freeipa.git/install/tools, branch WIP Unnamed repository; edit this file 'description' to name the repository. Configure SELinux for httpd during upgrades 2012-04-03T22:20:51+00:00 Martin Kosek mkosek@redhat.com 2012-04-03T08:47:40+00:00 17a0738d2d352f9c3d73167b3fb22cd566fd98d4 SELinux configuration for httpd instance was set for new installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x upgrade) missed the configuration. This lead to AVCs when httpd tries to contact ipa_memcached and user not being able to log in. This patch updates ipa-upgradeconfig to configure SELinux in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2603 
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603
Tolerate UDP port failures in conncheck 2012-03-27T21:05:22+00:00 Martin Kosek mkosek@redhat.com 2012-03-16T09:26:56+00:00 159e848d85779e8fb3a9b2ed84490423014bf609 UDP port checks in ipa-replica-conncheck are too strict. The entire conncheck fails when UDP ports cannot be verified as open. However, UDP protocol is unrealiable by its nature and the port can also not be checked if there is an application already bound to it. This can happen for example when ipa-replica-conncheck is run as a part of ipa-ca-install and the replica services are thus already running. This patch changes the behavior of UDP port checks. The conncheck script now rather reports a warning that UDP port cannot be verified but does not fail the entire test. https://fedorahosted.org/freeipa/ticket/2514 
UDP port checks in ipa-replica-conncheck are too strict. The entire
conncheck fails when UDP ports cannot be verified as open. However,
UDP protocol is unrealiable by its nature and the port can also not
be checked if there is an application already bound to it. This can
happen for example when ipa-replica-conncheck is run as a part of
ipa-ca-install and the replica services are thus already running.

This patch changes the behavior of UDP port checks. The conncheck
script now rather reports a warning that UDP port cannot be verified
but does not fail the entire test.

https://fedorahosted.org/freeipa/ticket/2514
Improve user awareness about dnsconfig 2012-03-26T04:33:45+00:00 Martin Kosek mkosek@redhat.com 2012-03-15T12:51:59+00:00 52aa008b8719f4ea678efa8957794bb6dcd13893 Global DNS configuration is a nice tool to maintain a common DNS settings stored in LDAP which are then used for all enrolled IPA servers. However, the settings stored in LDAP override local settings in named.conf on DNS servers. This patch adds more information about global DNS configuration options in install scripts and DNS module help. https://fedorahosted.org/freeipa/ticket/2525 
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.

This patch adds more information about global DNS configuration
options in install scripts and DNS module help.

https://fedorahosted.org/freeipa/ticket/2525
Wait for child process to terminate after receiving SIGINT in ipautil.run. 2012-03-23T09:53:02+00:00 Jan Cholasta jcholast@redhat.com 2012-03-20T16:29:36+00:00 d9e8b9a3ed7b26e9cb6bb891cf0d5bb4fcd66dbf Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in ipa-replica-conncheck. https://fedorahosted.org/freeipa/ticket/2127 
Do cleanup on KeyboardInterrupt rather than in custom SIGINT handler in
ipa-replica-conncheck.

https://fedorahosted.org/freeipa/ticket/2127
Add subject key identifier to the dogtag server cert profile. 2012-03-15T08:55:03+00:00 Rob Crittenden rcritten@redhat.com 2012-03-07T22:46:33+00:00 1584807e022540af7ca1a89031f18f45194c31ab This will add it on upgrades too and any new certs issued will have a subject key identifier set. If the user has customized the profile themselves then this won't be applied. https://fedorahosted.org/freeipa/ticket/2446 
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
Refresh resolvers after DNS install 2012-03-12T02:11:41+00:00 Martin Kosek mkosek@redhat.com 2012-03-06T12:26:45+00:00 c956b3cd2ba12d87054909af3dce7d231f034240 Server framework calls acutil.res_send() to send DNS queries used for various DNS tests. However, once acutil is imported it does not change its list of configured resolvers even when /etc/resolv.conf is changed. This may lead to unexpected resolution issues. We should at least reload httpd when we change /etc/resolv.conf to point to FreeIPA nameserver to force a new import of acutil and thus workaround this bug until it is resolved in authconfig. https://fedorahosted.org/freeipa/ticket/2481 
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.

We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.

https://fedorahosted.org/freeipa/ticket/2481
Fix typos in ipa-replica-manage man page 2012-03-02T13:38:45+00:00 Martin Kosek mkosek@redhat.com 2012-03-02T13:36:33+00:00 1cc761353bad6d279cd7d14939f67baef784433f Based on contribution by Brian Harrington. https://fedorahosted.org/freeipa/ticket/2428 
Based on contribution by Brian Harrington.

https://fedorahosted.org/freeipa/ticket/2428
Don't delete system users that are added during installation. 2012-02-29T21:36:13+00:00 Rob Crittenden rcritten@redhat.com 2012-02-29T04:05:06+00:00 a5a55ceff3822ede55ad817ede0da5712fb75651 We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership. https://fedorahosted.org/freeipa/ticket/2423 
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.

https://fedorahosted.org/freeipa/ticket/2423
Warn that deleting replica is irreversible, try to detect reconnection. 2012-02-29T15:20:49+00:00 Rob Crittenden rcritten@redhat.com 2012-02-24T23:17:47+00:00 2d555256526827564f89d941c2d2b31815378a6b Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126 
Using ipa-replica-manage del <replica> is irreversible. You can't
turn around and do a connect to it, all heck will break loose. This is
because we clean up all references to the replica when we delete so if
we connect to it again we'll end up deleting all of its principals.

When a connection is deleted then the agreement is removed on both sides.
What isn't removed is the nsDS5ReplicaBindDN so we can use that to
determine if we previously had a connection.

https://fedorahosted.org/freeipa/ticket/2126
Fix bad merge of not calling memberof task when re-initializing a replica 2012-02-28T01:23:10+00:00 Rob Crittenden rcritten@redhat.com 2012-02-28T18:28:14+00:00 a6a83ec168a439949bc24c4fea7cdfdb6d276d0d https://fedorahosted.org/freeipa/ticket/2199 
https://fedorahosted.org/freeipa/ticket/2199