path: root/install/tools/ipa-server-install
Commit message | Author | Age | Files | Lines
* Don't check for 389-instances. (Rob Crittenden, 2011-11-16, 1 file, -29/+2)
  We no longer need to enforce that no 389-ds instances exist on an IPA server. Checking that the ports exist should be enough. This used to be one mechanism we used to check to see if IPA was already installed. We have a better mechanism now.
  https://fedorahosted.org/freeipa/ticket/1735
* Hosts file not updated when IP is passed as option (Martin Kosek, 2011-11-10, 1 file, -2/+4)
  When an IPA server with an unresolvable hostname is being installed, a hostname record must be inserted into /etc/hosts or the installation will fail. However, it is not inserted when the IP address is passed as an option (--ip-address) and not interactively. This patch fixes this so that the /etc/hosts record is inserted in both cases.
  https://fedorahosted.org/freeipa/ticket/2074
* Fix ipa-server-install answer cache (Martin Kosek, 2011-11-03, 1 file, -39/+26)
  The current Answer Cache storing mechanism is not ideal for storing non-trivial Python types like arrays, custom classes, etc. RawConfigParser just translates values to strings, which are not correctly decoded when the Answer Cache is parsed and restored in the installer. This patch replaces RawConfigParser with Python's standard pickle module, which is a recommended way for serialization in Python.
  https://fedorahosted.org/freeipa/ticket/2054
* Add --zonemgr/--admin-mail validator (Martin Kosek, 2011-10-26, 1 file, -12/+1)
  Do at least a basic validation of the DNS zone manager mail address. Do not require '@' to be in the mail address, as the SOA record stores this value without it and people may be used to configuring it that way. '@' is always removed by the installer/dns plugin before the DNS zone is created.
  https://fedorahosted.org/freeipa/ticket/1966
* Check /etc/hosts file in ipa-server-install (Martin Kosek, 2011-10-13, 1 file, -0/+22)
  There may already be a record in /etc/hosts for the chosen IP address which may not be detected under some circumstances. Make sure that /etc/hosts is checked properly.
  https://fedorahosted.org/freeipa/ticket/1923
* Hostname used by IPA must be a system hostname (Martin Kosek, 2011-10-13, 1 file, -0/+23)
  Make sure that the hostname IPA uses is a system hostname. If the user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various failures of services which may not be ready to talk to IPA with a non-system hostname.
  https://fedorahosted.org/freeipa/ticket/1931
* Improve ipa-replica-prepare DNS check (Martin Kosek, 2011-10-06, 1 file, -10/+5)
  Currently, the verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example, to be able to create a DNS record for a new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() so that they can be safely used to distinguish the error type.
  https://fedorahosted.org/freeipa/ticket/1899
* Install tools crash when password prompt is interrupted (Martin Kosek, 2011-10-06, 1 file, -0/+7)
  When the getpass.getpass() function is interrupted via CTRL+D, an EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and a nice error message is printed.
  https://fedorahosted.org/freeipa/ticket/1916
* Work around pkisilent bugs. (Jan Cholasta, 2011-10-04, 1 file, -6/+25)
  Check directory manager password and certificate subject base for invalid characters. (https://bugzilla.redhat.com/show_bug.cgi?id=658641)
  Shell-escape pkisilent command-line arguments. (https://bugzilla.redhat.com/show_bug.cgi?id=741180)
  ticket 1636
* Add a function for formatting network locations of the form host:port for use in URLs. (Jan Cholasta, 2011-10-05, 1 file, -1/+1)
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* Be more clear about selfsign option (Martin Kosek, 2011-10-04, 1 file, -2/+8)
  Installing an IPA server with the --selfsign option is currently a one-way ticket to a server with limited certificate capabilities. Make sure that the user really wants to install it by implementing the following steps:
  - moving the option to the bottom of the certificate options section
  - adding a warning to the ipa-server-install man page
  - adding a warning to ipa-server-install help
  - adding a warning to the ipa-server-install configuration summary when one runs ipa-server-install
  https://fedorahosted.org/freeipa/ticket/1908
* Improved handling for ipa-pki-proxy.conf (Rob Crittenden, 2011-09-13, 1 file, -5/+1)
  - Remove ipa-pki-proxy.conf when IPA is uninstalled
  - Move file removal to httpinstance.py and use remove_file()
  - Add a version stanza
  - Create the file if it doesn't exist on upgraded installs
  https://fedorahosted.org/freeipa/ticket/1771
* Convert installation tools to platform-independent access to system services (Alexander Bokovoy, 2011-09-13, 1 file, -5/+6)
  http://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installers (Martin Kosek, 2011-09-07, 1 file, -17/+17)
  Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable.
  https://fedorahosted.org/freeipa/ticket/1644
* Improve man pages structure (Martin Kosek, 2011-09-07, 1 file, -55/+69)
  There are too many options in the ipa-*-install scripts, which makes them difficult to read. This patch adds subsections to the install scripts' online help and man pages to improve readability. No option has been changed.
  To further improve man pages:
  1) All man pages were changed to have the same header and top-center title to provide a unified look.
  2) A few typos in man pages have been fixed.
  https://fedorahosted.org/freeipa/ticket/1687
* Let Bind track data changes (Martin Kosek, 2011-08-31, 1 file, -1/+19)
  Integrate new bind-dyndb-ldap features to automatically track DNS data changes:
  1) Zone refresh
     Set --zone-refresh in installation to define the number of seconds between bind-dyndb-ldap polls for new DNS zones. The user now doesn't have to restart the name server when a new zone is added.
  2) New zone notifications
     Use the LDAP persistent search mechanism to immediately get a notification when any new DNS zone is added. Use the --zone-notif install option to enable it. This option is mutually exclusive with zone refresh.
  To enable this functionality in existing IPA installations, update the list of arguments for bind-dyndb-ldap in /etc/named.conf. An example where zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled:
      dynamic-db "ipa" {
        ...
        arg "zone_refresh 0";
        arg "psearch yes";
      };
  This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
  https://fedorahosted.org/freeipa/ticket/826
* Add common is_installed() fn, better uninstall logging, check for errors. (Rob Crittenden, 2011-08-29, 1 file, -2/+25)
  The installer and ipactl used two different methods to determine whether IPA was configured; unify them.
  When uninstalling, report anything that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remain after all the module uninstallers are complete.
  Add wrappers for removing files and directories to log failures.
  https://fedorahosted.org/freeipa/ticket/1715
* Verify that the external CA certificate files are correct. (Jan Cholasta, 2011-08-23, 1 file, -6/+41)
  ticket 1572
* Add option to install without the automatic redirect to the Web UI. (Jan Cholasta, 2011-08-18, 1 file, -2/+4)
  ticket 1570
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement. (Jan Cholasta, 2011-08-18, 1 file, -0/+5)
  ticket 1621
* Make sure messagebus is running prior to starting certmonger. (Jan Cholasta, 2011-08-18, 1 file, -2/+0)
  ticket 1580
* Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place. (Jan Cholasta, 2011-08-09, 1 file, -11/+10)
  ticket 1522
* Re-arrange CA configuration code to reduce the number of restarts. (Rob Crittenden, 2011-08-03, 1 file, -3/+0)
  Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.
  https://fedorahosted.org/freeipa/ticket/1555
* Clean up existing DN object usage (John Dennis, 2011-07-29, 1 file, -3/+3)
* Fix external CA install. (Jan Cholasta, 2011-07-26, 1 file, -25/+34)
  ticket 1523
* Clean up of IP address checks in install scripts. (Jan Cholasta, 2011-07-19, 1 file, -18/+4)
  Fixes ipa-dns-install incorrect warning.
  ticket 1486
* Use information from the certificate subject when setting the NSS nickname. (Rob Crittenden, 2011-07-17, 1 file, -1/+1)
  There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname.
  https://fedorahosted.org/freeipa/ticket/1141
* Validate that the certificate subject base is in valid DN format. (Rob Crittenden, 2011-07-17, 1 file, -1/+26)
  https://fedorahosted.org/freeipa/ticket/1176
* Fix creation of reverse DNS zones. (Jan Cholasta, 2011-07-15, 1 file, -15/+21)
  Create the reverse DNS zone for a /24 IPv4 subnet and a /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. A custom reverse DNS zone can be specified using the new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install.
  ticket 1398
* Verify that the hostname is fully-qualified before accessing the service information in ipactl. (Jan Cholasta, 2011-06-24, 1 file, -8/+7)
  Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install.
  ticket 1035
* Let the framework be able to override the hostname. (Rob Crittenden, 2011-06-23, 1 file, -1/+2)
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to the dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok.
  ticket 1052
* Fix IPA install for secure umask (Martin Kosek, 2011-06-21, 1 file, -12/+16)
  Make sure that IPA can be installed with the root umask set to the secure value 077. ipa-server-install was failing in the DS configuration phase when dirsrv tried to read boot.ldif created during installation.
  https://fedorahosted.org/freeipa/ticket/1282
* The IP address provided to ipa-server-install must be local (Rob Crittenden, 2011-06-20, 1 file, -1/+1)
  Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available.
  https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parser (Martin Kosek, 2011-06-19, 1 file, -2/+3)
  Implements a way to pass match_local and parse_netmask parameters to the IP option checker. Now there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters.
  https://fedorahosted.org/freeipa/ticket/1333
* Do better detection on status of CA DS instance when installing. (Rob Crittenden, 2011-06-13, 1 file, -4/+4)
  The conditional used to determine if the CA 389-ds instance was already configured was rather poor, so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all, causing the dogtag installation to fail in a strange way.
  https://fedorahosted.org/freeipa/ticket/1244
* IPA installation with --no-host-dns fails (Martin Kosek, 2011-06-10, 1 file, -6/+15)
  The --no-host-dns option should allow installing an IPA server on a host without a DNS-resolvable name. The parse_ip_address and verify_ip_address functions have been changed not to return None and print error messages in case of an error, but rather to let the exception be handled by the calling routine.
  https://fedorahosted.org/freeipa/ticket/1246
* Fix external CA installation (Rob Crittenden, 2011-06-09, 1 file, -2/+2)
  When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry.
  https://fedorahosted.org/freeipa/ticket/1245
* Honor netmask in DNS reverse zone setup. (Jan Cholasta, 2011-05-30, 1 file, -1/+2)
  ticket 910
* Parse netmasks in IP addresses passed to server install. (Jan Cholasta, 2011-05-30, 1 file, -19/+17)
  ticket 1212
* Fix reverse zone creation in ipa-replica-prepare (Martin Kosek, 2011-05-27, 1 file, -22/+7)
  When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from a different subnet), the master DNS address was corrupted by an invalid A/AAAA record. This caused problems, for example in installing a replica.
  https://fedorahosted.org/freeipa/ticket/1223
* Properly handle --no-reverse being passed on the CLI in interactive mode (Rob Crittenden, 2011-05-12, 1 file, -3/+7)
  If installing in interactive mode and --no-reverse is passed, then the reverse zone was still being created.
  ticket 1152
* Forbid reinstallation in ipa-client-install (Martin Kosek, 2011-04-29, 1 file, -1/+2)
  The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors. When required, the cleanest way to re-install an IPA client is to run uninstall and then install again.
  This patch also includes a few cosmetic changes in messages to the user to provide a more consistent user experience with the script.
  https://fedorahosted.org/freeipa/ticket/1117
* Ensure that the zonemgr passed to the installer conforms to IA5String. (Rob Crittenden, 2011-04-26, 1 file, -1/+12)
  ticket 1164
* Fix lint false positives. (Jan Cholasta, 2011-04-13, 1 file, -1/+1)
* Fix typo in ipa-server-install. (Jan Cholasta, 2011-04-08, 1 file, -1/+1)
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. (Rob Crittenden, 2011-03-15, 1 file, -9/+5)
  This fixes 2 AVCs:
  * One because we are enabling port 7390, because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead, generate a separate NSS database and certificate and have certmonger track it separately.
  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
  ticket 1085
* Use TLS for dogtag replication agreements. (Rob Crittenden, 2011-03-10, 1 file, -1/+15)
  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance.
  ticket 1060
* chkconfig the ipa service off when it is uninstalled. (Rob Crittenden, 2011-03-08, 1 file, -0/+2)
  ticket 1056
* Skip DNS validation checks if we're setting up DNS in ipa-server-install. (Rob Crittenden, 2011-03-04, 1 file, -0/+4)
  If we're going to be authoritative ourselves, don't bother with what other DNS servers think.
  ticket 1036
* Use ldapi: instead of unsecured ldap: in ipa core tools. (Pavel Zuna, 2011-03-03, 1 file, -4/+6)
  The patch also corrects exception handling in some of the tools.
  Fix #874