Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
We need to check all Kerberos ports both TCP and UDP transports.
Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.
When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
If a hostname configured in /etc/ipa/default.conf is changed and
is different from the one stored in LDAP in cn=ipa,cn=etc,$SUFFIX
ipactl gives an unintelligible error.
This patch improves the error message and also offers a list of
configured master so that the hostname setting in IPA configuration
can be easily fixed.
https://fedorahosted.org/freeipa/ticket/1558
For the most part the existing replication code worked with the
following exceptions:
- Added more port options
- It assumed that initial connections were done to an SSL port. Added
ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
In dogtag one is marked as master and one as clone. A new option is
added, master, the determines which side we're working on or None
if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
by 389-ds). This causes problems when doing a force-sync though so
if one is done we set a schedule to run all the time. Otherwise the
temporary schedule can't be removed (LDAP operations error).
https://fedorahosted.org/freeipa/ticket/1250
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.
We can instead pull the subject from the certificate and use that as
the nickname.
https://fedorahosted.org/freeipa/ticket/1141
When a replica for self-signed server is being installed, the
installer crashes with "Not a dogtag CA installation". Make sure
that installation is handled correctly for both dogtag and
self-signed replicas.
https://fedorahosted.org/freeipa/ticket/1479
When DNS plugin is installed via ipa-dns-install and user has a valid
Kerberos ticket at the time, the DNS installation is corrupt and named
won't start, reporting Preauthentication error.
When the non-DM identity is used for authentication, krbprincipalkey
attribute in DNS service LDAP record is not created, thus leading
to the error. This patch makes sure that authentication with Directory
Manager password is used every time.
https://fedorahosted.org/freeipa/ticket/1483
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.
Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.
The reverse DNS zone name is printed to the user during the install.
ticket 1398
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.
Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds
This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.
ticket 1052
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Implements a way to pass match_local and parse_netmask parameters
to IP option checker.
Now, there is just one common option type "ip" with new optional
attributes "ip_local" and "ip_netmask" which can be used to
pass IP address validation parameters.
https://fedorahosted.org/freeipa/ticket/1333
When a new DNS zone is being created a local hostname is set as a
nameserver of the new zone. However, when the zone is created
during ipa-replica-prepare, the the current master/replica doesn't
have to be an IPA server with DNS support. This would lead to DNS
zones with incorrect NS records as they wouldn't point to a valid
name server.
Now, a list of all master servers with DNS support is retrieved
during DNS zone creation and added as NS records for a new DNS
zone.
https://fedorahosted.org/freeipa/ticket/1261
The conditional used to determine if thd CA 389-ds instance was already
configured was rather poor so it was possible to pass command-line
arguments in to confuse it. This would cause it to not be installed at
all causing the dogtag installation to fail in a strange way.
https://fedorahosted.org/freeipa/ticket/1244
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.
The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.
Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.
https://fedorahosted.org/freeipa/ticket/1243https://fedorahosted.org/freeipa/ticket/1254
--no-host-dns option should allow installing IPA server on a host
without a DNS resolvable name.
Update parse_ip_address and verify_ip_address functions has been
changed not to return None and print error messages in case of
an error, but rather let the Exception be handled by the calling
routine.
https://fedorahosted.org/freeipa/ticket/1246
When re-creating the CADS instance it needs to be more fully-populated
so we have enough information to create an SSL certificate and move
the principal to a real entry.
https://fedorahosted.org/freeipa/ticket/1245
When IPA replica is installed and the master machine record is not
in ~/.ssh/known_hosts, ipa-replica-install will prompt user to answer
a question about adding a host to this file.
This has, however, a potential to break automatic tests.
ipa-replica-conncheck should not require any further user interaction
when all mandatory options are filled.
https://fedorahosted.org/freeipa/ticket/1305
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
the replica and prints the check result
This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.
https://fedorahosted.org/freeipa/ticket/1107
