summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
...
* Save and restore on uninstall ds related config filesSimo Sorce2010-11-222-1/+14
|
* id ranges: change DNA configurationSimo Sorce2010-11-221-17/+19
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Configure KDC to use multiple workersSimo Sorce2010-11-221-0/+34
| | | | | Only if more than one CPU is available Only if supported by the installed krb5kdc
* Exclude Krb lockout attributes from replicationSimo Sorce2010-11-181-1/+8
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/440
* pkinit-replica: create certificates for replicas tooSimo Sorce2010-11-182-5/+27
| | | | | altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
* anon-pkinit: add well known principalSimo Sorce2010-11-181-0/+18
| | | | | | leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
* Add support for configuring KDC certs for PKINITSimo Sorce2010-11-182-5/+129
| | | | | This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
* Use Realm as certs subject base nameSimo Sorce2010-11-184-22/+31
| | | | Also use the realm name as nickname for the CA certificate
* Set CACERTDIR during install to work around openldap bugJakub Hrozek2010-11-111-1/+3
| | | | | | | | Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around the issue by setting both into the environment. https://fedorahosted.org/freeipa/ticket/467
* Rename 60sudo.ldif to 60ipasudo.ldif to not overwrite the 389-ds version.Rob Crittenden2010-11-091-2/+2
| | | | | | This meant that the compat sudo schema was not available. ticket 439
* Use kerberos password policy.Rob Crittenden2010-11-011-0/+4
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* UUIDs: remove uuid python plugin and let DS always autogenerateSimo Sorce2010-10-284-10/+5
| | | | merge in remove uuid
* ipa-modrdn: Enable plugin to handle krbPrincipalName on renamesSimo Sorce2010-10-281-0/+5
|
* ipa-uuid: enable plugin in IPASimo Sorce2010-10-221-0/+5
|
* Handle cases where ntpd options are scattered on multiple linesSimo Sorce2010-10-221-29/+33
|
* ntpdinstance: Do not replace the config files, just add needed optionsSimo Sorce2010-10-181-19/+86
|
* dsinstance: Fix ldappasswd invocation to specify the server nameSimo Sorce2010-10-181-1/+1
| | | | | Apparently on some machines if this is not done SSL validation will fail. Fixes bug #394
* Remove the directory server ldapi socket on uninstall.Rob Crittenden2010-10-151-0/+4
| | | | ticket 350
* Compare resolver IP address with DNS IP addressRob Crittenden2010-10-152-1/+4
| | | | | | | | | | | We check the resolver against the resolver and DNS against DNS but not the resolver against DNS so if something is wrong in /etc/hosts we don't catch it and nasty connection messages occur. Also fix a problem where a bogus error message was being displayed because we were trying to close an unconnected LDAP connection. ticket 327
* Avoid writing customized perl scripts in /usrSimo Sorce2010-10-141-0/+1
| | | | Keep instance specific data in /var/lib/dirsrv
* dsinstance: avoid exposing passwords when invoking ldappaswdSimo Sorce2010-10-141-13/+29
| | | | | Pass passwords to ldappasswd by using files. Replace use of mozldap's ldappaswd with openldap's one.
* Detect if DNS is already configured in IPA, or if IPA is not yet installed.Rob Crittenden2010-10-081-2/+5
| | | | | | | ipa-dns-manage could fail in very odd ways depending on the current configuration of the server. Handle things a bit better. ticket 210
* Include time duration hints when configuring services in ipa-server-install.Rob Crittenden2010-10-085-8/+26
| | | | | | | Give a better heads-up on how long the installation will take. Particularly important when configuring dogtag. ticket 139
* Quote passwords when calling pkisilentRob Crittenden2010-10-011-6/+7
| | | | ticket 243
* Use consistent, specific nickname for the IPA CA certificate.Rob Crittenden2010-10-013-11/+8
| | | | | | Also fix some imports for sha. We have a compat module for it, use it. ticket 181
* Automatically convert a v1-style ca_serialno to the v2 config style.Rob Crittenden2010-09-241-1/+13
| | | | | | | This has been annoying for developers who switch back and forth. It will still break v1 but at least going from v1 to v2 will work seemlessly. ticket 240
* Properly handle CertificateOperationErrors in replication prepration.Rob Crittenden2010-09-241-0/+1
| | | | | | | The problem here was two-fold: the certs manager was raising an error it didn't know about and ipa-replica-prepare wasn't catching it. ticket 249
* Add new DNS install argument for setting the zone mgr e-mail addr.Rob Crittenden2010-09-231-4/+11
| | | | ticket 125
* Show all missing packages when setting up bind, not one at a time.Rob Crittenden2010-09-161-4/+8
| | | | | | | | We used to check for these one at a time so you'd run it once and find out you're missing the bind package. Install that and run the installer again and you'd discover you're missing bind-dyndb-ldap. ticket 140
* Enabling SUDO supportDmitri Pal2010-09-161-0/+2
| | | | | | | | | | | * Adding a new SUDO schema file * Adding this new file to the list of targets in make file * Create SUDO container for sudo rules * Add default sudo services to HBAC services * Add default SUDO HBAC service group with two services sudo & sudo-i * Installing schema No SUDO rules are created by default by this patch.
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-093-169/+14
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* Have certmonger track the initial Apache and 389-ds server certs.Rob Crittenden2010-09-096-17/+227
| | | | | | | | | | | | | | | We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
* Make ldap2 class work as a client library as well.Rob Crittenden2010-09-071-1/+1
| | | | | | | | | | | | | | | | | | Move the user-private group caching code out of the global config and determine the value the first time it is needed. Renamed global_init() back to get_schema() and make it take an optional connection. This solves the problem of being able to do all operations with a simple bind instead of GSSAPI. Moved the global get_syntax() into a class method so that a schema can be passed in. If a schema wasn't loaded during the module import then it is loaded when the connection is created (so we have the credntials needed for binding). ticket 63
* Changes to fix compatibility with Fedora 14Rob Crittenden2010-08-312-4/+5
| | | | | | | | | | | | Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
* Remove passwords when running commands including stdout and stderrRob Crittenden2010-08-311-12/+3
| | | | | | | | | | | This replaces the old no logging mechanism that only handled not logging passwords passed on the command-line. The dogtag installer was including passwords in the output. This also adds no password logging to the sslget invocations and removes a couple of extraneous log commands. ticket 156
* Break out install into more steps, add -key_algorithm to pkisilentRob Crittenden2010-08-191-20/+9
| | | | | | | | | | | | | Installing dogtag is quite slow and it isn't always clear that things are working. This breaks out some restart calls into separate steps to show some amount of progress. There are still some steps that take more than a minute (pkicreate and pkisilent). Add new argument to pkisilent, -key_algorithm Update a bunch of minimum required versions in the spec file. tickets 139 (time) and 144 (key_algorithm)
* Enable compat plugin by default and configure netgroupsRob Crittenden2010-08-191-1/+9
| | | | | | | | | Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-copmat-manage tool. ticket 91
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-291-1/+1
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* Add support for User-Private GroupsRob Crittenden2010-07-061-2/+32
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Fix indentation problem causing build breakageRob Crittenden2010-06-241-2/+2
|
* Replication version checking.Rob Crittenden2010-06-241-0/+4
| | | | | | | | Whenever we upgrade IPA such that any data incompatibilities might occur then we need to bump the DATA_VERSION value so that data will not replicate to other servers. The idea is that you can do an in-place upgrade of each IPA server and the different versions own't pollute each other with bad data.
* use NSS for SSL operationsJohn Dennis2010-06-152-48/+0
|
* Catch the condition where dogtag is already configured (no preop.pin)Rob Crittenden2010-06-011-0/+3
| | | | | | | | This causes the installation to blow up badly otherwise. To remove an existing instance run: # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
* Add LDAP upgrade over ldapi support.Rob Crittenden2010-06-013-14/+155
| | | | | | | | | This disables all but the ldapi listener in DS so it will be quiet when we perform our upgrades. It is expected that any other clients that also use ldapi will be shut down by other already (krb5 and dns). Add ldapi as an option in ipaldap and add the beginning of pure offline support (e.g. direct editing of LDIF files).
* Re-number some attributes to compress our usage to be contiguousRob Crittenden2010-05-271-2/+0
| | | | | | | No longer install the policy or key escrow schemas and remove their OIDs for now. 594149
* Move the dogtag SELinux rules loading into the spec fileRob Crittenden2010-05-271-24/+0
| | | | | | I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded them the rules loading would fail because types would be missing.
* Include -clone_uri argument to pkisilent setting the clone URI.Rob Crittenden2010-05-271-0/+2
| | | | This makes creating a clone from a clone work as expected.
* Create default HBAC rule allowing any user to access any host from any hostRob Crittenden2010-05-051-2/+9
| | | | | | | | | This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all
* Handle CSRs whether they have NEW in the header or notRob Crittenden2010-05-032-15/+5
| | | | Also consolidate some duplicate code
* Make the installer/uninstaller more aware of its stateRob Crittenden2010-05-037-3/+45
| | | | | | | | | | | | | | We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
generated by cgit (git 2.34.1) at 2024-05-23 13:31:18 +0000