path: root/install/tools
Commit message (Author, Age, Files, Lines)
* Enforce host existence only where needed in ipa-replica-manage (Tomas Babej, 2013-05-02, 2 files, -48/+73)
  In ipa-replica-manage commands, we enforce that hostnames we work with are resolvable. However, this caused errors while deleting or disconnecting an ipa / winsync replica, if that replica was down and authoritative server for itself.
  Also adds an --no-lookup flag to disable host existence checks.
  https://fedorahosted.org/freeipa/ticket/3524
* Always stop dirsrv in 'ipactl stop' (Ana Krivokapic, 2013-04-29, 1 file, -11/+9)
  Ensure that 'ipactl stop' stops the dirsrv instance, even when no other services are running.
  https://fedorahosted.org/freeipa/ticket/3574
* Fix syntax errors in schema files (Petr Viktorin, 2013-04-26, 1 file, -0/+65)
  - add missing closing parenthesis in idnsRecord declaration
  - remove extra dollar sign from ipaSudoRule declaration
  - handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
  This does not use the schema updater because the syntax needs to be fixed in the files themselves, otherwise 389 1.3.2+ will fail to start. Older DS versions transparently fix the syntax errors.
  The existing ldap-updater directive for ipaSudoRule is fixed (ldap-updater runs after upgradeconfig).
  https://fedorahosted.org/freeipa/ticket/3578
* Do not display an interactive mode message in unattended mode (Ana Krivokapic, 2013-04-24, 1 file, -2/+3)
  https://fedorahosted.org/freeipa/ticket/3576
* Update only selected attributes for winsync agreement (Tomas Babej, 2013-04-16, 2 files, -4/+15)
  Trying to insert nsDS5ReplicatedAttributeListTotal and nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors. With this patch, these attributes are skipped for winsync agreements.
  Made find_ipa_replication_agreements() in replication.py more corresponding to find_replication_agreements. It returns a list of entries instead of unicode strings now.
  https://fedorahosted.org/freeipa/ticket/3522
* Drop --selfsign server functionality (Petr Viktorin, 2013-04-15, 2 files, -8/+2)
  Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
  Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Remove obsolete self-sign references from man pages, docstrings, comments (Petr Viktorin, 2013-04-15, 1 file, -1/+1)
  Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Uninstall selfsign CA on upgrade (Petr Viktorin, 2013-04-15, 1 file, -1/+24)
  This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* Delete DNS records in ipa-ca on ipa-csreplica-manage del. (Jan Cholasta, 2013-04-15, 1 file, -1/+13)
  https://fedorahosted.org/freeipa/ticket/3547
* Use A/AAAA records instead of CNAME records in ipa-ca. (Jan Cholasta, 2013-04-15, 3 files, -26/+31)
  https://fedorahosted.org/freeipa/ticket/3547
* ipa-server-install: correct help text for --external_{cert,ca}_file (Petr Viktorin, 2013-04-15, 2 files, -7/+7)
  The options take PEM certificates, not PKCS#10. This corrects both the --help output and the man page.
  https://fedorahosted.org/freeipa/ticket/3523
* Full system backup and restore (Rob Crittenden, 2013-04-12, 8 files, -118/+278)
  This will allow one to back up and restore the IPA files and data. This does not cover individual entry restoration.
  http://freeipa.org/page/V3/Backup_and_Restore
  https://fedorahosted.org/freeipa/ticket/3128
* Properly handle ipa-replica-install when its zone is not managed by IPA (Tomas Babej, 2013-04-02, 1 file, -6/+16)
  The ipa-replica-install script tries to add replica's A and PTR records to the master DNS, if master does manage DNS. However, master need not manage replica's zone. Properly handle this use case.
  https://fedorahosted.org/freeipa/ticket/3496
* Load the CA cert into server NSS databases (Petr Viktorin, 2013-04-02, 2 files, -4/+8)
  The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CA (Petr Viktorin, 2013-04-02, 2 files, -12/+56)
  Design: http://freeipa.org/page/V3/CA-less_install
  https://fedorahosted.org/freeipa/ticket/3363
* ipa-server-install: Remove the --selfsign option (Petr Viktorin, 2013-04-02, 2 files, -44/+33)
  Instead, certificates in pkcs12 files can be given to set up IPA with no CA at all. Use a flag, setup_ca, to signal if a CA is being installed.
  Design: http://freeipa.org/page/V3/Drop_selfsign
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* ipa-server-install: Make temporary pin files available for the whole installation (Petr Viktorin, 2013-04-02, 1 file, -37/+21)
  We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure.
  Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected.
  Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
* Put pid-file to named.conf (Martin Kosek, 2013-03-29, 1 file, -1/+44)
  Fedora 19 has split /var/run and /run directories while in Fedora 18 it used to be a symlink. Thus, named may expect its PID file to be in a different directory than it really is and fail to start.
  Add pid-file configuration option to named.conf both for new installations and for upgraded machines.
* Add mkhomedir option to ipa-server-install and ipa-replica-install (Ana Krivokapic, 2013-03-28, 4 files, -0/+22)
  Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install.
  https://fedorahosted.org/freeipa/ticket/3515
* Use default NETBIOS name in unattended ipa-adtrust-install (Ana Krivokapic, 2013-03-22, 1 file, -1/+4)
  Unattended ipa-adtrust-install used to fail if --netbios option was not provided. This patch fixes this, so that instead of failing the default NETBIOS name is used.
  https://fedorahosted.org/freeipa/ticket/3497
* Add DNS Setup Prompt to Install (Brian Cook, 2013-03-21, 1 file, -0/+5)
  Currently the only way to set up integrated DNS is by passing --setup-dns to ipa-server-install. This patch modifies install so that if --setup-dns is not passed, the user is asked if they want to configure integrated dns.
  http://fedorahosted.org/freeipa/ticket/2575
* Improve some error handling in ipa-replica-manage (Rob Crittenden, 2013-03-14, 1 file, -3/+6)
  If you break a replica install after the agreement is created but before it gets much further you'll be in the situation where an agreement exists, no cn=masters entry exists, and the RUV may not be set yet.
  This adds some error handling so the broken install can be safely removed.
  https://fedorahosted.org/freeipa/ticket/3444
* Do not force named connections on upgrades (Martin Kosek, 2013-03-14, 1 file, -1/+1)
  We used to set connections argument for bind-dyndb-ldap even when the attribute was not in named.conf. This is not necessary as the bind-dyndb-ldap plugin chooses a sane default instead of us.
* Use tkey-gssapi-keytab in named.conf (Martin Kosek, 2013-03-14, 1 file, -1/+68)
  Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available.
  Both new and current IPA installations are updated.
  https://fedorahosted.org/freeipa/ticket/3429
* Extend ipa-replica-manage to be able to manage DNA ranges. (Rob Crittenden, 2013-03-13, 2 files, -7/+326)
  Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error.
  Some validation of the ranges is done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters.
  http://freeipa.org/page/V3/Recover_DNA_Ranges
  https://fedorahosted.org/freeipa/ticket/3321
* Remove ipaserver/ipaldap.py (Petr Viktorin, 2013-03-13, 4 files, -9/+5)
  In addition to removing the module, fix all places where it was imported.
  Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Fix installing server with external CA (Petr Viktorin, 2013-03-08, 1 file, -34/+42)
  Reorganize ipa-server-install so that DS (and NTP server) installation only happens in step one.
  Change CAInstance to behave correctly in two-step install.
  Add an `init_info` method to DSInstance that includes common attribute/sub_dict initialization from create_instance and create_replica. Use it in ipa-server-install to get a properly configured DSInstance for later tasks.
  https://fedorahosted.org/freeipa/ticket/3459
* ipa-replica-manage: migrate to single_value after LDAPEntry updates (Alexander Bokovoy, 2013-03-06, 1 file, -2/+2)
* Remove support for DN normalization from LDAPClient. (Jan Cholasta, 2013-03-01, 2 files, -6/+6)
* Use the dn attribute of LDAPEntry to set/get DNs of entries. (Jan Cholasta, 2013-03-01, 2 files, -6/+6)
  Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn attribute instead.
* Remove some uses of raw python-ldap (Petr Viktorin, 2013-03-01, 5 files, -176/+110)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Use IPAdmin rather than raw python-ldap in ipactl (Petr Viktorin, 2013-03-01, 1 file, -42/+32)
  Add a new init argument, ldap_uri, to IPAdmin to make this possible.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.unbind_s(), keep unbind() (Petr Viktorin, 2013-03-01, 2 files, -3/+3)
  The unbind and unbind_s functions do the same thing (both are synchronous). In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove search_s and search_ext_s from IPAdmin (Petr Viktorin, 2013-03-01, 2 files, -11/+13)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE) (Petr Viktorin, 2013-03-01, 3 files, -12/+9)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace deleteEntry with delete_entry (Petr Viktorin, 2013-03-01, 1 file, -2/+2)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace getList by a get_entries method (Petr Viktorin, 2013-03-01, 3 files, -14/+15)
  The find_entries method is cumbersome to use: it requires keyword arguments for simple uses, and callers are tempted to ignore the 'truncated' flag it returns.
  Introduce a simpler method, get_entries, that returns the found list directly, and raises an error if the list is truncated.
  Replace the getList method by get_entries.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_value (Petr Viktorin, 2013-03-01, 3 files, -28/+40)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.get_dns_sorted_by_length (Petr Viktorin, 2013-03-01, 1 file, -6/+4)
  A simple sort(key=len) is simpler both implementation-wise and semantics-wise.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove some unused imports (Petr Viktorin, 2013-03-01, 3 files, -4/+0)
  Remove all unused LDAP-related imports, plus some other ones. This should make it easier to quickly check what uses which LDAP wrapper.
* Check SSH connection in ipa-replica-conncheck (Petr Viktorin, 2013-02-19, 1 file, -8/+35)
  Since it is not really possible to separate SSH errors from errors of the called program, add an SSH check before calling replica-conncheck on the master.
  The check also adds the master to a temporary known_hosts file, so suppressing SSH's warning about unknown host is no longer necessary.
  If the "real" connection fails despite the check, any SSH errors will be included in the output.
  https://fedorahosted.org/freeipa/ticket/3402
* Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir (Jakub Hrozek, 2013-02-18, 1 file, -1/+1)
  https://fedorahosted.org/freeipa/ticket/3132
* ipa-adtrust-install should ask for SID generation (Martin Kosek, 2013-02-12, 1 file, -6/+42)
  When ipa-adtrust-install is run, check if there are any objects that need to have a SID generated. If yes, interactively ask the user if the sidgen task should be run.
  https://fedorahosted.org/freeipa/ticket/3195
* Add LDAP server fallback to client installer (Rob Crittenden, 2013-02-07, 1 file, -1/+1)
  Change the discovery code to validate all servers, regardless of where they originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server.
  If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed.
  https://fedorahosted.org/freeipa/ticket/3388
* Take into consideration services when deleting replicas (Ana Krivokapic, 2013-02-06, 1 file, -0/+23)
  When deleting a replica from IPA domain:
  * Abort if the installation is about to be left without CA
  * Warn if the installation is about to be left without DNS
  Ticket: https://fedorahosted.org/freeipa/ticket/2879
* Port ipa-replica-prepare to the admintool framework (Petr Viktorin, 2013-02-01, 1 file, -488/+4)
  Break the script into several smaller methods.
  Use modern idioms: os.path.join instead of string addition; the with statement for closing files.
  Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output)
  Part of: https://fedorahosted.org/freeipa/ticket/2652
  Fixes: https://fedorahosted.org/freeipa/ticket/3285
* Use fully qualified CCACHE names (Martin Kosek, 2013-02-01, 3 files, -3/+3)
  Some parts of install scripts used only ccache name as returned by krbV.CCache.name attribute. However, when this name is used again to initialize krbV.CCache object or when it is used in KRB5CCNAME environment variable, it fails for the new DIR type of CCACHE.
  We should always use both CCACHE type and name when referring to them to avoid these crashes.
  ldap2 backend was also updated to accept directly krbV.CCache object which contains everything we need to authenticate with ccache.
  https://fedorahosted.org/freeipa/ticket/3381
* Remove unused krbV imports (Martin Kosek, 2013-02-01, 1 file, -1/+0)
  https://fedorahosted.org/freeipa/ticket/3381
* Fix a typo in ipa-adtrust-install help (Tomas Babej, 2013-01-31, 1 file, -1/+1)
  "Add SIDs for existing users andgroups as the final step" changed to "Add SIDs for existing users and groups as the final step".
* Use new certmonger locking to prevent NSS database corruption. (Rob Crittenden, 2013-01-29, 1 file, -1/+53)
  dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database.
  certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a renewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're safe from certmonger.
  dogtag needs to be shut down in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command.
  Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well.
  Update the CA ou=People entry when the CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance.
  https://fedorahosted.org/freeipa/ticket/3292
  https://fedorahosted.org/freeipa/ticket/3322