freeipa.git/install, branch pwdpolicy FreeIPA patches Remove deprecated ipa-upgradeconfig command 2017-01-24T08:51:39+00:00 Abhijeet Kasurde akasurde@redhat.com 2017-01-24T07:15:15+00:00 c56e02b3c5257edbfd3709848ca7eda07e271e38 Fixes https://fedorahosted.org/freeipa/ticket/6620 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Coverity: removed useless semicolon which ends statement earlier 2017-01-18T08:15:54+00:00 Pavel Vomacka pvomacka@redhat.com 2017-01-11T16:14:01+00:00 9d2ef64fb9e1357dc4a3cde8d93c796daefd2f6e Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Coverity: Fix possibility of access to attribute of undefined 2017-01-18T08:15:54+00:00 Pavel Vomacka pvomacka@redhat.com 2017-01-11T16:13:19+00:00 a69c4448c58b2438952fd806e2515eea7575b27b Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
renew agent: handle non-replicated certificates 2017-01-16T13:37:25+00:00 Jan Cholasta jcholast@redhat.com 2017-01-06T09:45:38+00:00 d5af11f65cc2a2d6860579a63a173b67cb12bcf3 In addition to replicated certificates (Dogtag certificates, RA certificate), handle non-replicated certificates in dogtag-ipa-ca-renew-agent as well. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add sanity checks for use of --ca-subject and --subject-base 2017-01-11T14:28:50+00:00 Fraser Tweedale ftweedal@redhat.com 2016-12-20T10:21:10+00:00 0c95a00147b1dd508736dacc847873ddddafb504 Print an error and terminate if --ca-subject or --subject-base are used when installing a CA-less master or when performing standalone installation of a CA replica. Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Indicate that ca subject / subject base uses LDAP RDN order 2017-01-11T14:27:55+00:00 Fraser Tweedale ftweedal@redhat.com 2016-11-16T23:26:02+00:00 3f5660973251fe4b178e6486b6b86fbdd162d4d6 Update man pages and help output to indicate that --subject-base and --ca-subject options interpret their arguments in LDAP order. Fixes: https://fedorahosted.org/freeipa/ticket/6455 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.

Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow full customisability of IPA CA subject DN 2017-01-11T14:26:20+00:00 Fraser Tweedale ftweedal@redhat.com 2016-11-16T10:49:36+00:00 3d01ec14c6e36fa962d0c54b2e08df0ecd401bd6 Currently only the "subject base" of the IPA CA subject DN can be customised, via the installer's --subject-base option. The RDN "CN=Certificate Authority" is appended to form the subject DN, and this composition is widely assumed. Some administrators need more control over the CA subject DN, especially to satisfy expectations of external CAs when the IPA CA is to be externally signed. This patch adds full customisability of the CA subject DN. Specifically: - Add the --ca-subject option for specifying the full IPA CA subject DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE". - ipa-ca-install, when installing a CA in a previous CA-less topology, updates DS certmap.conf with the new new CA subject DN. - DsInstance.find_subject_base no longer looks in certmap.conf, because the CA subject DN can be unrelated to the subject base. Fixes: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
dsinstance: extract function for writing certmap.conf 2017-01-11T14:26:20+00:00 Fraser Tweedale ftweedal@redhat.com 2016-12-14T03:23:11+00:00 f54df62abae4a15064bf297634558eb9be83ce33 For full customisability of the IPA CA subject DN, we will need the ability to update DS `certmap.conf' when upgrading a deployment from CA-less to CA-ful. Extract the existing behaviour, which is private to DsInstance, to the `write_certmap_conf' top-level function. Also update `certmap.conf.template' for substition of the whole CA subject DN (not just the subject base). Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.

Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.

Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-ca-install: add missing --subject-base option 2017-01-11T14:26:20+00:00 Fraser Tweedale ftweedal@redhat.com 2016-11-30T06:26:15+00:00 46bf0e89ae054b34adc66d08f205a5155e6f3fd6 Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
installer: rename --subject to --subject-base 2017-01-11T14:26:20+00:00 Fraser Tweedale ftweedal@redhat.com 2016-11-16T09:59:58+00:00 c6db493b06320455a2366945911939a605df2a73 The --subject option is actually used to provide the "subject base". We are also going to add an option for fully specifying the IPA CA subject DN in a subsequent commit. So to avoid confusion, rename --subject to --subject-base, retaining --subject as a deprecated alias. Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>