Commit Graph

79 Commits

Author SHA1 Message Date
Rob Crittenden
54b3842aba Make ipactl a lot smarter and have it manage named as well.
ticket 138
2010-09-07 15:39:18 -04:00
Rob Crittenden
e466bed545 Enable compat plugin by default and configure netgroups
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.

Add a 'status' option to the ipa-copmat-manage tool.

ticket 91
2010-08-19 10:50:07 -04:00
Rob Crittenden
9d9d789912 Correct CA options in ipa-server-install manpage 2010-08-10 16:42:21 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
ed488c6349 Fix ipa-compat-manage and ipa-nis-manage
Neither of these was working properly, I assume due to changes in the ldap
backend. The normalizer now appends the basedn if it isn't included and
this was causing havoc with these utilities.

After fixing the basics I found a few corner cases that I also addressed:
- you can't/shouldn't disable compat if the nis plugin is enabled
- we always want to load the nis LDAP update so we get the netgroup config
- LDAPupdate.update() returns True/False, not an integer

I took some time and fixed up some things pylint complained about too.

Ticket #83
2010-07-15 11:18:11 -04:00
Rob Crittenden
af49945ae4 Fall back to DM password if GSSAPI fails and make deleting more user-friendly
Try to be a bit more descriptive about why a deletion fails and generate a
prettier error message.
2010-06-01 09:52:21 -04:00
Rob Crittenden
8911c92c8d Query the remote server to see if this replica host already exists.
If it does then the installation will fail trying to set up the
keytabs, and not in a way that you say "aha, it's because the host is
already enrolled."
2010-06-01 09:52:14 -04:00
Rob Crittenden
b29de6bf27 Add LDAP upgrade over ldapi support.
This disables all but the ldapi listener in DS so it will be quiet when
we perform our upgrades. It is expected that any other clients that
also use ldapi will be shut down by other already (krb5 and dns).

Add ldapi as an option in ipaldap and add the beginning of pure offline
support (e.g. direct editing of LDIF files).
2010-06-01 09:52:10 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Rob Crittenden
088cc6dc13 Use correct name for CA PKCS#12 file.
I recently renamed this and missed this reference.
2010-04-23 04:56:20 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
45acd086f5 Remove incorrect option -U for --uninstall. -U is short for --unattended. 2010-04-16 09:28:08 -04:00
Rob Crittenden
c19911845d Use GSSAPI auth for the ipa-replica-manage list and del commands.
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.

Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
2010-03-19 17:17:14 -04:00
Rob Crittenden
ff4ddbbb72 Better customize the message regarding the CA based on the install options.
There are now 3 cases:

- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
  for the server certs. The installed CA will still be used by the cert
  plugin to issue any server certs.
2010-03-19 04:55:33 -06:00
Rob Crittenden
f4cb248497 Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
2010-03-19 04:45:41 -06:00
Rob Crittenden
99cb2fe64a Initialize the api so imports work, trust all CAs included in the PKCS#12. 2010-03-19 04:41:05 -06:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00
Rob Crittenden
4216a627c3 Proper use of set up vs setup (verb vs noun)
Resolves #529787
2010-03-16 22:37:26 -06:00
Rob Crittenden
bc47ad0c22 Make the CA a required component and configured by default.
To install IPA without dogtag use the --selfsign option.

The --ca option is now deprecated.

552995
2010-03-02 18:21:12 -05:00
Martin Nagy
8fd41d0434 Add A and PTR records during ipa-replica-prepare
Fixes #528996
2010-02-09 16:30:25 -05:00
Martin Nagy
206d2d48fa Get rid of ipapython.config in ipa-replica-prepare
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.

Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
2010-02-09 16:30:06 -05:00
Martin Nagy
b05f94fb4c Add ipa-dns-install script
Unfortunately, for now there is no --uninstall option.
2010-02-09 15:45:35 -05:00
Rob Crittenden
8f5d9bb62e Add status option to ipactl
Resolves #503437
2010-02-09 04:07:33 -07:00
Rob Crittenden
ea6dfc30fa Set default log level in the *-manage utilities to ERROR and not NOTSET 2010-02-04 11:36:54 -05:00
Rob Crittenden
2416f92bee Fix sample IPA command example at end of installation
Resolves #531455
2010-02-03 14:47:51 -05:00
Rob Crittenden
4f010cfda6 Bring ipa-server-install man page up-to-date, fix some syntax errors
Remove a bunch of trailing spaces
Add the --ca option
Add the --no-host-dns option
Add the --subject option
Fix the one-character option for --no-ntp, should be -N not -n
Add missing line break between --no-ntp and --uninstall

Resolves #545260
2010-02-03 14:42:55 -05:00
Rob Crittenden
bf63cd30a6 Remove some configuration files we create upon un-installation
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
2010-01-28 17:29:18 -05:00
Martin Nagy
d53df67c95 Move some functions from ipa-server-install into installutils
We will need these functions in the new upcoming ipa-dns-install
command.
2010-01-21 17:37:24 -05:00
Martin Nagy
7aa78ee060 Only add an NTP SRV record if we really are setting up NTP
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.

Fixes #500238
2010-01-21 17:09:21 -05:00
Martin Nagy
f8ec022ed0 Move api finalization in ipa-server-install after writing default.conf
We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
2010-01-21 17:09:15 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
49fb5ad493 Add start/stop for the CA 2010-01-11 13:38:45 -05:00
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Rob Crittenden
6a3ed31221 Add force option to ipa-replica-manage to allow forcing deletion of a replica
If a replica is not up for some reason (e.g. you've already deleted it)
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
2009-12-11 22:34:58 -07:00
Martin Nagy
d147eafb07 Ask the user before overwriting /etc/named.conf 2009-12-02 13:07:07 +01:00
Martin Nagy
377907e221 Remove unnecessary "error: " prefixes
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
2009-12-02 13:07:00 +01:00
Rob Crittenden
384eec771d Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.

This wipes out the last vestiges of the old ipa.conf from v1.
2009-12-01 09:11:23 -07:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
Rob Crittenden
986c4e23e7 Point to correct location of self-signed CA and set pw on 389-DS cert db
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.

The DS db wasn't getting a password set on it. Go ahead and set one.
2009-11-25 09:57:14 -07:00
John Dennis
eb5793b5ea respect debug arg during server install
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
2009-11-19 14:46:18 -05:00
Rob Crittenden
884301ef33 Cache installer questions for the 2-step process of an externally-signed CA
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
2009-11-18 14:28:33 -05:00
Rob Crittenden
da58b0cc75 Add SELinux policy for UI assets
This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
2009-11-04 04:07:38 -07:00
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Rob Crittenden
81f8c5f0db Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
Rob Crittenden
e4877c946f Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

525303
2009-09-28 22:17:01 -06:00