Commit message | Author | Age | Files | Lines
* aci: merge domain and CA suffix replication agreement ACIs | Jan Cholasta | 2015-12-14 | 3 | -9/+13
  Merge the two identical sets of replication agreement permission ACIs for the domain and CA suffixes into a single set suitable for replication agreements for both suffixes.
  This makes the replication agreement permissions behave correctly during CA replica install, so that any non-admin user with the proper permissions (such as members of the ipaservers host group) can set up replication for the CA suffix.
  https://fedorahosted.org/freeipa/ticket/5399
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* dogtaginstance: remove unused function 'check_inst' | Fraser Tweedale | 2015-12-14 | 2 | -18/+0
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica promotion: notify user about ignoring client enrollment options | Jan Cholasta | 2015-12-14 | 1 | -0/+6
  When IPA client is already installed, notify the user that the enrollment options are ignored in ipa-replica-install.
  https://fedorahosted.org/freeipa/ticket/5530
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Tests: test_ipagetkeytab: fix assert that is always true | Martin Basti | 2015-12-14 | 1 | -2/+2
  Fixes: /usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_ipagetkeytab.py:116: SyntaxWarning: assertion is always true, perhaps remove parentheses?
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* spec file: Add dbus-python to BuildRequires | David Kupka | 2015-12-14 | 1 | -0/+1
  Commit 8d7f67e introduced the need for dbus-python during build time.
  https://fedorahosted.org/freeipa/ticket/5497
* Makefile: disable parallel build | Petr Spacek | 2015-12-14 | 1 | -0/+3
  IPA build system cannot cope with parallel build anyway, so this patch disables parallel build explicitly so it does not blow up when user has -j specified in default MAKEOPTS.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test: Temporarily increase timeout in vault test. | David Kupka | 2015-12-14 | 1 | -1/+1
  Remove this change when vault is fixed.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Install RA cert during replica promotion | Martin Basti | 2015-12-14 | 2 | -4/+8
  This cert is needed with KRA to be able to store and retrieve secrets.
  https://fedorahosted.org/freeipa/ticket/5512
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Refactor ipautil.run | Petr Viktorin | 2015-12-14 | 28 | -245/+476
  The ipautil.run function now returns an object with returncode and output accessible as attributes.
  The stdout and stderr of all commands are logged (unless skip_output is given).
  The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text.
  The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging.
  All calls are changed to reflect this.
  A use of Popen in cainstance is changed to ipautil.run.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* prevent crashes of server uninstall check caused by failed LDAP connections | Martin Babinsky | 2015-12-11 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Migrate wget references and usage to curl | Gabe | 2015-12-11 | 6 | -20/+20
  https://fedorahosted.org/freeipa/ticket/5458
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica promotion: use host credentials for connection check | Jan Cholasta | 2015-12-11 | 1 | -17/+8
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica install: add remote connection check over API | Jan Cholasta | 2015-12-11 | 20 | -78/+300
  Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob.
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* build: put oddjob scripts into separate directory | Jan Cholasta | 2015-12-11 | 2 | -1/+5
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-install prints incorrect error message when replica is already installed | Gabe | 2015-12-11 | 1 | -3/+12
  https://fedorahosted.org/freeipa/ticket/5022
  https://fedorahosted.org/freeipa/ticket/5320
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replicainstall: Make sure the enrollment state is preserved | Tomas Babej | 2015-12-11 | 1 | -0/+32
  During the promote_check phase, the subsequent checks after the machine is enrolled may cause the installation to abort, hence leaving it enrolled even though it might not have been prior to the execution of the ipa-replica-install command.
  Make sure that ipa-client-install --uninstall is called on the machine that has not been enrolled before in case of failure during the promote_check phase.
  https://fedorahosted.org/freeipa/ticket/5529
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: Add check for domain if server is specified | Tomas Babej | 2015-12-11 | 1 | -0/+6
  Avoids failing in the later stages during the ipa-client-install command.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* spec file: put Python modules into standalone packages | Jan Cholasta | 2015-12-11 | 3 | -95/+311
  Make the following changes in packaging:
  * freeipa-server - split off python2-ipaserver and freeipa-server-common,
  * freeipa-server-dns - build as noarch,
  * freeipa-client - split off python2-ipaclient and freeipa-client-common,
  * freeipa-admintools - build as noarch,
  * freeipa-python - split into python2-ipalib and freeipa-common, provide freeipa-python-compat for upgrades,
  * freeipa-tests - rename to python2-ipatests and build as noarch.
  Bump version to 4.2.91.
  https://fedorahosted.org/freeipa/ticket/3197
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* spec file: remove config files from freeipa-python | Jan Cholasta | 2015-12-11 | 1 | -11/+13
  /etc/ipa/dnssec is now owned by freeipa-server. The remaining files are now owned by freeipa-client.
  https://fedorahosted.org/freeipa/ticket/3197
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* CI: fix ipa-kra-install on domain level 1 | Martin Basti | 2015-12-11 | 1 | -6/+1
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* tests: Add hostmask detection for sudo rules validating on hostmask | Tomas Babej | 2015-12-11 | 2 | -6/+43
  IPA sudo tests worked under the assumption that the clients that are executing the sudo commands have their IPs assigned within 255.255.255.0 hostmask.
  Removes this (invalid) assumption and adds a dynamic detection of the hostmask of the IPA client.
  https://fedorahosted.org/freeipa/ticket/5501
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* fix error message assertion in negative forced client reenrollment tests | Martin Babinsky | 2015-12-11 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5511
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Adding descriptive IDs to stageuser tests | Lenka Doudova | 2015-12-11 | 3 | -39/+56
  Adding descriptive IDs to parametrized stageuser test for better identification of test cases.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* add ACIs for custodia container to its parent during IPA upgrade | Martin Babinsky | 2015-12-11 | 1 | -1/+1
  This fixes the situation when LDAPUpdater tries to add ACIs for storing secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually created leading to creation of container without any ACI and subsequent erroneous behavior.
  https://fedorahosted.org/freeipa/ticket/5524
  Reviewed-By: David Kupka <dkupka@redhat.com>
* server uninstall: ignore --ignore-topology-disconnect in domain level 0 | Jan Cholasta | 2015-12-11 | 1 | -5/+0
  Topology disconnect is always ignored in domain level 0, so the option can be safely ignored.
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: check domain level before ipaservers membership | Jan Cholasta | 2015-12-11 | 1 | -14/+14
  Check domain level before checking ipaservers membership to prevent "not found" error when attempting replica promotion in domain level 0.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica install: add ipaservers if it does not exist | Jan Cholasta | 2015-12-11 | 1 | -5/+4
  This prevents crash when adding the host entry to ipaservers when installing replica of a 4.2 or older server.
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica: Fix ipa-replica-install with replica file (domain level 0). | David Kupka | 2015-12-10 | 1 | -4/+6
  Attribute _ca_enabled is set in promote_check() and is not available in install(). When installing replica in domain level 0 we can determine existence of CA service based on existence of cacert.p12 file in provided replica-file.
  https://fedorahosted.org/freeipa/ticket/5531
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* topology: Fix: Make sure the old 'realm' topology suffix is not used | Tomas Babej | 2015-12-09 | 1 | -0/+1
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed.
  Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: allow OTP bulk client enrollment | Jan Cholasta | 2015-12-09 | 1 | -14/+31
  https://fedorahosted.org/freeipa/ticket/5498
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* topology: Make sure the old 'realm' topology suffix is not used | Tomas Babej | 2015-12-09 | 1 | -0/+3
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed.
  Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI tests: ignore disconnected domain level 1 topology on IPA master teardown | Martin Babinsky | 2015-12-09 | 1 | -5/+10
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* add missing /ipaplatform/constants.py to .gitignore | Petr Spacek | 2015-12-08 | 1 | -0/+1
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* CI: fix function that prepares the hosts file before CI run | Martin Basti | 2015-12-08 | 1 | -2/+4
  Without this fix, the function removed 2 lines from the hosts file.
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* CI: installation tests | Martin Basti | 2015-12-08 | 2 | -0/+232
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* install: Run all validators at once. | David Kupka | 2015-12-08 | 1 | -12/+19
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Force creation of services during replica install | Martin Basti | 2015-12-07 | 1 | -1/+2
  Missing A record should not prevent replica to be installed.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI: test various topologies with multiple replicas | Martin Basti | 2015-12-07 | 1 | -0/+87
  Test tests topologies listed below with and without CA on replicas:
  star topology: 3 replicas
  line topology: 3 replicas
  complete topology: 3 replicas
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* replicainstall: Admin password should not conflict with replica file | Tomas Babej | 2015-12-07 | 1 | -1/+0
  The --admin-password (-w) has its use both in domain level 0 and 1.
  https://fedorahosted.org/freeipa/ticket/5517
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2015-12-07 | 2 | -2/+2
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* tests: Fix incorrect uninstall method invocation | Tomas Babej | 2015-12-07 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5516
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* custodia: do not modify memberPrincipal on key update | Jan Cholasta | 2015-12-07 | 1 | -2/+1
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: automatically add the local host to ipaservers | Jan Cholasta | 2015-12-07 | 1 | -2/+46
  If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: use host credentials when setting up replication | Jan Cholasta | 2015-12-07 | 2 | -12/+45
  Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipautil: use file in a temporary dir as ccache in private_ccache | Jan Cholasta | 2015-12-07 | 1 | -2/+9
  python-gssapi chokes on empty ccache files, so instead of creating an empty temporary ccache file in private_ccache, create a temporary directory and use a non-existent file in that directory as the ccache.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: allow members of ipaservers to set up replication | Jan Cholasta | 2015-12-07 | 2 | -0/+26
  Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves.
  A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIs | Jan Cholasta | 2015-12-07 | 3 | -128/+12
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: add IPA servers host group 'ipaservers' | Jan Cholasta | 2015-12-07 | 7 | -2/+66
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* check whether replica exists before executing the domain level 1 deletion code | Martin Babinsky | 2015-12-04 | 1 | -7/+11
  Move this check before the parts that check topology suffix connectivity, wait for removed segments etc. If the hostname does not exist, it should really be one of the first errors user encounters during ipa-replica-manage del.
  https://fedorahosted.org/freeipa/ticket/5424
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add '--auto-forwarders' description to server/replica/DNS installer man pages | Martin Babinsky | 2015-12-04 | 3 | -0/+9
  https://fedorahosted.org/freeipa/ticket/5438
  Reviewed-By: Martin Basti <mbasti@redhat.com>