| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
|
| |
|
|
|
|
|
| |
Instead of print and return, use sys.exit() to quit scripts with an
error message and a non zero return code.
https://fedorahosted.org/freeipa/ticket/425
|
| | |
|
| | |
|
| |
|
|
|
| |
altough the kdc certificate name is not tied to the fqdn we create separate
certs for each KDC so that renewal of each of them is done separately.
|
| |
|
|
|
| |
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
|
| |
|
|
| |
Also use the realm name as nickname for the CA certificate
|
| |
|
|
|
|
| |
Also shut down all services before starting uninstall.
ticket 349
|
| | |
|
| |
|
|
|
|
|
|
| |
The signature of ldap2.get_entry() changed so normalize wasn't being
handled properly so the basedn was always being appended causing our
entry in cn=config to be not found.
ticket 414
|
| |
|
|
| |
ticket 290
|
| |
|
|
|
|
|
|
| |
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
|
| |
|
|
| |
ticket 331
|
| |
|
|
|
| |
Reference was removed from ipa-server-install(1) man page.
Ticket: #330
|
| |
|
|
| |
ticket 247
|
| |
|
|
|
|
|
| |
ipa-dns-manage could fail in very odd ways depending on the current
configuration of the server. Handle things a bit better.
ticket 210
|
| |
|
|
|
|
|
|
| |
When we uninstall we wipe out the entire LDAP database, so it doesn't really
make mush sense to try to also remove single entries from it.
This avoids the --uninstall procedure to fail because the DM password is not
available or the LDAP server is down, and we are just trying to cleanup
everything.
|
| |
|
|
|
|
| |
This was meant to catch the case where the client wasn't configured and
it missed the most obvious one: the client was installed and is now
uninstalled.
|
| |
|
|
|
|
|
| |
The problem here was two-fold: the certs manager was raising an
error it didn't know about and ipa-replica-prepare wasn't catching it.
ticket 249
|
| |
|
|
| |
ticket 125
|
| |
|
|
| |
tickets 130 and 131
|
| | |
|
| |
|
|
|
|
|
| |
The server installer has this option, the replica installer should have
it too.
ticket 146
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
|
| |
|
|
| |
ticket 138
|
| |
|
|
|
|
|
|
|
| |
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
|
| | |
|
| |
|
|
| |
Javascript based ui.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.
After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer
I took some time and fixed up some things pylint complained about too.
Ticket #83
|
| |
|
|
|
| |
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
|
| |
|
|
|
|
| |
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
|
| |
|
|
|
|
|
|
|
| |
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).
Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
|
| |
|
|
|
|
|
|
|
| |
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
|
| |
|
|
| |
I meant to push these along with the original patch but pushed the wrong one.
|
| | |
|
| |
|
|
|
|
| |
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
|
| |
|
|
|
|
|
|
| |
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
|
| |
|
|
| |
I recently renamed this and missed this reference.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
|
| |
|
|
|
|
|
|
|
|
| |
There are now 3 cases:
- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
for the server certs. The installed CA will still be used by the cert
plugin to issue any server certs.
|
| |
|
|
|
| |
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
|
| | |
|
| |
|
|
| |
This is required so we can disable anonymous access in 389-ds.
|
| |
|
|
| |
Resolves #529787
|
| |
|
|
|
|
|
|
| |
To install IPA without dogtag use the --selfsign option.
The --ca option is now deprecated.
552995
|
| |
|
|
| |
Fixes #528996
|
| |
|
|
|
|
|
|
|
|
| |
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.
Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
|
