summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove dangling RUVs even if replicas are offlineStanislav Laznicka2016-06-031-0/+1
| | | | | | | | | | | Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5. https://fedorahosted.org/freeipa/ticket/5396 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-032-3/+3
| | | | | | | | | | Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Deprecated the domain-level option in ipa-server-installStanislav Laznicka2016-06-021-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5907 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix: topologysuffix_find doesn't have no_members optionMartin Basti2016-06-021-1/+1
| | | | | | | | | Remove no_members=False from because topologysuffix_attribute doesn't have no_members option, and this causes errors in replication.py https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Performance: Find commands: do not process members by defaultMartin Basti2016-05-312-2/+4
| | | | | | | | | | | | | | | | In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNS upgrade: change global forwarding policy in named.conf to "only" if ↵Petr Spacek2016-05-303-3/+57
| | | | | | | | | | | | | private IPs are used This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This upgrade has to be done on each IPA DNS server independently. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: change global forwarding policy in LDAP to "only" if private ↵Petr Spacek2016-05-301-0/+16
| | | | | | | | | | | | | | IPs are used This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: change forwarding policy to = only for conflicting forward zonesPetr Spacek2016-05-301-0/+78
| | | | | | | | | | | | This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders too (in LDAP and in named.conf on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS upgrade: separate backup logic to make it reusablePetr Spacek2016-05-301-72/+73
| | | | | | https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add ipaDNSVersion option to dnsconfig* commands and use new attributePetr Spacek2016-05-301-17/+60
| | | | | | | | | | | | | | | | | | | | Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and ipaConfigString was bad idea from the very beginning as it was hard to manipulate the number in it. To avoid problems in future we are introducing new ipaDNSVersion attribute which is used on cn=dns instead of ipaConfigString. Original value of ipaConfigString is kept in the tree for now so older upgraders see it and do not execute the upgrade procedure again. The attribute can be changed only by installer/upgrade so it is not exposed in dnsconfig_mod API. Command dnsconfig_show displays it only if --all option was used. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move IP address resolution from ipaserver.install.installutils to ↵Petr Spacek2016-05-302-25/+17
| | | | | | | | | | | ipapython.dnsutil This is to make it reusable from other modules and to avoid future code duplication. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use root_logger for verify_host_resolvable()Petr Spacek2016-05-301-1/+1
| | | | | | | | | | After discussion with Martin Basti we decided to standardize on root_logger with hope that one day we will use root_logger.getLogger('module') to make logging prettier and tunable per module. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutilPetr Spacek2016-05-303-6/+7
| | | | | | | | | This is preparatory work to avoid (future) cyclic import between ipapython.dnsutil and ipapython.ipautil. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade: always start CAMartin Basti2016-05-251-0/+11
| | | | | | | | | | | Some CA upgrade steps in upgrader requires running CA. We have to always start CA and wait for running status using http, because systemd may return false positive result that CA is running even if CA is just starting and unable to serve. https://fedorahosted.org/freeipa/ticket/5868 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib, ipaserver: migrate all plugins to Registry-based registrationJan Cholasta2016-05-2512-47/+60
| | | | | | | | Do not use the deprecated API.register method. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* replica install: do not set CA renewal master flagJan Cholasta2016-05-243-4/+28
| | | | | | | | | | | | | The CA renewal master flag was uncoditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Incorrect message when KRA already installedPatrice Duc-Jacquet2016-05-201-0/+5
| | | | | | | | | | | | | | | | | When trying to install a second time KRA, in case domain-level=0 the error lessage is not correct. It mentions : "ipa-kra-install: error: A replica file is required." Note that this behavior is not observed if domain-level=1 The subject of the fix consist in checking that KRA is not already installed before going ahead in the installation process. Tests done: I have made the following tests in bot domain-level=0 and domain-level=1 : - Install KRA (check it is correctly installed), - Install KRA a second time (check that the correct error message is raised) - uninstall KRA (check that it is correctly uninstalled) - Install KRA again (check that it is correctly installed) Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Detect and repair incorrect caIPAserviceCert configFraser Tweedale2016-05-192-3/+49
| | | | | | | | | | | A regression caused replica installation to replace the FreeIPA version of caIPAserviceCert with the version shipped by Dogtag. During upgrade, detect and repair occurrences of this problem. Part of: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Prevent replica install from overwriting cert profilesFraser Tweedale2016-05-191-6/+12
| | | | | | | | | | | | | | An earlier change that unconditionally triggers import of file-based profiles to LDAP during server or replica install results in replicas overwriting FreeIPA-managed profiles with profiles of the same name shipped with Dogtag. ('caIPAserviceCert' is the affected profile). Avoid this situation by never overwriting existing profiles during the LDAP import. Fixes: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Replaced find_hostname with api.env.hostAbhijeet Kasurde2016-05-101-21/+1
| | | | | | | Fixes: https://fedorahosted.org/freeipa/ticket/5841 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix remaining relative import and enable Pylint checkPetr Viktorin2016-05-101-1/+1
| | | | | | | | Relative imports are not supported in Python 3. Part of the work for: https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS: Fix upgrade - master to forward zone transformationPetr Spacek2016-05-101-1/+3
| | | | | | | | | | | | | | | This happens when upgrading from IPA <= 4.0 to versions 4.3+. DNS caching might cause false positive in code which replaces master zone with forward zone. This will effectivelly delete the master zone without adding a replacement forward zone. Solution is to use skip_overlap_check option for dnsforwardzone_add command so zone existence check is skipped and the upgrade can proceed. https://fedorahosted.org/freeipa/ticket/5851 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Auto-detect default value for --forward-policy option in installersPetr Spacek2016-04-282-1/+12
| | | | | | | | | | | | | Forward policy defaults to 'first' if no IP address belonging to a private or reserved ranges is detected on local interfaces (RFC 6303). Defaults to only if a private IP address is detected. This prevents problems with BIND automatic empty zones because conflicting zones cannot be disabled unless forwarding policy == only. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Extend installers with --forward-policy optionPetr Spacek2016-04-284-6/+19
| | | | | | | | | This option specified forward policy for global forwarders. The value is put inside /etc/named.conf. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused hostname variablesMartin Basti2016-04-261-3/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Always set hostnameMartin Basti2016-04-261-17/+6
| | | | | | | | | | | This prevents cases when hostname on system is set inconsistently (transient and static hostname differs) and may cause IPA errors. This commit ensures that all hostnames are set properly. https://fedorahosted.org/freeipa/ticket/5794 Reviewed-By: David Kupka <dkupka@redhat.com>
* Configure httpd service from installer instead of directly from RPMMartin Basti2016-04-222-0/+11
| | | | | | | | | | | | | | File httpd.service was created by RPM, what causes that httpd service may fail due IPA specific configuration even if IPA wasn't installed or was uninstalled (without erasing RPMs). With this patch httpd service is configured by httpd.d/ipa.conf during IPA installation and this config is removed by uninstaller, so no residual http configuration related to IPA should stay there. https://fedorahosted.org/freeipa/ticket/5681 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replica-prepare: do not add PTR records if there is no IPA managed reverse zoneMartin Babinsky2016-04-191-0/+5
| | | | | | | | | | | ipa-replica-prepare could crash during addition of replica's PTR records if there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone' returns an unhandled None. The code will now issue a warning and skip the PTR record addition in this case. https://fedorahosted.org/freeipa/ticket/5740 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Look up HTTPD_USER's UID and GID during installation.David Kupka2016-03-231-1/+5
| | | | | | | | | Those values differ among distributions and there is no guarantee that they're reserved. It's better to look them up based on HTTPD_USER's name. https://fedorahosted.org/freeipa/ticket/5712 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix kdc.conf.template to use ipaplatform.paths.Timo Aaltonen2016-03-231-1/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use ODS_USER/ODS_GROUP in opendnssec_conf.templateTimo Aaltonen2016-03-231-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.Timo Aaltonen2016-03-237-18/+20
| | | | | | | | | Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa_restore: Import only FQDN from ipalib.constantsTimo Aaltonen2016-03-231-4/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move user/group constants for PKI and DS into ipaplatformChristian Heimes2016-03-228-29/+35
| | | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Pylint: import max one module per lineMartin Basti2016-03-221-1/+2
| | | | | Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: enable reimported checkMartin Basti2016-03-222-3/+1
| | | | | | | Fixes current reimports and enables pylint check for them Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: fix definition of global variablesMartin Basti2016-03-221-0/+3
| | | | | | | | | | Global variables should be defined in the outer space, not just marked as global inside functions. Removes unused global variables Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-227-11/+11
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Remove redundant parameters from CS.cfg in dogtaginstanceMartin Basti2016-03-161-8/+0
| | | | | | | | | | Bind DN is not used for client certificate authentication so they can be safely removed. https://fedorahosted.org/freeipa/ticket/5298 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure 389ds with "default" cipher suiteMartin Basti2016-03-091-2/+2
| | | | | | | | | nsSSLCiphers: "default" provides only secure ciphers that should be used when connecting to DS https://fedorahosted.org/freeipa/ticket/5684 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* adtrustinstance: Make sure smb.conf existsTomas Babej2016-03-031-0/+5
| | | | | | | | | | The 'net' command fails unless smb.conf exists. Touch the file prior to any 'net' call to make sure we do not crash for this very reason. https://fedorahosted.org/freeipa/ticket/5687 Reviewed-By: Martin Basti <mbasti@redhat.com>
* configure DNA plugin shared config entries to allow connection with GSSAPIThierry Bordaz2016-03-024-0/+117
| | | | | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/4026 When a replica needs to extend its DNA range, it selects the remote replica with the larger available range. If there is no replica agreement to that remote replica, the shared config entry needs to contain the connection method/protocol. This fix requires 389-ds * https://fedorahosted.org/389/ticket/47779 * https://fedorahosted.org/389/ticket/48362 That are both fixed in 1.3.4.6 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* pylint: supress false positive no-member errorsMartin Basti2016-03-024-6/+14
| | | | | | | | | pylint 1.5 prints many false positive no-member errors which are supressed by this commit. https://fedorahosted.org/freeipa/ticket/5615 Reviewed-By: David Kupka <dkupka@redhat.com>
* fix incorrect name of ipa-winsync-migrate command in helpPetr Vobornik2016-03-021-3/+3
| | | | | | | | Help and status text used incorrect name "ipa-migrate-winsync" https://fedorahosted.org/freeipa/ticket/5713 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix connections to DS during installationMartin Basti2016-03-021-0/+6
| | | | | | | | | Regression caused by commit 9818e463f5d0a91b300801ee7c8f31f25de402b2, admin_conn should be connected in method if there is no connection. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* use LDAPS during standalone CA/KRA subsystem deploymentMartin Babinsky2016-03-013-0/+11
| | | | | | | | | | The deployment descriptor used during CA/KRA install was modified to use LDAPS to communicate with DS backend. This will enable standalone CA/KRA installation on top of hardened directory server configuration. https://fedorahosted.org/freeipa/ticket/5570 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: Allow dash in the NETBIOS nameTomas Babej2016-02-291-6/+12
| | | | Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make PTR records check optional for IPA installationMartin Basti2016-02-291-8/+9
| | | | | | | | | PTR records are not mandratory for IPA, result fo checks should be only warning not hard error. https://fedorahosted.org/freeipa/ticket/5686 Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* Move freeipa certmonger helpers to libexecdir.Timo Aaltonen2016-02-262-11/+3
| | | | | | | | | | | The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also cause trouble on Debian). https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: David Kupka <dkupka@redhat.com>
* httpinstance: add start_tracking_certificates methodDavid Kupka2016-02-262-4/+20
| | | | | | | | Configure certmonger to start tracking certificate for httpd. https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-31 11:32:05 +0000