Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions. Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
Part of:
Reviewed-By: Martin Basti <>
Profile management patches introduced a regression where a custom
certificate subject base (if configured) is not used in the default
profile. Use the configured subject base.
Part of:
Reviewed-By: Martin Basti <>
Add the profile_id parameter to the 'request_certificate' function
and update call sites.
Also remove multiple occurrences of the default profile ID
Part of:
Reviewed-By: Martin Basti <>
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Reviewed-By: Martin Basti <>
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of:
Reviewed-By: Martin Basti <>
The certprofile object class is used to track IPA-managed
certificate profiles in Dogtag and store IPA-specific settings.
Part of:
Reviewed-By: Martin Basti <>
Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.
Part of:
Reviewed-By: Martin Basti <>
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged
into a single code base, keep their respective bits in separate modules in the
Reviewed-By: Martin Basti <>
Ensure that the correct version of dogtag is passed from API object to the KRA
uninstaller during IPA server uninstall.
Reviewed-By: Jan Cholasta <>
If value does not exists then do not update entry. Otherwise, together with
nonexistent entry, the LDAP decode error will be raised.
Reviewed-By: Martin Babinsky <>
To detect if DS server is running, use the slapd socket for upgrade, and the LDAP port
for installation.
Without enabled LDAPi socket checking doesnt work.
Reviewed-By: Fraser Tweedale <>
Bad ordering of LDAP entries during replica removal resulted in a failure to
delete replica and its services from cn=masters,cn=ipa,cn=etc,$SUFFIX. This
patch enforces the correct ordering of entries resulting in proper removal of
services before the host entry itself.
Reviewed-By: Martin Babinsky <>
This also prevent the script ipa-upgradeconfig execute upgrading.
Upgrade of services is called from ipa-server-upgrade
Reviewed-By: Jan Cholasta <>
This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.
Reviewed-By: Jan Cholasta <>
With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
credentials used by IPA httpd process when talking to smbd. As result,
LSA RPC connection is seen as anonymous by Samba client code and we cannot
derive session key to use for encrypting trust secrets before transmitting
Additionally, rewrite of the SMB protocol support in Samba caused previously
working logic of choosing DCE RPC binding string to fail. We need to try
a different set of priorities until they fail or succeed.
Requires Samba fixes from
Reviewed-By: Tomas Babej <>
During server upgrade we should wait until DS is ready after restart, otherwise
connection error is raised.
Instead of 389 port, the DS socket is checked.
Reviewed-By: Fraser Tweedale <>
ipa-kra-install validates and asks for directory manager password during
uninstallation phase. Since this password is never used during service
uninstall, the uninstaller will not perform these checks anymore.
Reviewed-By: Martin Basti <>
This is required modification to be able move to new installers.
DNS subsystem will be installed by functions in this module in each of
ipa-server-install, ipa-dns-install, ipa-replica-install install
Reviewed-By: Jan Cholasta <>
during IPA server uninstall, the httpd service ccache is not removed from
runtime directory. This file then causes server-side client install to fail
when performing subsequent installation without rebooting/recreating runtime
This patch ensures that the old httpd ccache is explicitly destroyed during
Reviewed-By: David Kupka <>
IPA creates own instance of CA, so there is no need to check if previous
instance was enabled, because there could not be any.
Reviewed-By: Martin Basti <>
ipa-ldap-updater is now just util which applies changes specified in update
files or schema files.
ipa-ldap-updater will not do overall server upgrade anymore, use
ipa-server-upgrade instead.
Reviewed-By: David Kupka <>
* Prevent to continue with upgrade if a fatal error happened
* Use exceptions to handle failures
Reviewed-By: David Kupka <>
Ldapupdater should not call sys.exit() in the middle of execution and
should fail gracefully
Reviewed-By: David Kupka <>
This patch allows to use base64 encoded values in update files.
Double colon ('::') must be used as separator between attribute name
and base64 encoded value.
Reviewed-By: Jan Cholasta <>
CSV values are not supported in upgrade files anymore
Instead of
add:attribute: 'first, part', second
please use
add:attribute: firts, part
add:attribute: second
Required for ticket:
Reviewed-By: Jan Cholasta <>
Destroy connection is an internal function of Connectible and therefore
it should not be used directly.
Reviewed-By: Martin Babinsky <>