path: root/install/tools
Commit message | Author | Age | Files | Lines
* Automatically update IPA LDAP on rpm upgrades
  Rob Crittenden | 2011-03-21 | 2 files | -19/+43

  Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers.

  This also:
  * corrects the ipa-ldap-updater man page
  * remove automatic --realm, --server, --domain options
  * handle upgrade errors properly
  * saves a copy of dse.ldif before we change it so it can be recovered
  * fixes an error discovered by pylint

  ticket 1087
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
  Rob Crittenden | 2011-03-15 | 3 files | -28/+20

  This fixes 2 AVCs:
  * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.

  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.

  ticket 1085
* Use TLS for dogtag replication agreements.
  Rob Crittenden | 2011-03-10 | 2 files | -3/+39

  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements.

  The NSS database we use is a symbolic link to the IPA 389-ds instance.

  ticket 1060

* chkconfig the ipa service off when it is uninstalled.
  Rob Crittenden | 2011-03-08 | 1 file | -0/+2

  ticket 1056
* Improve error handling and return status codes in ipactl
  Martin Kosek | 2011-03-07 | 1 file | -30/+89

  There are cases when ipactl returns success even when it fails. Plus, when the error really is detected the status codes are not LSB compliant. This may result in consequent issues.

  This patch improves error handling in ipactl and adds LSB compliant status codes. Namely:

    0  program is running or service is OK
    3  program is not running
    4  program or service status is unknown

  for "status" action. Status code 4 is issued when IPA is not configured to distinguish this state from not running IPA.

  For other actions, the following non-zero status codes are implemented:

    1  generic or unspecified error
    2  invalid or excess argument(s)
    4  user had insufficient privilege
    6  program is not configured

  https://fedorahosted.org/freeipa/ticket/1055
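The status-code tables above, worked through as an added example. This is not FreeIPA's ipactl, only an editor-written illustration of the same LSB mapping. It assumes a hypothetical Services controller (constructed here) standing in for the real init scripts, and that every action, including status, requires root, as the "Require ipactl be run as root" commit further down this log does:

```python
import sys

# LSB init-script exit codes named in the commit above. The same number can
# mean different things for "status" and for the other actions, so keep two
# groups of names.
LSB_OK = 0                # status: running / other actions: success
LSB_GENERIC_ERROR = 1     # other actions: generic or unspecified error
LSB_INVALID_ARGS = 2      # other actions: invalid or excess argument(s)
LSB_NOT_RUNNING = 3       # status: program is not running
LSB_STATUS_UNKNOWN = 4    # status: status unknown (here: IPA not configured)
LSB_NO_PRIVILEGE = 4      # other actions: user had insufficient privilege
LSB_NOT_CONFIGURED = 6    # other actions: program is not configured

ACTIONS = ("start", "stop", "restart", "status")


class Services:
    """Hypothetical stand-in for the service controller ipactl drives.

    `running` maps service name -> bool; names in `fail_on` raise when
    started or stopped, to model a failing init script.
    """

    def __init__(self, configured, running, fail_on=()):
        self.configured = configured
        self.running = dict(running)
        self.fail_on = set(fail_on)

    def start(self, name):
        if name in self.fail_on:
            raise RuntimeError("%s failed to start" % name)
        self.running[name] = True

    def stop(self, name):
        if name in self.fail_on:
            raise RuntimeError("%s failed to stop" % name)
        self.running[name] = False


def ipactl(argv, services, euid=0, err=None):
    """Run one ipactl action and return the LSB exit code (never raises)."""
    if err is None:
        err = sys.stderr
    if len(argv) != 1 or argv[0] not in ACTIONS:
        print("usage: ipactl {start|stop|restart|status}", file=err)
        return LSB_INVALID_ARGS
    action = argv[0]

    # Assumption: root is required for every action; both code tables use 4.
    if euid != 0:
        print("ipactl must be run as root", file=err)
        return LSB_NO_PRIVILEGE

    if action == "status":
        if not services.configured:
            print("IPA is not configured", file=err)
            return LSB_STATUS_UNKNOWN
        stopped = sorted(n for n, up in services.running.items() if not up)
        if stopped:
            print("not running: %s" % ", ".join(stopped), file=err)
            return LSB_NOT_RUNNING
        return LSB_OK

    if not services.configured:
        print("IPA is not configured", file=err)
        return LSB_NOT_CONFIGURED

    # A failure of any individual service must surface as a non-zero code
    # instead of being swallowed; swallowing it is how "success even when
    # it fails" happens.
    try:
        for name in sorted(services.running):
            if action in ("stop", "restart"):
                services.stop(name)
            if action in ("start", "restart"):
                services.start(name)
    except Exception as exc:
        print("error: %s" % exc, file=err)
        return LSB_GENERIC_ERROR
    return LSB_OK


if __name__ == "__main__":
    demo = Services(configured=True, running={"dirsrv": True, "krb5kdc": False})
    sys.exit(ipactl(sys.argv[1:] or ["status"], demo))
```

The branch worth checking in a real init script is the last one: an exception from one service's start or stop has to become exit code 1 rather than falling through to 0, and errors go to stderr, where init scripts expect them, not to syslog.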
* Skip DNS validation checks if we're setting up DNS in ipa-server-install.
  Rob Crittenden | 2011-03-04 | 1 file | -0/+4

  If we're going to be authoritative ourselves don't bother with what other DNS servers think.

  ticket 1036

* Use ldapi: instead of unsecured ldap: in ipa core tools.
  Pavel Zuna | 2011-03-03 | 7 files | -33/+28

  The patch also corrects exception handling in some of the tools.

  Fix #874

* Need to restart the dogtag 389-ds instance before using it.
  Rob Crittenden | 2011-03-03 | 1 file | -0/+17

  Restart the 389-ds instance to ensure all schema is loaded that dogtag may have installed as files.

  According to bug https://bugzilla.redhat.com/show_bug.cgi?id=680984 this is only needed on clones.

  ticket 1024
* Inconsistent sysrestore file handling by IPA server installer
  Martin Kosek | 2011-03-03 | 1 file | -2/+2

  IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before.

  The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image.

  https://fedorahosted.org/freeipa/ticket/1026

* IPA replica/server install does not check for a client
  Martin Kosek | 2011-03-03 | 2 files | -0/+10

  When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end.

  This patch adds a check for already configured client and suggests removing it before server/replica installation.

  https://fedorahosted.org/freeipa/ticket/1002

* Store list of non-master replicas in DIT and provide way to list them
  Simo Sorce | 2011-03-02 | 1 file | -30/+80

  Fixes: https://fedorahosted.org/freeipa/ticket/1007

* Use wrapper for sasl gssapi binds so it behaves like other binds
  Simo Sorce | 2011-03-01 | 1 file | -1/+1

  By calling sasl_interactive_bind_s() directly we were not calling __lateinit(). This in turn resulted in some variables like dbdir not being set on the IPAadmin object.

  Keep all bind types in the same place so the same common sbind steps can be performed in each case.

  Related to: https://fedorahosted.org/freeipa/ticket/1022
* Fixed in ipa-server-install help and man page
  Jan Zeleny | 2011-02-18 | 2 files | -2/+5

  https://fedorahosted.org/freeipa/ticket/831

* Note --ip-address parameter of ipa-replica-prepare in man page
  Jakub Hrozek | 2011-02-15 | 1 file | -0/+2

  https://fedorahosted.org/freeipa/ticket/615

* Require ipactl be run as root to avoid a lot of misleading error msgs.
  Rob Crittenden | 2011-02-15 | 1 file | -0/+3

  Trying to run ipactl as non-root results in a slew of bogus error messages, some of which come because dirsrv can't read certain files as the wrong user, some based on our handling of that fact.

  ticket 936

* Fix two problems with ipa-replica-prepare
  Rob Crittenden | 2011-02-14 | 1 file | -1/+1

  1. Fix a unicode() problem creating the DNS entries
  2. Fix a strange NSS error when generating the certificates against a dogtag server.

  The NSS errors are quite strange. When generating the first certificate nss_shutdown() fails because the database isn't initialized yet but nss_is_initialized() returned True. The second pass fails because something is in use.
* Handle bad DM password in ipa-host-net-manage & ipa-compat-manage.
  Rob Crittenden | 2011-02-14 | 2 files | -2/+6

  This was resulting in a traceback because while conn was not None it wasn't connected either.

  ticket 920

* ipa-dns-install does not exit on error
  Martin Kosek | 2011-02-11 | 1 file | -12/+17

  This patch fixes behavior of ipa-dns-install, which does not exit when an invalid configuration of /etc/hosts is detected.

  https://fedorahosted.org/freeipa/ticket/736

* Fix return codes for ipactl
  Martin Kosek | 2011-02-10 | 1 file | -14/+10

  This patch fixes ipactl to return non-zero value when something goes wrong.

  https://fedorahosted.org/freeipa/ticket/894

* Disable replication version plugin by default.
  Rob Crittenden | 2011-02-10 | 1 file | -1/+3

  The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default.

  When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin.

  Likewise on installation of a replica we check for existence of the replication plugin and if it is there then we enable the version plugin before replication begins.

  ticket 918
* Refresh state data before removing the dirsrv user, fixes uninstall.
  Rob Crittenden | 2011-02-07 | 1 file | -0/+1

  The state is read only at initialization time. This works ok when individual services remove their state data but when worked upon again at the top-level it still has the full state in memory, so when the state file is re-written all of the data that was removed is re-added.

  ticket 916

* ipa-server-install inconsistent capitalization
  Martin Kosek | 2011-02-03 | 1 file | -3/+3

  A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.

  https://fedorahosted.org/freeipa/ticket/776

* Add support for tracking and counting entitlements
  Rob Crittenden | 2011-02-02 | 4 files | -1/+241

  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable).

  This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements.

  Add a cron job to validate the entitlement status and syslog the results.

  tickets 28, 79, 278
* Fix installing with an external CA and wait for dogtag to come up
  Rob Crittenden | 2011-02-01 | 1 file | -10/+40

  There wasn't an exception in the "is the server already installed" check for a two-stage CA installation.

  Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password.

  The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available.

  This also adds an additional restart to ensure that nonces are disabled.

  ticket 835 revise
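The wait-for-port loop mentioned above, as an added example written for this page rather than taken from FreeIPA's restart method. It assumes that a plain TCP connect is an adequate readiness signal, and uses a constructed listener that, like the tomcat6 init script, hands control back before its port is actually listening:

```python
import socket
import threading
import time


def port_open(host, port, timeout=1.0):
    """True if host:port accepts a TCP connection right now.

    A refused connection and a connect timeout both come back as False, so
    the caller keeps polling through either."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(host, port, timeout=60.0, interval=0.5):
    """Poll until host:port accepts connections.

    Returns True once it does, False if `timeout` seconds pass first; an
    installer should treat False as a failed restart rather than continue."""
    deadline = time.monotonic() + timeout
    while True:
        if port_open(host, port):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


def unused_port():
    """Bind and release an ephemeral port, to exercise the timeout path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_slow_listener(delay):
    """Constructed stand-in for a service whose init script returns before
    the listener is up: the port is reserved immediately (so connections
    are refused) but listen() is only called after `delay` seconds.
    Returns the port and an Event that shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    stop = threading.Event()

    def run():
        time.sleep(delay)
        srv.listen(5)          # from here on connections complete
        stop.wait()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


if __name__ == "__main__":
    port, stop = start_slow_listener(delay=1.0)
    print("port", port, "ready:", wait_for_port("127.0.0.1", port, timeout=5))
    stop.set()
```

An open port shows that the connector is accepting connections, not that the web application behind it answers requests, so where an application-level probe exists it belongs after this check, not instead of it.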
* Force sync in both directions before changing replication agreements
  Simo Sorce | 2011-02-01 | 1 file | -9/+1

  Fixes: https://fedorahosted.org/freeipa/ticket/887

* Add an address for a nameserver when a new zone is created during install
  Jakub Hrozek | 2011-01-31 | 1 file | -3/+3

  https://fedorahosted.org/freeipa/ticket/881

* Use a common group for all DS instances
  Simo Sorce | 2011-01-31 | 3 files | -72/+83

  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user.

  Fixes: https://fedorahosted.org/freeipa/ticket/851

* Don't perform some API self-tests in production mode for performance reasons
  Rob Crittenden | 2011-01-28 | 2 files | -0/+2

  The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance.

  Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok.

  ticket 751

* Make sure all DS instances are managed by ipactl
  Simo Sorce | 2011-01-27 | 1 file | -20/+18

  Fixes: https://fedorahosted.org/freeipa/ticket/860

* Fix assorted bugs found by pylint
  Jakub Hrozek | 2011-01-25 | 2 files | -3/+3
* Create DNS records as early as possible
  Simo Sorce | 2011-01-25 | 1 file | -4/+15

  Fixes: https://fedorahosted.org/freeipa/ticket/833

* Always add DNS records when installing a replica
  Simo Sorce | 2011-01-25 | 2 files | -4/+43

  Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records.

  Fixes: https://fedorahosted.org/freeipa/ticket/824

* Populate shared tree with replica related values
  Simo Sorce | 2011-01-25 | 1 file | -0/+1

  Fixes: https://fedorahosted.org/freeipa/ticket/820

* Make the -u option optional in unattended mode
  Simo Sorce | 2011-01-24 | 1 file | -8/+11

  Fixes: https://fedorahosted.org/freeipa/ticket/836

* Remove trailing space
  Simo Sorce | 2011-01-24 | 1 file | -1/+1
* Allow SASL/EXTERNAL authentication for the root user
  Simo Sorce | 2011-01-20 | 1 file | -1/+4

  This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start.

  Fixes: https://fedorahosted.org/freeipa/ticket/795

* Let ipactl output errors to stderr
  Simo Sorce | 2011-01-18 | 1 file | -7/+1

  Init scripts normally do not log to syslog, instead they write errors to the stderr pipe. Do the same.

* Add a way to print output from commands
  Simo Sorce | 2011-01-18 | 1 file | -14/+14

  Instead of always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output.

  Fixes: https://fedorahosted.org/freeipa/ticket/765

* Execute /usr/bin/python directly instead of /usr/bin/env python
  Rob Crittenden | 2011-01-14 | 5 files | -5/+5

  ticket 608
* Allow using Kerberos credentials with the 'connect' command
  Simo Sorce | 2011-01-14 | 1 file | -1/+1

  Now that we can setup GSSAPI authenticated replication we are not tied to use the Directory Manager password to set up replication agreements.

  Fixes: https://fedorahosted.org/freeipa/ticket/644

* Use GSSAPI for replication
  Simo Sorce | 2011-01-14 | 2 files | -3/+4

  Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI.

  Fixes: https://fedorahosted.org/freeipa/ticket/690

* Remove port argument for ipa-replica-manage
  Simo Sorce | 2011-01-14 | 2 files | -6/+0

  We can't use arbitrary ports anyway. And neither does AD have any way to use non-standard ports. So remove this unnecessary option.

* Remove unused random password in replica install script
  Simo Sorce | 2011-01-14 | 1 file | -2/+0

* Refactor some replication code
  Simo Sorce | 2011-01-14 | 1 file | -64/+43

  This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing.
  Rob Crittenden | 2011-01-11 | 1 file | -0/+22

  Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name.

  ticket 680
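The A/AAAA pre-flight check described above, as an added example; it is not the ipa-replica-prepare code. It resolves through socket.getaddrinfo by default, which goes through nsswitch (so an /etc/hosts entry also satisfies it; a DNS-only resolver with the same call shape can be passed in for the stricter check the commit describes), and ships a constructed table-backed resolver with sample documentation-range addresses so it runs offline. The FQDN test is an editor's addition:

```python
import socket


def address_records(hostname, resolve=socket.getaddrinfo):
    """Return the set of A/AAAA addresses `hostname` resolves to, or an
    empty set when the name does not exist. `resolve` must accept the
    socket.getaddrinfo argument shape."""
    try:
        results = resolve(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {sockaddr[0] for family, _, _, _, sockaddr in results
            if family in (socket.AF_INET, socket.AF_INET6)}


def check_replica_fqdn(hostname, resolve=socket.getaddrinfo):
    """Pre-flight check for a replica-prepare style tool.

    Returns (ok, message); the caller exits non-zero when ok is False so
    that no replica file is produced for a host the master cannot reach
    by name."""
    name = hostname.rstrip(".")
    # Assumption (not from the commit): require a dotted name, since a bare
    # short name may only resolve through the master's search domain.
    if "." not in name:
        return False, "%s is not a fully qualified host name" % hostname
    addrs = address_records(name, resolve)
    if not addrs:
        return False, ("no A or AAAA record found for %s; the master would "
                       "not be able to reach the replica by name" % name)
    return True, "%s resolves to %s" % (name, ", ".join(sorted(addrs)))


def table_resolver(table):
    """Constructed resolver with the getaddrinfo call shape, backed by a
    dict of host -> [(family, address), ...]. Unknown hosts raise
    socket.gaierror, as a real NXDOMAIN answer does."""
    def resolve(host, port, family=0, socktype=0, proto=0, flags=0):
        if host not in table:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        return [(fam, socket.SOCK_STREAM, 6, "", (addr, 0))
                for fam, addr in table[host]]
    return resolve


# Constructed sample data; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_ZONE = {
    "replica1.example.com": [(socket.AF_INET, "192.0.2.10")],
    "replica2.example.com": [(socket.AF_INET6, "2001:db8::10")],
    "dual.example.com": [(socket.AF_INET, "192.0.2.11"),
                         (socket.AF_INET6, "2001:db8::11")],
}


if __name__ == "__main__":
    resolver = table_resolver(SAMPLE_ZONE)
    for host in ("replica1.example.com", "replica2.example.com",
                 "ghost.example.com", "replica3"):
        print(check_replica_fqdn(host, resolver))
```

Returning (ok, message) instead of exiting inside the check keeps it testable with the table resolver; the real tool prints the message and exits non-zero when ok is False. An AAAA-only host passes, which matches the commit title: either record type is enough for the master to reach the replica.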
* Ship the ipa-dns-install man page
  Rob Crittenden | 2011-01-10 | 1 file | -0/+1

  ticket 734

* Create the reverse zone by default
  Jakub Hrozek | 2011-01-07 | 3 files | -4/+33

  A new option to specify reverse zone creation for unattended installs

  https://fedorahosted.org/freeipa/ticket/678

* Allow ipa-dns-install to install with just admin credentials
  Simo Sorce | 2011-01-07 | 2 files | -21/+31

  Do this by creating a common way to attach to the ldap server for each instance.

  Fixes: https://fedorahosted.org/freeipa/ticket/686

* Allow ipa-dns-install to configure DNS on a replica.
  Simo Sorce | 2011-01-07 | 3 files | -2/+4

  Fixes: https://fedorahosted.org/freeipa/ticket/645

* Make sure that the messagebus service is started.
  Rob Crittenden | 2011-01-04 | 1 file | -0/+2

  This will prevent certmonger failures. On very minimal installs it seems that messagebus is not always started.

  ticket 528