admin_conn is available. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication ↵Petr Vobornik2015-06-291-7/+1
| | | | | | | | | | | | | agreement existence in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedorahosted.org/freeipa/ticket/5066 Reviewed-By: David Kupka <dkupka@redhat.com>
* upgrade: Raise error when certmonger is not running.David Kupka2015-06-291-0/+3
| | | | | | | | | | Certmonger should be running (should be started on system boot). Either user decided to stop it or it crashed. We should just error out and let user check & fix it. https://fedorahosted.org/freeipa/ticket/5080 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP)Christian Heimes2015-06-241-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Replicas cannot define their own master password.Simo Sorce2015-06-241-8/+0
| | | | | | | | | Seem like this slipped in during the refactoring of the install tools. https://fedorahosted.org/freeipa/ticket/4468 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: Fix ipa-replica-install not installing RA certJan Cholasta2015-06-181-2/+13
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: disconnect ldap2 connection before DS restartMartin Basti2015-06-151-0/+5
| | | | | | | | Without this patch, the invalid api.Backend.ldap2 connection was used to communicate with DS and it raises network error after DS restart. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add CA ACL pluginFraser Tweedale2015-06-111-0/+25
| | | | | | | | | | | | | | | | | | | Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Fix ipa-kra-installJan Cholasta2015-06-102-22/+18
| | | | | | | | | Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Initialize API early in server and replica installJan Cholasta2015-06-102-177/+191
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Migrate ipa-replica-install to the install frameworkJan Cholasta2015-06-102-61/+264
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Handle Knob cli_name and cli_aliases values consistentlyJan Cholasta2015-06-101-18/+18
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Migrate ipa-server-install to the install frameworkJan Cholasta2015-06-083-138/+650
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move private_ccache from ipaserver to ipapythonJan Cholasta2015-06-081-2/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Fix external CA server installJan Cholasta2015-06-081-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Fix CA-less server installJan Cholasta2015-06-081-0/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Fix missing variable initialization in replica installJan Cholasta2015-06-081-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/4468
* Move CA installation code into single module.David Kupka2015-06-082-118/+36
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Import profiles earlier during installFraser Tweedale2015-06-051-3/+0
| | | | | | | | | | | | | | | | | Currently, IPA certificate profile import happens at end of install. Certificates issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed. Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates. Part of: https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import included profiles during install or upgradeFraser Tweedale2015-06-042-20/+28
| | | | | | | | | | | | Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enable LDAP-based profiles in CA on upgradeFraser Tweedale2015-06-041-0/+40
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4560 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ACL to allow CA agent to modify profilesFraser Tweedale2015-06-041-0/+11
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Installers fix: remove temporal ccacheMartin Basti2015-06-021-6/+11
| | | | | | | | | Environ variable may be changed outside, so store path into global variable. https://fedorahosted.org/freeipa/ticket/5042 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: Move ipa-server-upgrade code into a moduleJan Cholasta2015-05-292-8/+68
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move ipa-replica-install code into a moduleJan Cholasta2015-05-292-0/+642
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Move ipa-server-install code into a moduleJan Cholasta2015-05-292-0/+1212
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Make a package out of ipaserver.install.serverJan Cholasta2015-05-292-0/+1381
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged into a single code base, keep their respective bits in separate modules in the package. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-19 04:13:19 +0000