path: root/ipaserver/install
Commit log: subject (author, date; files changed, lines removed/added), followed by the commit message.
...
* Remove unused kra option (Simo Sorce, 2015-10-15; 1 file, -3/+0)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Add low level helper to get domain level (Simo Sorce, 2015-10-15; 1 file, -0/+14)
  This can be used only locally on an existing master (uses ldapi). Useful to check the domain_level in scripts before the api is initialized and/or credentials are available.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
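The pattern the helper above relies on (a local LDAPI connection authenticated by the caller's uid via SASL EXTERNAL, so no password or Kerberos ticket is needed) is also what the later "Using LDAPI to setup CA and KRA agents" change builds on. The following is an added example, not the commit's own code: it assumes the 389-ds socket is named /var/run/slapd-<REALM with dots as dashes>.socket, that the level is stored in cn=Domain Level,cn=ipa,cn=etc,<suffix> as ipaDomainLevel, and that a missing entry means level 0. Verify those against your deployment before relying on it.

```python
"""Read the IPA domain level locally over LDAPI without Kerberos credentials.

Added example, not the helper the commit introduces. Assumptions (check them
against your deployment): socket path /var/run/slapd-<REALM with dots as
dashes>.socket, entry cn=Domain Level,cn=ipa,cn=etc,<suffix> with attribute
ipaDomainLevel, and "no entry" meaning domain level 0. SASL EXTERNAL over
ldapi authenticates by the caller's uid, so this works only as root (or the
directory server user) on the master itself, which is exactly why it needs
no password or ticket.
"""
import subprocess
import urllib.parse

# Constructed sample of what `ldapsearch -LLL` returns for the entry.
SAMPLE_LDIF = (
    "dn: cn=Domain Level,cn=ipa,cn=etc,dc=example,dc=com\n"
    "objectClass: ipaDomainLevelConfig\n"
    "ipaDomainLevel: 1\n"
)


def ldapi_uri(realm):
    """ldapi:// URI for the instance serving `realm` (socket path percent-encoded)."""
    socket = "/var/run/slapd-%s.socket" % realm.replace(".", "-")
    return "ldapi://" + urllib.parse.quote(socket, safe="")


def domain_level_from_ldif(ldif_text):
    """Return ipaDomainLevel from LDIF output, or 0 when the attribute is absent."""
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "ipadomainlevel":
            return int(value.strip())
    return 0


def get_domain_level(realm, suffix):
    """Query the local master over LDAPI using SASL EXTERNAL (no password)."""
    cmd = [
        "ldapsearch", "-LLL", "-Y", "EXTERNAL", "-H", ldapi_uri(realm),
        "-b", "cn=Domain Level,cn=ipa,cn=etc,%s" % suffix, "-s", "base",
        "ipaDomainLevel",
    ]
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.DEVNULL,
                                      universal_newlines=True)
    except subprocess.CalledProcessError as e:
        if e.returncode == 32:  # LDAP noSuchObject: entry not present
            return 0
        raise
    return domain_level_from_ldif(out)


if __name__ == "__main__":
    print(get_domain_level("EXAMPLE.COM", "dc=example,dc=com"))
```

Because the socket is only reachable locally and the bind identity is the Unix uid, the check cannot be used from a client or with delegated credentials; that matches the commit's "only locally on an existing master" restriction.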
* Make checks for existing credentials reusable (Simo Sorce, 2015-10-15; 2 files, -73/+75)
  Move them into installutils so they can be reused by multiple scripts.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Allow to setup the CA when promoting a replica (Simo Sorce, 2015-10-15; 5 files, -62/+327)
  This patch makes --setup-ca work to set up a clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* handle multiple managed suffixes (Ludwig Krispenz, 2015-10-15; 1 file, -0/+5)
  Trigger a topology update if a suffix entry is added; trigger a topology update if managedSuffix is modified in the host entry.
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* enable topology plugin on upgrade (Petr Vobornik, 2015-10-15; 1 file, -0/+9)
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* topology: manage ca replication agreements (Petr Vobornik, 2015-10-15; 2 files, -0/+44)
  Configure IPA so that the topology plugin will also manage CA replication agreements.
  On upgrade, if a CA is configured:
  - ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
  - ipaReplTopoManagedSuffix: o=ipaca is added to the master entry
  - binddngroup is added to the o=ipaca replica entry
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Add function to extract CA certs for install (Simo Sorce, 2015-10-15; 1 file, -0/+55)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow ipa-replica-conncheck to use default creds (Simo Sorce, 2015-10-15; 2 files, -5/+16)
  If the user has already run kinit, try to use those credentials. The user can always override by explicitly passing the -p flag.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Change DNS installer code to use passed in api (Simo Sorce, 2015-10-15; 3 files, -57/+69)
  Fixes a number of places where api was not passed around internally. Also allows installing DNS in replica promotion, which requires an alternative api to be created with the right configuration.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Implement replica promotion functionality (Simo Sorce, 2015-10-15; 11 files, -55/+850)
  This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server.
  The only credentials used are those of an administrator.
  This code relies on ipa-custodia being available on the peer master, as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers.
  Ticket: https://fedorahosted.org/freeipa/ticket/2888
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Add ipa-custodia service (Simo Sorce, 2015-10-15; 6 files, -3/+80)
  Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-adtrust-install: Print complete SRV records (Petr Spacek, 2015-10-14; 1 file, -3/+4)
  https://fedorahosted.org/freeipa/ticket/5358
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* Remove bind configuration detected question (Gabe, 2015-10-13; 2 files, -11/+0)
  https://fedorahosted.org/freeipa/ticket/5351
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Alias long to int under Python 3 (Petr Viktorin, 2015-10-13; 1 file, -0/+1)
  In py3, the two types are unified under the name "int".
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* upgrade: make sure ldap2 is connected in export_kra_agent_pem (Jan Cholasta, 2015-10-12; 1 file, -0/+7)
  https://fedorahosted.org/freeipa/ticket/5360
  Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>

* install: always export KRA agent PEM file (Jan Cholasta, 2015-10-08; 3 files, -7/+8)
  Export the file even when KRA is not installed locally so that vault commands work on all IPA replicas.
  https://fedorahosted.org/freeipa/ticket/5302
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* install: fix KRA agent PEM file permissions (Jan Cholasta, 2015-10-08; 3 files, -9/+44)
  This fixes CVE-2015-5284.
  https://fedorahosted.org/freeipa/ticket/5347
  Reviewed-By: Martin Basti <mbasti@redhat.com>
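The KRA agent PEM carries a private key, and the two commits above first widen where it is exported (every replica) and then tighten its permissions. A practitioner auditing an upgraded deployment wants a check that the exported file is not group- or world-readable and is not a symlink. The following is an added example, not FreeIPA code: the page does not name the file's path, so the script works on a constructed temporary file and takes the real path as an argument; the expected owner uid is likewise a parameter, not something the page states.

```python
"""Audit and harden the permissions of a PEM file that holds a private key.

Added example, not FreeIPA code. The path and expected owner are parameters
because the page does not state them; demo() uses a constructed temp file.
"""
import os
import stat
import tempfile


def pem_permission_problems(path, allowed_owner_uid=None):
    """Return a list of findings; an empty list means the file looks sane.

    A PEM that carries a private key must not be readable by group or others,
    and a symlink in its place could redirect the service to a file an
    attacker controls, so both are reported.
    """
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %04o)" % mode)
    if mode & stat.S_IRWXG:
        problems.append("group-accessible (mode %04o)" % mode)
    if allowed_owner_uid is not None and st.st_uid != allowed_owner_uid:
        problems.append("owned by uid %d, expected %d"
                        % (st.st_uid, allowed_owner_uid))
    return problems


def harden_pem(path, owner_uid=None, owner_gid=None):
    """Set the file to 0600 (and optionally chown it). Returns the new mode."""
    if owner_uid is not None and owner_gid is not None:
        os.chown(path, owner_uid, owner_gid)  # requires privilege
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a constructed world-readable PEM placeholder, audit, fix, re-audit."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        # Constructed placeholder body, not a real key.
        f.write("-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n"
                "-----END PRIVATE KEY-----\n")
        path = f.name
    os.chmod(path, 0o644)  # the weak setting: readable by any local user
    before = pem_permission_problems(path)
    new_mode = harden_pem(path)
    after = pem_permission_problems(path)
    os.unlink(path)
    return before, new_mode, after


if __name__ == "__main__":
    print(demo())
```

Run the audit function against the real exported file on each replica after upgrading, since the "always export" change means the file now exists on masters that never ran the KRA installer.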
* Use six.moves.http_client instead of httplib (Petr Viktorin, 2015-10-07; 1 file, -1/+7)
  The module was renamed in Python 3.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Use six.moves.configparser instead of ConfigParser (Petr Viktorin, 2015-10-07; 9 files, -13/+18)
  The module name was lowercased in Python 3.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Use six.moves.urllib instead of urllib/urllib2/urlparse (Petr Viktorin, 2015-10-07; 1 file, -3/+4)
  In Python 3, these modules are reorganized.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF (Timo Aaltonen, 2015-10-05; 1 file, -1/+1)
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* paths: Add GENERATE_RNDC_KEY. (Timo Aaltonen, 2015-10-05; 1 file, -1/+1)
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-server-install: mark master_password Knob as deprecated (Martin Babinsky, 2015-10-01; 1 file, -0/+1)
  Fixes a regression introduced while fixing https://fedorahosted.org/freeipa/ticket/5184
  https://fedorahosted.org/freeipa/ticket/5335
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* install: fix ipa-server-install fail on missing --forwarder (Jan Cholasta, 2015-10-01; 3 files, -4/+13)
  https://fedorahosted.org/freeipa/ticket/4517
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* install: fix invocation of KRAInstance.create_instance() (Jan Cholasta, 2015-10-01; 1 file, -1/+1)
  Reviewed-By: Simo Sorce <ssorce@redhat.com>

* Replica inst. fix: do not require -r, -a, -p options in unattended mode (Martin Basti, 2015-09-29; 2 files, -7/+6)
  Previous patches for this ticket introduced an error: replica install required the -r, -p and -a options in unattended mode. These options are not needed on the replica side.
  https://fedorahosted.org/freeipa/ticket/4517
  Reviewed-By: Milan Kubík <mkubik@redhat.com>
* winsync-migrate: Properly handle collisions in the names of external groups (Tomas Babej, 2015-09-23; 1 file, -3/+14)
  Since the names of the external groups containing the migrated users must be stripped of characters which are not valid for use in group names, two different groups might be mapped to one during this process.
  Properly handle collisions in the names by adding an incremental numeric suffix.
  https://fedorahosted.org/freeipa/ticket/5319
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* winsync-migrate: Convert entity names to posix friendly strings (Tomas Babej, 2015-09-23; 1 file, -3/+12)
  During the migration from winsync replicated users to their trusted identities, memberships are being preserved. However, trusted users are external and as such cannot be added as direct members to the IPA entities. External groups which encapsulate the migrated users are added as members to those entities instead.
  The name of the external group is generated from the type of the entity and its name. However, the entity's name can contain characters which are invalid for use in the group name.
  Adds a helper function to convert a given string to a string which would be valid for such use and leverages it in the winsync-migrate tool.
  https://fedorahosted.org/freeipa/ticket/5319
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
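The two winsync-migrate commits above describe one procedure: derive a group name from the entity type and name, strip characters that are not valid in a group name, and, because two distinct entities can collapse to the same string, disambiguate with an incrementing numeric suffix. The following is an added example showing both steps together; it is not the winsync-migrate code. The allowed-character rule (letters, digits, '_', '-', '.', '$', with the leading character restricted to a letter, digit or underscore), the lowercasing and the "<type>_<name>_external" naming pattern are assumptions chosen for this example, not taken from the page.

```python
"""Derive POSIX-friendly external group names and resolve collisions.

Added example, not the winsync-migrate implementation. The character rule,
the lowercasing and the "<type>_<name>_external" pattern are assumptions.
"""
import re

# Assumed rule: group names may contain letters, digits, '_', '-', '.', '$'
# and may not begin with '-', '.' or '$'.
_INVALID = re.compile(r"[^a-zA-Z0-9_.$-]")
_LEADING_INVALID = re.compile(r"^[^a-zA-Z0-9_]+")


def to_posix_name(name):
    """Replace invalid characters with '_', drop an invalid leading run, lowercase."""
    name = _INVALID.sub("_", name)
    name = _LEADING_INVALID.sub("", name)
    return name.lower() or "_"


def external_group_name(entity_type, entity_name, taken):
    """Return a unique group name for (type, name), recording it in `taken`.

    On collision an incrementing numeric suffix is appended: base, base1,
    base2, ... until a free name is found.
    """
    base = to_posix_name("%s_%s_external" % (entity_type, entity_name))
    candidate = base
    n = 1
    while candidate in taken:
        candidate = "%s%d" % (base, n)
        n += 1
    taken.add(candidate)
    return candidate


def migrate_names(entities):
    """Map (type, name) pairs to unique group names, preserving input order."""
    taken = set()
    return [(t, name, external_group_name(t, name, taken)) for t, name in entities]


if __name__ == "__main__":
    # Constructed sample input: two names that collide after sanitisation.
    for row in migrate_names([("hbacrule", "Allow SSH"),
                              ("hbacrule", "Allow_SSH"),
                              ("group", "Domain Admins/Ops")]):
        print(row)
```

Note that the collision set must be shared across the whole migration run (and should be seeded with group names that already exist in the directory), otherwise a name chosen early can still clash with one chosen later.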
* install: fix kdcproxy user home directory (Jan Cholasta, 2015-09-23; 1 file, -1/+3)
  https://fedorahosted.org/freeipa/ticket/5314
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* install: create kdcproxy user during server install (Jan Cholasta, 2015-09-22; 3 files, -1/+18)
  This change makes kdcproxy user creation consistent with DS and CA user creation. Before, the user was created in the spec file, in the %pre scriptlet of freeipa-server.
  https://fedorahosted.org/freeipa/ticket/5314
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* ipa-backup: Add mechanism to store empty directory structure (Tomas Babej, 2015-09-22; 1 file, -3/+47)
  Certain subcomponents of IPA, such as Dogtag, cannot function if non-critical directories (such as log directories) have not been stored in the backup.
  This patch implements storage of selected empty directories, while preserving attributes and SELinux context.
  https://fedorahosted.org/freeipa/ticket/5297
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* install: Add common base class for server and replica install (Jan Cholasta, 2015-09-22; 3 files, -564/+525)
  https://fedorahosted.org/freeipa/ticket/4517
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* Simplify the install_replica_ca function (Simo Sorce, 2015-09-22; 1 file, -10/+5)
  Instantiate CAInstall only once instead of 3 times in a row, always with the same values.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Remove unused arguments (Simo Sorce, 2015-09-22; 4 files, -15/+9)
  In the dogtag/ca/kra instances self.domain is never used. Remove it.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Server Upgrade: addifnew should not create entry (Martin Basti, 2015-09-21; 1 file, -2/+2)
  addifnew should add the value only if the entry exists, instead of creating the entry.
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Limit max age of replication changelog (Martin Basti, 2015-09-21; 1 file, -0/+1)
  Limit the max age of the replication changelog to seven days instead of letting it grow to unlimited size.
  https://fedorahosted.org/freeipa/ticket/5086
  Reviewed-By: David Kupka <dkupka@redhat.com>

* install: support KRA update (Jan Cholasta, 2015-09-17; 1 file, -1/+6)
  https://fedorahosted.org/freeipa/ticket/5250
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* Use byte literals where appropriate (Jan Cholasta, 2015-09-17; 2 files, -7/+7)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* Alias "unicode" to "str" under Python 3 (Jan Cholasta, 2015-09-17; 10 files, -0/+45)
  The six way of doing this is to replace all occurrences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* winsync: Add inetUser objectclass to the passsync sysaccount (Tomas Babej, 2015-09-16; 1 file, -1/+1)
  https://bugzilla.redhat.com/show_bug.cgi?id=1262315
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Server Install: print message that client is being installed (Martin Basti, 2015-09-11; 2 files, -0/+2)
  The IPA client is installed on the server side during the "Restarting web server" step, which lasts too long. This commit explicitly prints a message that the IPA client is being installed.
  Reviewed-By: Simo Sorce <ssorce@redhat.com>

* IPA Restore: allows to specify files that should be removed (Martin Basti, 2015-09-11; 1 file, -0/+28)
  Some files/directories should be removed before backup files are copied to the filesystem.
  In the case of DNSSEC, the /var/lib/ipa/dnssec/tokens directory has to be removed, otherwise the backed-up tokens and the existing tokens will be mixed and SoftHSM login will not work.
  https://fedorahosted.org/freeipa/ticket/5293
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Server Upgrade: backup CS.cfg when dogtag is turned off (Martin Basti, 2015-09-11; 1 file, -1/+4)
  CS.cfg cannot be backed up while dogtag is running.
  https://fedorahosted.org/freeipa/ticket/5287
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Using LDAPI to setup CA and KRA agents. (Endi S. Dewata, 2015-09-07; 2 files, -90/+72)
  The CA and KRA installation code has been modified to use LDAPI to create the CA and KRA agents directly in the CA and KRA database. This way it's no longer necessary to use the Directory Manager password or the CA and KRA admin certificate.
  https://fedorahosted.org/freeipa/ticket/5257
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Use six.with_metaclass to specify metaclasses (Jan Cholasta, 2015-09-07; 1 file, -3/+2)
  Metaclass specification is incompatible between Python 2 and 3. Use the six.with_metaclass helper to specify metaclasses.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* DNSSEC: remove ccache and keytab of ipa-ods-exporter (Martin Basti, 2015-09-03; 1 file, -0/+7)
  Reusing the old ccache after reinstall causes an authentication error and prevents DNSSEC from working.
  Related to ticket: https://fedorahosted.org/freeipa/ticket/5273
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* DNSSEC: backup and restore opendnssec zone list file (Martin Basti, 2015-09-03; 1 file, -1/+5)
  When the zone list is not restored after uninstall, this may slow down enabling DNSSEC signing for zones and print unwanted errors into the log after a new installation.
  Related to: https://fedorahosted.org/freeipa/ticket/5273
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* Installer: do not modify /etc/hosts before user agreement (Martin Basti, 2015-09-03; 4 files, -18/+53)
  https://fedorahosted.org/freeipa/ticket/4561
  As a side effect this also fixes: https://fedorahosted.org/freeipa/ticket/5266
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Server Upgrade: fix traceback caused by cidict (Martin Basti, 2015-09-03; 1 file, -1/+1)
  Traceback caused by the recent py3 code migration.
  https://fedorahosted.org/freeipa/ticket/5283
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>