freeipa.git/ipalib/install, branch webui_isolate FreeIPA patches Use Anonymous user to obtain FAST armor ccache 2017-02-14T22:36:58+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 399ab5b87a6d983bd5e3882d0660b81942c184e4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
cryptography has deprecated serial in favor of serial_number 2017-02-10T15:16:44+00:00 Christian Heimes cheimes@redhat.com 2017-02-10T13:20:22+00:00 3d9bec2e879d60e6bb7b2602084d3314765a6283 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Clarify meaning of --domain and --realm in installers 2017-01-05T08:47:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-02T12:22:07+00:00 25a6ddcce8e7b9effaf19431c421dc5b3497fa22 Man pages need bigger overhaul. Take this as hot-fix for FAQ. https://fedorahosted.org/freeipa/ticket/6574 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Configure Anonymous PKINIT on server install 2016-12-12T12:39:44+00:00 Simo Sorce simo@redhat.com 2016-07-26T15:19:01+00:00 ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server install: fix external CA install 2016-12-08T11:08:49+00:00 Jan Cholasta jcholast@redhat.com 2016-11-30T12:55:38+00:00 4fff09978eab520d130d87c0112b5caac907e651 Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Increase the timeout waiting for certificate issuance in installer 2016-12-07T15:53:27+00:00 Florence Blanc-Renaud flo@redhat.com 2016-11-30T15:34:16+00:00 9e3c17c6ded868b4261aa76137c703a4fb866578 During the server installation, the installer requests certificates through certmonger. The current timeout is 60s and is too low. Increase this timeout to api.env.startup_timeout as done in ipa_cacert_manage or ipa_certupdate.py (the code checks the status each 5s up to the timeout value). https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Check the result of cert request in replica installer 2016-11-30T15:33:54+00:00 Florence Blanc-Renaud flo@redhat.com 2016-11-29T20:15:29+00:00 dbb98765d73519289ee22f3de1a5ccde140f6f5d When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipalib: move certstore to the install subpackage 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-23T14:40:21+00:00 a2c58889735c794cd1e93331c755b6f9ba273773 The certstore module depends on ipaplatform. Move it to ipalib.install, as it is used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipautil: move kinit functions to ipalib.install 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-23T16:40:47+00:00 7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipapython: move certmonger and sysrestore to ipalib.install 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-23T14:04:40+00:00 26c46a447f82b4cf37a5076b72cf6328857d5f35 The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>