Commit message
| |
Having '%' in DM password causes pkispawn to crash. Do not allow
users to enter it until pkispawn is fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=953488
| |
https://fedorahosted.org/freeipa/ticket/3897
| |
This works around pk12util refusing to use empty password files, which prevents
the use of PKCS#12 files with empty password.
https://fedorahosted.org/freeipa/ticket/3897
| |
If the IPA server is set up with non-matching domain and realm
names, it will not be able to establish trust with the Active
Directory.
Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).
Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.
https://fedorahosted.org/freeipa/ticket/3924
| |
DS is contacted during server uninstallation, in order to obtain information
about replication agreements. If DS is unavailable, warn and continue with
uninstallation.
https://fedorahosted.org/freeipa/ticket/3867
| |
The search had an incorrect scope and therefore it didn't find any RUV.
This issue prevented removing of replica.
https://fedorahosted.org/freeipa/ticket/3876
| |
Add a warning when trying to uninstall a replica that has active replication
agreements.
https://fedorahosted.org/freeipa/ticket/3867
| |
ipa-restore would fail if DS user did not exist. Check for presence of DS
user and group and create them if needed.
https://fedorahosted.org/freeipa/ticket/3856
| |
https://fedorahosted.org/freeipa/ticket/3869
| |
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.
Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.
https://fedorahosted.org/freeipa/ticket/3804
| |
Make sure the subject base parameter is correctly passed and used during the
creation of the DS instance on a replica.
https://fedorahosted.org/freeipa/ticket/3868
| |
Hide the unnecessary --dirsrv_pin and --http_pin options.
https://fedorahosted.org/freeipa/ticket/3869
| |
Change the log file path from /var/log/ipa/default.log to admintool's default
path.
https://fedorahosted.org/freeipa/ticket/3641
| |
In particular, PKCS#12 validation and server certificate selection is now done
the same way as in ipa-server-install and ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/3641
| |
https://fedorahosted.org/freeipa/ticket/3777
| |
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
| |
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.
Also make sure that this value is preserved on upgrades.
https://fedorahosted.org/freeipa/ticket/3783
| |
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.
Properly freeing the NSS objects avoids this crash.
https://fedorahosted.org/freeipa/ticket/3773
| |
https://fedorahosted.org/freeipa/ticket/3717
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run an older SSSD version,
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to the PAM stack using the 'system-auth' PAM
service. If you have disabled the HBAC rule 'allow_all', then make sure there is
a special service called 'system-auth' created and an HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that the system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via the compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
| |
https://fedorahosted.org/freeipa/ticket/3652
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
| |
Create:
* kerberosauth.xpi
* krb.js
even when --http_pkcs12 option is used.
https://fedorahosted.org/freeipa/ticket/3747
| |
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.
https://fedorahosted.org/freeipa/ticket/3739
| |
https://fedorahosted.org/freeipa/ticket/3750
| |
https://fedorahosted.org/freeipa/ticket/3673
https://fedorahosted.org/freeipa/ticket/3674
| |
https://fedorahosted.org/freeipa/ticket/3665
| |
Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.
https://fedorahosted.org/freeipa/ticket/3680
| |
All installers that handle Kerberos auth have been altered to use
a private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.
https://fedorahosted.org/freeipa/ticket/3666
| |
Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.
Support for upgraded Dogtag-9-style instances is left in.
https://fedorahosted.org/freeipa/ticket/3529
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
https://fedorahosted.org/freeipa/ticket/3628
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
https://fedorahosted.org/freeipa/ticket/3607
| |
https://fedorahosted.org/freeipa/ticket/3235
| |
https://fedorahosted.org/freeipa/ticket/3235
| |
When connecting to a replica, ipa-replica-manage could fail with
an unknown error due to a connection timeout. This patch properly
handles the situation.
Fixed in conjunction with https://fedorahosted.org/freeipa/ticket/3524
| |
In ipa-replica-manage commands, we enforce that hostnames we work
with are resolvable. However, this caused errors while deleting
or disconnecting an ipa / winsync replica, if that replica was down
and authoritative server for itself.
Also adds a --no-lookup flag to disable host existence checks.
https://fedorahosted.org/freeipa/ticket/3524
| |
Ensure that 'ipactl stop' stops the dirsrv instance, even when no other
services are running.
https://fedorahosted.org/freeipa/ticket/3574
| |
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.
The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).
https://fedorahosted.org/freeipa/ticket/3578
| |
https://fedorahosted.org/freeipa/ticket/3576
| |
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.
Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.
https://fedorahosted.org/freeipa/ticket/3522
| |
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
| |
https://fedorahosted.org/freeipa/ticket/3547
| |
https://fedorahosted.org/freeipa/ticket/3547
| |
The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.
https://fedorahosted.org/freeipa/ticket/3523
| |
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.
http://freeipa.org/page/V3/Backup_and_Restore
https://fedorahosted.org/freeipa/ticket/3128