path: root/install/tools
Commit message | Author | Age | Files | Lines
...
* install: remove dirman_pw from services | Tomas Krizek | 2016-11-07 | 2 | -6/+4
    Remove directory manager's password from service's constructors
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge IPAdmin to LDAPClient | Tomas Krizek | 2016-11-07 | 5 | -13/+17
    * move IPAdmin methods to LDAPClient
    * add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
    * add host, port, _protocol to LDAPClient (parsed from ldap_uri)
    * create get_ldap_uri() method to create ldap_uri from former IPAdmin.__init__() arguments
    * replace IPAdmin with LDAPClient + get_ldap_uri()
    * remove unused function argument hostname from enable_replication_version_checking()
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge gssapi_bind to LDAPClient | Tomas Krizek | 2016-11-07 | 2 | -2/+2
    * Rename do_sasl_gssapi_bind to gssapi_bind
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge external_bind into LDAPClient | Tomas Krizek | 2016-11-07 | 1 | -1/+1
    * Rename do_external_bind to external_bind
    * Remove user_name argument in external_bind() and always set it to effective user name
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge simple_bind into LDAPClient | Tomas Krizek | 2016-11-07 | 3 | -7/+14
    * Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
    * Rename binddn to bind_dn
    * Rename bindpw to bind_password
    * Explicitly specify bind_dn in all calls
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: remove wait/timeout during binds | Tomas Krizek | 2016-11-07 | 1 | -1/+1
    Testing whether it is possible to connect to directory server is already done in RedHatDirectoryService.restart().
    https://fedorahosted.org/freeipa/ticket/6461
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pylint: enable the import-error check | Jan Cholasta | 2016-10-24 | 1 | -1/+3
    Check for import errors with pylint to make sure new python package dependencies are not overlooked.
    https://fedorahosted.org/freeipa/ticket/6418
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add fix for no-hbac-allow option in server install | Abhijeet Kasurde | 2016-10-18 | 1 | -1/+1
    This PR brings uniformity in option provided by no-hbac-allow and other options present in IPA server install script
    Fixes https://fedorahosted.org/freeipa/ticket/6357
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* remove trailing newlines from python modules | Martin Babinsky | 2016-10-12 | 1 | -1/+0
    pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order to build FreeIPA with this version
    https://fedorahosted.org/freeipa/ticket/6391
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix ipa-cacert-manage man page | Florence Blanc-Renaud | 2016-10-11 | 1 | -1/+3
    When the admin runs ipa-cacert-manage install, he should also run ipa-certupdate on master/replicas/clients in order to update the certificates databases.
    The man page should mention this requirement, and also clarify that "install" command does not replace IPA CA but rather installs an additional trusted CA.
    https://fedorahosted.org/freeipa/ticket/6381
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Pylint: remove unused variables from installers and scripts | Martin Basti | 2016-10-06 | 3 | -24/+19
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable check for unused-variables | Martin Basti | 2016-09-27 | 3 | -0/+6
    Unused variables may:
    * make code less readable
    * create dead code
    * potentially hide issues/errors
    Enabled check should prevent to leave unused variable in code
    Check is locally disabled for modules that fix is not clear or easy or have too many occurrences of unused variables
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove unused variables in the code | Martin Basti | 2016-09-27 | 3 | -6/+2
    This commit removes unused variables or rename variables as "expected to be unused" by using "_" prefix.
    This covers only cases where fix was easy or only one unused variable was in a module
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable global-variable-not-assigned check | Martin Basti | 2016-09-23 | 1 | -1/+0
    the global keyword should be used only when variable from outside is assigned inside, otherwise it has no effect and just confuses developers
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* pylint: fix redefine-in-handler | Jan Barta | 2016-09-22 | 1 | -7/+7
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Updated help/man information about hostname | Stanislav Laznicka | 2016-09-22 | 2 | -2/+3
    The man page and help of ipa-client-install and ipa-replica-conncheck had outdated information about what is used as a hostname.
    https://fedorahosted.org/freeipa/ticket/5754
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Update ipa-server-install man page for hostname | Tomas Krizek | 2016-09-21 | 1 | -1/+1
    Hostname is always set, remove the text that says hostname is set only if it does not match the current hostname.
    https://fedorahosted.org/freeipa/ticket/6330
    Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Raise error when running ipa-adtrust-install with empty netbios--name | Lenka Doudova | 2016-08-30 | 1 | -5/+5
    When running ipa-adtrust-install, a netbios-name option must be specified. Currently if an invalid netbios name in form of empty string is specified, the installation proceeds, but changes the invalid value to a netbios name determined from domain name without any notification.
    Fixing this so that any attempt to supply empty string as netbios name fails with error in case of unattended installation, or to request input of valid netbios name from command line during normal installation.
    https://fedorahosted.org/freeipa/ticket/6120
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup | Petr Spacek | 2016-08-22 | 1 | -3/+3
    https://fedorahosted.org/freeipa/ticket/6233
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Corrected minor spell check in AD Trust information doc messages | Abhijeet Kasurde | 2016-08-22 | 1 | -1/+1
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrust-install: Mention AD GC port 3286 in list of required ports. | Petr Spacek | 2016-08-22 | 2 | -0/+3
    Port name "msft-gc" is taken from /etc/services file provided by package setup-2.10.1-1.fc24.noarch.
    https://fedorahosted.org/freeipa/ticket/6235
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Improvements for the ipa-cacert-manage man and help | Stanislav Laznicka | 2016-08-09 | 1 | -13/+25
    The man page for ipa-cacert-manage didn't mention that some options are only applicable to the install, some to the renew subcommand.
    Also fixed a few missing articles.
    https://fedorahosted.org/freeipa/ticket/6013
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Update ipa-replica-install documentation | Tomas Krizek | 2016-08-05 | 2 | -2/+2
    Update the ipa-replica-install man page and help to reflect that replica_file is optional instead of mandatory.
    https://fedorahosted.org/freeipa/ticket/6164
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Minor fix in ipa-replica-manage MAN page | Abhijeet Kasurde | 2016-07-28 | 1 | -7/+7
    Fixes: https://fedorahosted.org/freeipa/ticket/6058
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* unite log file name of ipa-ca-install | Petr Vobornik | 2016-07-21 | 1 | -1/+1
    ipa-ca-install said that it used /var/log/ipareplica-ca-install.log but in fact it used /var/log/ipaserver-ca-install.log
    This patch unites it to ipareplica-ca-install.log
    It was chosen because of backwards compatibility - ipareplica-ca-install was more commonly used. ipaserver-ca-install.log was used only in rare CA less -> CA installation.
    https://fedorahosted.org/freeipa/ticket/6086
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* ipa-compat-manage: use server API to retrieve plugin status | Martin Babinsky | 2016-07-12 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/6033
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-nis-manage: Use server API to retrieve plugin status | Martin Babinsky | 2016-07-12 | 1 | -1/+1
    https://fedorahosted.org/freeipa/ticket/6027
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Add option --no-log for ipa-replica-conncheck script | Martin Basti | 2016-07-01 | 1 | -1/+3
    When option is used, ipa-replica-conncheck will not log into file
    https://fedorahosted.org/freeipa/ticket/5757
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix replica install with CA | Martin Basti | 2016-06-30 | 1 | -1/+6
    The incorrect api was used, and CA record updated was duplicated.
    https://fedorahosted.org/freeipa/ticket/5966
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not allow installation in FIPS mode | Florence Blanc-Renaud | 2016-06-29 | 1 | -1/+5
    https://fedorahosted.org/freeipa/ticket/5761
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* DNS Locations: hide option --no-msdcs in adtrust-install | Martin Basti | 2016-06-27 | 1 | -3/+7
    Since DNS location mechanism is active, this option has no effect, because records are generated dynamically.
    https://fedorahosted.org/freeipa/ticket/2008
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix to ipa-ca-install asking for host principal password | Stanislav Laznicka | 2016-06-23 | 1 | -4/+3
    With a ca_cert_file specified in options, the nss_db was used before the certificates from the file were added to it, which caused an exception that led to fallback to ssh which is broken.
    https://fedorahosted.org/freeipa/ticket/5965
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-replica-manage: use `server_del` when removing domain level 1 replica | Martin Babinsky | 2016-06-17 | 1 | -131/+8
    `ipa-replica-manage del` will now call `server_del` behind the scenes when a removal of replica from managed topology is requested. The existing removal options were mapped on the server_del options to maintain backwards compatibility with earlier versions.
    https://fedorahosted.org/freeipa/ticket/5588
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* delegate removal of master DNS record and replica keys to separate functions | Martin Babinsky | 2016-06-17 | 1 | -6/+2
    https://fedorahosted.org/freeipa/ticket/5588
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Always qualify requests for admin in ipa-replica-conncheck | Florence Blanc-Renaud | 2016-06-17 | 1 | -2/+5
    ipa-replica-conncheck connects to the master using an SSH command:
        ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
            -o GSSAPIAuthentication=yes <principal>@<master hostname> \
            echo OK
    The issue is that the principal name is not fully qualified (for instance 'admin' is used, even if ipa-replica-conncheck was called with --principal admin@EXAMPLE.COM).
    When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
        [sssd]
        default_domain_suffix = ad.domain.com
    this leads to the SSH connection failure because admin is not defined in the default domain.
    The fix uses the fully qualified principal name, and calls ssh with
        ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
            -o GSSAPIAuthentication=yes -o User=<principal> \
            <master hostname> echo OK
    to avoid syntax issues with admin@DOMAIN@master
    https://fedorahosted.org/freeipa/ticket/5812
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: adtrustinstance simplify dns management | Martin Basti | 2016-06-17 | 1 | -1/+1
    The path how to get IPA domain in code was somehow obfuscated, this patch simplifies and makes clear what happened there with domain name.
    https://fedorahosted.org/freeipa/ticket/2008
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: use dns_update_service_records in installers | Martin Basti | 2016-06-17 | 2 | -2/+1
    use the dns_update_system_records command to set proper DNS records
    https://fedorahosted.org/freeipa/ticket/2008
    Reviewed-By: Petr Spacek <pspacek@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* installer: positional_arguments must be tuple or list of strings | David Kupka | 2016-06-13 | 1 | -1/+1
    Setting string here was causing search for substring instead of search for value in tuple or list.
    https://fedorahosted.org/freeipa/ticket/5945
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Setup lightweight CA key retrieval on install/upgrade | Fraser Tweedale | 2016-06-09 | 2 | -0/+33
    Add the ipa-pki-retrieve-key helper program and configure lightweight CA key replication on installation and upgrade. The specific configuration steps are:
    - Add the 'dogtag/$HOSTNAME' service principal
    - Create the principal's Custodia keys
    - Retrieve the principal's keytab
    - Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke ipa-pki-retrieve-key for key retrieval
    Also bump the minimum version of Dogtag to 10.3.2.
    Part of: https://fedorahosted.org/freeipa/ticket/4559
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove dangling RUVs even if replicas are offline | Stanislav Laznicka | 2016-06-03 | 1 | -4/+0
    Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5.
    https://fedorahosted.org/freeipa/ticket/5396
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* fixes premature sys.exit in ipa-replica-manage del | Stanislav Laznicka | 2016-06-03 | 1 | -6/+5
    Deletion of a replica would fail should there be no RUVs on the server.
    Also removed some dead code in del_master_managed which might cause premature exit if RuntimeError occurs.
    https://fedorahosted.org/freeipa/ticket/5307
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipactl: use server API | Jan Cholasta | 2016-06-03 | 1 | -1/+1
    Initialize API in ipactl with in_server=True, as this is a server-side script.
    https://fedorahosted.org/freeipa/ticket/4739
    Reviewed-By: David Kupka <dkupka@redhat.com>
* rpc: specify connection options in API config | Jan Cholasta | 2016-06-03 | 1 | -3/+5
    Specify RPC connection options once in API.bootstrap rather than in each invocation of rpcclient.connect.
    https://fedorahosted.org/freeipa/ticket/4739
    Reviewed-By: David Kupka <dkupka@redhat.com>
* Performance: Find commands: do not process members by default | Martin Basti | 2016-05-31 | 1 | -2/+4
    In all *-find commands, member attributes shouldn't be processed due high amount of ldapsearches cause serious performance issues. For this reason --no-members option is set by default in CLI and API.
    To get members in *-find command option --all in CLI is required or 'no_members=False' or 'all=True' must be set in API call.
    For other commands processing of members stays unchanged. WebUI is not affected by this change.
    https://fedorahosted.org/freeipa/ticket/4995
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use root_logger for verify_host_resolvable() | Petr Spacek | 2016-05-30 | 1 | -1/+1
    After discussion with Martin Basti we decided to standardize on root_logger with hope that one day we will use root_logger.getLogger('module') to make logging prettier and tunable per module.
    https://fedorahosted.org/freeipa/ticket/5710
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add missing CA options to the manpage for ipa-replica-install | Florence Blanc-Renaud | 2016-05-28 | 1 | -1/+34
    CA-less options were missing, as well as --allow-zone-overlap and --auto-reverse.
    Fix short option for --realm which was displayed as -d instead of -r.
    https://fedorahosted.org/freeipa/ticket/5835
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-nis-manage: add status option | Petr Spacek | 2016-05-24 | 2 | -6/+24
    https://fedorahosted.org/freeipa/ticket/5856
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
    Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* ipactl: advertise --ignore-service-failure option | Martin Basti | 2016-05-12 | 1 | -0/+10
    For non-critical services which are failing may be beneficial for users to ignore them and let IPA critical services start. For this a hint to use --ignore-service-failure option should be shown.
    https://fedorahosted.org/freeipa/ticket/5820
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS installer: accept --auto-forwarders option in unattended mode | Petr Spacek | 2016-05-11 | 1 | -2/+5
    https://fedorahosted.org/freeipa/ticket/5869
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix to clean-dangling-ruv for single CA topologies | Stanislav Laznicka | 2016-05-10 | 1 | -21/+33
    clean-dangling-ruv would fail in topologies with only one CA or when only one IPA server is present
    https://fedorahosted.org/freeipa/ticket/5840
    Reviewed-By: Martin Basti <mbasti@redhat.com>