path: root/ipaserver/install/cainstance.py

Commit log (commit message; author, date, files changed, lines removed/added)
* topology: manage ca replication agreements
  Petr Vobornik, 2015-08-10, 1 file changed, -2/+78

  Configure IPA so that the topology plugin will also manage CA replication agreements.

  If domain level > 0, ipa-replica-install:
  - ipa replica install prepares DB for PKI
  - sets up replication agreements (o=ipaca) with simple bind method
  - re-initializes the suffix
  - calls pkispawn
  - changes agreements to use GSSAPI

  Upgrades, if CA is configured:
  - ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
  - ipaReplTopoManagedSuffix: o=ipaca is added to master entry
  - binddngroup is added to o=ipaca replica entry
* Modernize number literals
  Petr Viktorin, 2015-07-31, 1 file changed, -5/+5

  Use Python-3 compatible syntax, without breaking compatibility with py 2.7
  - Octal literals start with 0o to prevent confusion
  - The "L" at the end of large int literals is not required as they use long on Python 2 automatically.
  - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking, e.g. type(0).

  https://fedorahosted.org/freeipa/ticket/4985

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_api
  Jan Cholasta, 2015-07-01, 1 file changed, -4/+4

  https://fedorahosted.org/freeipa/ticket/3090

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Migrate CA profiles after enabling LDAPProfileSubsystem
  Fraser Tweedale, 2015-07-01, 1 file changed, -26/+108

  After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import profiles earlier during install
  Fraser Tweedale, 2015-06-05, 1 file changed, -0/+5

  Currently, IPA certificate profile import happens at end of install. Certificate issuance during the install process does work but uses an un-customised caIPAserviceCert profile, resulting in incorrect subject DNs and missing extensions. Furthermore, the caIPAserviceCert profile shipped with Dogtag will eventually be removed.

  Move the import of included certificate profiles to the end of the cainstance deployment phase, prior to the issuance of DS and HTTP certificates.

  Part of: https://fedorahosted.org/freeipa/ticket/4002

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix certificate subject base
  Fraser Tweedale, 2015-06-05, 1 file changed, -1/+1

  Profile management patches introduced a regression where a custom certificate subject base (if configured) is not used in the default profile. Use the configured subject base.

  Part of: https://fedorahosted.org/freeipa/ticket/4002

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import included profiles during install or upgrade
  Fraser Tweedale, 2015-06-04, 1 file changed, -194/+59

  Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process.

  Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile.

  Fixes https://fedorahosted.org/freeipa/ticket/4002

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ACL to allow CA agent to modify profiles
  Fraser Tweedale, 2015-06-04, 1 file changed, -0/+29

  Part of: https://fedorahosted.org/freeipa/ticket/57

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Install CA with LDAP profiles backend
  Fraser Tweedale, 2015-06-04, 1 file changed, -0/+1

  Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem.

  Part of: https://fedorahosted.org/freeipa/ticket/4560

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not store state if CA is enabled
  David Kupka, 2015-05-19, 1 file changed, -7/+2

  IPA creates its own instance of CA, so there is no need to check if a previous instance was enabled, because there could not be any.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* move realm_to_serverid to installutils module
  Martin Basti, 2015-05-05, 1 file changed, -1/+1

  To avoid cyclic imports, the realm_to_serverid function had to be moved to installutils from dsinstance.

  Required for: https://fedorahosted.org/freeipa/ticket/4925

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* point the users to PKI-related logs when CA configuration fails
  Martin Babinsky, 2015-04-29, 1 file changed, -2/+1

  This patch adds an error handler which prints out the paths to logs related to configuration and installation of Dogtag/CA in the case of failure.

  https://fedorahosted.org/freeipa/ticket/4900

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cainstance: Use LDAPClient instead of IPASimpleLDAPObject
  Jan Cholasta, 2015-04-16, 1 file changed, -7/+8

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix restoring services status during uninstall
  Martin Basti, 2015-02-18, 1 file changed, -2/+4

  Services haven't been restored correctly, which causes disabling already disabled services, or some service did not start. This patch fixes these issues.

  Ticket: https://fedorahosted.org/freeipa/ticket/4869

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Use 'remove-ds.pl' to remove DS instance
  Martin Babinsky, 2015-01-27, 1 file changed, -2/+6

  The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.)

  This patch is related to https://fedorahosted.org/freeipa/ticket/4487.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Make certificate renewal process synchronized
  Jan Cholasta, 2015-01-13, 1 file changed, -0/+42

  Synchronization is achieved using a global renewal lock.

  https://fedorahosted.org/freeipa/ticket/4803

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Use correct service name in cainstance.backup_config
  Jan Cholasta, 2014-11-21, 1 file changed, -1/+2

  https://fedorahosted.org/freeipa/ticket/4754

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Respect UID and GID soft static allocation.
  David Kupka, 2014-11-05, 1 file changed, -1/+1

  https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

  https://fedorahosted.org/freeipa/ticket/4585

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fixed KRA backend.
  Endi S. Dewata, 2014-11-04, 1 file changed, -2/+2

  The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to a permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable.

  The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication.

  The proxy settings have been updated to include KRA's URLs.

  Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since the file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA.

  The Dogtag dependency has been updated to 10.2.1-0.1.

  https://fedorahosted.org/freeipa/ticket/4503

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Stop dogtag when updating its configuration in ipa-upgradeconfig.
  David Kupka, 2014-10-15, 1 file changed, -0/+3

  Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

  https://fedorahosted.org/freeipa/ticket/4569

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Support MS CS as the external CA in ipa-server-install and ipa-ca-install
  Jan Cholasta, 2014-10-13, 1 file changed, -1/+13

  Added a new option --external-ca-type which specifies the type of the external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs" is selected, the CSR generated for the IPA CA will include MS template name extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".

  https://fedorahosted.org/freeipa/ticket/4496

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Check that port 8443 is available when installing PKI.
  David Kupka, 2014-10-10, 1 file changed, -0/+8

  https://fedorahosted.org/freeipa/ticket/4564

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix certmonger configuration in installer code
  Jan Cholasta, 2014-10-10, 1 file changed, -75/+12

  https://fedorahosted.org/freeipa/ticket/4619

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not crash in CAInstance.__init__ when default argument values are used
  Jan Cholasta, 2014-09-30, 1 file changed, -2/+8

  https://fedorahosted.org/freeipa/ticket/3872

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* External CA installer options usability fixes
  Jan Cholasta, 2014-09-30, 1 file changed, -2/+2

  The --external_cert_file and --external_ca_file options of ipa-server-install and ipa-ca-install have been replaced by --external-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats.

  https://fedorahosted.org/freeipa/ticket/4480

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
  Jan Cholasta, 2014-09-29, 1 file changed, -2/+10

  This is especially useful for external CA install, as the algorithm is also used for the CSR signature.

  https://fedorahosted.org/freeipa/ticket/4447

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Refactoring of autobind, object_exists
  Martin Basti, 2014-09-26, 1 file changed, -1/+1

  Required to prevent code duplications.

  ipaldap.IPAdmin now has method do_bind, which tries several bind methods.
  ipaldap.IPAClient now has method object_exists(dn).

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaserver.install: Consolidate system user creation
  Petr Viktorin, 2014-09-23, 1 file changed, -17/+11

  System users and their groups are always created together. Also, users & groups should never be removed once they exist on the system (see commit a5a55ce).

  Use a single function for generic user creation, and specific functions in dsinstance and cainstance.

  Remove code left over from when we used to delete the DS user.

  Preparation for: https://fedorahosted.org/freeipa/ticket/3866

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use autobind when updating CA people entries during certificate renewal
  Jan Cholasta, 2014-09-09, 1 file changed, -11/+3

  Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump selinux-policy in the spec file.

  https://fedorahosted.org/freeipa/ticket/4005

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Backup CS.cfg before modifying it
  Jan Cholasta, 2014-09-05, 1 file changed, -0/+21

  https://fedorahosted.org/freeipa/ticket/4166

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.
  David Kupka, 2014-09-05, 1 file changed, -3/+3

  FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files.

  >=certmonger-0.75.13 is needed for this to work.

  https://fedorahosted.org/freeipa/ticket/4280

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Normalize external CA cert before passing it to pkispawn
  Jan Cholasta, 2014-09-04, 1 file changed, -2/+12

  https://fedorahosted.org/freeipa/ticket/4019

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPA
  Ade Lee, 2014-08-22, 1 file changed, -347/+214

  This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured.

  The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also configured to monitor the new subsystem certificates.

  To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided.

  The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems.

  The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required.

  Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

  The uninstallation option in ipa-kra-install is temporarily disabled.

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert external CA chain to PKCS#7 before passing it to pkispawn.
  Jan Cholasta, 2014-08-14, 1 file changed, -1/+12

  https://fedorahosted.org/freeipa/ticket/4397

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.
  Jan Cholasta, 2014-07-30, 1 file changed, -0/+6

  Part of https://fedorahosted.org/freeipa/ticket/3737

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow upgrading CA-less to CA-full using ipa-ca-install.
  Jan Cholasta, 2014-07-30, 1 file changed, -4/+4

  Part of https://fedorahosted.org/freeipa/ticket/3737

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.
  Jan Cholasta, 2014-07-30, 1 file changed, -1/+3

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not use ldapi in certificate renewal scripts.
  Jan Cholasta, 2014-07-30, 1 file changed, -8/+13

  This prevents SELinux denials when accessing the ldapi socket.

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add method for setting CA renewal master in LDAP to CAInstance.
  Jan Cholasta, 2014-07-30, 1 file changed, -3/+38

  Allow checking and setting CA renewal master for non-local CA instances.

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Track CA certificate using dogtag-ipa-ca-renew-agent.
  Jan Cholasta, 2014-07-30, 1 file changed, -7/+13

  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Always record that pkicreate has been executed.
  David Kupka, 2014-07-22, 1 file changed, -3/+10

  Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly.

  https://fedorahosted.org/freeipa/ticket/2796

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow SAN in IPA certificate profile.
  Jan Cholasta, 2014-06-24, 1 file changed, -0/+51

  https://fedorahosted.org/freeipa/ticket/3977

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths module
  Tomas Babej, 2014-06-16, 1 file changed, -35/+36

  https://fedorahosted.org/freeipa/ticket/4052

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservices
  Tomas Babej, 2014-06-16, 1 file changed, -2/+1

  Also fixes a few incorrect imports.

  https://fedorahosted.org/freeipa/ticket/4052

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform services
  Tomas Babej, 2014-06-16, 1 file changed, -9/+10

  https://fedorahosted.org/freeipa/ticket/4052

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
  Tomas Babej, 2014-06-16, 1 file changed, -1/+2

  https://fedorahosted.org/freeipa/ticket/4052

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove unused method is_master of CAInstance.
  Jan Cholasta, 2014-03-25, 1 file changed, -15/+0

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.
  Jan Cholasta, 2014-03-25, 1 file changed, -92/+44

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_httpd functionality to renew_ra_cert.
  Jan Cholasta, 2014-03-25, 1 file changed, -1/+1

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
  Jan Cholasta, 2014-03-25, 1 file changed, -1/+1

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>