summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/server
Commit message (Collapse)AuthorAgeFilesLines
...
* py3: Remove py3 incompatible exception handlingTomas Babej2016-01-131-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5585 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* fix Py3 incompatible exception instantiation in replica install codeMartin Babinsky2016-01-131-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5585 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* prevent crash of CA-less server upgrade due to absent certmongerMartin Babinsky2016-01-111-2/+28
| | | | | | | | | | | | | ipa-server-upgrade tests whether certmonger service is running before attempting to upgrade IPA master. This causes the upgrader to always fail when there is no CA installer and certmonger is not needed, effectively preventing CA-less IPA master to upgrade succefuly. This test is now skipped if CA is not enabled. https://fedorahosted.org/freeipa/ticket/5519 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix DNS zone overlap check to allow ipa-replica-install to workPetr Spacek2016-01-081-15/+19
| | | | | | https://fedorahosted.org/freeipa/ticket/5564 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-1/+1
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused importsMartin Basti2015-12-233-4/+2
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-dns-install: Do not check for zone overlap when DNS installed.David Kupka2015-12-222-3/+3
| | | | | | | | | | | When DNS is already installed somewhere in topology we should not check for zone overlap because it would always say that we are overlapping our own domain. ipa-replica-install already does that but ipa-dns-install did not. https://fedorahosted.org/freeipa/ticket/5564 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove unused code in server installer related to KRAMartin Basti2015-12-221-21/+3
| | | | | | The first instance of KRA system should be allowed to install only by ipa-kra-install. This commit removes TODO and unneeded parts in code. Reviewed-By: David Kupka <dkupka@redhat.com>
* installer: Fix logic of reading option values from cache.David Kupka2015-12-211-4/+3
| | | | | | | | | | Only options explicitly set must be stored before installer exits first step of external CA setup. When installer continues all stored option values must be restored. https://fedorahosted.org/freeipa/ticket/5556 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* installer: Propagate option values from components instead of copying them.David Kupka2015-12-211-31/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5556 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dns: Add --auto-reverse option.David Kupka2015-12-141-0/+14
| | | | | | | | Introducing '--auto-reverse' option. When specified reverse records for all server's IP addresses are checked and when record nor reverse zone does not exist reverse zone is created. Reviewed-By: Petr Spacek <pspacek@redhat.com>
* dns: Check if domain already exists.David Kupka2015-12-141-0/+19
| | | | | | | | | Raise an error when the domain already exists. This can be overriden using --force or --allow-zone-overlap options. https://fedorahosted.org/freeipa/ticket/3681 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* replica promotion: let ipa-client-install validate enrollment optionsJan Cholasta2015-12-141-9/+0
| | | | | | | | | ipa-client-install output is redirected to standard output, so let it print its own error message for missing options. https://fedorahosted.org/freeipa/ticket/5542 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* server install: redirect ipa-client-install output to standard outputJan Cholasta2015-12-142-16/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/5527 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica promotion: notify user about ignoring client enrollment optionsJan Cholasta2015-12-141-0/+6
| | | | | | | | | When IPA client is already installed, notify the user that the enrollment options are ignored in ipa-replica-install. https://fedorahosted.org/freeipa/ticket/5530 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Install RA cert during replica promotionMartin Basti2015-12-141-0/+8
| | | | | | | | This cert is needed with KRA to be able store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 Reviewed-By: David Kupka <dkupka@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-141-7/+6
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* prevent crashes of server uninstall check caused by failed LDAP connectionsMartin Babinsky2015-12-111-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica promotion: use host credentials for connection checkJan Cholasta2015-12-111-17/+8
| | | | | | | https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica install: add remote connection check over APIJan Cholasta2015-12-112-2/+5
| | | | | | | | | | Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob. https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-install prints incorrect error message when replica is already ↵Gabe2015-12-111-3/+12
| | | | | | | | | | installed https://fedorahosted.org/freeipa/ticket/5022 https://fedorahosted.org/freeipa/ticket/5320 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replicainstall: Make sure the enrollment state is preservedTomas Babej2015-12-111-0/+32
| | | | | | | | | | | | | | | During the promote_check phase, the subsequent checks after the machine is enrolled may cause the installation to abort, hence leaving it enrolled even though it might not have been prior to the execution of the ipa-replica-install command. Make sure that ipa-client-install --uninstall is called on the machine that has not been enrolled before in case of failure during the promote_check phase. https://fedorahosted.org/freeipa/ticket/5529 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: Add check for domain if server is specifiedTomas Babej2015-12-111-0/+6
| | | | | | | Avoids failing in the later stages during the ipa-client-install command. Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* server uninstall: ignore --ignore-topology-disconnect in domain level 0Jan Cholasta2015-12-111-5/+0
| | | | | | | | | Topology disconnect is always ignored in domain level 0, so the option can be safely ignored. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica promotion: check domain level before ipaservers membershipJan Cholasta2015-12-111-14/+14
| | | | | | | | | Check domain level before checking ipaservers membership to prevent "not found" error when attempting replica promotion in domain level 0. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica: Fix ipa-replica-install with replica file (domain level 0).David Kupka2015-12-101-4/+6
| | | | | | | | | | Attribute _ca_enabled is set in promote_check() and is not available in install(). When installing replica in domain level 0 we can determine existence of CA service based on existence of cacert.p12 file in provided replica-file. https://fedorahosted.org/freeipa/ticket/5531 Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* replica promotion: allow OTP bulk client enrollmentJan Cholasta2015-12-091-14/+31
| | | | | | https://fedorahosted.org/freeipa/ticket/5498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Force creation of services during replica installMartin Basti2015-12-071-1/+2
| | | | | | Missing A record should not prevent replica to be installed. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replicainstall: Admin password should not conflict with replica fileTomas Babej2015-12-071-1/+0
| | | | | | | | The --admin-password (-w) has its use both in domain level 0 and 1. https://fedorahosted.org/freeipa/ticket/5517 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica promotion: automatically add the local host to ipaserversJan Cholasta2015-12-071-2/+46
| | | | | | | | | | If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: use host credentials when setting up replicationJan Cholasta2015-12-071-11/+45
| | | | | | | | | | | Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica install: improvements in the handling of CA-related IPA config entriesMartin Babinsky2015-12-041-0/+7
| | | | | | | | | | | | When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-install support caless install with promotion.David Kupka2015-12-033-39/+193
| | | | | | https://fedorahosted.org/freeipa/ticket/5441 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* implement domain level 1 specific topology checks into IPA server uninstallerMartin Babinsky2015-12-021-27/+166
| | | | | | | | | | | | | When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: Add possiblity to install client in one commandTomas Babej2015-12-012-10/+86
| | | | | | https://fedorahosted.org/freeipa/ticket/5310 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove global variable dns_forwarders from ipaserver.install.dnsPetr Spacek2015-12-011-3/+2
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-dns-install offer IP addresses from resolv.conf as default forwardersPetr Spacek2015-12-013-6/+22
| | | | | | | | | In non-interactive more option --auto-forwarders can be used to do the same. --forward option can be used to supply additional IP addresses. https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* perform IPA client uninstallation as a last step of server uninstallMartin Babinsky2015-12-011-13/+13
| | | | | | | | | | | | With the ability to promote replicas from an enrolled client the uninstallation procedure has to be changed slightly. If the client-side components are not removed last during replica uninstallation, we can end up with leftover ipa default.conf preventing future client re-enrollment. https://fedorahosted.org/freeipa/ticket/5410 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica promotion: modify default.conf even if DS configuration failsMartin Babinsky2015-11-271-25/+30
| | | | | | | | | | | When we promote an IPA client to replica, we need to write master-like default.conf once we start configuring directory server instance. This way even if DS configuration fails for some reason the server uninstall code can work properly and clean up partially configured replica. https://fedorahosted.org/freeipa/ticket/5417 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-253-80/+115
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add profiles and default CA ACL on migrationFraser Tweedale2015-11-242-12/+4
| | | | | | | | | | | | | | | | | | | | Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert renewal: make renewal of ipaCert atomicJan Cholasta2015-11-191-2/+2
| | | | | | | | | This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com>
* Drop configure.jarMartin Basti2015-11-131-12/+0
| | | | | | | | | Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* remove an unneccesary check from IPA server uninstallerMartin Babinsky2015-11-121-7/+0
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Domain levels: use constants rather than hardcoded valuesMartin Basti2015-10-271-4/+4
| | | | | | | | | | | Added constants for domain levels DOMAIN_LEVEL_0 = 0 DOMAIN_LEVEL_1 = 1 This allows to search for domain level easier in code. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow to install the KRA on a promoted serverSimo Sorce2015-10-221-8/+21
| | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Warn if no installation found when running ipa-server-install --uninstallGabe2015-10-221-0/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/5341 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Rename option --dirsrv-config-mods to --dirsrv-config-fileMartin Basti2015-10-193-6/+6
| | | | | | | | | | | Option is renamed to be consistent with other options. Affected tickets: https://fedorahosted.org/freeipa/ticket/4949 https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add option to specify LDIF file that contains DS configuration changesMartin Basti2015-10-153-6/+23
| | | | | | | | | | | | | This allows to user modify configuration changes of the directory server instance during installation of DS https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make checks for existing credentials reusableSimo Sorce2015-10-151-73/+2
| | | | | | | move the in installutils so they can be reused by multiple scripts Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 21:36:24 +0000