summaryrefslogtreecommitdiffstats
path: root/install/tools
Commit message (Collapse)AuthorAgeFilesLines
* Formatting fixes and change in security domain apiAde Lee2014-05-271-10/+15
| | | | Re-added function for rebase.
* Allow ipa-replica-install to be used for installing replicasAde Lee2014-05-274-102/+75
|
* set drm to not install by default with ipa-server-installAde Lee2014-05-271-1/+4
|
* Added nolog to pkispawn and some additional fixes from review.Ade Lee2014-05-272-1/+3
|
* Fix various pep 8 issues and comments from reviewAde Lee2014-05-273-6/+4
|
* Added ipa-drm-installAde Lee2014-05-274-64/+201
| | | | | | | | | | ipa-drm-install can be used (with no arguments) to add a DRM to an existing ipa instance that already contains a Dogtag CA. In a subsequent patch, I will add logic to this script to detect if a drm naming context exists, and if so, to look for a replica file for installing on a replica.
* Add a DRM to IPAAde Lee2014-05-274-13/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. It is also possible to clone the DRM. When the IPA instance is cloned, if --enable-ca and --enable-drm are specified, the DRM is cloned as well. Installing a DRM requires the user to have a Dogtag CA instance. We can look into possibly relaxing that requirement in a later patch. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to DRM and CA installs. This will become very useful when we add more PKI subsystems. I am still working on patches for a ipa-drm-install script, which would be used to add a DRM to an existing master (that includes a dogtag CA), or an existing clone.
* admin tools: Log IPA versionPetr Viktorin2014-05-277-0/+7
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed typo in ipa-replica-manage man pageThorsten Scherf2014-05-121-1/+1
| | | | Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* Adding verb to error message to make it less confusing.Jan Pazdziora2014-05-061-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Update certmonger configuration in ipa-upgradeconfig.Jan Cholasta2014-03-251-57/+90
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use the same certmonger configuration for both CA masters and clones.Jan Cholasta2014-03-251-10/+4
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Store information about which CA server is master for renewals in LDAP.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use dogtag-ipa-ca-renew-agent to track certificates on master CA.Jan Cholasta2014-03-251-2/+2
| | | | | | | | | Before, dogtag-ipa-renew-agent was used to track the certificates and the certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code was removed from renew_ca_cert and renew_ra_cert. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Show progress when enabling SSL in DS in ipa-server-install output.Jan Cholasta2014-03-251-4/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Upload CA certificate from DS NSS database in CA-less server install.Jan Cholasta2014-03-251-9/+3
| | | | | | | | | | Before, the file provided in the --root-ca-file option was used directly for the upload. However, it is the same file which is imported to the NSS database, so the second code path is not necessary. Also removed now unused upload_ca_dercert method of dsinstance. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Do not create CA certificate files in CA-less server install.Jan Cholasta2014-03-251-15/+4
| | | | | | | | | | The files are created later by ipa-client-install, there's no need to do it twice. This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-255-9/+7
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update Dogtag 9 database during replica installationMartin Kosek2014-03-142-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9 based master, the PKI database is not updated and miss several ACLs which prevent some of the PKI functions, e.g. an ability to create other clones. Add an update file to do the database update. Content is based on recommendation from PKI team: * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9 This update file can be removed when Dogtag database upgrades are done in PKI component. Upstream tickets: * https://fedorahosted.org/pki/ticket/710 (database upgrade framework) * https://fedorahosted.org/pki/ticket/906 (checking database version) Also make sure that PKI service is restarted in the end of the installation as the other services to make sure it picks changes done during LDAP updates. https://fedorahosted.org/freeipa/ticket/4243 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-112-24/+11
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Typo in warning message where IPA realm and domain name differGabe2014-03-051-1/+1
| | | | | | | | Removed 'y' from warning message. https://fedorahosted.org/freeipa/ticket/4211 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add --force option to ipactlAdam Misnyovszki2014-02-202-48/+67
| | | | | | | | | | | | | | | | If an error occurs in the start up sequence in ipactl start/restart, all the services are stopped. Using the --force option prevents stopping of services that have successfully started, just skips the services which can not be started. ipactl status now shows stopped services also, if the directory server is running. With the contribution of Ana Krivokapic https://fedorahosted.org/freeipa/ticket/3509 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipactl can not restart ipa services if current status is stoppedMisnyovszki Adam2014-02-191-2/+12
| | | | | | | | | | | | | | fixed by starting the directory server when restarting if it is not currently running to enable fetching running services later restart didn't check that also added a check, that if the directory server started at the beginning, there is no need to restart it https://fedorahosted.org/freeipa/ticket/4050 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove working directory for bind-dyndb-ldap plugin.Petr Spacek2014-01-271-4/+1
| | | | | | | | | The working directory will be provided directly by bind-dyndb-ldap package. This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08. https://fedorahosted.org/freeipa/ticket/3967
* Convert remaining installer code to LDAPEntry API.Jan Cholasta2014-01-245-24/+22
|
* ipa-replica-install: Move check for existing host before DNS resolution checkPetr Viktorin2014-01-231-15/+24
| | | | | | | | | | | | | | | | | | | The checks for existing host and existing replication agreement set a flag that caused an exit() if any of them failed. Between these checks there was an unrelated check, DNS resolution. If the host and DNS checks both failed, this made it look like the DNS check was the cause of failed install. Especially if the user ignored the DNS check in unattended mode, the output was confusing. Remove the flag and fail directly. Do the replication agreement check first; fixing this with ipa-replica-manage del will also remove the host entry. Also, use the logger for error messages so they appear in the log file as well as on the console. https://fedorahosted.org/freeipa/ticket/3889
* Switch httpd to use default CCACHEMartin Kosek2014-01-221-1/+6
| | | | | | | | | | | | | Stock httpd no longer uses systemd EnvironmentFile option which is making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard to debug problems during subsequent ipa-server-install's where HTTP may use a stale CCACHE in the default kernel keyring CCACHE. Avoid forcing custom CCACHE and switch to system one, just make sure that it is properly cleaned by kdestroy run as "apache" user during FreeIPA server installation process. https://fedorahosted.org/freeipa/ticket/4084
* Enable Retro Changelog and Content Synchronization DS pluginsAna Krivokapic2014-01-141-1/+4
| | | | | | | | | Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967
* Use /usr/bin/python2Xiao-Long Chen2014-01-0319-19/+19
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Fix incorrect path in error message on sysrestore failureTomas Babej2013-12-201-5/+10
| | | | | | | | On sysrestore failure, user is prompted out to remove the sysrestore file. However, the path to the sysrestore file mentioned in the sentence is not correct. https://fedorahosted.org/freeipa/ticket/4080
* Remove mod_ssl port workaround.Jan Cholasta2013-11-261-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/4021
* Update the man page for ipa-ldap-updaterPetr Viktorin2013-11-181-8/+20
|
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-054-48/+48
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Guard import of adtrustinstance for case without trustsAlexander Bokovoy2013-11-041-2/+8
| | | | https://fedorahosted.org/freeipa/ticket/4011
* Track DS certificate with certmonger on replicas.Jan Cholasta2013-10-291-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3975
* Remove mod_ssl conflictMartin Kosek2013-10-253-0/+9
| | | | | | | | | | | Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one machine (of course, when listening to different ports). To make sure that mod_ssl is not configured to listen on 443 (default mod_ssl configuration), add a check to the installer checking of either mod_nss or mod_ssl was configured to listen on that port. https://fedorahosted.org/freeipa/ticket/3974
* adtrustinstance: Properly handle uninstall of AD trust instanceTomas Babej2013-10-142-2/+5
| | | | | | | | | | | | | | | | | | The uninstall method of the AD trust instance was not called upon at all in the ipa-server-install --uninstall phase. This patch makes sure that AD trust instance is unconfigured when the server is uninstalled. The following steps are undertaken: * Remove /var/run/samba/krb5cc_samba * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab * Remove /var/lib/samba/*.tdb files Additionally, we make sure winbind service is stopped from within the stop() method. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-adtrust-install: Add warning that we will break existing samba configurationTomas Babej2013-10-141-3/+15
| | | | | | | | In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install, print a warning that we will break existing samba configuration and ask for a confirmation in the interactive mode. Part of: https://fedorahosted.org/freeipa/ticket/3479
* ipa-upgradeconfig: Remove backed up smb.confTomas Babej2013-10-141-0/+14
| | | | | | | | | | | Since we are not able to properly restore the Samba server to the working state after running ipa-adtrust-install, we should not keep the smb.conf in the fstore. This patch makes sure that any backed up smb.conf is removed from the backup and that this file is not backed up anymore. Part of: https://fedorahosted.org/freeipa/ticket/3479
* Winsync re-initialize should not run memberOf fixup taskMartin Kosek2013-10-111-5/+6
| | | | | | | Change re-initialize command to consider memberOf fixup task only for non-winsync replication agreements. https://fedorahosted.org/freeipa/ticket/3854
* Remove --no-serial-autoincrementMartin Kosek2013-10-114-15/+1
| | | | | | | | Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work. https://fedorahosted.org/freeipa/ticket/3962
* Do not allow '%' in DM passwordMartin Kosek2013-10-041-1/+1
| | | | | | | Having '%' in DM password causes pkispawn to crash. Do not allow users to enter it until pkispawn is fixed. https://bugzilla.redhat.com/show_bug.cgi?id=953488
* Allow PKCS#12 files with empty password in install tools.Jan Cholasta2013-10-041-6/+6
| | | | https://fedorahosted.org/freeipa/ticket/3897
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-042-18/+25
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* Warn user about realm-domain mismatch in install scriptsTomas Babej2013-10-034-1/+31
| | | | | | | | | | | | | | If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924
* Do not crash if DS is down during server uninstallAna Krivokapic2013-09-091-23/+41
| | | | | | | | DS is contacted during server uninstallation, in order to obtain information about replication agreements. If DS is unavailable, warn and continue with uninstallation. https://fedorahosted.org/freeipa/ticket/3867
* Fix RUV search scope in ipa-replica-managePetr Vobornik2013-09-041-1/+1
| | | | | | | | The search had an incorrect scope and therefore it didn't find any RUV. This issue prevented removing of replica. https://fedorahosted.org/freeipa/ticket/3876
* Add warning when uninstalling active replicaAna Krivokapic2013-09-041-5/+31
| | | | | | | Add a warning when trying to uninstall a replica that has active replication agreements. https://fedorahosted.org/freeipa/ticket/3867
* Create DS user and group during ipa-restoreAna Krivokapic2013-09-022-27/+6
| | | | | | | ipa-restore would fail if DS user did not exist. Check for presence of DS user and group and create them if needed. https://fedorahosted.org/freeipa/ticket/3856
* Add --dirman-password option to ipa-server-certinstall.Jan Cholasta2013-08-281-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/3869
generated by cgit (git 2.34.1) at 2024-06-20 01:12:56 +0000