| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.
Convert the DN objects to strings to fix the issue.
https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.
Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit. So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options
Fixes https://fedorahosted.org/freeipa/ticket/5435
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.
The special contexts are:
* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates
The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.
https://fedorahosted.org/freeipa/ticket/6389
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Merge CA install code paths use in ipa-server-install, ipa-replica-install
in either domain level and ipa-ca-install into one.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Remote master and CA host names may differ. Always use the remote CA host
name and never the remote master host name in CA replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ipca-ca-install: Use a single ldap connection for the entire
script. Connecting with ccache in promote is not needed.
* ipa-cacert-manage: Always connect to ldap, since renew and install
are the only options and renew seems to need ldap connection even
for self signed certificates.
* ipa-compat-manage: Use one ldap connection for the entire script.
Replaced try-finally with proper disconnect, code block reindented.
* ipa-csreplica-manage: Properly establish and close the ldap connection.
* ipa-dns-install: Proper connect, disconnect to ldap.
* ipa-kra-install: Proper connect/disconnect for install and uninstall.
* ipa-ldap-update: Proper connect and disconnect to ldap.
* ipa-nis-manage: Proper connect/disconnect for ldap. Try-finally removed
and code block reindented.
* ipa-replica-manage: Proper connect/disconnect to ldap.
* ipa-replica-prepare: Connect added to validate_options(), where api is
initialized and disconnected added at the end of run. Reconnect in
ask_for_options() to validate directory manager password.
* ipa-server-certinstall: Use api.Backend.ldap2 for ldap connections.
* ipa-server-upgrade: Connect to and disconnect from api.Backend.ldap2.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Installation of Certificate Server replica requires directory manager
password. Specify it explicitly in function call and pass it in
through an argument.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Remove directory manager's password from service's constructors
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-ca-install said that it used
/var/log/ipareplica-ca-install.log
but in fact it used
/var/log/ipaserver-ca-install.log
This patch unites it to ipareplica-ca-install.log
It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.
https://fedorahosted.org/freeipa/ticket/6086
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
|
|
| |
The incorrect api was used, and CA record updated was duplicated.
https://fedorahosted.org/freeipa/ticket/5966
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5636
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.
This commit is workaround, proper fix may need to improve ipactl.
https://fedorahosted.org/freeipa/ticket/5262
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5399
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
with replica promotion (domain level > 0) there are no replica files,
thus adding replica file as parameter when domain level > 0 should be
disallowed.
https://fedorahosted.org/freeipa/ticket/5455
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There is no reason to proceed if a CA is already installed, and the
check does not involve a lot of setup, so do it early on.
Ticket: https://fedorahosted.org/freeipa/ticket/5397
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).
https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
CA-less IPA master has 'ra_plugin' set to 'none' in IPA config. When setting
up Dogtag CA on the master we must override this setting in order to load
dogtag backend plugins and succesfully complete CA installation.
https://fedorahosted.org/freeipa/ticket/5288
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
To avoid cyclic imports realm_to_serverid function had to be moved to
installutils from dsinstance.
Required for: https://fedorahosted.org/freeipa/ticket/4925
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The port is never available in step 2 of external CA install, as Dogtag is
already running.
https://fedorahosted.org/freeipa/ticket/4660
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
| |
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4564
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
| |
|
|
|
|
|
| |
Patch 3aa0731f was not merged correctly and import for a function
that no longer exists. This patch fixes the import.
https://fedorahosted.org/freeipa/ticket/4480
|
| |
|
|
|
|
|
|
|
|
|
| |
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
| |
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
| |
Also fixes few incorrect imports.
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.
https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.
FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2
https://fedorahosted.org/freeipa/ticket/3438
Updated by pviktori@redhat.com
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.
https://fedorahosted.org/freeipa/ticket/3804
|
| | |
|
