freeipa.git/ipaserver/install/plugins, branch coverity FreeIPA patches DNS install: Ensure that DNS servers container exists 2016-07-15T12:13:32+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-14T15:14:59+00:00 37bfd1fdde8906b2b5712d1f99f3f4be8f91ca0a during DNS installation it is assumed that the cn=servers,cn=dns container is always present in LDAP backend when migrating DNS server info to LDAP. This may not always be the case (e.g. when a new replica is set up against older master) so the code must take additional steps to ensure this container is present. https://fedorahosted.org/freeipa/ticket/6083 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.

This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.

https://fedorahosted.org/freeipa/ticket/6083

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DNS Locations: dnsserver: put server_id option into named.conf 2016-06-17T13:22:24+00:00 Martin Basti mbasti@redhat.com 2016-06-13T18:41:24+00:00 52590d6fa581e3b53e2c9350dc307a1f360c40a3 The option server_id is required for DNS location feature, otherwise it will not work. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The option server_id is required for DNS location feature, otherwise it
will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipalib: move server-side plugins to ipaserver 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-04-28T08:30:05+00:00 6e44557b601f769d23ee74555a72e8b5cc62c0c9 Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used 2016-05-30T18:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-04-28T20:19:03+00:00 6eb00561c0f85085d86f7be936b632ba017fc4f1 This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This upgrade has to be done on each IPA DNS server independently. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This upgrade has to be done on each IPA DNS server independently.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used 2016-05-30T18:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-04-27T13:24:01+00:00 e45a80308c947a58c0fb5266d75eedc1d9aef321 This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNS upgrade: change forwarding policy to = only for conflicting forward zones 2016-05-30T18:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-04-27T12:44:17+00:00 f750d42b6f2d7f792ce56b6832d2bd1ae1f333a0 This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders too (in LDAP and in named.conf on each server). https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNS upgrade: separate backup logic to make it reusable 2016-05-30T18:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-04-27T10:49:23+00:00 a4da9a23788d9f09f562c12d80353fca42f73441 https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
Add ipaDNSVersion option to dnsconfig* commands and use new attribute 2016-05-30T18:14:32+00:00 Petr Spacek pspacek@redhat.com 2016-04-25T12:07:16+00:00 321a2ba9185e4a21d5b2f9949cd3bec32a1fd60a Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and ipaConfigString was bad idea from the very beginning as it was hard to manipulate the number in it. To avoid problems in future we are introducing new ipaDNSVersion attribute which is used on cn=dns instead of ipaConfigString. Original value of ipaConfigString is kept in the tree for now so older upgraders see it and do not execute the upgrade procedure again. The attribute can be changed only by installer/upgrade so it is not exposed in dnsconfig_mod API. Command dnsconfig_show displays it only if --all option was used. https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.

To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.

The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.

Command dnsconfig_show displays it only if --all option was used.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipalib, ipaserver: migrate all plugins to Registry-based registration 2016-05-25T14:06:26+00:00 Jan Cholasta jcholast@redhat.com 2016-03-03T14:12:19+00:00 bed546ee8220992084520737320a646dc47ec1e3 Do not use the deprecated API.register method. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Do not use the deprecated API.register method.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
replica install: do not set CA renewal master flag 2016-05-24T12:54:01+00:00 Jan Cholasta jcholast@redhat.com 2016-05-23T14:18:02+00:00 dea924ac8a04c923d96e04c4c40e253ae1ee857c The CA renewal master flag was uncoditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
The CA renewal master flag was uncoditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.

Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.

https://fedorahosted.org/freeipa/ticket/5902

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>