path: root/ipaserver/install
* Set SO_REUSEADDR when determining socket availability (Rob Crittenden, 2010-05-03; 1 file, -0/+2)
  The old perl DS code for detection didn't set this so was often confused about port availability. We had to match their behavior so the installation didn't blow up. They fixed this a while ago, this catches us up.

* Some more changes for DNS forwarders prompt (Martin Nagy, 2010-04-23; 1 file, -3/+3)

* Add forgotten trailing dots in DNS records (Martin Nagy, 2010-04-23; 1 file, -3/+3)
  583023

* Delete old SRV records during uninstallation (Martin Nagy, 2010-04-23; 1 file, -11/+68)

* Fix installing IPA with an external CA (Rob Crittenden, 2010-04-23; 1 file, -1/+1)
  - cache all interactive answers
  - set non-interactive to True for the second run so nothing is asked
  - convert boolean values that are read in
  - require absolute paths for the external CA and signed cert files
  - fix the invocation message for the second ipa-server-install run

* Use escapes in DNs instead of quoting. (Rob Crittenden, 2010-04-19; 2 files, -1/+7)
  Based on initial patch from Pavel Zuna.

* Remove older MITM fixes to make compatible with dogtag 1.3.3 (Rob Crittenden, 2010-04-19; 2 files, -14/+4)
  We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than using whether api.env.home is set use api.env.in_tree.

* Fix ipa-dns-install. It was failing when DNS was reinstalling. (Pavel Zuna, 2010-04-19; 1 file, -1/+10)

* Configure the CRL URI in dogtag. (Rob Crittenden, 2010-04-16; 1 file, -1/+4)
  Also print out a restart message after applying the custom subject. It takes a while to restart dogtag and this lets the user know things are moving forward.

* Don't let failure to trust the CA abort the server installation. (Rob Crittenden, 2010-04-07; 1 file, -2/+5)
  This error could result in things not working properly but it should be relatively easy to fix from the command-line. There is no point in not installing at all due to this.

* Use GSSAPI auth for the ipa-replica-manage list and del commands. (Rob Crittenden, 2010-03-19; 2 files, -1/+21)
  This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.

* Provide mechanism in ipautil.run() to not log all arguments. (Rob Crittenden, 2010-03-19; 1 file, -1/+10)
  This is primarily designed to not log passwords but it could have other uses.
  567867

* Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 (Rob Crittenden, 2010-03-19; 1 file, -0/+5)
  pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.

* Handle the case where the DS group exists but the user does not (Rob Crittenden, 2010-03-16; 1 file, -0/+9)
  If the group exists but the user doesn't then useradd blows up trying to create the user and group. So test to see if the group exists and if it does pass along the -g argument to useradd.
  Resolves #502960

* Don't assume local directory is valid or writable. (Rob Crittenden, 2010-02-19; 1 file, -1/+6)
  certutil writes to the local directory when issuing a certificate. Change to the security database directory when issuing the self-signed CA. Also handle the case where a user is in a non-existent directory when doing the install.

* Make the DNS forwarders interactive input less confusing (Martin Nagy, 2010-02-16; 1 file, -13/+17)
  Fixes #558984

* Get rid of ipapython.config in ipa-replica-prepare (Martin Nagy, 2010-02-09; 1 file, -25/+27)
  Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).

* Move the HTTP/S request code to a common library (Rob Crittenden, 2010-02-09; 1 file, -31/+16)
  This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.

* Be more careful when base64-decoding certificates (Rob Crittenden, 2010-02-02; 2 files, -9/+6)
  Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.

* Update dogtag configuration to work after CVE-2009-3555 changes (Rob Crittenden, 2010-01-27; 2 files, -4/+16)
  NSS is going to disallow all SSL renegotiation by default. Because of this we need to always use the agent port of the dogtag server which always requires SSL client authentication. The end user port will prompt for a certificate if required but will attempt to re-do the handshake to make this happen which will fail with newer versions of NSS.
* Set BIND to use ldapi and use fake mname (Martin Nagy, 2010-01-21; 1 file, -0/+2)
  The fake_mname for now doesn't exist but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Move some functions from ipa-server-install into installutils (Martin Nagy, 2010-01-21; 1 file, -0/+53)
  We will need these functions in the new upcoming ipa-dns-install command.

* Allow a custom file mode when setting up debugging (Martin Nagy, 2010-01-21; 1 file, -2/+2)
  This will be handy in the future if we will want to install or uninstall only single IPA components and want to append to the installation logs. This will be used by the upcoming ipa-dns-install script.

* Only add an NTP SRV record if we really are setting up NTP (Martin Nagy, 2010-01-21; 1 file, -3/+12)
  The sample bind zone file that is generated if we don't use --setup-dns is also changed.
  Fixes #500238

* Use the dns plug-in for addition of records during installation (Martin Nagy, 2010-01-21; 1 file, -33/+82)
  Fixes #528943

* User-defined certificate subjects (Rob Crittenden, 2010-01-20; 5 files, -26/+55)
  Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.

* Create pkiuser before calling pkicreate, pkicreate depends on the user existing (John Dennis, 2010-01-20; 1 file, -1/+1)

* Missed explicit reference to pki-ca, replace with self.service_name (Rob Crittenden, 2010-01-11; 1 file, -2/+2)

* Change the service name to reflect changes in pki-ca (now pki-cad). (Rob Crittenden, 2010-01-07; 1 file, -3/+3)
  Also properly use the instance name where appropriate. There were a couple of places where the service name was used and this worked because they were the same.
* Added Fuzzy docstrings; make-test now runs doctests in tests/*; fixed 'existant' misspelling (Jason Gerard DeRose, 2009-12-18; 1 file, -1/+1)
* Make hosts more like real services so we can issue certs for host principals (Rob Crittenden, 2009-12-16; 1 file, -1/+2)
  This patch should make joining a client to the domain and using certmonger to get an initial certificate work.

* Make the IPA server host and its services "real" IPA entries (Rob Crittenden, 2009-12-11; 8 files, -20/+134)
  We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.

* Bump the installation version number to V2.0 (Rob Crittenden, 2009-12-03; 1 file, -1/+1)

* Ask the user before overwriting /etc/named.conf (Martin Nagy, 2009-12-02; 1 file, -1/+9)

* Add option to have ipautil.run() not raise an exception (Rob Crittenden, 2009-11-30; 5 files, -14/+14)
  There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.

* Add SELinux policy for CRL file publishing. (Rob Crittenden, 2009-11-26; 1 file, -0/+26)
  This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer.

* Point to correct location of self-signed CA and set pw on 389-DS cert db (Rob Crittenden, 2009-11-25; 1 file, -1/+1)
  The CA was moved from residing in the DS NSS database into the Apache database to support a self-signed CA certificate plugin. This was not updated in the installer boilerplate. The DS db wasn't getting a password set on it. Go ahead and set one.

* Add code to handle stash files using keytab format (Nalin Dahyabhai, 2009-11-24; 1 file, -3/+59)
  In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).

* Cache installer questions for the 2-step process of an externally-signed CA (Rob Crittenden, 2009-11-18; 1 file, -1/+2)
  Installing a CA that is signed by another CA is a 2-step process. The first step is to generate a CSR for the CA and the second step is to install the certificate issued by the external CA. To avoid asking questions over and over (and potentially getting different answers) the answers are cached.

* Fix SASL mappings (Simo Sorce, 2009-11-18; 1 file, -2/+2)

* Add a sleep() prior to calling tasks to ensure postop writes are done (Rob Crittenden, 2009-10-16; 1 file, -0/+3)
  We were seeing a rare deadlock of DS when creating the memberOf task because one thread was adding memberOf in a postop while another was trying to create an index and this was causing a PRLock deadlock.

* Be more forgiving when trying to replace older DS schema. (Rob Crittenden, 2009-10-16; 1 file, -4/+8)
  We have to replace 05rfc2247.ldif because it contains some conflicting attributes with DNS in some older versions of 389-DS/RHDS. This fails on some newer versions of 389-DS/RHDS so this lets it continue installing if the new file is not needed.

* Loosen the ACI for the KDC to allow adds/deletes (Rob Crittenden, 2009-10-05; 1 file, -3/+1)
  Password policy entries must be a child of the entry protected by this ACI. Also change the format of this because in DS it was stored as: \n(target)\n so was base64-encoded when it was retrieved.

* Robustness fix for updater, in case updates['updates'] is not set yet. (Rob Crittenden, 2009-10-05; 1 file, -1/+1)

* Let the updater delete entries and add small test harness (Rob Crittenden, 2009-10-05; 1 file, -6/+49)
  In order to run the tests you must put your DM password into ~/.ipa/.dmpw
  Some tests are expected to generate errors. Don't let any ERROR messages from the updater fool you, watch the pass/fail of the nosetests.
* Enrollment for a host in an IPA domain (Rob Crittenden, 2009-09-24; 1 file, -0/+4)
  This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab
  If no kerberos credentials are available then enrollment over LDAPS is used if a password is provided.
  This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Add external CA signing and abstract out the RA backend (Rob Crittenden, 2009-09-15; 4 files, -156/+399)
  External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr.

  A run would look like:

  # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U

  [ sign cert request ]

  # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

  This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation.

  To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas.

  One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database.

  Lots of general fixes were also made in ipaserver.install.certs including:
  - better handling when multiple CA certificates are in a single file
  - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())

* Add A and PTR records of ourselves during installation (Martin Nagy, 2009-09-02; 1 file, -3/+16)
  If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still a little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively.

* Use DNS forwarders in /etc/named.conf (Martin Nagy, 2009-09-02; 1 file, -1/+12)
  This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command line.

* Add the CA constraint to the self-signed CA we generate (Rob Crittenden, 2009-08-27; 1 file, -8/+19)
  514027