| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
In ipa-replica-manage commands, we enforce that hostnames we work
with are resolvable. However, this caused errors while deleting
or disconnecting a ipa / winsync replica, if that replica was down
and authoritative server for itself.
Also adds an --no-lookup flag to disable host existence checks.
https://fedorahosted.org/freeipa/ticket/3524
|
|
|
|
|
|
|
| |
Ensure that 'ipactl stop' stops the dirsrv instance, even when no other
services are running.
https://fedorahosted.org/freeipa/ticket/3574
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.
The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).
https://fedorahosted.org/freeipa/ticket/3578
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3576
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.
Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.
https://fedorahosted.org/freeipa/ticket/3522
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
|
|
|
| |
The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.
https://fedorahosted.org/freeipa/ticket/3523
|
|
|
|
|
|
|
|
|
| |
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.
http://freeipa.org/page/V3/Backup_and_Restore
https://fedorahosted.org/freeipa/ticket/3128
|
|
|
|
|
|
|
|
|
| |
The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not manage replica's zone. Properly handle this use
case.
https://fedorahosted.org/freeipa/ticket/3496
|
|
|
|
|
|
|
|
|
| |
The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/CA-less_install
https://fedorahosted.org/freeipa/ticket/3363
|
|
|
|
|
|
|
|
|
| |
Instead, certificates in pkcs12 files can be given to set up
IPA with no CA at all.
Use a flag, setup_ca, to signal if a CA is being installed.
Design: http://freeipa.org/page/V3/Drop_selfsign
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
installation
We pass names of files with pkcs12 pins to installers which may continue to
use the files after the initial call to create_instance, at which point
the installer has already removed them.
Also, some of the files were not properly removed on failure.
Use ipautil.write_tmp_file for the pin files, which returns a
NamedTemporaryFile object that removes the underlying file when it is
garbage-collected.
Create the files at start of installation. This will allow checking
the pkcs#12 files before the system is modified.
|
|
|
|
|
|
|
|
|
| |
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
|
|
|
|
|
|
|
| |
Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.
https://fedorahosted.org/freeipa/ticket/3515
|
|
|
|
|
|
|
|
| |
Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.
https://fedorahosted.org/freeipa/ticket/3497
|
|
|
|
|
|
|
|
|
| |
Currently the only way to setup integrated DNS is by passing --setup-dns
to ipa-server-install. This patch modifies install so that if
--setup-dns is not passed, the user is asked if they want to configure
integrated dns.
http://fedorahosted.org/freeipa/ticket/2575
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you break a replica install after the agreement is created but
before it gets much further you'll be in the situation where an
agreement exists, no cn=masters entry exists, and the RUV may not
be set yet.
This adds some error handling so the broken install can be safely
removed.
https://fedorahosted.org/freeipa/ticket/3444
|
|
|
|
|
|
| |
We used to set connections argument for bind-dyndb-ldap even when
the attribute was not in named.conf. This is not necessary as
the bind-dyndb-ldap plugin chooses a sane default instead of us.
|
|
|
|
|
|
|
|
|
|
|
| |
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.
If one cannot be found then it is reported as an error.
Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.
http://freeipa.org/page/V3/Recover_DNA_Ranges
https://fedorahosted.org/freeipa/ticket/3321
|
|
|
|
|
|
| |
In addition to removing the module, fix all places where it was imported.
Preparation for: https://fedorahosted.org/freeipa/ticket/3446
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reorganize ipa-server-instal so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
|
| |
|
| |
|
|
|
|
|
| |
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
Add a new init argument, ldap_uri, to IPAdmin to make this possible.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
| |
The unbind and unbind_s functions do the same thing (both are synchronous).
In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
|
|
|
|
| |
The find_entries method is cumbersome to use: it requires keyword arguments
for simple uses, and callers are tempted to ignore the 'truncated' flag
it returns.
Introduce a simpler method, get_entries, that returns the found
list directly, and raises an errors if the list is truncated.
Replace the getList method by get_entries.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
|
| |
A simple sort(key=len) is simpler both implementation-wise and
semantics-wise.
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
|
|
|
|
|
| |
Remove all unused LDAP-related imports, plus some other ones.
This should make it easier to quickly check what uses which LDAP wrapper
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.
The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.
https://fedorahosted.org/freeipa/ticket/3402
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3132
|
|
|
|
|
|
|
|
| |
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.
https://fedorahosted.org/freeipa/ticket/3195
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.
If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.
If a server is not an IPA server it is removed.
https://fedorahosted.org/freeipa/ticket/3388
|
|
|
|
|
|
|
|
| |
When deleting a replica from IPA domain:
* Abort if the installation is about to be left without CA
* Warn if the installation is about to be left without DNS
Ticket: https://fedorahosted.org/freeipa/ticket/2879
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Break the script into several smaller methods.
Use modern idioms: os.path.join instead of string addition; the with statement
for closing files.
Add --quiet, --verbose, and --log-file options. Use logging instead of print
statements. (http://freeipa.org/page/V3/Logging_and_output)
Part of: https://fedorahosted.org/freeipa/ticket/2652
Fixes: https://fedorahosted.org/freeipa/ticket/3285
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3381
|
|
|
|
|
| |
"Add SIDs for existing users andgroups as the final step" changed
to "Add SIDs for existing users and groups as the final step".
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
|