summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
* Use a common group for all DS instancesSimo Sorce2011-01-313-65/+58
| | | | | | | | Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Fix assorted bugs found by pylintJakub Hrozek2011-01-252-3/+3
|
* Fix ipa-replica-manage regressions with winsyncSimo Sorce2011-01-252-3/+6
| | | | | | Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807
* Always add DNS records when installing a replicaSimo Sorce2011-01-251-0/+58
| | | | | | | Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records. Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related valuesSimo Sorce2011-01-252-0/+51
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Do not set a replication dn when using SASL/GSSAPI replicationSimo Sorce2011-01-241-23/+16
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/817
* Update kerberos password policy values on LDAP binds.Rob Crittenden2011-01-211-0/+4
| | | | | | | | | | | | | | | On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
* Allow SASL/EXTERNAL authentication for the root userSimo Sorce2011-01-201-0/+5
| | | | | | | | This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrvSimo Sorce2011-01-201-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/812
* Add a way to print output from commandsSimo Sorce2011-01-181-12/+15
| | | | | | | | Instead pof always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output. Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-installMartin Kosek2011-01-182-2/+7
| | | | | | | | | | | | When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
* Fix replica installation warningsSimo Sorce2011-01-141-2/+2
| | | | | We were attempting to re-add these entries on the replicas too. Which were failing because these containers, obviously, already existed there.
* Port installer and host plugin to the new DNS pluginJakub Hrozek2011-01-141-15/+15
| | | | | | * move ipa dns-resolve to the new plugin * port the installer and the host plugin to the new interface * remove the old plugin
* Remove radius options completely.Simo Sorce2011-01-141-2/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etcSimo Sorce2011-01-141-2/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/760
* Use GSSAPI for replicationSimo Sorce2011-01-142-13/+141
| | | | | | | Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
* Refactor some replication codeSimo Sorce2011-01-142-94/+97
| | | | | This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing.Rob Crittenden2011-01-111-2/+2
| | | | | | | | | Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
* Temporarily work around SSL connection issue causing installation to fail.Rob Crittenden2011-01-071-1/+2
| | | | | Not sure if this is an openldap-client, pem-nss or python-ldap problem yet but the installation is failing.
* Create the reverse zone by defaultJakub Hrozek2011-01-071-5/+3
| | | | | | A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentialsSimo Sorce2011-01-074-68/+50
| | | | | | | Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
* Allow ipa-dns-install to configure DNS on a replica.Simo Sorce2011-01-071-6/+31
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/645
* fixes CA install problem in trac ticket 682John Dennis2011-01-051-18/+24
| | | | | | Do not call status after pkisilent, it will return non-zero. Instead restart server after pkisilent so configuration changes take effect, the check the status.
* Move permissions and privileges to their own container, cn=pbac,$SUFFIXRob Crittenden2010-12-221-1/+1
| | | | ticket 638
* Make ipa-replica-manage del actually remove all replication agreementsSimo Sorce2010-12-211-2/+4
| | | | | | | | The previous code was removing only one agreement, leaving all other in place. This would leave dangling replication agreements once the replica is uninstalled. Fixes: https://fedorahosted.org/freeipa/ticket/624
* Do not require DNS record, just warn if one is missingJakub Hrozek2010-12-211-9/+8
|
* Rework old init and synch commands and use better names.Simo Sorce2010-12-211-7/+14
| | | | | | | | These commands can now be run exclusively o the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it can will pull data. Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreementsSimo Sorce2010-12-211-0/+13
| | | | | | | | | Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-4/+4
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Add disconnect command to ipa-replica-manageSimo Sorce2010-12-211-0/+22
| | | | | | | | Can remove replication agreements between 2 replicas as long as it is not the last agreement (except for Ad replication agreements, which can always be removed). Fixes: https://fedorahosted.org/freeipa/ticket/551
* Remove common entries when deleting a master.Simo Sorce2010-12-211-0/+73
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/550
* Add replication related acis to all replicasSimo Sorce2010-12-211-0/+5
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/617
* Fix race condition in installation due to use of asynchronous search.Simo Sorce2010-12-211-19/+12
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/640
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2013-65/+65
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-202-43/+68
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Verify that the replication plugin exists before setting up replicas.Rob Crittenden2010-12-171-0/+14
| | | | ticket 502
* Properly quote passwords sent to pkisilent so special characters work.Rob Crittenden2010-12-171-7/+7
| | | | | | Also check for url-encoded passwords before logging them. ticket 324
* Add krb5-pkinit-openssl as a Requires on ipa-server packageRob Crittenden2010-12-161-10/+0
| | | | ticket 599
* managed entry hostgroup netgroup support ↵Jr Aquino2010-12-131-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/543
* Save exception so it can be passed along.Rob Crittenden2010-12-111-1/+1
|
* Fix Install using dogtag.Simo Sorce2010-12-103-7/+15
| | | | | | | The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstanceSimo Sorce2010-12-105-47/+47
| | | | | | | | This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Introduce ipa control script that reads configuration off ldapSimo Sorce2010-12-106-18/+72
| | | | | | | | | | | This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
* Split dsinstance configurationSimo Sorce2010-12-102-33/+82
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
* Do not create reverse zone by defaultJakub Hrozek2010-12-021-2/+10
| | | | | | | Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-1/+1
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Enable EntryUSN plugin by default, with global scopeSimo Sorce2010-11-302-1/+5
| | | | | | | This will allow clients to use entryusn values to track what changed in the directory regardles of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Create user private groups with a uniqueid.Rob Crittenden2010-11-301-1/+1
| | | | | | | | | | If we don't then we need to add it when a group is detached causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Don't use full pathnames for kerberos binaries, let PATH find them.Rob Crittenden2010-11-221-1/+1
| | | | | Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out.
* Autotune directory server to use a greater number of filesSimo Sorce2010-11-221-4/+66
| | | | | | | | This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..). Fixes: https://fedorahosted.org/freeipa/ticket/464
generated by cgit (git 2.34.1) at 2024-05-13 11:00:40 +0000