freeipa.git/ipaserver/install, branch ipasam_getkeytab FreeIPA patches Modify error message to install first instance of KRA 2015-12-02T16:21:32+00:00 Martin Basti mbasti@redhat.com 2015-11-30T17:18:38+00:00 bbbe411f357b7fbad533b5211a90bb0558b1abbe First instance of KRA should be installed by ipa-kra-install. https://fedorahosted.org/freeipa/ticket/5460 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
First instance of KRA should be installed by ipa-kra-install.

https://fedorahosted.org/freeipa/ticket/5460

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-kra-install: allow to install first KRA on replica 2015-12-02T16:20:19+00:00 Martin Basti mbasti@redhat.com 2015-11-23T12:43:53+00:00 efeb7d54ba7e3145a7a0b50c4b275d208cb656e6 https://fedorahosted.org/freeipa/ticket/5460 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5460

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
implement domain level 1 specific topology checks into IPA server uninstaller 2015-12-02T13:10:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-19T16:58:44+00:00 b8c619a7139bd7b65caa03b68431e22791ff19bf When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
When uninstalling domain level 1 master its removal from topology is checked
on remote masters. The uninstaller also checks whether the uninstallation
disconnects the topology and if yes aborts the procedure. The
'--ignore-disconnected-topology' options skips this check.

https://fedorahosted.org/freeipa/ticket/5377
https://fedorahosted.org/freeipa/ticket/5409

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
extract domain level 1 topology-checking code from ipa-replica-manage 2015-12-02T13:10:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-19T16:55:23+00:00 8d4b14e0ce33baed5f237175ef2a853538ead0a8 This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
This facilitates reusability of this code in other components, e.g. IPA server
uninstallers.

https://fedorahosted.org/freeipa/ticket/5409

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
replicainstall: Add possiblity to install client in one command 2015-12-01T15:33:13+00:00 Tomas Babej tbabej@redhat.com 2015-11-23T11:46:15+00:00 034e76062fd897dc67b5a395735a5471257bfc8b https://fedorahosted.org/freeipa/ticket/5310 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5310

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove global variable dns_forwarders from ipaserver.install.dns 2015-12-01T09:19:25+00:00 Petr Spacek pspacek@redhat.com 2015-11-10T15:53:10+00:00 8f5f0d6edd25d2ca747c0477366fb392a26390f2 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-dns-install offer IP addresses from resolv.conf as default forwarders 2015-12-01T09:19:25+00:00 Petr Spacek pspacek@redhat.com 2015-11-10T10:22:43+00:00 45d9d4e8ae524cdc91effc05ce3fe1c06cfb750e In non-interactive more option --auto-forwarders can be used to do the same. --forward option can be used to supply additional IP addresses. https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In non-interactive more option --auto-forwarders can be used to do the
same. --forward option can be used to supply additional IP addresses.

https://fedorahosted.org/freeipa/ticket/5438

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
perform IPA client uninstallation as a last step of server uninstall 2015-12-01T08:39:19+00:00 Martin Babinsky mbabinsk@redhat.com 2015-11-27T13:05:21+00:00 f6240f21fc9ae2ade54acedf98770e5f5e433d38 With the ability to promote replicas from an enrolled client the uninstallation procedure has to be changed slightly. If the client-side components are not removed last during replica uninstallation, we can end up with leftover ipa default.conf preventing future client re-enrollment. https://fedorahosted.org/freeipa/ticket/5410 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
With the ability to promote replicas from an enrolled client the
uninstallation procedure has to be changed slightly. If the client-side
components are not removed last during replica uninstallation, we can end up
with leftover ipa default.conf preventing future client re-enrollment.

https://fedorahosted.org/freeipa/ticket/5410

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Upgrade: increase time limit for upgrades 2015-12-01T07:51:44+00:00 Martin Basti mbasti@redhat.com 2015-11-18T09:31:05+00:00 2a1a3c498a71e85193af76a25333ebe9011e6b2a Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Default ldap search limit is now 30 sec by default during upgrade.

Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.

Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.

https://fedorahosted.org/freeipa/ticket/5267

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
use starttls in CSReplicationManager connection again 2015-11-30T11:26:51+00:00 Petr Vobornik pvoborni@redhat.com 2015-10-16T13:57:59+00:00 7b976c664d5b961d5297f235197e9124ce66d5ff commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e has: - realm, hostname, dirman_passwd, port, starttls=True) + realm, hostname, dirman_passwd, port) In CSReplicationManager which causes, e.g.: ipa-csreplica-manage -p Secret123 list ipa.example.com cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file Reviewed-By: Tomas Babej <tbabej@redhat.com> 
commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e

has:
-            realm, hostname, dirman_passwd, port, starttls=True)
+            realm, hostname, dirman_passwd, port)

In CSReplicationManager

which causes, e.g.:

ipa-csreplica-manage -p Secret123 list ipa.example.com
cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file

Reviewed-By: Tomas Babej <tbabej@redhat.com>