summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/dsinstance.py
Commit message (Collapse)AuthorAgeFilesLines
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-33/+34
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-2/+1
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasksTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix upload of CA certificate to LDAP in CA-less install.Jan Cholasta2014-04-081-1/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4300 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.Jan Cholasta2014-03-251-3/+12
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove unused method export_ca_cert of dsinstance.Jan Cholasta2014-03-251-5/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.Jan Cholasta2014-03-251-9/+4
| | | | | | | | | | Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use LDAP API to upload CA certificate instead of ldapmodify command.Jan Cholasta2014-03-251-5/+18
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add OTP last token pluginNathaniel McCallum2014-02-211-0/+4
| | | | | | | | | | This plugin prevents the deletion or deactivation of the last valid token for a user. This prevents the user from migrating back to single factor authentication once OTP has been enabled. Thanks to Mark Reynolds for helping me with this patch. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add formerly update-only schemaPetr Viktorin2013-11-181-1/+3
| | | | | | Some schema was only delivered in updates. Add it back as ldif files. https://fedorahosted.org/freeipa/ticket/3454
* dsinstance: Move the list of schema filenames to a constantPetr Viktorin2013-11-181-9/+14
| | | | Preparation for: https://fedorahosted.org/freeipa/ticket/3454
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-1/+1
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Track DS certificate with certmonger on replicas.Jan Cholasta2013-10-291-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3975
* Use consistent realm name in cainstance and dsinstanceMartin Kosek2013-10-111-17/+16
| | | | | | | | The installers used custom self.realm_name instead of standard self.realm defined in Service class. It caused crashes in some cases when Service class methods expected the self.realm to be filled. https://fedorahosted.org/freeipa/ticket/3854
* Fix nsslapdPlugin object class after initial replication.Jan Cholasta2013-09-101-0/+5
| | | | | | This is a workaround for <https://fedorahosted.org/389/ticket/47490>. https://fedorahosted.org/freeipa/ticket/3915
* Create DS user and group during ipa-restoreAna Krivokapic2013-09-021-18/+48
| | | | | | | ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed. https://fedorahosted.org/freeipa/ticket/3856
* Perform dirsrv tuning at platform levelTomas Babej2013-08-261-51/+12
| | | | | | | | | | | | | | | | When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823
* Fix broken replica installationAna Krivokapic2013-08-201-4/+12
| | | | | | | Make sure the subject base parameter is correctly passed and used during the creation of the DS instance on a replica. https://fedorahosted.org/freeipa/ticket/3868
* Handle --subject option in ipa-server-installAna Krivokapic2013-08-081-1/+7
| | | | | | | | | | Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades. https://fedorahosted.org/freeipa/ticket/3783
* Enable SASL mapping fallback.Jan Cholasta2013-06-271-0/+4
| | | | | | Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330
* Do not track DS certificate in CA-less setup.Jan Cholasta2013-06-121-2/+0
| | | | https://fedorahosted.org/freeipa/ticket/3675
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-1/+1
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Add IPA OTP schema and ACLsNathaniel McCallum2013-05-171-1/+2
| | | | | | | | | | This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
* Set KRB5CCNAME so that dirsrv can work with newer krb5-serverMartin Kosek2013-05-141-0/+18
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
* Drop --selfsign server functionalityPetr Viktorin2013-04-151-28/+17
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Uninstall selfsign CA on upgradePetr Viktorin2013-04-151-5/+11
| | | | | | | | | This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* Apply LDAP update files in blocks of 10, as originally designed.Rob Crittenden2013-04-121-1/+1
| | | | | | | | | | | | | | | In order to have control over the order that updates are applied a numbering system was created for the update files. These values were not actually used. The updates were sorted by DN length and in most cases this was adequate for proper function. The exception was with roles where in some cases a role was added as a member of a permission before the role itself was added so the memberOf value was never created. Now updates are computed and applied in blocks of 10. https://fedorahosted.org/freeipa/ticket/3377
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-021-6/+10
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-021-5/+23
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* dsinstance, httpinstance: Don't hardcode 'Server-Cert'Petr Viktorin2013-04-021-8/+14
|
* Configure ipa_dns DS plugin on install and upgradeMartin Kosek2013-03-221-0/+6
| | | | | | | | | | The plugin is configured unconditionally (i.e. does not check if IPA was configured with DNS) as the plugin is needed on all replicas to prevent objectclass violations due to missing SOA serial in idnsZone objectclass. The violation could happen if just one replica configured DNS and added a new zone. https://fedorahosted.org/freeipa/ticket/3347
* Extend ipa-replica-manage to be able to manage DNA ranges.Rob Crittenden2013-03-131-2/+1
| | | | | | | | | | | | | | | | | Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
* Remove ipaserver/ipaldap.pyPetr Viktorin2013-03-131-7/+3
| | | | | | In addition to removing the module, fix all places where it was imported. Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Fix installing server with external CAPetr Viktorin2013-03-081-23/+22
| | | | | | | | | | | | | | Reorganize ipa-server-instal so that DS (and NTP server) installation only happens in step one. Change CAInstance to behave correctly in two-step install. Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks. https://fedorahosted.org/freeipa/ticket/3459
* Remove IPAdmin.simple_bind_sPetr Viktorin2013-03-011-2/+3
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)Petr Viktorin2013-03-011-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace addEntry with add_entryPetr Viktorin2013-03-011-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_valuePetr Viktorin2013-03-011-1/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace IPAdmin.checkTask by replication.wait_for_taskPetr Viktorin2013-03-011-1/+1
| | | | | | The method was only used for waiting, not actual checking. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace setValue by keyword arguments when creating entriesPetr Viktorin2013-03-011-8/+8
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Add make_entry factory method to LDAPConnection.Jan Cholasta2013-03-011-1/+1
| | | | Replace all occurences of Entry instantiation with calls to make_entry.
* Remove some unused importsPetr Viktorin2013-03-011-4/+1
| | | | | | Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper
* Add the CA cert to LDAP after the CA installPetr Viktorin2013-01-291-2/+1
| | | | | | | | | | | | | The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message. This moves the cert upload to after the CA cert is ready and the certdb is created. Move the cert upload to after thecertdb is generated. https://fedorahosted.org/freeipa/ticket/3375
* Upload CA cert in the directory on installSimo Sorce2013-01-231-0/+15
| | | | | This will later allow clients to securely download the CA cert by performaing mutual auth using LDAP with GSSAPI
* Installer should not connect to 127.0.0.1Martin Kosek2013-01-211-2/+2
| | | | | | | | | | | | | IPA installer sometimes tries to connect to the Directory Server via loopback address 127.0.0.1. However, the Directory Server on pure IPv6 systems may not be listening on this address. This address may not even be available. Rather use the FQDN of the server when connecting to the DS to fix this issue and make the connection consistent ldapmodify calls which also use FQDN instead of IP address. https://fedorahosted.org/freeipa/ticket/3355
* Update certmap.conf on IPA upgradesPetr Viktorin2012-11-231-1/+1
| | | | | | | | This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control. The file is overwritten on upgrades. This ensures that the cert for the ipaca user is recognized when ipa-ca-install is run on older masters.
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-4/+10
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Enable transactions by default, make password and modrdn TXN-awareRob Crittenden2012-11-211-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
generated by cgit (git 2.34.1) at 2025-08-27 23:37:28 +0000