summaryrefslogtreecommitdiffstats
path: root/install/tools/ipa-server-install
Commit message (Collapse)AuthorAgeFilesLines
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+1
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Fix incorrect path in error message on sysrestore failureTomas Babej2013-12-201-5/+10
| | | | | | | | On sysrestore failure, user is prompted out to remove the sysrestore file. However, the path to the sysrestore file mentioned in the sentence is not correct. https://fedorahosted.org/freeipa/ticket/4080
* Guard import of adtrustinstance for case without trustsAlexander Bokovoy2013-11-041-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/4011
* Remove mod_ssl conflictMartin Kosek2013-10-251-0/+4
| | | | | | | | | | | Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974
* adtrustinstance: Properly handle uninstall of AD trust instanceTomas Babej2013-10-141-0/+2
| | | | | | | | | | | | | | | | | | The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken: * Remove /var/run/samba/krb5cc_samba * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab * Remove /var/lib/samba/*.tdb files Additionally, we make sure winbind service is stopped from within the stop() method. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Remove --no-serial-autoincrementMartin Kosek2013-10-111-4/+0
| | | | | | | | Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work. https://fedorahosted.org/freeipa/ticket/3962
* Do not allow '%' in DM passwordMartin Kosek2013-10-041-1/+1
| | | | | | | Having '%' in DM password causes pkispawn to crash. Do not allow users to enter it until pkispawn is fixed. https://bugzilla.redhat.com/show_bug.cgi?id=953488
* Allow PKCS#12 files with empty password in install tools.Jan Cholasta2013-10-041-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-041-6/+3
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* Warn user about realm-domain mismatch in install scriptsTomas Babej2013-10-031-0/+11
| | | | | | | | | | | | | | If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924
* Do not crash if DS is down during server uninstallAna Krivokapic2013-09-091-23/+41
| | | | | | | | DS is contacted during server uninstallation, in order to obtain information about replication agreements. If DS is unavailable, warn and continue with uninstallation. https://fedorahosted.org/freeipa/ticket/3867
* Add warning when uninstalling active replicaAna Krivokapic2013-09-041-5/+31
| | | | | | | Add a warning when trying to uninstall a replica that has active replication agreements. https://fedorahosted.org/freeipa/ticket/3867
* Create DS user and group during ipa-restoreAna Krivokapic2013-09-021-10/+1
| | | | | | | ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed. https://fedorahosted.org/freeipa/ticket/3856
* Make CS.cfg edits with CA instance stoppedTomas Babej2013-08-261-1/+2
| | | | | | | | | | | This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped. https://fedorahosted.org/freeipa/ticket/3804
* Remove support for IPA deployments with no persistent searchTomas Babej2013-08-091-24/+0
| | | | | | | | | Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself. Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated. https://fedorahosted.org/freeipa/ticket/3632
* Free NSS objects in --external-ca scenarioMartin Kosek2013-07-261-0/+5
| | | | | | | | | | In external CA installation, ipa-server-install leaked NSS objects which caused an installation crash later when a subsequent call of NSSConnection tried to free them. Properly freeing the NSS objects avoid this crash. https://fedorahosted.org/freeipa/ticket/3773
* Print newline after receiving EOF in installutils.read_password.Jan Cholasta2013-07-241-3/+3
|
* Ask for PKCS#12 password interactively in ipa-server-install.Jan Cholasta2013-07-241-26/+50
| | | | https://fedorahosted.org/freeipa/ticket/3717
* Create Firefox configuration extension on CA-less installPetr Vobornik2013-06-271-2/+2
| | | | | | | | | | Create: * kerberosauth.xpi * krb.js even when --http_pkcs12 option is used. https://fedorahosted.org/freeipa/ticket/3747
* Remove stray error condition in ipa-server-install.Jan Cholasta2013-06-121-3/+0
|
* Use the correct PKCS#12 file for HTTP server.Jan Cholasta2013-06-121-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3665
* Manage ipa-otpd.socket by IPATomas Babej2013-06-061-3/+9
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Use private ccache in ipa install toolsTomas Babej2013-06-051-2/+5
| | | | | | | | All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-18/+2
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Do not display an interactive mode message in unattended modeAna Krivokapic2013-04-241-2/+3
| | | | https://fedorahosted.org/freeipa/ticket/3576
* Drop --selfsign server functionalityPetr Viktorin2013-04-151-7/+1
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* ipa-server-install: correct help text for --external_{cert,ca}_filePetr Viktorin2013-04-151-5/+5
| | | | | | | The options take PEM certificates, not PKCS#10. This corrects both the --help output and the man page. https://fedorahosted.org/freeipa/ticket/3523
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-021-2/+3
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-021-9/+52
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* ipa-server-install: Remove the --selfsign optionPetr Viktorin2013-04-021-39/+33
| | | | | | | | | Instead, certificates in pkcs12 files can be given to set up IPA with no CA at all. Use a flag, setup_ca, to signal if a CA is being installed. Design: http://freeipa.org/page/V3/Drop_selfsign Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* ipa-server-install: Make temporary pin files available for the whole ↵Petr Viktorin2013-04-021-37/+21
| | | | | | | | | | | | | | | installation We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure. Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected. Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
* Add mkhomedir option to ipa-server-install and ipa-replica-installAna Krivokapic2013-03-281-0/+8
| | | | | | | Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3515
* Add DNS Setup Prompt to InstallBrian Cook2013-03-211-0/+5
| | | | | | | | | Currently the only way to setup integrated DNS is by passing --setup-dns to ipa-server-install. This patch modifies install so that if --setup-dns is not passed, the user is asked if they want to configure integrated dns. http://fedorahosted.org/freeipa/ticket/2575
* Fix installing server with external CAPetr Viktorin2013-03-081-34/+42
| | | | | | | | | | | | | | Reorganize ipa-server-instal so that DS (and NTP server) installation only happens in step one. Change CAInstance to behave correctly in two-step install. Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks. https://fedorahosted.org/freeipa/ticket/3459
* Add the CA cert to LDAP after the CA installPetr Viktorin2013-01-291-0/+3
| | | | | | | | | | | | | The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message. This moves the cert upload to after the CA cert is ready and the certdb is created. Move the cert upload to after thecertdb is generated. https://fedorahosted.org/freeipa/ticket/3375
* Fixed the catch of the hostname option during ipa-server-installLynn Root2012-12-111-1/+1
| | | | | | Originally ipa-server-install would still prompt for the hostname even if it's supplied in the initial installation command. Ticket: https://fedorahosted.org/freeipa/ticket/2692
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-071-0/+17
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Add OCSP and CRL URIs to certificatesMartin Kosek2012-12-071-6/+8
| | | | | | | | | | | | | | | | | Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
* Change network configuration fileMartin Kosek2012-12-051-7/+2
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Properly stop tracking certificates on uninstallPetr Viktorin2012-11-231-2/+3
| | | | | | | | | | Stopping certificate tracking was done as part of the PKI DS uninstall. Since with the merged DB, thePKI DS is not used any more, this step was skipped. Move certificate untracking to a separate step and call it separately. Also, the post-uninstall check for tracked certificates used the wrong set of Dogtag constants. Fix the issue.
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-39/+52
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* After unininstall see if certmonger is still tracking any of our certs.Rob Crittenden2012-11-011-1/+9
| | | | | | | | | | | | | | Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
* Create reverse zone in unattended modeMartin Kosek2012-10-191-1/+3
| | | | | | | | | Previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of reverse zone when running in unattended mode. Make sure that reverse zone is created also in unattended mode (unless --no-reverse is specified). https://fedorahosted.org/freeipa/ticket/3161
* Don't configure a reverse zone if not desired in interactive installer.Rob Crittenden2012-10-171-2/+2
| | | | | | | | A reverse zone was always configured in the interactive installer even if you answered "no" to the reverse zone question. The only way to not confiugre it was the --no-reverse option. https://fedorahosted.org/freeipa/ticket/3161
* Add uninstall command hints to ipa-*-installNikolai Kondrashov2012-10-161-4/+6
| | | | | | | | Add uninstall command to the uninstall instructions in the "already installed" responses of ipa-server-install, ipa-client-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3065
* Use default reverse zone consistentlyMartin Kosek2012-09-191-1/+1
| | | | | | | | | | | | When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. Test case has been added to cover the new default. https://fedorahosted.org/freeipa/ticket/2461
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-6/+15
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-171-0/+1
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Add --no-ssh option to ipa-client-install to disable OpenSSH client ↵Jan Cholasta2012-09-131-0/+4
| | | | | | | | | configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070
* Read DM password from option in external CA installMartin Kosek2012-08-171-1/+4
| | | | | | | | ipa-server-install with external CA could not be run in an unattended mode as DM password was required to decipher answer cache. https://fedorahosted.org/freeipa/ticket/2793
generated by cgit (git 2.34.1) at 2024-09-21 23:21:02 +0000