freeipa.git/ipa-client/ipa-install, branch webui-cleanup FreeIPA patches Retrieve the CA certificate before starting enrollment. 2010-06-21T13:52:15+00:00 Rob Crittenden rcritten@redhat.com 2010-06-11T15:02:29+00:00 4ca95a0cbfa5bb50d90cda496db6558ba3d5544e We need the CA certificate so we can use SSL when binding with a one-time password (bulk enrollment) 
We need the CA certificate so we can use SSL when binding with a
one-time password (bulk enrollment)
Remove Requires on separate package python-krbV in client 2010-06-02T18:41:16+00:00 Rob Crittenden rcritten@redhat.com 2010-06-01T18:24:37+00:00 dbd1f501114f9ace96fc4c9b1a2308202f4e646a We need the configured kerberos realm so we can clean up /etc/krb5.keytab. We have this already in /etc/ipa/default.conf so use that instead of requiring a whole other python package to do it. 
We need the configured kerberos realm so we can clean up /etc/krb5.keytab.
We have this already in /etc/ipa/default.conf so use that instead of
requiring a whole other python package to do it.
Check to see if we are configured before uninstalling. 2010-05-07T16:02:12+00:00 Rob Crittenden rcritten@redhat.com 2010-05-07T02:13:41+00:00 2876bd11dd2e2fc4fa25769d8df9407bf11689cd Allow the --force flag to override on both install and uninstall 
Allow the --force flag to override on both install and uninstall
Add simple test to see if client is already configured 2010-05-06T21:17:16+00:00 Rob Crittenden rcritten@redhat.com 2010-05-06T20:41:59+00:00 3bf7268d749f869d1d238caf2ee9a6c28ed40280 If this ever gets out of sync the user can always remove /var/lib/ipa-client/sysrestore/*, they just need to understand the implications. One potential problem is with certmonger. If you install the client and then re-install without uninstalling then the subsequent certificate request by certmonger will fail because it will already be tracking a certificate in /etc/pki/nssdb of the same nickname and subject (the old cert). 
If this ever gets out of sync the user can always remove
/var/lib/ipa-client/sysrestore/*, they just need to understand the
implications.

One potential problem is with certmonger. If you install the client
and then re-install without uninstalling then the subsequent
certificate request by certmonger will fail because it will already
be tracking a certificate in /etc/pki/nssdb of the same nickname and
subject (the old cert).
Make calling service and chkconfig tolerant of the service not installed 2010-05-06T20:47:25+00:00 Rob Crittenden rcritten@redhat.com 2010-05-06T19:35:20+00:00 cd5eddd843cc36b1fa6444996fc1ff1ce7a1e22b For example, if nscd is not installed this would throw lots of errors about not being able to disable it, stop it, etc. 
For example, if nscd is not installed this would throw lots of errors about
not being able to disable it, stop it, etc.
Call certmonger after krb5, avoid uninstall errors, better password handling. 2010-05-06T15:05:30+00:00 Rob Crittenden rcritten@redhat.com 2010-05-05T18:52:39+00:00 83cb7e75b8d6ff031f2f731b0b194fc562ad56b0 - Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode 
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
Make the installer/uninstaller more aware of its state 2010-05-03T19:41:18+00:00 Rob Crittenden rcritten@redhat.com 2010-05-03T19:21:51+00:00 04e9056ec2b6e0360f3f3545fd638ecc17aaad2c We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients 
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
client installation fixes: nscd, sssd min version, bogus join error 2010-05-03T19:40:14+00:00 Rob Crittenden rcritten@redhat.com 2010-05-03T19:15:43+00:00 cef30893ecc7aa7b6cdcef0092b5ba4245af20a2 - Don't run nscd if using sssd, the caching of nscd conflicts with sssd - Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes - only try to read the file configuration if the server isn't passed in 
- Don't run nscd if using sssd, the caching of nscd conflicts with sssd
- Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
- only try to read the file configuration if the server isn't passed in
Reorder some things in the client installer 2010-05-03T19:33:08+00:00 Rob Crittenden rcritten@redhat.com 2010-04-16T21:36:55+00:00 244870932cecb11791cdbe27e46c0973589e9929 - Fetch the CA cert before running certmonger - Delete entries from the keytab before removing /etc/krb5.conf - Add and remove the IPA CA to /etc/pki/nssdb 
- Fetch the CA cert before running certmonger
- Delete entries from the keytab before removing /etc/krb5.conf
- Add and remove the IPA CA to /etc/pki/nssdb
Use the certificate subject base in IPA when requesting certs in certmonger. 2010-04-23T10:57:40+00:00 Rob Crittenden rcritten@redhat.com 2010-04-05T20:27:46+00:00 1d635090cbd68b6bec9ce57a2fbfd9ff1b91f908 When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value. The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA. This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing. Note that this also fixes ipa-join to work with the new argument passing mechanism. 
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.