summaryrefslogtreecommitdiffstats
path: root/install/tools/ipa-replica-install
Commit message (Collapse)AuthorAgeFilesLines
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.Rob Crittenden2011-03-151-19/+7
| | | | | | | | | | | | | | | | This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
* Use TLS for dogtag replication agreements.Rob Crittenden2011-03-101-2/+24
| | | | | | | | Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
* Need to restart the dogtag 388-ds instance before using it.Rob Crittenden2011-03-031-0/+17
| | | | | | | | | | | Restart the 389-ds instance to ensure all schema is loaded that dogtag may have installed as files. According to bug https://bugzilla.redhat.com/show_bug.cgi?id=680984 this it is only needed on clones. ticket 1024
* IPA replica/server install does not check for a clientMartin Kosek2011-03-031-0/+5
| | | | | | | | | | | When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end. This patch adds a check for already configured client and suggests removing it before server/replica installation. https://fedorahosted.org/freeipa/ticket/1002
* Use a common group for all DS instancesSimo Sorce2011-01-311-7/+29
| | | | | | | | Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Don't perform some API self-tests in production mode for performance reasonsRob Crittenden2011-01-281-0/+1
| | | | | | | | | | | | The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance. Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok. ticket 751
* Fix assorted bugs found by pylintJakub Hrozek2011-01-251-2/+2
|
* Create DNS records as early as possibleSimo Sorce2011-01-251-4/+15
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/833
* Always add DNS records when installing a replicaSimo Sorce2011-01-251-3/+21
| | | | | | | Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records. Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related valuesSimo Sorce2011-01-251-0/+1
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Use GSSAPI for replicationSimo Sorce2011-01-141-1/+2
| | | | | | | Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
* Remove unused random password in replica install scriptSimo Sorce2011-01-141-2/+0
|
* Create the reverse zone by defaultJakub Hrozek2011-01-071-1/+13
| | | | | | A new option to specify reverse zone creation for unattended installs https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to configure DNS on a replica.Simo Sorce2011-01-071-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/645
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Clarify ipa-replica-install error messageJakub Hrozek2010-12-201-2/+2
|
* Make the IPA installer IPv6 friendlyJakub Hrozek2010-12-201-6/+13
| | | | | | | | | Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
* Verify that the replication plugin exists before setting up replicas.Rob Crittenden2010-12-171-0/+3
| | | | ticket 502
* Add krb5-pkinit-openssl as a Requires on ipa-server packageRob Crittenden2010-12-161-9/+0
| | | | ticket 599
* Fix Install using dogtag.Simo Sorce2010-12-101-0/+5
| | | | | | | The CA is installed before DS so we need to wait until DS is actually installed to be able to ldap_enable the CA instance. Fixes: https://fedorahosted.org/freeipa/ticket/612
* Move Selfsigned CA creation out of dsinstanceSimo Sorce2010-12-101-1/+1
| | | | | | | | This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
* Split dsinstance configurationSimo Sorce2010-12-101-34/+25
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
* Make pkinit setup optional in ipa-replica-prepare too.Simo Sorce2010-12-081-5/+10
| | | | | | Also add fixes for ipa-replica-install as that had issues too. Fixes: https://fedorahosted.org/freeipa/ticket/527
* Do not create reverse zone by defaultJakub Hrozek2010-12-021-1/+2
| | | | | | | Prompt for creation of reverse zone, with the default for unattended installations being False. https://fedorahosted.org/freeipa/ticket/418
* id ranges: change DNA configurationSimo Sorce2010-11-221-1/+7
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* pkinit-replica: create certificates for replicas tooSimo Sorce2010-11-181-3/+24
| | | | | altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
* Use Realm as certs subject base nameSimo Sorce2010-11-181-1/+1
| | | | Also use the realm name as nickname for the CA certificate
* Log script options to logfileJakub Hrozek2010-11-091-5/+7
| | | | | | | | Uses a new subclass IPAOptionParser in scripts instead of OptionParser from the standard python library. IPAOptionParser uses its own IPAOption class to store options, which adds a new 'sensitive' attribute. https://fedorahosted.org/freeipa/ticket/393
* Include REPLICA_FILE in usage for ipa-replica-installRob Crittenden2010-10-131-1/+2
| | | | ticket 247
* Add --no-host-dns argument to ipa-replica-installRob Crittenden2010-09-161-3/+6
| | | | | | | The server installer has this option, the replica installer should have it too. ticket 146
* Query the remote server to see if this replica host already exists.Rob Crittenden2010-06-011-13/+23
| | | | | | If it does then the installation will fail trying to set up the keytabs, and not in a way that you say "aha, it's because the host is already enrolled."
* Use correct name for CA PKCS#12 file.Rob Crittenden2010-04-231-2/+2
| | | | I recently renamed this and missed this reference.
* Use ldap2 instead of legacy LDAP code from v1 in installer scripts.Pavel Zuna2010-04-191-11/+11
|
* Get rid of ipapython.config in ipa-replica-prepareMartin Nagy2010-02-091-17/+13
| | | | | | | | | | Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
* Only add an NTP SRV record if we really are setting up NTPMartin Nagy2010-01-211-1/+2
| | | | | | | The sample bind zone file that is generated if we don't use --setup-dns is also changed. Fixes #500238
* User-defined certificate subjectsRob Crittenden2010-01-201-2/+6
| | | | | | | | | | | | | | | Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Make the IPA server host and its services "real" IPA entriesRob Crittenden2009-12-111-1/+5
| | | | | | | | | | | We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Ask the user before overwriting /etc/named.confMartin Nagy2009-12-021-4/+2
|
* Replace /etc/ipa/ipa.conf with /etc/ipa/default.confRob Crittenden2009-12-011-8/+0
| | | | | | | The new framework uses default.conf instead of ipa.conf. This is useful also because Apache uses a configuration file named ipa.conf. This wipes out the last vestiges of the old ipa.conf from v1.
* Only initialize the API once in the installerRob Crittenden2009-09-281-12/+8
| | | | | | Make the ldap2 plugin schema loader ignore SERVER_DOWN errors 525303
* Add external CA signing and abstract out the RA backendRob Crittenden2009-09-151-1/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
* Add forgotten chunks from commit 4e5a68397a102f0beMartin Nagy2009-09-081-2/+20
| | | | | I accidentally pushed the older patch that didn't contain bits for ipa-replica-install.
* Add A and PTR records of ourselves during installationMartin Nagy2009-09-021-1/+7
| | | | | | | If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively.
* Setup bind only after restarting kdc and dirsrvMartin Nagy2009-09-021-2/+3
| | | | | | | BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future.
* Enable ldapi connections in the management framework.Rob Crittenden2009-08-271-0/+1
| | | | | | If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Make --setup-dns work on replica installationMartin Nagy2009-07-221-1/+40
| | | | | | | The ipa-replica-install script will setup the DNS if user specifies the --setup-dns option. It will only add the zone into LDAP if the cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add the records.
* Allow replicas of an IPA server using an internal dogtag server as the CARob Crittenden2009-07-151-5/+30
| | | | | | | | This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
* Fix replica installation for self-signed CA (no dogtag)Rob Crittenden2009-05-041-1/+14
|
* Rename ipa-python directory to ipapython so it is a real python libraryRob Crittenden2009-02-091-2/+2
| | | | | We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
* Remove some duplicated code that was moved to ipaserver and use it Remove ↵Rob Crittenden2009-02-061-6/+3
| | | | some unused files
generated by cgit (git 2.34.1) at 2024-06-24 03:02:33 +0000