summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
* WIP: store mkey in keytabmaster_keytabSimo Sorce2015-12-121-0/+7
|
* Fail hard if realminitialization failsSimo Sorce2015-12-111-1/+1
| | | | | | No point in proceeding the install will fail later. Signed-off-by: Simo Sorce <simo@redhat.com>
* replica promotion: allow OTP bulk client enrollmentJan Cholasta2015-12-091-14/+31
| | | | | | https://fedorahosted.org/freeipa/ticket/5498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Force creation of services during replica installMartin Basti2015-12-071-1/+2
| | | | | | Missing A record should not prevent replica to be installed. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replicainstall: Admin password should not conflict with replica fileTomas Babej2015-12-071-1/+0
| | | | | | | | The --admin-password (-w) has its use both in domain level 0 and 1. https://fedorahosted.org/freeipa/ticket/5517 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica promotion: automatically add the local host to ipaserversJan Cholasta2015-12-071-2/+46
| | | | | | | | | | If the user is authorized to modify members of the ipaservers host group, add the local host to ipaservers automatically. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica promotion: use host credentials when setting up replicationJan Cholasta2015-12-071-11/+45
| | | | | | | | | | | Use the local host credentials rather than the user credentials when setting up replication. The host must be a member of the ipaservers host group. The user credentials are still required for connection check. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIsJan Cholasta2015-12-071-111/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* aci: add IPA servers host group 'ipaservers'Jan Cholasta2015-12-071-0/+7
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* replica install: improvements in the handling of CA-related IPA config entriesMartin Babinsky2015-12-043-17/+25
| | | | | | | | | | | | When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-install support caless install with promotion.David Kupka2015-12-035-42/+199
| | | | | | https://fedorahosted.org/freeipa/ticket/5441 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modify error message to install first instance of KRAMartin Basti2015-12-021-1/+3
| | | | | | | | First instance of KRA should be installed by ipa-kra-install. https://fedorahosted.org/freeipa/ticket/5460 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kra-install: allow to install first KRA on replicaMartin Basti2015-12-021-6/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/5460 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* implement domain level 1 specific topology checks into IPA server uninstallerMartin Babinsky2015-12-021-27/+166
| | | | | | | | | | | | | When uninstalling domain level 1 master its removal from topology is checked on remote masters. The uninstaller also checks whether the uninstallation disconnects the topology and if yes aborts the procedure. The '--ignore-disconnected-topology' options skips this check. https://fedorahosted.org/freeipa/ticket/5377 https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manageMartin Babinsky2015-12-021-0/+90
| | | | | | | | | | This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: Add possiblity to install client in one commandTomas Babej2015-12-012-10/+86
| | | | | | https://fedorahosted.org/freeipa/ticket/5310 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove global variable dns_forwarders from ipaserver.install.dnsPetr Spacek2015-12-012-18/+14
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-dns-install offer IP addresses from resolv.conf as default forwardersPetr Spacek2015-12-015-8/+39
| | | | | | | | | In non-interactive more option --auto-forwarders can be used to do the same. --forward option can be used to supply additional IP addresses. https://fedorahosted.org/freeipa/ticket/5438 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* perform IPA client uninstallation as a last step of server uninstallMartin Babinsky2015-12-011-13/+13
| | | | | | | | | | | | With the ability to promote replicas from an enrolled client the uninstallation procedure has to be changed slightly. If the client-side components are not removed last during replica uninstallation, we can end up with leftover ipa default.conf preventing future client re-enrollment. https://fedorahosted.org/freeipa/ticket/5410 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upgrade: increase time limit for upgradesMartin Basti2015-12-011-1/+4
| | | | | | | | | | | | | | | | Default ldap search limit is now 30 sec by default during upgrade. Limits must be changed for the whole ldap2 connection, because this connection is used inside update plugins and commands called from upgrade. Together with increasing the time limit, also size limit should be unlimited during upgrade. With sizelimit=None we may get the TimeExceeded exception from getting default value of the sizelimit from LDAP. https://fedorahosted.org/freeipa/ticket/5267 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* use starttls in CSReplicationManager connection againPetr Vobornik2015-11-301-1/+1
| | | | | | | | | | | | | | | | | commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e has: - realm, hostname, dirman_passwd, port, starttls=True) + realm, hostname, dirman_passwd, port) In CSReplicationManager which causes, e.g.: ipa-csreplica-manage -p Secret123 list ipa.example.com cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file Reviewed-By: Tomas Babej <tbabej@redhat.com>
* custodia: Make sure container is created with first custodia replicaTomas Babej2015-11-301-0/+15
| | | | | | | | | | If a first 4.3+ replica is installed in the domain, the custodia container does not exist. Make sure it is created to avoid failures during key generation. https://fedorahosted.org/freeipa/ticket/5474 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-kra-install: error when replica file is passed with domain level > 0Martin Basti2015-11-271-4/+4
| | | | | | | | | | installing kra on promoted replica (domain level > 0) does not require replica file. https://fedorahosted.org/freeipa/ticket/5455 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* KRA install: show installation message only if install really startedMartin Basti2015-11-271-6/+3
| | | | | | | | | | | Message that installation started/failed was shown even when install_check fail (installation itself did not start). This commit show messages only if installation started. Enhacement for https://fedorahosted.org/freeipa/ticket/5455 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica promotion: modify default.conf even if DS configuration failsMartin Babinsky2015-11-271-25/+30
| | | | | | | | | | | When we promote an IPA client to replica, we need to write master-like default.conf once we start configuring directory server instance. This way even if DS configuration fails for some reason the server uninstall code can work properly and clean up partially configured replica. https://fedorahosted.org/freeipa/ticket/5417 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix a typo in replica DS creation codeMartin Babinsky2015-11-261-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* KRA: do not stop certmonger during standalone uninstallMartin Basti2015-11-261-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5477 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove invalid error messages from topology upgradeMartin Basti2015-11-252-6/+3
| | | | | | | | | Return False does not mean that update failed, it mean that nothing has been updated, respectively ldap is up to date. https://fedorahosted.org/freeipa/ticket/5482 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-2519-627/+260
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Install: Force service add during replica promotionMartin Basti2015-11-242-2/+4
| | | | | | | | | Replica does not need to have A/AAAA records during install, so we cannot enforce it and service must be added with --force option. https://fedorahosted.org/freeipa/ticket/5420 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* do not disconnect when using existing connection to check default CA ACLsMartin Babinsky2015-11-241-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* disconnect ldap2 backend after adding default CA ACL profilesMartin Babinsky2015-11-241-0/+3
| | | | | | | | | | ensure_default_caacl() was leaking open api.Backend.ldap2 connection which could crash server/replica installation at later stages. This patch ensures that after checking default CA ACL profiles the backend is disconnected. https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add profiles and default CA ACL on migrationFraser Tweedale2015-11-245-44/+81
| | | | | | | | | | | | | | | | | | | | Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-otptoken-import: Fix connection to ldap.David Kupka2015-11-231-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5475 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-cacert-renew: Fix connection to ldap.David Kupka2015-11-231-17/+13
| | | | | | https://fedorahosted.org/freeipa/ticket/5468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Check if IPA is configured before attempting a winsync migrationGabe2015-11-231-1/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/5470 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Avoid race condition caused by profile delete and recreateFraser Tweedale2015-11-231-2/+1
| | | | | | | | | | | | | | | When importing IPA-managed certificate profiles into Dogtag, profiles with the same name (usually caIPAserviceCert) are removed, then immediately recreated with the new profile data. This causes a race condition - Dogtag's LDAPProfileSystem profileChangeMonitor thread could observe and process the deletion after the profile was recreated, disappearing it again. Update the profile instead of deleting and recreating it to avoid this race condition. Fixes: https://fedorahosted.org/freeipa/ticket/5269 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* suppress errors arising from adding existing LDAP entries during KRA installMartin Babinsky2015-11-192-3/+17
| | | | | | https://fedorahosted.org/freeipa/ticket/5346 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert renewal: make renewal of ipaCert atomicJan Cholasta2015-11-192-3/+3
| | | | | | | | | This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com>
* install: export KRA agent PEM file in ipa-kra-installJan Cholasta2015-11-191-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5462 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Drop configure.jarMartin Basti2015-11-133-44/+0
| | | | | | | | | Configure.jar used to be used with firefox version < 10 which is not supported anymore, thus this can be removed. https://fedorahosted.org/freeipa/ticket/5144 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* remove an unneccesary check from IPA server uninstallerMartin Babinsky2015-11-121-7/+0
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* remove Kerberos authenticators when installing/uninstalling service instanceMartin Babinsky2015-11-117-8/+56
| | | | | | | | | | each service possessing Kerberos keytab/ccache will now perform their removal before service principal creation and during service uninstall https://fedorahosted.org/freeipa/ticket/5243 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Remove unused constant NEW_MASTER_MARK from ipaserver.install.dnsPetr Spacek2015-11-111-2/+0
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Remove dead code in ipaserver/install/installutils: read_ip_address()Petr Spacek2015-11-101-14/+0
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* adtrustinstance: Do not use bare except clausesTomas Babej2015-11-101-8/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/5134 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrustinstance: Restart samba service at the end of adtrust-installTomas Babej2015-11-101-0/+7
| | | | | | | | | | Errors related to establishing trust can occur if samba service is not restarted after ipa-adtrust-install has been run. Restart the service at the end of the installer to avoid such issues. https://fedorahosted.org/freeipa/ticket/5134 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrustinstance: Wait for sidgen task completionTomas Babej2015-11-101-3/+15
| | | | | | | | | | As part of hardening of adtrust installer, we should wait until the sidgen task is completed before continuing, as it can take considerable amount of time for a larger deployment. https://fedorahosted.org/freeipa/ticket/5134 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Upgrade: enable custodia service during upgradeMartin Basti2015-11-101-4/+6
| | | | | | | | There was missing step in upgrade that enables the service in LDAP https://fedorahosted.org/freeipa/ticket/5429 Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* ipa-replica-prepare: domain level check improvementsMartin Babinsky2015-11-051-4/+17
| | | | | | | | | | | | ipa-replica-prepare command is disabled in non-zero domain-level. Instead of raising and exception with the whole message instructing the user to promote replicas from enrolled clients in level 1+ topologies, the exception itself contains only a brief informative message and the rest is logged at error level. https://fedorahosted.org/freeipa/ticket/5175 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-31 16:13:15 +0000