path: root/ipaserver/install/ipa_replica_prepare.py
Commit message | Author | Age | Files | Lines
* replica-prepare: do not add PTR records if there is no IPA managed reverse zone
  Author: Martin Babinsky | Age: 2016-04-19 | Files: 1 | Lines: -0/+5
  ipa-replica-prepare could crash during addition of replica's PTR records if there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone' returns an unhandled None. The code will now issue a warning and skip the PTR record addition in this case.
  https://fedorahosted.org/freeipa/ticket/5740
  Reviewed-By: Martin Basti <mbasti@redhat.com>
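One way the unhandled-None case can be handled, as an added Python example that is not FreeIPA's own code: a reverse-zone lookup that returns None when no managed zone covers the address, and a caller that reports a warning and skips the PTR record instead of crashing. The zone list and addresses below are constructed sample data, and the function names (`find_reverse_zone`, `plan_ptr_record`) are assumptions for the example, not the project's API.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample: reverse zones this IPA DNS server manages
# (example data, not taken from any real deployment).
MANAGED_REVERSE_ZONES = [
    "2.0.192.in-addr.arpa.",
    "8.b.d.0.1.0.0.2.ip6.arpa.",
]


def _canonical(zone: str) -> str:
    """Normalise a zone name to a lower-case, dot-terminated FQDN."""
    zone = zone.lower()
    return zone if zone.endswith(".") else zone + "."


def ptr_name(ip: str) -> str:
    """Fully qualified PTR owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def find_reverse_zone(ip: str, zones: Iterable[str]) -> Optional[str]:
    """Return the most specific managed reverse zone that contains the PTR
    name for `ip`, or None when no managed zone covers the address."""
    ptr = ptr_name(ip)
    best = None
    for zone in zones:
        z = _canonical(zone)
        if ptr.endswith("." + z) and (best is None or len(z) > len(best)):
            best = z
    return best


def plan_ptr_record(fqdn: str, ip: str, zones: Iterable[str]
                    ) -> Tuple[Optional[Tuple[str, str, str]], Optional[str]]:
    """Return ((zone, owner, target), None) when a PTR record can be added,
    or (None, warning) when it must be skipped because no managed reverse
    zone exists. The caller logs the warning; nothing is raised."""
    zone = find_reverse_zone(ip, zones)
    if zone is None:
        return None, (f"no IPA managed reverse zone for {ip}; "
                      f"skipping PTR record for {fqdn}")
    owner = ptr_name(ip)[:-(len(zone) + 1)]   # relative owner name inside the zone
    return (zone, owner, fqdn), None


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(plan_ptr_record("replica1.example.test.", addr, MANAGED_REVERSE_ZONES))
```

The longest-suffix match matters when a /16 and a /24 reverse zone are both managed; the lookup then places the record in the more specific zone rather than the first one listed.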
* logger: Use warning instead of warn
  Author: Tomas Babej | Age: 2016-01-18 | Files: 1 | Lines: -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
  Author: David Kupka | Age: 2016-01-11 | Files: 1 | Lines: -0/+5
  Option should be added to ipa-replica-prepare when it was added to ipa-{server,replica,dns}-install but was forgotten.
  https://fedorahosted.org/freeipa/ticket/5563
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Explicitly call chmod on newly created directories
  Author: Martin Basti | Age: 2015-12-14 | Files: 1 | Lines: -1/+2
  Without calling os.chmod(), umask is effective and may cause the directory to be created with permissions that cause a failure.
  This can be related to https://fedorahosted.org/freeipa/ticket/5520
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
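The umask effect described in this commit, as an added Python example (not FreeIPA's code): `os.mkdir(path, mode)` only requests `mode`, and the kernel clears whatever bits the process umask masks out, so an installer that needs a directory readable by a service group ends up with a narrower mode than it asked for. Calling `os.chmod()` afterwards sets the bits unconditionally. The function names and the 0o770 mode are choices made for the example.

```python
import os
import stat
import tempfile
from typing import Tuple


def mkdir_naive(path: str, mode: int) -> int:
    """Create `path` with the requested mode and return the mode actually
    set. The umask is applied by mkdir, so bits may silently be dropped."""
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_exact(path: str, mode: int) -> int:
    """Create `path` and then enforce `mode` with chmod, which is not
    subject to the umask. Return the mode actually set."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask: int = 0o077, wanted: int = 0o770) -> Tuple[int, int]:
    """Create both directories under a temporary umask and return
    (mode without chmod, mode with chmod)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = mkdir_naive(os.path.join(tmp, "naive"), wanted)
            exact = mkdir_exact(os.path.join(tmp, "exact"), wanted)
            return naive, exact
    finally:
        os.umask(old)   # restore the caller's umask even on error


if __name__ == "__main__":
    naive, exact = demo()
    print(f"umask 077, requested 0o770: mkdir alone -> {naive:#o}, mkdir+chmod -> {exact:#o}")
```

With a restrictive umask such as 077 (common in hardened shells and some automation), the naive call yields 0700 and the group-writable bits the service needs are gone; the explicit chmod restores exactly 0770. The same reasoning applies when the requested mode is tighter than the umask would give: chmod is what makes the mode deterministic either way.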
* install: drop support for Dogtag 9
  Author: Jan Cholasta | Age: 2015-11-25 | Files: 1 | Lines: -4/+3
  Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported.
  https://fedorahosted.org/freeipa/ticket/5197
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Drop configure.jar
  Author: Martin Basti | Age: 2015-11-13 | Files: 1 | Lines: -6/+0
  Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed.
  https://fedorahosted.org/freeipa/ticket/5144
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-replica-prepare: domain level check improvements
  Author: Martin Babinsky | Age: 2015-11-05 | Files: 1 | Lines: -4/+17
  ipa-replica-prepare command is disabled in non-zero domain-level. Instead of raising an exception with the whole message instructing the user to promote replicas from enrolled clients in level 1+ topologies, the exception itself contains only a brief informative message and the rest is logged at error level.
  https://fedorahosted.org/freeipa/ticket/5175
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Domain levels: use constants rather than hardcoded values
  Author: Martin Basti | Age: 2015-10-27 | Files: 1 | Lines: -4/+4
  Added constants for domain levels
    DOMAIN_LEVEL_0 = 0
    DOMAIN_LEVEL_1 = 1
  This allows to search for domain level easier in code.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* disable ipa-replica-prepare in non-zero IPA domain level
  Author: Martin Babinsky | Age: 2015-10-20 | Files: 1 | Lines: -1/+27
  the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas.
  https://fedorahosted.org/freeipa/ticket/5175
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.configparser instead of ConfigParser
  Author: Petr Viktorin | Age: 2015-10-07 | Files: 1 | Lines: -1/+1
  The module name was lowercased in Python 3.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use the print function
  Author: Petr Viktorin | Age: 2015-09-01 | Files: 1 | Lines: -1/+2
  In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well.
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clauses
  Author: Petr Viktorin | Age: 2015-08-12 | Files: 1 | Lines: -7/+7
  The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literals
  Author: Petr Viktorin | Age: 2015-07-31 | Files: 1 | Lines: -2/+2
  Use Python-3 compatible syntax, without breaking compatibility with py 2.7
  - Octal literals start with 0o to prevent confusion
  - The "L" at the end of large int literals is not required as they use long on Python 2 automatically.
  - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking, e.g. type(0).
  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-replica-prepare: Do not create DNS zone automatically.
  Author: David Kupka | Age: 2015-07-08 | Files: 1 | Lines: -5/+8
  When --ip-address is specified, check if the relevant DNS zone exists in the IPA managed DNS server, and exit with an error when it does not.
  https://fedorahosted.org/freeipa/ticket/5014
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAP
  Author: Jan Cholasta | Age: 2015-07-01 | Files: 1 | Lines: -2/+5
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_api
  Author: Jan Cholasta | Age: 2015-07-01 | Files: 1 | Lines: -1/+1
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Clarify error messages in ipa-replica-prepare: add_dns_records()
  Author: Petr Spacek | Age: 2015-06-18 | Files: 1 | Lines: -3/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify recommendation about --ip-address option in ipa-replica-prepare
  Author: Petr Spacek | Age: 2015-06-18 | Files: 1 | Lines: -2/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS install: extract DNS installer into one module
  Author: Martin Basti | Age: 2015-05-19 | Files: 1 | Lines: -0/+2
  This is required modification to be able move to new installers. DNS subsystem will be installed by functions in this module in each of ipa-server-install, ipa-dns-install, ipa-replica-install install scripts.
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move realm_to_serverid to installutils module
  Author: Martin Basti | Age: 2015-05-05 | Files: 1 | Lines: -1/+1
  To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance.
  Required for: https://fedorahosted.org/freeipa/ticket/4925
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use singular in help metavars + update man pages.
  Author: David Kupka | Age: 2014-11-26 | Files: 1 | Lines: -4/+4
  https://fedorahosted.org/freeipa/ticket/4695
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabled
  Author: Jan Cholasta | Age: 2014-10-17 | Files: 1 | Lines: -7/+8
  The check is done using a new hidden command ca_is_enabled.
  https://fedorahosted.org/freeipa/ticket/4621
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow choosing CA-less server certificates by name
  Author: Jan Cholasta | Age: 2014-09-30 | Files: 1 | Lines: -3/+15
  Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare and --cert-name option to ipa-server-certinstall. The options allow choosing a particular certificate and private key from PKCS#12 files by its friendly name.
  https://fedorahosted.org/freeipa/ticket/4489
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* CA-less installer options usability fixes
  Author: Jan Cholasta | Age: 2014-09-30 | Files: 1 | Lines: -63/+87
  The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have been replaced by --*-cert-file options which accept multiple files. ipa-server-certinstall now accepts multiple files as well. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
  The --root-ca-file option of ipa-server-install has been replaced by --ca-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
  The --*_pin options of ipa-server-install and ipa-replica-prepare have been renamed to --*-pin.
  https://fedorahosted.org/freeipa/ticket/4489
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Detect and configure all usable IP addresses.
  Author: David Kupka | Age: 2014-09-26 | Files: 1 | Lines: -39/+43
  Find, verify and configure all IP addresses that can be used to reach the server FreeIPA is being installed on. Ignore some IP address only if user specifies subset of detected addresses using --ip-address option.
  This change simplifies FreeIPA installation on multihomed and dual-stacked servers.
  https://fedorahosted.org/freeipa/ticket/3575
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-prepare: Wait for the DNS entry to be resolvable
  Author: Petr Viktorin | Age: 2014-09-25 | Files: 1 | Lines: -0/+53
  It takes some time after the DNS record is added until it propagates to Bind. In automated installations, it might happen that replica-install is attempted before the hostname is resolvable; in that case the connection check would fail.
  Wait for the name to be resolvable at the end of replica-prepare. Mention that this can be interrupted (Ctrl+C). Provide an option to skip the wait.
  In case DNS is not managed by IPA, this reminds the admin of the necessary configuration and checks their work, but it's possible to skip (either by interrupting it interactively, or by the option).
  https://fedorahosted.org/freeipa/ticket/4551
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
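The wait-until-resolvable step described above, as an added Python example that is not FreeIPA's code: a polling loop with a deadline, a skip option, and Ctrl+C treated as "stop waiting" rather than as a crash of the tool. The resolver, sleep and clock are injectable so the failure modes can be exercised offline; `scripted_resolver` is a constructed test double and the function names are assumptions for the example.

```python
import socket
import time
from typing import Callable, Iterable


def dns_resolver(name: str) -> bool:
    """True when `name` resolves through the system resolver (A or AAAA)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def wait_for_resolvable(name: str, *,
                        resolver: Callable[[str], bool] = dns_resolver,
                        timeout: float = 60.0, interval: float = 1.0,
                        skip: bool = False,
                        sleep: Callable[[float], None] = time.sleep,
                        clock: Callable[[], float] = time.monotonic) -> str:
    """Poll until `name` resolves and return one of 'resolved', 'skipped',
    'interrupted' or 'timeout'. A KeyboardInterrupt (Ctrl+C) ends the
    wait and is reported to the caller instead of aborting the tool, so
    an admin can choose to go on when DNS is managed elsewhere."""
    if skip:
        return "skipped"
    deadline = clock() + timeout
    try:
        while True:
            if resolver(name):
                return "resolved"
            if clock() >= deadline:
                return "timeout"
            sleep(interval)
    except KeyboardInterrupt:
        return "interrupted"


def scripted_resolver(answers: Iterable) -> Callable[[str], bool]:
    """Constructed test double: replays a script of True/False answers in
    order; the string 'ctrl-c' simulates the admin pressing Ctrl+C."""
    script = list(answers)

    def resolve(_name: str) -> bool:
        step = script.pop(0)
        if step == "ctrl-c":
            raise KeyboardInterrupt
        return bool(step)

    return resolve


if __name__ == "__main__":
    # Propagation delay: two negative answers, then the record appears.
    print(wait_for_resolvable("replica1.example.test",
                              resolver=scripted_resolver([False, False, True]),
                              sleep=lambda _s: None))
```

A caller should treat 'timeout' and 'interrupted' differently from 'resolved': the first two mean the subsequent connection check may still fail, which is worth printing before the tool exits.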
* install: create ff krb extension on every install, replica install and upgrade
  Author: Petr Vobornik | Age: 2014-09-11 | Files: 1 | Lines: -3/+0
  We don't want to copy the extension from master to replica because the replica may use newer version of FreeIPA and therefore the extension code might be obsolete. Same reason for upgrades.
  https://fedorahosted.org/freeipa/ticket/4478
  Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Make CA-less ipa-server-install option --root-ca-file optional.
  Author: Jan Cholasta | Age: 2014-09-05 | Files: 1 | Lines: -3/+11
  The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present.
  Document --root-ca-file in ipa-server-install man page.
  https://fedorahosted.org/freeipa/ticket/4457
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPA
  Author: Ade Lee | Age: 2014-08-22 | Files: 1 | Lines: -0/+1
  This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured.
  The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also configured to monitor the new subsystem certificates.
  To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided.
  The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems.
  The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required.
  Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
  The uninstallation option in ipa-kra-install is temporarily disabled.
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths module
  Author: Tomas Babej | Age: 2014-06-16 | Files: 1 | Lines: -11/+12
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.
  Author: Jan Cholasta | Age: 2014-03-25 | Files: 1 | Lines: -2/+3
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Clarify error message about missing DNS component in ipa-replica-prepare.
  Author: Petr Spacek | Age: 2014-02-21 | Files: 1 | Lines: -2/+5
  https://fedorahosted.org/freeipa/ticket/4188
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert remaining installer code to LDAPEntry API.
  Author: Jan Cholasta | Age: 2014-01-24 | Files: 1 | Lines: -1/+1
* Allow PKCS#12 files with empty password in install tools.
  Author: Jan Cholasta | Age: 2013-10-04 | Files: 1 | Lines: -4/+4
  https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.
  Author: Jan Cholasta | Age: 2013-10-04 | Files: 1 | Lines: -2/+1
  This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password.
  https://fedorahosted.org/freeipa/ticket/3897
* Remove redundant shebangs
  Author: Tomas Babej | Age: 2013-08-26 | Files: 1 | Lines: -1/+0
  Remove redundant shebangs from files that are not used as scripts.
  https://fedorahosted.org/freeipa/ticket/3853
* Ask for PKCS#12 password interactively in ipa-replica-prepare.
  Author: Jan Cholasta | Age: 2013-07-24 | Files: 1 | Lines: -15/+34
  https://fedorahosted.org/freeipa/ticket/3717
* Make sure replication works after DM password is changed
  Author: Ana Krivokapic | Age: 2013-07-11 | Files: 1 | Lines: -0/+36
  Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails.
  To prevent this failure, add the following steps to ipa-replica-prepare:
  1. Regenerate the `cacert.p12` file and protect it with the current DM password
  2. Update the password of the PKI admin user with the current DM password
  https://fedorahosted.org/freeipa/ticket/3594
* Create Firefox configuration extension on CA-less install
  Author: Petr Vobornik | Age: 2013-06-27 | Files: 1 | Lines: -2/+3
  Create:
  * kerberosauth.xpi
  * krb.js
  even when --http_pkcs12 option is used.
  https://fedorahosted.org/freeipa/ticket/3747
* Drop --selfsign server functionality
  Author: Petr Viktorin | Age: 2013-04-15 | Files: 1 | Lines: -25/+11
  Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
  Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Load the CA cert into server NSS databases
  Author: Petr Viktorin | Age: 2013-04-02 | Files: 1 | Lines: -1/+1
  The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CA
  Author: Petr Viktorin | Age: 2013-04-02 | Files: 1 | Lines: -6/+22
  Design: http://freeipa.org/page/V3/CA-less_install
  https://fedorahosted.org/freeipa/ticket/3363
* Port ipa-replica-prepare to the admintool framework
  Author: Petr Viktorin | Age: 2013-02-01 | Files: 1 | Lines: -0/+504
  Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files.
  Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output)
  Part of: https://fedorahosted.org/freeipa/ticket/2652
  Fixes: https://fedorahosted.org/freeipa/ticket/3285