summaryrefslogtreecommitdiffstats
path: root/ipaserver/install
Commit message (Collapse)AuthorAgeFilesLines
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-051-1/+1
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Fix wording of error message.Jan Cholasta2011-03-291-1/+1
| | | | ticket 1009
* Wait for Directory Server ports to openMartin Kosek2011-03-213-12/+34
| | | | | | | | | | | When Directory Server operation is run right after the server restart the listening ports may not be opened yet. This makes the installation fail. This patch fixes this issue by waiting for both secure and insecure Directory Server ports to open after every restart. https://fedorahosted.org/freeipa/ticket/1076
* Automatically update IPA LDAP on rpm upgradesRob Crittenden2011-03-212-21/+53
| | | | | | | | | | | | | | | Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087
* Ensure that the system hostname is lower-case.Rob Crittenden2011-03-181-0/+3
| | | | ticket 1080
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.Rob Crittenden2011-03-154-15/+79
| | | | | | | | | | | | | | | | This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
* Domain to RealmSimo Sorce2011-03-141-10/+15
| | | | | | | | Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same. https://bugzilla.redhat.com/show_bug.cgi?id=684690 https://fedorahosted.org/freeipa/ticket/1091
* Use TLS for dogtag replication agreements.Rob Crittenden2011-03-101-4/+52
| | | | | | | | Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
* ipa-dns-install script failsMartin Kosek2011-03-081-1/+1
| | | | | | | This patch fixes a typo in class Service, function __get_conn which causes ipa-dns-install script to fail every time. https://fedorahosted.org/freeipa/ticket/1065
* Use ldapi: instead of unsecured ldap: in ipa core tools.Pavel Zuna2011-03-031-15/+30
| | | | | | The patch also corrects exception handling in some of the tools. Fix #874
* Inconsistent sysrestore file handling by IPA server installerMartin Kosek2011-03-031-2/+5
| | | | | | | | | | | | IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before. The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image. https://fedorahosted.org/freeipa/ticket/1026
* Store list of non-master replicas in DIT and provide way to list themSimo Sorce2011-03-021-0/+12
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label.Rob Crittenden2011-03-011-1/+1
| | | | ticket 1005
* Fix replica setup using replication admin kerberos credentialsSimo Sorce2011-03-011-1/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1022
* Use wrapper for sasl gssapi binds so it behaves like other bindsSimo Sorce2011-03-012-9/+6
| | | | | | | | | | By calling directly sasl_interactive_bind_s() we were not calling __lateinit() This in turn resulted in some variables like dbdir not to be set on the IPAadmin object. Keep all bind types in the same place so the same common sbind steps can be performed in each case. Related to: https://fedorahosted.org/freeipa/ticket/1022
* Fix winsync agreements setupSimo Sorce2011-03-011-23/+38
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1006
* Set SuiteSpotGroup when setting up our 389-ds instances.Rob Crittenden2011-02-242-1/+5
| | | | | | | | The group is now required because 389-ds has tightened the permissions on /var/run/dirsrv. We use the same group for both our LDAP instances and /var/run/dirsrv ends up as root:dirsrv mode 0770. ticket 1010
* Create default disabled sudo bind userJr Aquino2011-02-232-2/+12
| | | | | | | | Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information. https://fedorahosted.org/freeipa/ticket/998
* Add default roles and permissions for HBAC, SUDO and pw policyRob Crittenden2011-02-221-2/+14
| | | | | | | | | | | Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585
* Use unicode parameters in the host pluginJakub Hrozek2011-02-181-3/+1
| | | | https://fedorahosted.org/freeipa/ticket/977
* Fix NSS initialization errors during ipa-replica-prepareRob Crittenden2011-02-181-1/+1
| | | | | | | | | | | When enabling replication we make an SSL connection. I think the way this goes is python-ldap -> openldap -> NSS. It may be a problem in the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any case if we use ldapi instead the problem goes away. Back out the temporary code to ignore nss_shutdown errors. ticket 965
* Fix handling of /etc/hostsJan Cholasta2011-02-151-5/+14
| | | | ticket 971
* Fine tuning DNS optionsJakub Hrozek2011-02-142-4/+23
| | | | | | | | | | | | Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client. https://fedorahosted.org/freeipa/ticket/931
* Let 389-ds start up even if Kerboros is not configured yet.Rob Crittenden2011-02-141-5/+9
| | | | | | | | | | | | The situation is if during installation /etc/krb5.conf either doesn't exist or configures no realms then 389-ds won't start up at all, causing the installation to fail. This will let the server start up in a degraded mode. Also need to make the sub_dict in ldapupdate.py handle no realm otherwise the installation will abort enabling the compat plugin. ticket 606
* Add a replace option to ipa-ldap-updater.Rob Crittenden2011-02-141-1/+14
| | | | | | | | We have no way to say "replace value X with Y". This would be useful for us to replace a default value only if the user hasn't already updated it. related to ticket 930
* Ensure that file ownership doesn't change when config is updated.Rob Crittenden2011-02-111-0/+4
| | | | | | | | | Out of the blue update_file() and set_directive() changed file ownership to root:root when it updated some files. This was causing dogtag to break. So grab the owner before opening the file and reset it after closing. ticket 928
* Disable replication version plugin by default.Rob Crittenden2011-02-102-0/+25
| | | | | | | | | | | | | | | | The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the repliation plugin and if it is there then we enable the version plugin before replication begins. ticket 918
* Fix crash in DNS installer.Pavel Zuna2011-02-101-3/+3
| | | | Fix #927
* ipa-server-install inconsistent capitalizationMartin Kosek2011-02-033-7/+7
| | | | | | | | | A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
* IPv6 enhancementsJakub Hrozek2011-02-022-14/+23
| | | | | | | * Make host-add, host-del and reverse zone creation IPv6 aware * Make Bind listen on IPv6 interfaces, too https://fedorahosted.org/freeipa/ticket/398
* Fix installing with an external CA and wait for dogtag to come upRob Crittenden2011-02-011-0/+23
| | | | | | | | | | | | | | | | | | | | | There wasn't an exception in the "is the server already installed" check for a two-stage CA installation. Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete. Previously nothing would work if the installer was run more than once, this should be fixed now. The cache is encrypted using the DM password. The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available. This also adds an additional restart to ensure that nonces are disabled. ticket 835 revise
* Force sync in both direction before changing replication agreementsSimo Sorce2011-02-011-15/+25
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/887
* Add an address for a nameserver when a new zone is created during installJakub Hrozek2011-01-311-8/+12
| | | | https://fedorahosted.org/freeipa/ticket/881
* Fix privilege name we are assigning to DNS principal.Rob Crittenden2011-01-311-1/+1
| | | | This fixes an installation failure.
* Use a common group for all DS instancesSimo Sorce2011-01-313-65/+58
| | | | | | | | Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
* Fix assorted bugs found by pylintJakub Hrozek2011-01-252-3/+3
|
* Fix ipa-replica-manage regressions with winsyncSimo Sorce2011-01-252-3/+6
| | | | | | Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807
* Always add DNS records when installing a replicaSimo Sorce2011-01-251-0/+58
| | | | | | | Even if the replica is not running a DNS server other replicas might. So if the DNS container is present, then try to add DNS records. Fixes: https://fedorahosted.org/freeipa/ticket/824
* Populate shared tree with replica related valuesSimo Sorce2011-01-252-0/+51
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Do not set a replication dn when using SASL/GSSAPI replicationSimo Sorce2011-01-241-23/+16
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/817
* Update kerberos password policy values on LDAP binds.Rob Crittenden2011-01-211-0/+4
| | | | | | | | | | | | | | | On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
* Allow SASL/EXTERNAL authentication for the root userSimo Sorce2011-01-201-0/+5
| | | | | | | | This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrvSimo Sorce2011-01-201-0/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/812
* Add a way to print output from commandsSimo Sorce2011-01-181-12/+15
| | | | | | | | Instead pof always capturing the output, make it possible to let it go to the standard output pipes. Use this in ipactl to let init scripts show their output. Fixes: https://fedorahosted.org/freeipa/ticket/765
* Password generation and logging in ipa-server-installMartin Kosek2011-01-182-2/+7
| | | | | | | | | | | | When a randomly generated password contains a space character as the first or the last character, installation fails on kdb5_ldap_util calling, which does not accept that. This patch fixes the generator to generate space only on allowed position. This patch also ensures that no password is printed to server install log. https://fedorahosted.org/freeipa/ticket/731
* Fix replica installation warningsSimo Sorce2011-01-141-2/+2
| | | | | We were attempting to re-add these entries on the replicas too. Which were failing because these containers, obviously, already existed there.
* Port installer and host plugin to the new DNS pluginJakub Hrozek2011-01-141-15/+15
| | | | | | * move ipa dns-resolve to the new plugin * port the installer and the host plugin to the new interface * remove the old plugin
* Remove radius options completely.Simo Sorce2011-01-141-2/+0
| | | | | | | This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etcSimo Sorce2011-01-141-2/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/760
* Use GSSAPI for replicationSimo Sorce2011-01-142-13/+141
| | | | | | | Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
generated by cgit (git 2.34.1) at 2024-11-20 16:27:43 +0000