summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/dsinstance.py
Commit message (Collapse)AuthorAgeFilesLines
* handle multiple managed suffixescstopologyLudwig Krispenz2015-08-101-0/+3
| | | | | trigger topology updaet if suffix entry is added trigger topology update if managedSuffix is modified in host entry
* Fix upgrade of sidgen and extdom pluginsMartin Basti2015-08-101-3/+25
| | | | | | | | | If configuration entries already exist, upgrade will not add them again. https://fedorahosted.org/freeipa/ticket/5151 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-3/+3
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Revert "Hide topology and domainlevel features"Tomas Babej2015-07-101-2/+1
| | | | | | | | | This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-081-0/+16
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Hide topology and domainlevel featuresTomas Babej2015-07-081-1/+2
| | | | | | | | | | | * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add CA ACL pluginFraser Tweedale2015-06-111-0/+4
| | | | | | | | | | | | | | | | | | | Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add schema for certificate profilesFraser Tweedale2015-06-041-0/+1
| | | | | | | | | The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add Domain Level featureTomas Babej2015-05-261-2/+14
| | | | | | | https://fedorahosted.org/freeipa/ticket/5018 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* install part - manage topology in shared treeLudwig Krispenz2015-05-261-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Server Upgrade: handle errors betterMartin Basti2015-05-191-1/+5
| | | | | | | | | * Prevent to continue with upgrade if a fatal error happened * Use exceptions to handle failures https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: enable DS global lock during upgradeMartin Basti2015-05-051-4/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-6/+3
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: Verify version and platformMartin Basti2015-05-041-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Verify version and platform before upgrade or ipactl start|restart Upgrade: * do not allow upgrade on different platforms * do not allow upgrade data with higher version than build has Start: * do not start services if platform mismatch * do not start services if upgrade is needed * do not start services if data with higher version than build has New ipactl options: --skip-version-check: do not validate IPA version --ignore-service-failures (was --force): ignore if a service start fail and continue with starting other services --force: combine --skip-version-check and --ignore-service-failures https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: specify order of plugins in update filesMartin Basti2015-04-141-1/+2
| | | | | | | | | | | | * add 'plugin' directive * specify plugins order in update files * remove 'run plugins' options * use ldapupdater API instance in plugins * add update files representing former PreUpdate and PostUpdate order of plugins https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: order update files by defaultMartin Basti2015-03-191-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4904 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix restoring services status during uninstallMartin Basti2015-02-181-2/+3
| | | | | | | | | Services hasn't been restored correctly, which causes disabling already disabled services, or some service did not start. This patch fix these issues. Ticket: https://fedorahosted.org/freeipa/ticket/4869 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use 'remove-ds.pl' to remove DS instanceMartin Babinsky2015-01-271-27/+35
| | | | | | | | | | | The patch adds a function which calls 'remove-ds.pl' during DS instance removal. This should allow for a more thorough removal of DS related data during server uninstallation (such as closing custom ports, cleaning up slapd-* entries etc.) This patch is related to https://fedorahosted.org/freeipa/ticket/4487. Reviewed-By: Martin Basti <mbasti@redhat.com>
* certs: Fix incorrect flag handling in load_cacertTomas Babej2014-12-021-1/+1
| | | | | | | | | | | | | For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make it a required argument. https://fedorahosted.org/freeipa/ticket/4779 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Respect UID and GID soft static allocation.David Kupka2014-11-051-1/+1
| | | | | | | | https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove trivial path constants from modulesGabe2014-11-041-6/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4399 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC: DNS key synchronization daemonMartin Basti2014-10-211-1/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* DNSSEC: schemaMartin Basti2014-10-211-0/+1
| | | | | | | | | | | | Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Configure IPA OTP Last Token plugin on upgradeNathaniel McCallum2014-10-201-4/+0
| | | | Reviewed-By: Martin Kosek <mkosek@redhat.com>
* idviews: Add necessary schema for the ID viewsTomas Babej2014-09-301-0/+1
| | | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Refactoring of autobind, object_existsMartin Basti2014-09-261-1/+1
| | | | | | | | | Required to prevent code duplications ipaldap.IPAdmin now has method do_bind, which tries several bind methods ipaldap.IPAClient now has method object_exists(dn) Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaserver.install: Consolidate system user creationPetr Viktorin2014-09-231-43/+7
| | | | | | | | | | | | | | Sytem users and their groups are always created together. Also, users & groups should never be removed once they exist on the system (see comit a5a55ce). Use a single function for generic user creation, and specific funtions in dsinstance and cainstance. Remove code left over from when we used to delete the DS user. Preparation for: https://fedorahosted.org/freeipa/ticket/3866 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Update SSL ciphers configured in 389-ds-baseLudwig Krispenz2014-09-121-5/+2
| | | | | | | | | | use configuration parameters to enable ciphers provided by NSS and not considered weak. This requires 389-ds version 1.3.3.2 or later https://fedorahosted.org/freeipa/ticket/4395 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.Jan Cholasta2014-09-051-8/+7
| | | | | | | | | | | | | The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-2/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Import CA certs from certificate store to DS NSS database on replica install.Jan Cholasta2014-07-301-0/+13
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Upload CA chain from DS NSS database to certificate store on server install.Jan Cholasta2014-07-301-19/+17
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add LDAP schema for certificate store.Jan Cholasta2014-07-301-0/+1
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.Jan Cholasta2014-07-301-1/+6
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-33/+34
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix upload of CA certificate to LDAP in CA-less install.Jan Cholasta2014-04-081-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4300 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.Jan Cholasta2014-03-251-3/+12
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove unused method export_ca_cert of dsinstance.Jan Cholasta2014-03-251-5/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.Jan Cholasta2014-03-251-9/+4
| | | | | | | | | | Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use LDAP API to upload CA certificate instead of ldapmodify command.Jan Cholasta2014-03-251-5/+18
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-211-0/+4
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add formerly update-only schemaPetr Viktorin2013-11-181-1/+3
| | | | | | Some schema was only delivered in updates. Add it back as ldif files. https://fedorahosted.org/freeipa/ticket/3454
* dsinstance: Move the list of schema filenames to a constantPetr Viktorin2013-11-181-9/+14
| | | | Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-1/+1
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Track DS certificate with certmonger on replicas.Jan Cholasta2013-10-291-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3975
* Use consistent realm name in cainstance and dsinstanceMartin Kosek2013-10-111-17/+16
| | | | | | | | The installers used custom self.realm_name instead of standard self.realm defined in Service class. It caused crashes in some cases when Service class methods expected the self.realm to be filled. https://fedorahosted.org/freeipa/ticket/3854
generated by cgit (git 2.34.1) at 2025-08-28 14:02:25 +0000