summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/cainstance.py
Commit message (Collapse)AuthorAgeFilesLines
* Always record that pkicreate has been executed.David Kupka2014-07-221-3/+10
| | | | | | | | | Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly. https://fedorahosted.org/freeipa/ticket/2796 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow SAN in IPA certificate profile.Jan Cholasta2014-06-241-0/+51
| | | | | | https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-35/+36
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-9/+10
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove unused method is_master of CAInstance.Jan Cholasta2014-03-251-15/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.Jan Cholasta2014-03-251-92/+44
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_httpd functionality to renew_ra_cert.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.Jan Cholasta2014-03-251-4/+2
| | | | | | | On CA masters, a certificate is requested and stored to LDAP. On CA clones, the certificate is retrieved from LDAP. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store information about which CA server is master for renewals in LDAP.Jan Cholasta2014-03-251-0/+15
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.Jan Cholasta2014-03-251-14/+23
| | | | | | | | | Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.Jan Cholasta2014-03-251-10/+24
| | | | | | Before, this was done by dogtag-ipa-retrieve-agent-submit. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API to configure certmonger in CA install.Jan Cholasta2014-03-251-14/+24
| | | | | | Before, certmonger was configured by modifying its internal database directly. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix certificate renewal scripts to work with separate CA DS instance.Jan Cholasta2014-03-251-18/+42
| | | | | | https://fedorahosted.org/freeipa/ticket/3805 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-111-7/+5
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-241-17/+18
|
* PKI service restart after CA renewal failedJan Cholasta2014-01-081-2/+2
| | | | | | | | | | Fix both the service restart procedure and registration of old pki-cad well known service name. This patch was adapted from original patch of Jan Cholasta 178 to fix ticket 4092. https://fedorahosted.org/freeipa/ticket/4092
* Use consistent realm name in cainstance and dsinstanceMartin Kosek2013-10-111-2/+2
| | | | | | | | The installers used custom self.realm_name instead of standard self.realm defined in Service class. It caused crashes in some cases when Service class methods expected the self.realm to be filled. https://fedorahosted.org/freeipa/ticket/3854
* PKI installation on replica failing due to missing proxy confMartin Kosek2013-10-111-1/+3
| | | | | | | | Proxy configuration was not detected correctly. Both ipa-pki-proxy.conf and ipa.conf need to be in place and httpd restarted to be able to check it's status. https://fedorahosted.org/freeipa/ticket/3964
* Make CS.cfg edits with CA instance stoppedTomas Babej2013-08-261-37/+59
| | | | | | | | | | | This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped. https://fedorahosted.org/freeipa/ticket/3804
* Change group ownership of CRL publish directoryTomas Babej2013-07-161-0/+13
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-173/+10
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Specify the location for the agent PKCS#12 file so we don't have to move it.Rob Crittenden2013-05-061-3/+1
| | | | | | | Dogtag 10.0.2 changed the default location for this file from /root/.pki to /root/.dogtag which broke our install. https://fedorahosted.org/freeipa/ticket/3599
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-151-3/+2
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Use A/AAAA records instead of CNAME records in ipa-ca.Jan Cholasta2013-04-151-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/3547
* Use only one URL for OCSP and CRL in IPA certificate profile.Jan Cholasta2013-04-111-45/+14
| | | | https://fedorahosted.org/freeipa/ticket/3552
* Normalize RA agent certificateMartin Kosek2013-03-291-1/+4
| | | | | | Certificate parsed out of sslget request to pki-ca was not always properly formatted and it may still contain DOS line ending. Make sure that the certificate is printed with correct line ending.
* Remove ipaserver/ipaldap.pyPetr Viktorin2013-03-131-2/+1
| | | | | | In addition to removing the module, fix all places where it was imported. Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Fix installing server with external CAPetr Viktorin2013-03-081-8/+10
| | | | | | | | | | | | | | Reorganize ipa-server-instal so that DS (and NTP server) installation only happens in step one. Change CAInstance to behave correctly in two-step install. Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks. https://fedorahosted.org/freeipa/ticket/3459
* Remove support for DN normalization from LDAPClient.Jan Cholasta2013-03-011-3/+2
|
* Remove IPAdmin.unbind_s(), keep unbind()Petr Viktorin2013-03-011-1/+1
| | | | | | | | The unbind and unbind_s functions do the same thing (both are synchronous). In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.simple_bind_sPetr Viktorin2013-03-011-2/+2
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace addEntry with add_entryPetr Viktorin2013-03-011-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused imports from ipaserver/installPetr Viktorin2013-03-011-7/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace add_s and delete_s by their newer equivalentsPetr Viktorin2013-03-011-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace setValue by keyword arguments when creating entriesPetr Viktorin2013-03-011-8/+8
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Add make_entry factory method to LDAPConnection.Jan Cholasta2013-03-011-1/+1
| | | | Replace all occurences of Entry instantiation with calls to make_entry.
* Move the decision to force schema updates out of IPASimpleLDAPObjectPetr Viktorin2013-03-011-1/+2
| | | | | | | This decision used the api object, which might not be available in installer code. Move the decision to callers. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use new certmonger locking to prevent NSS database corruption.Rob Crittenden2013-01-291-13/+100
| | | | | | | | | | | | | | | | | | | | | | | | dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
* Installer should not connect to 127.0.0.1Martin Kosek2013-01-211-1/+1
| | | | | | | | | | | | | IPA installer sometimes tries to connect to the Directory Server via loopback address 127.0.0.1. However, the Directory Server on pure IPv6 systems may not be listening on this address. This address may not even be available. Rather use the FQDN of the server when connecting to the DS to fix this issue and make the connection consistent ldapmodify calls which also use FQDN instead of IP address. https://fedorahosted.org/freeipa/ticket/3355
* Allow PKI-CA Replica Installs when CRL exceeds default maxber valueJR Aquino2013-01-081-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3314
* Use DN objects for Dogtag configurationPetr Viktorin2012-12-101-6/+12
| | | | | Use our DN objects for generating DNs, instead of relying on string operations.
* Configuring CA with ConfigParser.Endi Sukma Dewata2012-12-101-78/+82
| | | | | | | | | The configuration code has been modified to use the ConfigParser to set the parameters in the CA section in the deployment configuration. This allows IPA to define additional PKI subsystems in the same configuration file. PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
* Add OCSP and CRL URIs to certificatesMartin Kosek2012-12-071-15/+135
| | | | | | | | | | | | | | | | | Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
* Properly stop tracking certificates on uninstallPetr Viktorin2012-11-231-15/+23
| | | | | | | | | | Stopping certificate tracking was done as part of the PKI DS uninstall. Since with the merged DB, thePKI DS is not used any more, this step was skipped. Move certificate untracking to a separate step and call it separately. Also, the post-uninstall check for tracked certificates used the wrong set of Dogtag constants. Fix the issue.
* Use correct Dogtag configuration in get_pin and get_ca_certchainPetr Viktorin2012-11-231-12/+12
| | | | | | Some install utilities used Dogtag configuration before Dogtag was configured. Fix by passing the relevant dogtag_constants where they're needed.
* Fix schema replication from old mastersPetr Viktorin2012-11-231-0/+55
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-16/+89
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
generated by cgit (git 2.34.1) at 2025-08-28 02:06:25 +0000