Commit message | Author | Age | Files | Lines
...
* test: Temporarily increase timeout in vault test. | David Kupka | 2015-12-14 | 1 | -1/+1
  Remove this change when vault is fixed.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Install RA cert during replica promotion | Martin Basti | 2015-12-14 | 2 | -4/+8
  This cert is needed with KRA to be able to store and retrieve secrets.
  https://fedorahosted.org/freeipa/ticket/5512
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Refactor ipautil.run | Petr Viktorin | 2015-12-14 | 28 | -245/+476
  The ipautil.run function now returns an object whose returncode and output are accessible as attributes.
  The stdout and stderr of all commands are logged (unless skip_output is given).
  The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text.
  The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging.
  All calls are changed to reflect this.
  A use of Popen in cainstance is changed to ipautil.run.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* prevent crashes of server uninstall check caused by failed LDAP connections | Martin Babinsky | 2015-12-11 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Migrate wget references and usage to curl | Gabe | 2015-12-11 | 6 | -20/+20
  https://fedorahosted.org/freeipa/ticket/5458
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica promotion: use host credentials for connection check | Jan Cholasta | 2015-12-11 | 1 | -17/+8
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica install: add remote connection check over API | Jan Cholasta | 2015-12-11 | 20 | -78/+300
  Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob.
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* build: put oddjob scripts into separate directory | Jan Cholasta | 2015-12-11 | 2 | -1/+5
  https://fedorahosted.org/freeipa/ticket/5497
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-install prints incorrect error message when replica is already installed | Gabe | 2015-12-11 | 1 | -3/+12
  https://fedorahosted.org/freeipa/ticket/5022
  https://fedorahosted.org/freeipa/ticket/5320
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replicainstall: Make sure the enrollment state is preserved | Tomas Babej | 2015-12-11 | 1 | -0/+32
  During the promote_check phase, the subsequent checks after the machine is enrolled may cause the installation to abort, hence leaving it enrolled even though it might not have been prior to the execution of the ipa-replica-install command.
  Make sure that ipa-client-install --uninstall is called on the machine that has not been enrolled before in case of failure during the promote_check phase.
  https://fedorahosted.org/freeipa/ticket/5529
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: Add check for domain if server is specified | Tomas Babej | 2015-12-11 | 1 | -0/+6
  Avoids failing in the later stages during the ipa-client-install command.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* spec file: put Python modules into standalone packages | Jan Cholasta | 2015-12-11 | 3 | -95/+311
  Make the following changes in packaging:
   * freeipa-server - split off python2-ipaserver and freeipa-server-common,
   * freeipa-server-dns - build as noarch,
   * freeipa-client - split off python2-ipaclient and freeipa-client-common,
   * freeipa-admintools - build as noarch,
   * freeipa-python - split into python2-ipalib and freeipa-common, provide freeipa-python-compat for upgrades,
   * freeipa-tests - rename to python2-ipatests and build as noarch.
  Bump version to 4.2.91.
  https://fedorahosted.org/freeipa/ticket/3197
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* spec file: remove config files from freeipa-python | Jan Cholasta | 2015-12-11 | 1 | -11/+13
  /etc/ipa/dnssec is now owned by freeipa-server. The remaining files are now owned by freeipa-client.
  https://fedorahosted.org/freeipa/ticket/3197
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* CI: fix ipa-kra-install on domain level 1 | Martin Basti | 2015-12-11 | 1 | -6/+1
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* tests: Add hostmask detection for sudo rules validating on hostmask | Tomas Babej | 2015-12-11 | 2 | -6/+43
  IPA sudo tests worked under the assumption that the clients that are executing the sudo commands have their IPs assigned within 255.255.255.0 hostmask.
  Removes this (invalid) assumption and adds a dynamic detection of the hostmask of the IPA client.
  https://fedorahosted.org/freeipa/ticket/5501
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* fix error message assertion in negative forced client reenrollment tests | Martin Babinsky | 2015-12-11 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5511
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Adding descriptive IDs to stageuser tests | Lenka Doudova | 2015-12-11 | 3 | -39/+56
  Adding descriptive IDs to parametrized stageuser test for better identification of test cases.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* add ACIs for custodia container to its parent during IPA upgrade | Martin Babinsky | 2015-12-11 | 1 | -1/+1
  This fixes the situation when LDAPUpdater tries to add ACIs for storing secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually created leading to creation of container without any ACI and subsequent erroneous behavior.
  https://fedorahosted.org/freeipa/ticket/5524
  Reviewed-By: David Kupka <dkupka@redhat.com>
* server uninstall: ignore --ignore-topology-disconnect in domain level 0 | Jan Cholasta | 2015-12-11 | 1 | -5/+0
  Topology disconnect is always ignored in domain level 0, so the option can be safely ignored.
  https://fedorahosted.org/freeipa/ticket/5409
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: check domain level before ipaservers membership | Jan Cholasta | 2015-12-11 | 1 | -14/+14
  Check domain level before checking ipaservers membership to prevent "not found" error when attempting replica promotion in domain level 0.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica install: add ipaservers if it does not exist | Jan Cholasta | 2015-12-11 | 1 | -5/+4
  This prevents crash when adding the host entry to ipaservers when installing replica of a 4.2 or older server.
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica: Fix ipa-replica-install with replica file (domain level 0). | David Kupka | 2015-12-10 | 1 | -4/+6
  Attribute _ca_enabled is set in promote_check() and is not available in install(). When installing replica in domain level 0 we can determine existence of CA service based on existence of cacert.p12 file in provided replica-file.
  https://fedorahosted.org/freeipa/ticket/5531
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* topology: Fix: Make sure the old 'realm' topology suffix is not used | Tomas Babej | 2015-12-09 | 1 | -0/+1
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed.
  Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: allow OTP bulk client enrollment | Jan Cholasta | 2015-12-09 | 1 | -14/+31
  https://fedorahosted.org/freeipa/ticket/5498
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* topology: Make sure the old 'realm' topology suffix is not used | Tomas Babej | 2015-12-09 | 1 | -0/+3
  The old 'realm' topology suffix is no longer used, however, it was being created on masters with version 4.2.3 and later. Make sure it's properly removed.
  Note that this is not the case for the 'ipaca' suffix, which was later removed to 'ca'.
  https://fedorahosted.org/freeipa/ticket/5526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI tests: ignore disconnected domain level 1 topology on IPA master teardown | Martin Babinsky | 2015-12-09 | 1 | -5/+10
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* add missing /ipaplatform/constants.py to .gitignore | Petr Spacek | 2015-12-08 | 1 | -0/+1
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* CI: fix function that prepares the hosts file before CI run | Martin Basti | 2015-12-08 | 1 | -2/+4
  Without this fix function removed 2 lines from hosts file.
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* CI: installation tests | Martin Basti | 2015-12-08 | 2 | -0/+232
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* install: Run all validators at once. | David Kupka | 2015-12-08 | 1 | -12/+19
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Force creation of services during replica install | Martin Basti | 2015-12-07 | 1 | -1/+2
  Missing A record should not prevent replica from being installed.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI: test various topologies with multiple replicas | Martin Basti | 2015-12-07 | 1 | -0/+87
  Test tests topologies listed below with and without CA on replicas:
    star topology: 3 replicas
    line topology: 3 replicas
    complete topology: 3 replicas
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* replicainstall: Admin password should not conflict with replica file | Tomas Babej | 2015-12-07 | 1 | -1/+0
  The --admin-password (-w) has its use both in domain level 0 and 1.
  https://fedorahosted.org/freeipa/ticket/5517
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2015-12-07 | 2 | -2/+2
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* tests: Fix incorrect uninstall method invocation | Tomas Babej | 2015-12-07 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/5516
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* custodia: do not modify memberPrincipal on key update | Jan Cholasta | 2015-12-07 | 1 | -2/+1
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: automatically add the local host to ipaservers | Jan Cholasta | 2015-12-07 | 1 | -2/+46
  If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: use host credentials when setting up replication | Jan Cholasta | 2015-12-07 | 2 | -12/+45
  Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipautil: use file in a temporary dir as ccache in private_ccache | Jan Cholasta | 2015-12-07 | 1 | -2/+9
  python-gssapi chokes on empty ccache files, so instead of creating an empty temporary ccache file in private_ccache, create a temporary directory and use a non-existent file in that directory as the ccache.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: allow members of ipaservers to set up replication | Jan Cholasta | 2015-12-07 | 2 | -0/+26
  Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves.
  A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials.
  https://fedorahosted.org/freeipa/ticket/5401
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIs | Jan Cholasta | 2015-12-07 | 3 | -128/+12
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: add IPA servers host group 'ipaservers' | Jan Cholasta | 2015-12-07 | 7 | -2/+66
  https://fedorahosted.org/freeipa/ticket/3416
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* check whether replica exists before executing the domain level 1 deletion code | Martin Babinsky | 2015-12-04 | 1 | -7/+11
  Move this check before the parts that check topology suffix connectivity, wait for removed segments etc. If the hostname does not exist, it should really be one of the first errors user encounters during ipa-replica-manage del.
  https://fedorahosted.org/freeipa/ticket/5424
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* add '--auto-forwarders' description to server/replica/DNS installer man pages | Martin Babinsky | 2015-12-04 | 3 | -0/+9
  https://fedorahosted.org/freeipa/ticket/5438
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* add auto-forwarders option to standalone DNS installer | Martin Babinsky | 2015-12-04 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/5438
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend topology help | Petr Vobornik | 2015-12-04 | 1 | -3/+52
  `ipa help topology` is improved.
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica install: improvements in the handling of CA-related IPA config entries | Martin Babinsky | 2015-12-04 | 3 | -17/+25
  When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA.
  https://fedorahosted.org/freeipa/ticket/5506
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update ipa-(cs)replica-manage man pages | Petr Vobornik | 2015-12-04 | 2 | -9/+21
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* man: Update the ipa-replica-install manpage with promotion related info | Tomas Babej | 2015-12-04 | 1 | -12/+57
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* rename topology suffixes to "domain" and "ca" | Petr Vobornik | 2015-12-04 | 6 | -15/+20
  https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>