path: root/install/tools
Commit message | Author | Age | Files | Lines
* Store list of non-master replicas in DIT and provide way to list them | Simo Sorce | 2011-03-02 | 1 | -30/+80
  Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use wrapper for sasl gssapi binds so it behaves like other binds | Simo Sorce | 2011-03-01 | 1 | -1/+1
  By calling directly sasl_interactive_bind_s() we were not calling __lateinit(). This in turn resulted in some variables like dbdir not to be set on the IPAadmin object. Keep all bind types in the same place so the same common sbind steps can be performed in each case.
  Related to: https://fedorahosted.org/freeipa/ticket/1022
* Fixed in ipa-server-install help and man page | Jan Zeleny | 2011-02-18 | 2 | -2/+5
  https://fedorahosted.org/freeipa/ticket/831
* Note --ip-address parameter of ipa-replica-prepare in man page | Jakub Hrozek | 2011-02-15 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/615
* Require ipactl be run as root to avoid a lot of misleading error msgs. | Rob Crittenden | 2011-02-15 | 1 | -0/+3
  Trying to run ipactl as non-root results in a slew of bogus error messages, some of which come because dirsrv can't read certain files as the wrong user, some based on our handling of that fact.
  ticket 936
* Fix two problems with ipa-replica-prepare | Rob Crittenden | 2011-02-14 | 1 | -1/+1
  1. Fix a unicode() problem creating the DNS entries
  2. Fix a strange NSS error when generating the certificates against a dogtag server.
  The NSS errors are quite strange. When generating the first certificate nss_shutdown() fails because the database isn't initialized yet but nss_is_initialized() returned True. The second pass fails because something is in use.
* Handle bad DM password in ipa-host-net-manage & ipa-compat-manage. | Rob Crittenden | 2011-02-14 | 2 | -2/+6
  This was resulting in a traceback because while conn was not None it wasn't connected either.
  ticket 920
* ipa-dns-install does not exit on error | Martin Kosek | 2011-02-11 | 1 | -12/+17
  This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected.
  https://fedorahosted.org/freeipa/ticket/736
* Fix return codes for ipactl | Martin Kosek | 2011-02-10 | 1 | -14/+10
  This patch fixes ipactl to return non-zero value when something goes wrong.
  https://fedorahosted.org/freeipa/ticket/894
* Disable replication version plugin by default. | Rob Crittenden | 2011-02-10 | 1 | -1/+3
  The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins.
  ticket 918
* Refresh state data before removing the dirsrv user, fixes uninstall. | Rob Crittenden | 2011-02-07 | 1 | -0/+1
  The state is read only at initialization time. This works ok when individual services remove their state data but when worked upon again at the top-level it still has the full state in memory, so when the state file is re-written all of the data that was removed is re-added.
  ticket 916
* ipa-server-install inconsistent capitalization | Martin Kosek | 2011-02-03 | 1 | -3/+3
  A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.
  https://fedorahosted.org/freeipa/ticket/776
* Add support for tracking and counting entitlements | Rob Crittenden | 2011-02-02 | 4 | -1/+241
  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results.
  tickets 28, 79, 278
* Fix installing with an external CA and wait for dogtag to come up | Rob Crittenden | 2011-02-01 | 1 | -10/+40
  There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled.
  ticket 835 revise
* Force sync in both direction before changing replication agreements | Simo Sorce | 2011-02-01 | 1 | -9/+1
  Fixes: https://fedorahosted.org/freeipa/ticket/887
* Add an address for a nameserver when a new zone is created during install | Jakub Hrozek | 2011-01-31 | 1 | -3/+3
  https://fedorahosted.org/freeipa/ticket/881
* Use a common group for all DS instances | Simo Sorce | 2011-01-31 | 3 | -72/+83
  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user.
  Fixes: https://fedorahosted.org/freeipa/ticket/851
* Don't perform some API self-tests in production mode for performance reasons | Rob Crittenden | 2011-01-28 | 2 | -0/+2
  The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance. Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok.
  ticket 751
* Make sure all DS instances are managed by ipactl | Simo Sorce | 2011-01-27 | 1 | -20/+18
  Fixes: https://fedorahosted.org/freeipa/ticket/860
* Fix assorted bugs found by pylint | Jakub Hrozek | 2011-01-25 | 2 | -3/+3
* Create DNS records as early as possible | Simo Sorce | 2011-01-25 | 1 | -4/+15
  Fixes: https://fedorahosted.org/freeipa/ticket/833
* Always add DNS records when installing a replica | Simo Sorce | 2011-01-25 | 2 | -4/+43
  Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records.
  Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related values | Simo Sorce | 2011-01-25 | 1 | -0/+1
  Fixes: https://fedorahosted.org/freeipa/ticket/820
* Make the -u option optional in unattended mode | Simo Sorce | 2011-01-24 | 1 | -8/+11
  Fixes: https://fedorahosted.org/freeipa/ticket/836
* Remove trailing space | Simo Sorce | 2011-01-24 | 1 | -1/+1
* Allow SASL/EXTERNAL authentication for the root user | Simo Sorce | 2011-01-20 | 1 | -1/+4
  This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start.
  Fixes: https://fedorahosted.org/freeipa/ticket/795
* Let ipactl output errors to stderr | Simo Sorce | 2011-01-18 | 1 | -7/+1
  Init scripts normally do not log to syslog, instead they write errors to the stderr pipe. Do the same.
* Add a way to print output from commands | Simo Sorce | 2011-01-18 | 1 | -14/+14
  Instead of always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output.
  Fixes: https://fedorahosted.org/freeipa/ticket/765
* Execute /usr/bin/python directly instead of /usr/bin/env python | Rob Crittenden | 2011-01-14 | 5 | -5/+5
  ticket 608
* Allow using Kerberos credentials with the 'connect' command | Simo Sorce | 2011-01-14 | 1 | -1/+1
  Now that we can setup GSSAPI authenticated replication we are not tied to use the Directory Manager password to set up replication agreements.
  Fixes: https://fedorahosted.org/freeipa/ticket/644
* Use GSSAPI for replication | Simo Sorce | 2011-01-14 | 2 | -3/+4
  Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI.
  Fixes: https://fedorahosted.org/freeipa/ticket/690
* Remove port argument for ipa-replica-manage | Simo Sorce | 2011-01-14 | 2 | -6/+0
  We can't use arbitrary ports anyway. And neither AD has any way to use non-standard ports. So remove this unnecessary option.
* Remove unused random password in replica install script | Simo Sorce | 2011-01-14 | 1 | -2/+0
* Refactor some replication code | Simo Sorce | 2011-01-14 | 1 | -64/+43
  This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing. | Rob Crittenden | 2011-01-11 | 1 | -0/+22
  Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name.
  ticket 680
* Ship the ipa-dns-install man page | Rob Crittenden | 2011-01-10 | 1 | -0/+1
  ticket 734
* Create the reverse zone by default | Jakub Hrozek | 2011-01-07 | 3 | -4/+33
  A new option to specify reverse zone creation for unattended installs
  https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentials | Simo Sorce | 2011-01-07 | 2 | -21/+31
  Do this by creating a common way to attach to the ldap server for each instance.
  Fixes: https://fedorahosted.org/freeipa/ticket/686
* Allow ipa-dns-install to configure DNS on a replica. | Simo Sorce | 2011-01-07 | 3 | -2/+4
  Fixes: https://fedorahosted.org/freeipa/ticket/645
* Make sure that the messagebus service is started. | Rob Crittenden | 2011-01-04 | 1 | -0/+2
  This will prevent certmonger failures. On very minimal installs it seems that messagebus is not always started.
  ticket 528
* Ask for reverse zone creation only when --setup-bind is specified | Jakub Hrozek | 2010-12-22 | 1 | -1/+3
* dbe instead of lde One line bug fix for compat and nis tools | Jr Aquino | 2010-12-22 | 2 | -2/+2
* Fix ipa-replica-manage man page to reflect current status | Simo Sorce | 2010-12-22 | 1 | -27/+47
  Fixes: https://fedorahosted.org/freeipa/ticket/627
* Temporary fix for 'connect' operations | Simo Sorce | 2010-12-21 | 1 | -1/+1
  Currently the code depends on using a password to create replication agreements, so this patch forces the request of the dirmgr password until we can fix the internal issues that prevent using the admin user with SASL/GSSAPI to create replication agreements.
* Make ipa-replica-manage del actually remove all replication agreements | Simo Sorce | 2010-12-21 | 1 | -53/+48
  The previous code was removing only one agreement, leaving all other in place. This would leave dangling replication agreements once the replica is uninstalled.
  Fixes: https://fedorahosted.org/freeipa/ticket/624
* Fix to man page for ipa-compat-manage There was a typo for the manpage, this is a one liner to fix. | Jr Aquino | 2010-12-21 | 1 | -1/+1
* Rework old init and synch commands and use better names. | Simo Sorce | 2010-12-21 | 1 | -23/+47
  These commands can now be run exclusively on the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it will pull data.
  Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreements | Simo Sorce | 2010-12-21 | 1 | -0/+2
  Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions.
  Fixes: https://fedorahosted.org/freeipa/ticket/630
* Make ipa-replica-manage list return all known masters | Simo Sorce | 2010-12-21 | 1 | -17/+46
  If ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements
  Fixes: https://fedorahosted.org/freeipa/ticket/625
* Rename add command to connect in ipa-replica-manage | Simo Sorce | 2010-12-21 | 1 | -35/+71
  This change also improves command syntax parsing
  Fixes: https://fedorahosted.org/freeipa/ticket/623