summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-2/+14
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* Make mod_nss renegotiation configuration a public functionAdam Young2011-10-071-4/+4
|
* Improve ipa-replica-prepare DNS checkMartin Kosek2011-10-061-13/+28
| | | | | | | | | | | | | Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
* replica-prepare: anonymous binds may be disallowedSimo Sorce2011-10-061-6/+17
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1900
* Install tools crash when password prompt is interruptedMartin Kosek2011-10-061-23/+26
| | | | | | | | | When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
* Work around pkisilent bugs.Jan Cholasta2011-10-042-18/+28
| | | | | | | | | | | Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641) Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180) ticket 1636
* Add a function for formatting network locations of the form host:port for ↵Jan Cholasta2011-10-054-10/+10
| | | | | | | | | use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install.Rob Crittenden2011-09-271-0/+13
| | | | | | | | | | ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
* Fix ipa-replica-prepare always warning the user about not using the system ↵Jan Cholasta2011-09-261-5/+15
| | | | | | hostname. ticket 1717
* Remove checks for ds-replication pluginMartin Kosek2011-09-221-15/+0
| | | | | | | The replication plugin is no longer shipped as a separate package. Remove the code checking its existence. https://fedorahosted.org/freeipa/ticket/1815
* Check that install hostname matches the server hostname.Jan Cholasta2011-09-141-0/+5
| | | | ticket 1717
* Improved handling for ipa-pki-proxy.confRob Crittenden2011-09-131-0/+5
| | | | | | | | | - Remove ipa-pki-proxy.conf when IPA is uninstalled - Move file removal to httpinstance.py and use remove_file() - Add a version stanza - Create the file if it doesn't exist on upgraded installs https://fedorahosted.org/freeipa/ticket/1771
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-123-28/+159
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Convert server install code to platform-independent access to system servicesAlexander Bokovoy2011-09-138-59/+44
| | | | https://fedorahosted.org/freeipa/ticket/1605
* Introduce platform-specific adaptation for services used by FreeIPA.Alexander Bokovoy2011-09-131-48/+20
| | | | | | | | | Refactor FreeIPA code to allow abstracting all calls to external processes and dependencies on modification of system-wide configuration. A platform provider would give its own implementation of those methods and FreeIPA would use it based on what's built in packaging process. https://fedorahosted.org/freeipa/ticket/1605
* Fix configure.jar permissionsMartin Kosek2011-09-071-1/+1
| | | | | | Remove executable bit added by /usr/bin/signtool https://fedorahosted.org/freeipa/ticket/1644
* Fix permissions in installersMartin Kosek2011-09-073-13/+24
| | | | | | | | Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
* Use the IPA server cert profile in the installer.Rob Crittenden2011-08-301-1/+1
| | | | | | We were still using the caRAserverCert profile during installation. https://fedorahosted.org/freeipa/ticket/1744
* Let Bind track data changesMartin Kosek2011-08-311-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-311-0/+9
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* enable proxy for dogtagAdam Young2011-08-293-4/+18
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Add common is_installed() fn, better uninstall logging, check for errors.Rob Crittenden2011-08-292-40/+69
| | | | | | | | | | | | | | The installer and ipactl used two different methods to determine whether IPA was configured, unify them. When uninstalling report any thing that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remains after all the module uninstallers are complete. Add wrappers for removing files and directories to log failures. https://fedorahosted.org/freeipa/ticket/1715
* Remove 389-ds upgrade state during uninstallRob Crittenden2011-08-251-0/+6
| | | | | | | | | | | | | When we perform an upgrade 389-ds is set to listen only on its ldapi port. Theoretically it should be restored to the previous state regardless of whether the upgrades were successful or not. To be sure that a subsequent re-install will be successful go ahead and remove the state for these options. Think of it as wearing a belt and suspenders. Otherwise a re-install could return an error message that IPA is already configured. https://fedorahosted.org/freeipa/ticket/1667
* Remove more 389-ds files/directories on uninstallation.Rob Crittenden2011-08-251-0/+17
| | | | | | | We were orphaning a few files/directories when uninstalling 389-instances both for IPA and dogtag. This should remove everything but the logs. ticket https://fedorahosted.org/freeipa/ticket/1700
* Add option to install without the automatic redirect to the Web UI.Jan Cholasta2011-08-181-2/+2
| | | | ticket 1570
* Make sure messagebus is running prior to starting certmonger.Jan Cholasta2011-08-181-0/+2
| | | | ticket 1580
* Fix idnsUpdatePolicy for reverse zone recordMartin Kosek2011-08-091-1/+2
| | | | | | | Make sure that idnsUpdatePolicy for reverse zone does not contain double trailing "dot" after server installation. https://fedorahosted.org/freeipa/ticket/1591
* Re-arrange CA configuration code to reduce the number of restarts.Rob Crittenden2011-08-032-35/+18
| | | | | | | | Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one. https://fedorahosted.org/freeipa/ticket/1555
* Clean up existing DN object usageJohn Dennis2011-07-293-14/+16
|
* Make sure that hostname specified by user is not an IP address.Jan Cholasta2011-07-251-0/+3
| | | | ticket 1375
* Remove wrong kpasswd sysconfigJakub Hrozek2011-07-211-3/+0
|
* Clean up of IP address checks in install scripts.Jan Cholasta2011-07-191-11/+2
| | | | | | Fixes ipa-dns-install incorrect warning. ticket 1486
* 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate ↵Jr Aquino2011-07-191-2/+1
| | | | https://fedorahosted.org/freeipa/ticket/1472
* Specify the package name when the replication plugin is missing.Rob Crittenden2011-07-181-1/+2
| | | | ticket https://fedorahosted.org/freeipa/ticket/1155
* Generate a database password by default in all cases.Rob Crittenden2011-07-172-2/+2
| | | | | | | | | | | If the password passed in when creating a NSS certificate database is None then a random password is generated. If it is empty ('') then an empty password is set. Because of this the HTTP instance on replicas were created with an empty password. https://fedorahosted.org/freeipa/ticket/1407
* Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RARob Crittenden2011-07-171-2/+2
| | | | | | | | | | The old nickname was 'RA Subsystem' and this may confuse some users with the dogtag RA subsystem which we do not use. This will only affect new installs. Existing installations will continue to work fine. https://fedorahosted.org/freeipa/ticket/1236
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-172-29/+67
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250
* Use information from the certificate subject when setting the NSS nickname.Rob Crittenden2011-07-172-12/+30
| | | | | | | | | | | There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
* Check IPA configuration in install toolsMartin Kosek2011-07-181-2/+17
| | | | | | | | | Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools. https://fedorahosted.org/freeipa/ticket/1327 https://fedorahosted.org/freeipa/ticket/1347
* Fix self-signed replica installationMartin Kosek2011-07-141-2/+2
| | | | | | | | | When a replica for self-signed server is being installed, the installer crashes with "Not a dogtag CA installation". Make sure that installation is handled correctly for both dogtag and self-signed replicas. https://fedorahosted.org/freeipa/ticket/1479
* Fix creation of reverse DNS zones.Jan Cholasta2011-07-151-47/+79
| | | | | | | | | | | | | Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
* Disallow direct modifications to enrolledBy.Rob Crittenden2011-07-141-2/+2
| | | | | | | | | | This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis. https://fedorahosted.org/freeipa/ticket/302
* Remove sensitive information from logsMartin Kosek2011-07-131-3/+4
| | | | | | | | When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-234-2/+170
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
* Let the framework be able to override the hostname.Rob Crittenden2011-06-231-15/+14
| | | | | | | | | | | | | | | | | | The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Add backslash escape support for cvs readerJohn Dennis2011-06-221-1/+2
|
* Fix IPA install for secure umaskMartin Kosek2011-06-211-16/+23
| | | | | | | | Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation. https://fedorahosted.org/freeipa/ticket/1282
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-215-28/+23
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* DNS installation fails when domain and host domain mismatchMartin Kosek2011-06-191-0/+9
| | | | | | | | Create DNS domain for IPA server hostname first so that it's forward record can be added. This results in 2 forward DNS zones created when server hostname doesn't equal server domain. https://fedorahosted.org/freeipa/ticket/1194
* Improve DNS zone creationMartin Kosek2011-06-151-16/+51
| | | | | | | | | | | | | | | When a new DNS zone is being created a local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server. Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone. https://fedorahosted.org/freeipa/ticket/1261
generated by cgit (git 2.34.1) at 2024-06-22 11:23:03 +0000