freeipa.git/ipaserver/install/server, branch ipasam_getkeytab FreeIPA patches implement domain level 1 specific topology checks into IPA server uninstaller 2015-12-02T13:10:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-19T16:58:44+00:00 b8c619a7139bd7b65caa03b68431e22791ff19bf When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
When uninstalling domain level 1 master its removal from topology is checked
on remote masters. The uninstaller also checks whether the uninstallation
disconnects the topology and if yes aborts the procedure. The
'--ignore-disconnected-topology' options skips this check.

https://fedorahosted.org/freeipa/ticket/5377
https://fedorahosted.org/freeipa/ticket/5409

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
replicainstall: Add possiblity to install client in one command 2015-12-01T15:33:13+00:00 Tomas Babej tbabej@redhat.com 2015-11-23T11:46:15+00:00 034e76062fd897dc67b5a395735a5471257bfc8b https://fedorahosted.org/freeipa/ticket/5310 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5310

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove global variable dns_forwarders from ipaserver.install.dns 2015-12-01T09:19:25+00:00 Petr Spacek pspacek@redhat.com 2015-11-10T15:53:10+00:00 8f5f0d6edd25d2ca747c0477366fb392a26390f2 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-dns-install offer IP addresses from resolv.conf as default forwarders 2015-12-01T09:19:25+00:00 Petr Spacek pspacek@redhat.com 2015-11-10T10:22:43+00:00 45d9d4e8ae524cdc91effc05ce3fe1c06cfb750e In non-interactive more option --auto-forwarders can be used to do the same. --forward option can be used to supply additional IP addresses. https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In non-interactive more option --auto-forwarders can be used to do the
same. --forward option can be used to supply additional IP addresses.

https://fedorahosted.org/freeipa/ticket/5438

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
perform IPA client uninstallation as a last step of server uninstall 2015-12-01T08:39:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-27T13:05:21+00:00 f6240f21fc9ae2ade54acedf98770e5f5e433d38 With the ability to promote replicas from an enrolled client the uninstallation procedure has to be changed slightly. If the client-side components are not removed last during replica uninstallation, we can end up with leftover ipa default.conf preventing future client re-enrollment. https://fedorahosted.org/freeipa/ticket/5410 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
With the ability to promote replicas from an enrolled client the
uninstallation procedure has to be changed slightly. If the client-side
components are not removed last during replica uninstallation, we can end up
with leftover ipa default.conf preventing future client re-enrollment.

https://fedorahosted.org/freeipa/ticket/5410

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
replica promotion: modify default.conf even if DS configuration fails 2015-11-27T09:32:04+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-20T08:57:05+00:00 7978c214731edfa4e05d64ffd2079d327e7b34d4 When we promote an IPA client to replica, we need to write master-like default.conf once we start configuring directory server instance. This way even if DS configuration fails for some reason the server uninstall code can work properly and clean up partially configured replica. https://fedorahosted.org/freeipa/ticket/5417 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
When we promote an IPA client to replica, we need to write master-like
default.conf once we start configuring directory server instance. This way
even if DS configuration fails for some reason the server uninstall code can
work properly and clean up partially configured replica.

https://fedorahosted.org/freeipa/ticket/5417

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
install: drop support for Dogtag 9 2015-11-25T08:12:25+00:00 Jan Cholasta jcholast@redhat.com 2015-11-09T17:28:47+00:00 aeffe2da42734655cbaedb2c4d4f9e28bd2df1c0 Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com> 
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
Add profiles and default CA ACL on migration 2015-11-24T09:12:24+00:00 Fraser Tweedale ftweedal@redhat.com 2015-11-23T01:09:32+00:00 620036d26e98fdcefff00168e9e5463a8257d49c Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert renewal: make renewal of ipaCert atomic 2015-11-19T12:06:12+00:00 Jan Cholasta jcholast@redhat.com 2015-11-09T09:53:02+00:00 f3076c6ab37e081ba9b0ec9f0502379f60dfbd10 This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com> 
This prevents errors when renewing other certificates during the renewal of
ipaCert.

https://fedorahosted.org/freeipa/ticket/5436

Reviewed-By: David Kupka <dkupka@redhat.com>
Drop configure.jar 2015-11-13T13:02:45+00:00 Martin Basti mbasti@redhat.com 2015-10-27T14:36:55+00:00 19044e87ac54200b7710b8ec5405175c3d749e76 Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>