path: root/install/tools
Commit message | Author | Age | Files | Lines
* Fix replica install with CA | Martin Basti | 2016-06-30 | 1 | -1/+6
  The incorrect api was used, and CA record updated was duplicated.
  https://fedorahosted.org/freeipa/ticket/5966
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Do not allow installation in FIPS mode | Florence Blanc-Renaud | 2016-06-29 | 1 | -1/+5
  https://fedorahosted.org/freeipa/ticket/5761
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* DNS Locations: hide option --no-msdcs in adtrust-install | Martin Basti | 2016-06-27 | 1 | -3/+7
  Since DNS location mechanism is active, this option has no effect, because records are generated dynamically.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix to ipa-ca-install asking for host principal password | Stanislav Laznicka | 2016-06-23 | 1 | -4/+3
  With a ca_cert_file specified in options, the nss_db was used before the certificates from the file were added to it, which caused an exception that led to fallback to ssh which is broken.
  https://fedorahosted.org/freeipa/ticket/5965
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-replica-manage: use `server_del` when removing domain level 1 replica | Martin Babinsky | 2016-06-17 | 1 | -131/+8
  `ipa-replica-manage del` will now call `server_del` behind the scenes when a removal of replica from managed topology is requested. The existing removal options were mapped on the server_del options to maintain backwards compatibility with earlier versions.
  https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* delegate removal of master DNS record and replica keys to separate functions | Martin Babinsky | 2016-06-17 | 1 | -6/+2
  https://fedorahosted.org/freeipa/ticket/5588
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Always qualify requests for admin in ipa-replica-conncheck | Florence Blanc-Renaud | 2016-06-17 | 1 | -2/+5
  ipa-replica-conncheck connects to the master using an SSH command:
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK
  The issue is that the principal name is not fully qualified (for instance 'admin' is used, even if ipa-replica-conncheck was called with --principal admin@EXAMPLE.COM).
  When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
  this leads to the SSH connection failure because admin is not defined in the default domain.
  The fix uses the fully qualified principal name, and calls ssh with
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK
  to avoid syntax issues with admin@DOMAIN@master
  https://fedorahosted.org/freeipa/ticket/5812
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: adtrustinstance simplify dns management | Martin Basti | 2016-06-17 | 1 | -1/+1
  The path how to get IPA domain in code was somehow obfuscated, this patch simplifies and makes clear what happened there with domain name.
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS Locations: use dns_update_service_records in installers | Martin Basti | 2016-06-17 | 2 | -2/+1
  use the dns_update_system_records command to set proper DNS records
  https://fedorahosted.org/freeipa/ticket/2008
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* installer: positional_arguments must be tuple or list of strings | David Kupka | 2016-06-13 | 1 | -1/+1
  Setting string here was causing search for substring instead of search for value in tuple or list.
  https://fedorahosted.org/freeipa/ticket/5945
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Setup lightweight CA key retrieval on install/upgrade | Fraser Tweedale | 2016-06-09 | 2 | -0/+33
  Add the ipa-pki-retrieve-key helper program and configure lightweight CA key replication on installation and upgrade. The specific configuration steps are:
  - Add the 'dogtag/$HOSTNAME' service principal
  - Create the principal's Custodia keys
  - Retrieve the principal's keytab
  - Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke ipa-pki-retrieve-key for key retrieval
  Also bump the minimum version of Dogtag to 10.3.2.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove dangling RUVs even if replicas are offline | Stanislav Laznicka | 2016-06-03 | 1 | -4/+0
  Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5.
  https://fedorahosted.org/freeipa/ticket/5396
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* fixes premature sys.exit in ipa-replica-manage del | Stanislav Laznicka | 2016-06-03 | 1 | -6/+5
  Deletion of a replica would fail should there be no RUVs on the server.
  Also removed some dead code in del_master_managed which might cause premature exit if RuntimeError occurs.
  https://fedorahosted.org/freeipa/ticket/5307
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipactl: use server API | Jan Cholasta | 2016-06-03 | 1 | -1/+1
  Initialize API in ipactl with in_server=True, as this is a server-side script.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* rpc: specify connection options in API config | Jan Cholasta | 2016-06-03 | 1 | -3/+5
  Specify RPC connection options once in API.bootstrap rather than in each invocation of rpcclient.connect.
  https://fedorahosted.org/freeipa/ticket/4739
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Performance: Find commands: do not process members by default | Martin Basti | 2016-05-31 | 1 | -2/+4
  In all *-find commands, member attributes shouldn't be processed due to high amount of ldapsearches cause serious performance issues. For this reason --no-members option is set by default in CLI and API.
  To get members in *-find command option --all in CLI is required or 'no_members=False' or 'all=True' must be set in API call.
  For other commands processing of members stays unchanged. WebUI is not affected by this change.
  https://fedorahosted.org/freeipa/ticket/4995
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use root_logger for verify_host_resolvable() | Petr Spacek | 2016-05-30 | 1 | -1/+1
  After discussion with Martin Basti we decided to standardize on root_logger with hope that one day we will use root_logger.getLogger('module') to make logging prettier and tunable per module.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add missing CA options to the manpage for ipa-replica-install | Florence Blanc-Renaud | 2016-05-28 | 1 | -1/+34
  CA-less options were missing, as well as --allow-zone-overlap and --auto-reverse.
  Fix short option for --realm which was displayed as -d instead of -r.
  https://fedorahosted.org/freeipa/ticket/5835
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-nis-manage: add status option | Petr Spacek | 2016-05-24 | 2 | -6/+24
  https://fedorahosted.org/freeipa/ticket/5856
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* ipactl: advertise --ignore-service-failure option | Martin Basti | 2016-05-12 | 1 | -0/+10
  For non-critical services which are failing may be beneficial for users to ignore them and let IPA critical services start. For this a hint to use --ignore-service-failure option should be shown.
  https://fedorahosted.org/freeipa/ticket/5820
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNS installer: accept --auto-forwarders option in unattended mode | Petr Spacek | 2016-05-11 | 1 | -2/+5
  https://fedorahosted.org/freeipa/ticket/5869
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix to clean-dangling-ruv for single CA topologies | Stanislav Laznicka | 2016-05-10 | 1 | -21/+33
  clean-dangling-ruv would fail in topologies with only one CA or when only one IPA server is present
  https://fedorahosted.org/freeipa/ticket/5840
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' | Gabe | 2016-05-10 | 1 | -11/+10
  https://fedorahosted.org/freeipa/ticket/5857
  Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix added to ipa-compat-manage command line help | Abhijeet Kasurde | 2016-05-05 | 1 | -3/+3
  Minor fix in ipa-compat-manage command help message.
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-nis-manage: mention return code 3 in man page | Petr Spacek | 2016-04-29 | 1 | -0/+2
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-nis-manage: Replace text references to compat plugin with NIS | Petr Spacek | 2016-04-29 | 1 | -2/+2
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Auto-detect default value for --forward-policy option in installers | Petr Spacek | 2016-04-28 | 4 | -4/+13
  Forward policy defaults to 'first' if no IP address belonging to a private or reserved ranges is detected on local interfaces (RFC 6303). Defaults to only if a private IP address is detected.
  This prevents problems with BIND automatic empty zones because conflicting zones cannot be disabled unless forwarding policy == only.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend installers with --forward-policy option | Petr Spacek | 2016-04-28 | 4 | -0/+12
  This option specified forward policy for global forwarders. The value is put inside /etc/named.conf.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove function ipapython.ipautil.host_exists() | Petr Spacek | 2016-04-28 | 1 | -4/+8
  The function duplicated ipalib.util.verify_host_resolvable() in slightly incompatible way because it used NSS while rest of IPA is using only DNS.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Moved password check from clean_dangling_ruv | Stanislav Laznicka | 2016-04-28 | 1 | -10/+2
  The proper password check is now done elsewhere
  https://fedorahosted.org/freeipa/ticket/4987
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* abort-clean/list/clean-ruv now work for both suffixes | Stanislav Laznicka | 2016-04-28 | 2 | -29/+100
  The rid passed to abort-clean-ruv and clean-ruv is now searched for in both ipaca and domain trees as well as list-ruv now displays both RUVs and CS-RUVs
  https://fedorahosted.org/freeipa/ticket/4987
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-manage refactoring | Stanislav Laznicka | 2016-04-28 | 1 | -28/+38
  get_ruv does not call sys.exit anymore, instead it raises RuntimeError for better error handling
  Also removed duplicate code from abort_clean_ruv
  https://fedorahosted.org/freeipa/ticket/4987
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica-manage: fail nicely when DM psswd required | Stanislav Laznicka | 2016-04-28 | 1 | -1/+5
  Some commands do not allow anonymous bind and would fail with misleading message.
  https://fedorahosted.org/freeipa/ticket/4987
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added description related to 'status' in ipactl man page | Abhijeet Kasurde | 2016-04-20 | 1 | -0/+3
  Fixes : https://fedorahosted.org/freeipa/ticket/5768
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limits | Martin Babinsky | 2016-04-13 | 2 | -8/+4
  When LDAP search fails on exceeded limits, we should raise a specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out.
  https://fedorahosted.org/freeipa/ticket/5677
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* ipa-replica-manage: print traceback on unexpected error when in verbose mode | Martin Babinsky | 2016-03-22 | 1 | -5/+13
  Print the traceback to stdout to maintain backwards compatibility.
  https://fedorahosted.org/freeipa/ticket/5380
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Pylint: fix definition of global variables | Martin Basti | 2016-03-22 | 1 | -1/+0
  Global variables should be defined in the outer space, not just marked as global inside functions.
  Removes unused global variables
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare except | Martin Basti | 2016-03-22 | 2 | -6/+6
  Bare except should not be used.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* krb5conf: use 'true' instead of 'yes' for forwardable option | Martin Basti | 2016-03-09 | 1 | -1/+1
  'yes' is also valid value in krb5.conf but we should be consistent and use only 'true' as we do for other options.
  https://fedorahosted.org/freeipa/ticket/5518
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* pylint: suppress false positive no-member errors | Martin Basti | 2016-03-02 | 1 | -2/+2
  pylint 1.5 prints many false positive no-member errors which are suppressed by this commit.
  https://fedorahosted.org/freeipa/ticket/5615
  Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-adtrust-install: Allow dash in the NETBIOS name | Tomas Babej | 2016-02-29 | 1 | -2/+4
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Automatically detect and remove dangling RUVs | Stanislav Laznicka | 2016-02-02 | 2 | -0/+163
  https://fedorahosted.org/freeipa/ticket/5411
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Listing and cleaning RUV extended for CA suffix | Stanislav Laznicka | 2016-02-02 | 1 | -15/+29
  https://fedorahosted.org/freeipa/ticket/5411
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* fix standalone installation of externally signed CA on IPA master | Martin Babinsky | 2016-01-28 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/5636
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* logger: Use warning instead of warn | Tomas Babej | 2016-01-18 | 1 | -5/+5
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter | Martin Basti | 2016-01-18 | 2 | -0/+7
  ipactl is not aware of new services installed later, if ipactl restart or start has not been executed.
  This commit is workaround, proper fix may need to improve ipactl.
  https://fedorahosted.org/freeipa/ticket/5262
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Enable pylint unbalanced-tuple-unpacking check | Martin Basti | 2016-01-14 | 1 | -2/+1
  Enables check and fixes one issue.
  get_entries can be replaced by get_entry, filter is not needed because check of 'originfilter' attribute is done later.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-csreplica-manage: remove extraneous ldap2 connection | Martin Babinsky | 2016-01-13 | 1 | -2/+0
  https://fedorahosted.org/freeipa/ticket/5583
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enable pylint expression-not-assigned check | Martin Basti | 2015-12-23 | 1 | -1/+1
  Enables check and fixes:
  ************* Module ipa-replica-conncheck
  install/tools/ipa-replica-conncheck:150: [W0106(expression-not-assigned), parse_options] Expression "(replica_group.add_option('-w', '--password', dest='password', sensitive=True, help='Password for the principal'), )" is assigned to nothing)
  ************* Module ipatests.test_xmlrpc.test_automount_plugin
  ipatests/test_xmlrpc/test_automount_plugin.py:437: [W0106(expression-not-assigned), test_automount_indirect.test_1a_automountmap_add_indirect] Expression "api.Command['automountmap_add_indirect'](self.locname, self.mapname, **self.map_kw)['result']" is assigned to nothing)
  ************* Module ipatests.test_ipaserver.test_otptoken_import
  ipatests/test_ipaserver/test_otptoken_import.py:128: [W0106(expression-not-assigned), test_otptoken_import.test_mini] Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is assigned to nothing)
  ************* Module ipatests.test_ipaserver.test_ldap
  ipatests/test_ipaserver/test_ldap.py:221: [W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression "list(e) == []" is assigned to nothing)
  ************* Module ipa-client-install
  ipa-client/ipa-install/ipa-client-install:114: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-p', '--principal', dest='principal', help='principal to use to join the IPA realm'), )" is assigned to nothing)
  ipa-client/ipa-install/ipa-client-install:116: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-w', '--password', dest='password', sensitive=True, help='password to join the IPA realm (assumes bulk password unless principal is also set)'), )" is assigned to nothing)
  ipa-client/ipa-install/ipa-client-install:118: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to backed up keytab from previous enrollment'), )" is assigned to nothing)
  ipa-client/ipa-install/ipa-client-install:120: [W0106(expression-not-assigned), parse_options] Expression "(basic_group.add_option('-W', dest='prompt_password', action='store_true', default=False, help='Prompt for a password to join the IPA realm'), )" is assigned to nothing)
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove wildcard imports | Martin Basti | 2015-12-23 | 9 | -10/+22
  Wildcard imports should not be used.
  Check for wildcard imports has been enabled in pylint.
  Pylint note: options 'wildcard-import' causes too much false positive results, so instead I used 'unused-wildcard-import' option which has almost the same effect.
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>