freeipa.git/install/tools/ipa-ca-install, branch my-master FreeIPA patches Drop --selfsign server functionality 2013-04-15T20:56:12+00:00 Petr Viktorin pviktori@redhat.com 2013-03-27T13:25:18+00:00 e736e75ce9724ae8298a5b69d093313cd6e62b60 Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494 
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
Use A/AAAA records instead of CNAME records in ipa-ca. 2013-04-15T19:12:36+00:00 Jan Cholasta jcholast@redhat.com 2013-04-15T10:19:11+00:00 f684c6d6f8f8cde5689a92cf2b06914c3e3da34c https://fedorahosted.org/freeipa/ticket/3547 
https://fedorahosted.org/freeipa/ticket/3547
Add OCSP and CRL URIs to certificates 2012-12-07T16:00:17+00:00 Martin Kosek mkosek@redhat.com 2012-11-19T15:32:28+00:00 867f7691e9e8d4dc101d227ca56a94f9b947897f Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431 
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
Fix schema replication from old masters 2012-11-23T11:19:19+00:00 Petr Viktorin pviktori@redhat.com 2012-10-24T08:37:16+00:00 1d3ddeff54d91111d7f4f3042a22af76275ef361 The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213 
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
Changes to use a single database for dogtag and IPA 2012-11-23T11:19:19+00:00 Ade Lee alee@redhat.com 2012-09-20T03:35:42+00:00 18a210996dc47dbc9979e5ee0bb9f184c22eb173 New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances. 
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
Use Dogtag 10 only when it is available 2012-09-17T22:43:59+00:00 Petr Viktorin pviktori@redhat.com 2012-08-23T16:38:45+00:00 4f76c143d2f2036af02677469c542f563a10158d Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846 
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Modifications to install scripts for dogtag 10 2012-09-17T22:43:36+00:00 Ade Lee alee@redhat.com 2012-08-16T02:53:51+00:00 3dd31a875650c7fe7c67ca6b47f2058c1181dafb Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846 
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
Move install script error handling to a common function 2012-05-31T12:37:27+00:00 Petr Viktorin pviktori@redhat.com 2012-05-31T12:34:09+00:00 0ca29fac9af4cd437a8536f28ffd25923ec3f8cd All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071 
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.

Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.

https://fedorahosted.org/freeipa/ticket/2071
Remove duplicate and unused utility code 2012-05-09T09:54:20+00:00 Petr Viktorin pviktori@redhat.com 2012-04-18T15:22:35+00:00 f19218f7d87f5847d51f79b5d2850f90b0ae8407 IPA has some unused code from abandoned features (Radius, ipa 1.x user input, commant-line tab completion), as well as some duplicate utilities. This patch cleans up the utility modules. Duplicate code consolidated into ipapython.ipautil: {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix {ipaserver,ipapython}.ipautil.CIDict (with style improvements from the ipaserver version) {ipapython.entity,ipaserver.ipautil}.utf8_encode_value {ipapython.entity,ipaserver.ipautil}.utf8_encode_values ipalib.util.get_fqdn was removed in favor of the same function in ipaserver.install.installutils Removed unused code: ipalib.util: load_plugins_in_dir import_plugins_subpackage make_repr (was imported but unused; also removed from tests) ipapython.ipautil: format_list parse_key_value_pairs read_pairs_file read_items_file user_input_plain AttributeValueCompleter ItemCompleter ipaserver.ipautil: get_gsserror (a different version exists in ipapython.ipautil) ipaserver.ipautil ended up empty and is removed entirely. https://fedorahosted.org/freeipa/ticket/2650 
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging 2011-11-23T08:36:18+00:00 John Dennis jdennis@redhat.com 2011-11-15T19:39:31+00:00 56401c1abe7d4c78650acfcd9bbe8c8edc1dac57 change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level() 
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()