summaryrefslogtreecommitdiffstats
path: root/install/tools
Commit message (Collapse)AuthorAgeFilesLines
* Improve password validity check.David Kupka2014-07-241-4/+31
| | | | | | | Allow use of characters that no longer cause troubles. Check for leading and trailing characters in case of 389 Direcory Manager password. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: Add experimental support for DNSSECMartin Basti2014-07-021-0/+21
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4408 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipaplatform: Move paths from installers to paths moduleTomas Babej2014-06-2610-62/+72
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Implement OTP token importingNathaniel McCallum2014-06-254-0/+63
| | | | | | | | | | | | | | | | | | | | This patch adds support for importing tokens using RFC 6030 key container files. This includes decryption support. For sysadmin sanity, any tokens which fail to add will be written to the output file for examination. The main use case here is where a small subset of a large set of tokens fails to validate or add. Using the output file, the sysadmin can attempt to recover these specific tokens. This code is implemented as a server-side script. However, it doesn't actually need to run on the server. This was done because importing is an odd fit for the IPA command framework: 1. We need to write an output file. 2. The operation may be long-running (thousands of tokens). 3. Only admins need to perform this task and it only happens infrequently. https://fedorahosted.org/freeipa/ticket/4261 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Allow SAN in IPA certificate profile.Jan Cholasta2014-06-241-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-166-9/+4
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change paths dependant on ipaservices to use ipaplatform.pathsTomas Babej2014-06-161-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-165-20/+25
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-164-10/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-277-0/+7
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed typo in ipa-replica-manage man pageThorsten Scherf2014-05-121-1/+1
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Adding verb to error message to make it less confusing.Jan Pazdziora2014-05-061-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Update certmonger configuration in ipa-upgradeconfig.Jan Cholasta2014-03-251-57/+90
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.Jan Cholasta2014-03-251-10/+4
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store information about which CA server is master for renewals in LDAP.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.Jan Cholasta2014-03-251-2/+2
| | | | | | | | | Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.Jan Cholasta2014-03-251-4/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.Jan Cholasta2014-03-251-9/+3
| | | | | | | | | | Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not create CA certificate files in CA-less server install.Jan Cholasta2014-03-251-15/+4
| | | | | | | | | | The files are created later by ipa-client-install, there's no need to do it twice. This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-255-9/+7
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update Dogtag 9 database during replica installationMartin Kosek2014-03-142-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9 based master, the PKI database is not updated and miss several ACLs which prevent some of the PKI functions, e.g. an ability to create other clones. Add an update file to do the database update. Content is based on recommendation from PKI team: * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9 This update file can be removed when Dogtag database upgrades are done in PKI component. Upstream tickets: * https://fedorahosted.org/pki/ticket/710 (database upgrade framework) * https://fedorahosted.org/pki/ticket/906 (checking database version) Also make sure that PKI service is restarted in the end of the installation as the other services to make sure it picks changes done during LDAP updates. https://fedorahosted.org/freeipa/ticket/4243 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-112-24/+11
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Typo in warning message where IPA realm and domain name differGabe2014-03-051-1/+1
| | | | | | | | Removed 'y' from warning message. https://fedorahosted.org/freeipa/ticket/4211 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add --force option to ipactlAdam Misnyovszki2014-02-202-48/+67
| | | | | | | | | | | | | | | | If an error occurs in the start up sequence in ipactl start/restart, all the services are stopped. Using the --force option prevents stopping of services that have successfully started, just skips the services which can not be started. ipactl status now shows stopped services also, if the directory server is running. With the contribution of Ana Krivokapic https://fedorahosted.org/freeipa/ticket/3509 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipactl can not restart ipa services if current status is stoppedMisnyovszki Adam2014-02-191-2/+12
| | | | | | | | | | | | | | fixed by starting the directory server when restarting if it is not currently running to enable fetching running services later restart didn't check that also added a check, that if the directory server started at the beginning, there is no need to restart it https://fedorahosted.org/freeipa/ticket/4050 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-271-4/+1
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-245-24/+22
|
* ipa-replica-install: Move check for existing host before DNS resolution checkPetr Viktorin2014-01-231-15/+24
| | | | | | | | | | | | | | | | | | | The checks for existing host and existing replication agreement set a flag that caused an exit() if any of them failed. Between these checks there was an unrelated check, DNS resolution. If the host and DNS checks both failed, this made it look like the DNS check was the cause of failed install. Especially if the user ignored the DNS check in unattended mode, the output was confusing. Remove the flag and fail directly. Do the replication agreement check first; fixing this with ipa-replica-manage del will also remove the host entry. Also, use the logger for error messages so they appear in the log file as well as on the console. https://fedorahosted.org/freeipa/ticket/3889
* Switch httpd to use default CCACHEMartin Kosek2014-01-221-1/+6
| | | | | | | | | | | | | Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
* Enable Retro Changelog and Content Synchronization DS pluginsAna Krivokapic2014-01-141-1/+4
| | | | | | | | | Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967
* Use /usr/bin/python2Xiao-Long Chen2014-01-0319-19/+19
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Fix incorrect path in error message on sysrestore failureTomas Babej2013-12-201-5/+10
| | | | | | | | On sysrestore failure, user is prompted out to remove the sysrestore file. However, the path to the sysrestore file mentioned in the sentence is not correct. https://fedorahosted.org/freeipa/ticket/4080
* Remove mod_ssl port workaround.Jan Cholasta2013-11-261-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4021
* Update the man page for ipa-ldap-updaterPetr Viktorin2013-11-181-8/+20
|
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-054-48/+48
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Guard import of adtrustinstance for case without trustsAlexander Bokovoy2013-11-041-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/4011
* Track DS certificate with certmonger on replicas.Jan Cholasta2013-10-291-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3975
* Remove mod_ssl conflictMartin Kosek2013-10-253-0/+9
| | | | | | | | | | | Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974
* adtrustinstance: Properly handle uninstall of AD trust instanceTomas Babej2013-10-142-2/+5
| | | | | | | | | | | | | | | | | | The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken: * Remove /var/run/samba/krb5cc_samba * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab * Remove /var/lib/samba/*.tdb files Additionally, we make sure winbind service is stopped from within the stop() method. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-adtrust-install: Add warning that we will break existing samba configurationTomas Babej2013-10-141-3/+15
| | | | | | | | In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install, print a warning that we will break existing samba configuration and ask for a confirmation in the interactive mode. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-upgradeconfig: Remove backed up smb.confTomas Babej2013-10-141-0/+14
| | | | | | | | | | | Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Winsync re-initialize should not run memberOf fixup taskMartin Kosek2013-10-111-5/+6
| | | | | | | Change re-initialize command to consider memberOf fixup task only for non-winsync replication agreements. https://fedorahosted.org/freeipa/ticket/3854
* Remove --no-serial-autoincrementMartin Kosek2013-10-114-15/+1
| | | | | | | | Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work. https://fedorahosted.org/freeipa/ticket/3962
* Do not allow '%' in DM passwordMartin Kosek2013-10-041-1/+1
| | | | | | | Having '%' in DM password causes pkispawn to crash. Do not allow users to enter it until pkispawn is fixed. https://bugzilla.redhat.com/show_bug.cgi?id=953488
* Allow PKCS#12 files with empty password in install tools.Jan Cholasta2013-10-041-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-042-18/+25
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* Warn user about realm-domain mismatch in install scriptsTomas Babej2013-10-034-1/+31
| | | | | | | | | | | | | | If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924
* Do not crash if DS is down during server uninstallAna Krivokapic2013-09-091-23/+41
| | | | | | | | DS is contacted during server uninstallation, in order to obtain information about replication agreements. If DS is unavailable, warn and continue with uninstallation. https://fedorahosted.org/freeipa/ticket/3867
* Fix RUV search scope in ipa-replica-managePetr Vobornik2013-09-041-1/+1
| | | | | | | | The search had an incorrect scope and therefore it didn't find any RUV. This issue prevented removing of replica. https://fedorahosted.org/freeipa/ticket/3876
* Add warning when uninstalling active replicaAna Krivokapic2013-09-041-5/+31
| | | | | | | Add a warning when trying to uninstall a replica that has active replication agreements. https://fedorahosted.org/freeipa/ticket/3867
generated by cgit (git 2.34.1) at 2025-08-28 14:03:54 +0000