Commit Graph

69 Commits

Author SHA1 Message Date
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Rob Crittenden
088cc6dc13 Use correct name for CA PKCS#12 file.
I recently renamed this and missed this reference.
2010-04-23 04:56:20 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
45acd086f5 Remove incorrect option -U for --uninstall. -U is short for --unattended. 2010-04-16 09:28:08 -04:00
Rob Crittenden
c19911845d Use GSSAPI auth for the ipa-replica-manage list and del commands.
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.

Note that with cn=config, if an unauthorized user performs a search,
an error is not returned; no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
2010-03-19 17:17:14 -04:00
Rob Crittenden
ff4ddbbb72 Better customize the message regarding the CA based on the install options.
There are now 3 cases:

- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
  for the server certs. The installed CA will still be used by the cert
  plugin to issue any server certs.
2010-03-19 04:55:33 -06:00
Rob Crittenden
f4cb248497 Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
2010-03-19 04:45:41 -06:00
Rob Crittenden
99cb2fe64a Initialize the api so imports work, trust all CAs included in the PKCS#12. 2010-03-19 04:41:05 -06:00
Rob Crittenden
f0d51b65f1 Retrieve the LDAP schema using kerberos credentials.
This is required so we can disable anonymous access in 389-ds.
2010-03-17 23:36:53 -06:00
Rob Crittenden
4216a627c3 Proper use of set up vs setup (verb vs noun)
Resolves #529787
2010-03-16 22:37:26 -06:00
Rob Crittenden
bc47ad0c22 Make the CA a required component and configured by default.
To install IPA without dogtag use the --selfsign option.

The --ca option is now deprecated.

552995
2010-03-02 18:21:12 -05:00
Martin Nagy
8fd41d0434 Add A and PTR records during ipa-replica-prepare
Fixes #528996
2010-02-09 16:30:25 -05:00
Martin Nagy
206d2d48fa Get rid of ipapython.config in ipa-replica-prepare
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.

Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
2010-02-09 16:30:06 -05:00
Martin Nagy
b05f94fb4c Add ipa-dns-install script
Unfortunately, for now there is no --uninstall option.
2010-02-09 15:45:35 -05:00
Rob Crittenden
8f5d9bb62e Add status option to ipactl
Resolves #503437
2010-02-09 04:07:33 -07:00
Rob Crittenden
ea6dfc30fa Set default log level in the *-manage utilities to ERROR and not NOTSET 2010-02-04 11:36:54 -05:00
Rob Crittenden
2416f92bee Fix sample IPA command example at end of installation
Resolves #531455
2010-02-03 14:47:51 -05:00
Rob Crittenden
4f010cfda6 Bring ipa-server-install man page up-to-date, fix some syntax errors
Remove a bunch of trailing spaces
Add the --ca option
Add the --no-host-dns option
Add the --subject option
Fix the one-character option for --no-ntp, should be -N not -n
Add missing line break between --no-ntp and --uninstall

Resolves #545260
2010-02-03 14:42:55 -05:00
Rob Crittenden
bf63cd30a6 Remove some configuration files we create upon un-installation
This is particularly important for Apache since we'd leave the web
server handling unconfigured locations.
2010-01-28 17:29:18 -05:00
Martin Nagy
d53df67c95 Move some functions from ipa-server-install into installutils
We will need these functions in the new upcoming ipa-dns-install
command.
2010-01-21 17:37:24 -05:00
Martin Nagy
7aa78ee060 Only add an NTP SRV record if we really are setting up NTP
The sample bind zone file that is generated if we don't use --setup-dns
is also changed.

Fixes #500238
2010-01-21 17:09:21 -05:00
Martin Nagy
f8ec022ed0 Move api finalization in ipa-server-install after writing default.conf
We will need to have ipalib correctly configured before we start
installing DNS entries with api.Command.dns.
2010-01-21 17:09:15 -05:00
Rob Crittenden
e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
Rob Crittenden
49fb5ad493 Add start/stop for the CA 2010-01-11 13:38:45 -05:00
Rob Crittenden
766b534da0 Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
2009-12-11 23:06:08 -07:00
Rob Crittenden
6a3ed31221 Add force option to ipa-replica-manage to allow forcing deletion of a replica
If a replica is not up for some reason (e.g. you've already deleted it)
this used to quit and not let you delete the replica, generating errors in
the DS logs. This will let you force a deletion.
2009-12-11 22:34:58 -07:00
Martin Nagy
d147eafb07 Ask the user before overwriting /etc/named.conf 2009-12-02 13:07:07 +01:00
Martin Nagy
377907e221 Remove unnecessary "error: " prefixes
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
2009-12-02 13:07:00 +01:00
Rob Crittenden
384eec771d Replace /etc/ipa/ipa.conf with /etc/ipa/default.conf
The new framework uses default.conf instead of ipa.conf. This is useful
also because Apache uses a configuration file named ipa.conf.

This wipes out the last vestiges of the old ipa.conf from v1.
2009-12-01 09:11:23 -07:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
Rob Crittenden
986c4e23e7 Point to correct location of self-signed CA and set pw on 389-DS cert db
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.

The DS db wasn't getting a password set on it. Go ahead and set one.
2009-11-25 09:57:14 -07:00
John Dennis
eb5793b5ea respect debug arg during server install
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
2009-11-19 14:46:18 -05:00
Rob Crittenden
884301ef33 Cache installer questions for the 2-step process of an externally-signed CA
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
2009-11-18 14:28:33 -05:00
Rob Crittenden
da58b0cc75 Add SELinux policy for UI assets
This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
2009-11-04 04:07:38 -07:00
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Rob Crittenden
81f8c5f0db Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
Rob Crittenden
e4877c946f Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

525303
2009-09-28 22:17:01 -06:00
Rob Crittenden
31ad1973c5 Better upgrade detection so we don't print spurious errors
Also add copyright

519414
2009-09-15 17:42:36 -04:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Pavel Zuna
db7e0802fa Fix incorrect imports in ipa-server-certinstall. 2009-09-11 09:19:41 -04:00
Martin Nagy
b519b87ea4 Add forgotten chunks from commit 4e5a68397a
I accidentally pushed the older patch that didn't contain bits for
ipa-replica-install.
2009-09-08 22:48:34 +02:00
Jason Gerard DeRose
391b1f2b88 Fixed dns_forwarders not being defined when options.setup_dns is False 2009-09-08 13:09:05 +02:00
Martin Nagy
205a41205b Add A and PTR records of ourselves during installation
If the DNS zones already exist but don't contain our own records, add
them. This patch introduces the ipalib.api into the installers. For now,
the code is still a little messy. Later patches will abandon the way we
create zones now and use ipalib.api exclusively.
2009-09-02 22:04:25 +02:00
Martin Nagy
b07d1b54f9 Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.
2009-09-02 22:04:25 +02:00
Martin Nagy
fbda06269d Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
2009-09-02 22:04:25 +02:00
Martin Nagy
4e5a68397a Use DNS forwarders in /etc/named.conf
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command
line.
2009-09-02 19:09:28 +02:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is returned, eval() and all, so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
2009-08-27 14:15:26 -04:00