summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
* replication: Fix incorrect exception invocationTomas Babej2015-07-241-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* DNS: check if DNS package is installedMartin Basti2015-07-214-37/+7
| | | | | | | | | | | Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommandMartin Basti2015-07-171-1/+2
| | | | | | | | | --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-ca-install: print more specific errors when CA is already installedMartin Babinsky2015-07-161-2/+10
| | | | | | | | | | | This patch implements a more thorough checking for already installed CAs during standalone CA installation using ipa-ca-install. The installer now differentiates between CA that is already installed locally and CA installed on one or more masters in topology and prints an appropriate error message. https://fedorahosted.org/freeipa/ticket/4492 Reviewed-By: Martin Basti <mbasti@redhat.com>
* selinux: enable httpd_run_ipa to allow communicating with oddjobd servicesAlexander Bokovoy2015-07-161-0/+1
| | | | | | | | | | | | | A new SELinux policy allows communication between IPA framework running under Apache with oddjobd-based services via DBus. This communication is crucial for one-way trust support and also is required for any out of band tools which may be executed by IPA framework. Details of out of band communication and SELinux policy can be found in a bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix DNS records installation for replicasSimo Sorce2015-07-141-3/+3
| | | | | | | Ticket: https:/fedorahosted.org/freeipa/ticket/5116 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Start dirsrv for kdcproxy upgradeChristian Heimes2015-07-141-16/+19
| | | | | | | | | | The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy(). https://fedorahosted.org/freeipa/ticket/5113 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Revert "Hide topology and domainlevel features"Tomas Babej2015-07-101-2/+1
| | | | | | | | | This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* upgrade: Enable and start oddjobd if adtrust is availableTomas Babej2015-07-081-0/+24
| | | | | | | If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrustinstance: Enable and start oddjobdTomas Babej2015-07-082-0/+30
| | | | | | | Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installedMartin Basti2015-07-081-0/+5
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-084-30/+78
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare: Do not create DNS zone it automatically.David Kupka2015-07-081-5/+8
| | | | | | | | | When --ip-address is specified check if relevant DNS zone exists in IPA managed DNS server, exit with error when not. https://fedorahosted.org/freeipa/ticket/5014 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel featuresTomas Babej2015-07-081-1/+2
| | | | | | | | | | | * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-dns-install: Detect existing master server sooner.Petr Spacek2015-07-071-14/+12
| | | | | | | | User should get the error before he installs missing packages etc. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update messageMartin Basti2015-07-071-7/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-075-22/+295
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of infoMartin Basti2015-07-037-39/+39
| | | | | | Upgrade contains too many unnecessary info logs. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* winsync_migrate: Generalize membership migrationTomas Babej2015-07-021-21/+78
| | | | | | https://fedorahosted.org/freeipa/ticket/4943 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync_migrate: Migrate memberships of the winsynced usersTomas Babej2015-07-021-0/+51
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the tool under ipaserver.install packageTomas Babej2015-07-021-0/+237
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* KRA Install: check replica file if contains req. certificatesMartin Basti2015-07-021-0/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/5059 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replication: fix regression in get_agreement_typePetr Vobornik2015-07-011-0/+3
| | | | | | | | dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAPJan Cholasta2015-07-011-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-016-10/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is TrueJan Cholasta2015-07-016-8/+1
| | | | | | | https://fedorahosted.org/freeipa/ticket/3090 https://fedorahosted.org/freeipa/ticket/5073 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Migrate CA profiles after enabling LDAPProfileSubsystemFraser Tweedale2015-07-012-29/+112
| | | | | | | After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade CA schema during upgradeFraser Tweedale2015-07-011-0/+23
| | | | | | | | | | | | New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Sanitize CA replica installMartin Basti2015-06-301-12/+10
| | | | | | | | Check if cafile exist first. https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix upgrade of HTTPInstance for KDC ProxyChristian Heimes2015-06-291-0/+6
| | | | | | | HTTPInstance needs a LDAP connection for KDC Proxy upgrade. The patch ensures that an admin_conn is available. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Fix removal of ipa-kdc-proxy.conf symlinkChristian Heimes2015-06-292-2/+2
| | | | | | | installutils.remove_file() ignored broken symlinks. Now it uses os.path.lexists() to detect and also remove dangling symlinks. Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication ↵Petr Vobornik2015-06-292-16/+4
| | | | | | | | | | | | | agreement existence in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedorahosted.org/freeipa/ticket/5066 Reviewed-By: David Kupka <dkupka@redhat.com>
* upgrade: Raise error when certmonger is not running.David Kupka2015-06-291-0/+3
| | | | | | | | | | Certmonger should be running (should be started on system boot). Either user decided to stop it or it crashed. We should just error out and let user check & fix it. https://fedorahosted.org/freeipa/ticket/5080 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix handling of ldap.LDAPError in installerPetr Vobornik2015-06-291-3/+7
| | | | | | | | 'info' is optional component in LDAPError http://www.python-ldap.org/doc/html/ldap.html#exceptions Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP)Christian Heimes2015-06-243-1/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Replicas cannot define their own master password.Simo Sorce2015-06-241-8/+0
| | | | | | | | | Seem like this slipped in during the refactoring of the install tools. https://fedorahosted.org/freeipa/ticket/4468 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-ca-install fix: reconnect ldap2 after DS restartMartin Basti2015-06-181-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/5064 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Clarify error messages in ipa-replica-prepare: add_dns_records()Petr Spacek2015-06-181-3/+3
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify recommendation about --ip-address option in ipa-replica-prepaprePetr Spacek2015-06-181-2/+3
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error messages about reverse address resolution in ipa-replica-preparePetr Spacek2015-06-181-2/+8
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Fix ipa-replica-install not installing RA certJan Cholasta2015-06-182-9/+14
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: disconnect ldap2 connection before DS restartMartin Basti2015-06-151-0/+5
| | | | | | | | Without this patch, the invalid api.Backend.ldap2 connection was used to communicate with DS and it raises network error after DS restart. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use 389-ds centralized scripts.David Kupka2015-06-112-4/+12
| | | | | | | | | Directory server is deprecating use of tools in instance specific paths. Instead tools in bin/sbin path should be used. https://fedorahosted.org/freeipa/ticket/4051 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Improve global forwarders validationMartin Basti2015-06-111-11/+21
| | | | | | | | | | Validation now provides more detailed information and less false positives failures. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add CA ACL pluginFraser Tweedale2015-06-112-0/+29
| | | | | | | | | | | | | | | | | | | Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIXPetr Vobornik2015-06-111-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* vault: Fix ipa-kra-installJan Cholasta2015-06-106-82/+62
| | | | | | | | | Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Initialize API early in server and replica installJan Cholasta2015-06-102-177/+191
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
* vault: Move vaults to cn=vaults,cn=kraJan Cholasta2015-06-102-6/+19
| | | | | | https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Migrate ipa-replica-install to the install frameworkJan Cholasta2015-06-102-61/+264
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-24 22:27:44 +0000