path: root/install
Commit message | Author | Age | Files | Lines
* ipa-custodia-checker now uses python3 shebang | Christian Heimes | 2018-02-16 | 1 | -1/+1
  https://pagure.io/freeipa/issue/4985
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Have all the scripts run in python 3 by default | Stanislav Laznicka | 2018-02-15 | 37 | -37/+37
  The Python 3 refactoring effort is finishing, it should be safe to turn all scripts to run in Python 3 by default.
  https://pagure.io/freeipa/issue/4985
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipaplatform, ipa.conf: Use paths variables in ipa.conf.template | Timo Aaltonen | 2018-02-09 | 1 | -9/+9
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Move config templates from install/conf to install/share | Timo Aaltonen | 2018-02-09 | 7 | -14/+4
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Check if replication agreement exist before enable/disable it | Felipe Barreto | 2018-02-09 | 1 | -2/+5
  If the replication agreement does not exist, a custom exception is raised explaining the problem.
  https://pagure.io/freeipa/issue/7201
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Replace wsgi package conflict with config file | Christian Heimes | 2018-02-09 | 2 | -0/+8
  Instead of a package conflict, freeIPA now uses an Apache config file to enforce the correct wsgi module. The workaround only applies to Fedora since it is the only platform that permits parallel installation of Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and Debian doesn't permit installation of both variants.
  See: https://pagure.io/freeipa/issue/7161
  Fixes: https://pagure.io/freeipa/issue/7394
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Replace hard-coded paths with path constants | Christian Heimes | 2018-02-08 | 3 | -3/+3
  Several run() calls used hard-coded paths rather than pre-defined paths from ipaplatform.paths. The patch fixes all places that I was able to find with a simple search. The fix simplifies Darix's port of freeIPA on openSuSE.
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Documenting kinit_lifetime in /etc/ipa/default.conf | amitkuma | 2018-01-12 | 1 | -2/+0
  Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.
  Resolves: https://pagure.io/freeipa/issue/7333
  Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
* LGTM: Fix multiple use before assignment | Christian Heimes | 2018-01-09 | 1 | -8/+18
  - Move assignment before try/finally block
  - Add raise to indicate control flow change
  - Add default value
  https://pagure.io/freeipa/issue/7344
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as ↵ | François Cami | 2018-01-04 | 1 | -6/+0
  https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
  The patch addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1527020 "nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during install even if another value was provided in an LDIF ( --dirsrv-config-file )"
  Fixes: https://pagure.io/freeipa/issue/7341
  Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter is still 2097152 after this change and the change allows overriding its value using --dirsrv-config-file properly.
  Fix suggested by Florence Blanc-Renaud.
  Signed-off-by: François Cami <fcami@fedoraproject.org>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* WebUI: make keytab tables on service and host pages writable | Pavel Vomacka | 2018-01-04 | 2 | -0/+16
  There is no object class before adding the first item into tables, therefore there are no ACI and WebUI is not able to figure out whether table is writable or not. Adding flag 'w_if_no_aci' tells "make it writable even if we have not ACIs and try to do the API call."
  https://pagure.io/freeipa/issue/7111
  Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
* Include npm related files into Makefile and .gitignore | Pavel Vomacka | 2017-12-14 | 1 | -0/+3
  Extended Makefile in install/ui
  - $ make clean-local removes npm related files in the install/ui directory
  Add node_modules and package-lock.json into .gitignore
  Fixes: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update jsl.conf in tests subfolder | Pavel Vomacka | 2017-12-14 | 1 | -2/+2
  - to know QUnit, it is global object provided by QUnit.js library
  - remove not-existing test navigation_tests.js
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update README about WebUI unit tests | Pavel Vomacka | 2017-12-14 | 1 | -7/+17
  Add information how to run tests from command line
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update tests | Pavel Vomacka | 2017-12-14 | 15 | -719/+462
  With newer QUnit the API has changed, therefore there are necessary changes in tests. QUnit methods do not pollute global workspace they use global QUnit object or assert object passed as argument to test method.
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Create symlink to qunit.js | Pavel Vomacka | 2017-12-14 | 1 | -0/+1
  Base path for all unit tests is install/ui/js. This path is also used by PhantomJS when running unit tests from command line. PhantomJS then tries to find qunit.js therefore symlink in install/ui/js is needed. This might be automated in the future.
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update jsl to not warn about module in Gruntfile | Pavel Vomacka | 2017-12-14 | 1 | -1/+2
  Gruntfile uses module keyword which is not known by our JSLint. Adding it into known keywords fixes the warning.
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add Gruntfile and package.json to ui directory | Pavel Vomacka | 2017-12-14 | 3 | -34/+63
  Those files are used when running WebUI unit tests from command line.
  - Gruntfile specifies grunt task which can run the webui tests.
  - symlink to src/freeipa/package.json where are specified npm packages which are required for running those test. There is only symlink to not duplicate package.json file
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update QUnit CSS file to 2.4.1 | Pavel Vomacka | 2017-12-14 | 1 | -57/+338
  Update QUnit CSS to correspond with QUnit JS library
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Update qunit.js to version 2.4.1 | Pavel Vomacka | 2017-12-14 | 1 | -1253/+5053
  It provides more functions, bug fixes, but mainly better error handling therefore it is easier to debug errors while tests are automatically run.
  Related: https://pagure.io/freeipa/issue/7278
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ensuring 389-ds plugins are enabled after install | Alexander Koksharov | 2017-12-14 | 2 | -0/+77
  To avoid problems caused by disabled plugins on 389-ds side explicitly enable plugins required by IPA
  https://pagure.io/freeipa/issue/7271
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add uniqueness constraint on CA ACL name | Fraser Tweedale | 2017-12-12 | 1 | -0/+17
  It is possible to add caacl entries with same "name" (cn). The command is supposed to prevent this but direct LDAP operations allow it and doing that will cause subsequent errors. Enable the DS uniqueness constraint plugin for the cn attribute in CA ACL entries.
  Fixes: https://pagure.io/freeipa/issue/7304
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* More log in verbs | Christian Heimes | 2017-12-12 | 1 | -1/+1
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Address more 'to login' | Christian Heimes | 2017-12-12 | 3 | -6/+6
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Fix grammar error: Log out | Christian Heimes | 2017-12-12 | 1 | -1/+1
  https://pagure.io/freeipa/issue/7258
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Fix grammar in login screen | Christian Heimes | 2017-12-12 | 1 | -2/+2
  https://pagure.io/freeipa/issue/7263
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Run server upgrade in ipactl start/restart | Rob Crittenden | 2017-12-12 | 1 | -3/+25
  During a distro upgrade, e.g. F-26 to F-27, networking may not be available which will cause the upgrade to fail. Despite this the IPA service can be subsequently restarted running new code with old data. This patch relies on the existing version-check code to determine when/if an upgrade is required and will do so during an ipactl start or restart. The upgrade is now run implicitly in the spec file and will cause the server to be stopped after the package is installed if the upgrade fails.
  Fixes: https://pagure.io/freeipa/issue/6968
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* install: report CA Subject DN and subject base to be used | Fraser Tweedale | 2017-12-11 | 1 | -0/+11
  Currently we do not report what Subject DN or subject base will be used for the CA installation. This leads to situations where the administrator wants a different Subject DN later. Display these data as part of the "summary" prior to the final go/no-go prompt in ipa-server-install and ipa-ca-install. The go/no-go prompt in ipa-ca-install is new. It is suppressed for unattended installations.
  Fixes: https://pagure.io/freeipa/issue/7246
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa_certupdate: avoid classmethod and staticmethod | Fraser Tweedale | 2017-12-11 | 1 | -3/+3
  Because classmethod and staticmethod are just fancy ways of calling plain old functions, turn the classmethods and staticmethods of CertUpdate into plain old functions. This improves readability by making it clear that the behaviour of the routines cannot depend on instance or class variables.
  Part of: https://pagure.io/freeipa/issue/6577
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Run certupdate after promoting to CA-ful deployment | Fraser Tweedale | 2017-12-11 | 1 | -0/+4
  After installing a CA in a CA-less installation (using ipa-ca-install), the new CA certificate is not installed in /etc/httpd/alias. This causes communication failure between IPA framework and Dogtag (it cannot verify the Dogtag server certificate). Perform a CertUpdate as the final step when promoting a CA-less deployment to CA-ful.
  Fixes: https://pagure.io/freeipa/issue/7230
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipa-ca-install: run certupdate as initial step | Fraser Tweedale | 2017-12-11 | 1 | -0/+11
  When installing a CA replica, perform a certupdate to ensure that the relevant CA cert is present. This is necessary if the admin has just promoted the topology from CA-less to CA-ful but didn't manually run ipa-certupdate afterwards.
  Fixes: https://pagure.io/freeipa/issue/6577
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* renew_ra_cert: fix update of IPA RA user entry | Fraser Tweedale | 2017-12-07 | 1 | -5/+1
  The post-save hook for the RA Agent certificate invokes cainstance.update_people_entry with the DER certificate instead of a python-cryptography Certificate object. Apply to correct type.
  Fixes: https://pagure.io/freeipa/issue/7282
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Require UTF-8 fs encoding | Christian Heimes | 2017-11-21 | 2 | -1/+3
  http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html
  https://pagure.io/freeipa/issue/5887
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* WebUI: make Domain Resolution Order writable | Pavel Vomacka | 2017-11-16 | 1 | -0/+1
  Objectclass which defines the Domain Resolution Order is added to the object only after modification. Therefore before modification of object the attributelevelrights does not contain the 'domainresolutionorder' attribute and the WebUI evaluates field as not writable. 'w_if_no_aci' flag was designed to make writable those fields for which we don't have attributelevelrights.
  https://pagure.io/freeipa/issue/7169
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Test script for ipa-custodia | Christian Heimes | 2017-11-16 | 2 | -0/+287
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Backup ipa-custodia conf and keys | Christian Heimes | 2017-11-13 | 1 | -1/+1
  https://pagure.io/freeipa/issue/7247
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* manpage: ipa-replica-conncheck - fix minor typo | Michal Reznik | 2017-11-13 | 1 | -1/+1
  Fixes minor typo "Defaults t" to "Defaults to".
  https://pagure.io/freeipa/issue/7250
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Warning the user when using a loopback IP as forwarder | Felipe Barreto | 2017-11-09 | 1 | -1/+1
  Changing the --forwarder option to accept a loopback IP. Previously, an error would be raised, now we just show a warning message.
  Fixes: https://pagure.io/freeipa/issue/5801
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Removing replica-s4u2proxy.ldif since it's not used anymore | Felipe Barreto | 2017-11-09 | 2 | -15/+0
  Since commit 23a0453c4d33271376b2156f2e2b484e8b9708c9, the replica-s4u2proxy.ldif file is not used anymore.
  https://pagure.io/freeipa/issue/7174
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add indexing to improve host-find performance | Stanislav Laznicka | 2017-11-07 | 2 | -0/+85
  host-find <host_name> command performance gets deteriorated when there's way too many hosts in the LDAP tree. We're adding indices to try and mitigate this behavior.
  https://pagure.io/freeipa/issue/6371
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add the sub operation for fqdn index config | Stanislav Laznicka | 2017-11-07 | 2 | -2/+4
  This should improve performance of the host-find command.
  https://pagure.io/freeipa/issue/6371
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Py3: fix ipa-replica-conncheck | Florence Blanc-Renaud | 2017-11-03 | 1 | -1/+1
  ipa-replica-conncheck is using the socket methods sendall() and sendto() with str. These methods expect str params in python2 but bytes in python3.
  Related to https://pagure.io/freeipa/issue/7131
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add a notice to restart ipa services after certs are installed | Aleksei Slaikovskii | 2017-11-01 | 1 | -1/+2
  Adding notice for user to restart services after ipa-server-certinstall.
  https://pagure.io/freeipa/issue/7016
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove caJarSigningCert profile and related code | Fraser Tweedale | 2017-11-01 | 2 | -89/+0
  The caJarSigningCert profile was used for issuing the object signing certificate for signing the Firefox auto-configuration extension (XPI). We removed the extension and object signing certificate some time ago, so remove the profile and the related code that sets it up.
  Fixes: https://pagure.io/freeipa/issue/7226
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Remove XPI and JAR MIME types from httpd config | Fraser Tweedale | 2017-11-01 | 1 | -4/+0
  We added MIME types for JAR and XPI files, which were needed for correct handling of the Firefox auto-configuration plugin. The plugin was removed some time ago, so remove the media type definitions.
  Part of: https://pagure.io/freeipa/issue/7226
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipa-ca-install: mention REPLICA_FILE as optional in help | Rishabh Dave | 2017-10-30 | 1 | -1/+1
  As man page already does it, update the help text to show REPLICA_FILE as optional.
  Fixes https://pagure.io/freeipa/issue/7223
  Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
  Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Add missing space in ipa-replica-conncheck error | Fraser Tweedale | 2017-10-30 | 1 | -1/+1
  Fixes: https://pagure.io/freeipa/issue/7224
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix ipa-replica-conncheck when called with --principal | Florence Blanc-Renaud | 2017-10-26 | 1 | -0/+3
  ipa-replica-conncheck can be called with --principal / --password or with an existing Kerberos credential cache in order to supply the authorized identity logging in to the master machine (in auto-master-check mode). In domain-level 0, the tool is called with --principal and password and tries to obtain a TGT by performing kinit, but does not set the env var KRB5CCNAME. Subsequent calls to IPA API do not use the credential cache and fail. In this case, ipa-replica-conncheck falls back to using SSH to check master connectivity instead of IPA API, and the ssh check is less robust. The code should set the KRB5CCNAME env var for IPA API to use the credential cache.
  Fixes: https://pagure.io/freeipa/issue/7221
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ldap: limit the retro changelog to dns subtree | Tomas Krizek | 2017-10-26 | 1 | -1/+1
  The content synchronization plugin can be limited to the dns subtree in Directory Server. This increases performance and helps to prevent some potential issues.
  Fixes: https://pagure.io/freeipa/issue/6515
  Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add debug option to ipa-replica-manage and remove references to api_env var. | Thorsten Scherf | 2017-10-25 | 1 | -10/+3
  https://pagure.io/freeipa/issue/7187
  Reviewed-By: Felipe Barreto <fbarreto@redhat.com>