Commit Graph

889 Commits

Author SHA1 Message Date
Tibor Dudlák
7fd2102a78 Add --force-join into ipa-replica-install manpage
Resolves: https://pagure.io/freeipa/issue/7011
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-15 13:56:53 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Florence Blanc-Renaud
f960450820 ipa-replica-conncheck: handle ssh not installed
When ipa-replica-conncheck is run but ssh is not installed, the tool exits
with a stack trace. Properly handle the error by raising an Exception in the
SshExec constructor, and catch the exception in order to ignore the error and
skip ssh test.

The tool will exit with the following output:
[...]
Check RPC connection to remote master
trying https://master.domain.com/ipa/session/json
Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json'
Retrying using SSH...
WARNING: ssh not installed, skipping ssh test

https://pagure.io/freeipa/issue/6935

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-30 12:02:13 +02:00
Jan Cholasta
96ca62f81d server certinstall: support PKINIT
Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
9ea764ecf5 cacert manage: support PKINIT
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
René Genz
bdd88a3eab fix spelling mistake; minor rewording
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Tomas Krizek
1b1bace750 ca, kra install: validate DM password
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.

Fixes https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Tomas Krizek
80d61c2e01 ca install: merge duplicated code for DM password
Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Jan Cholasta
b03ede8796 ipa-cacert-manage: add --external-ca-type
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.

This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:

```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Florence Blanc-Renaud
f3e1efdcf5 ipa-kra-install manpage: document domain-level 1
ipa-kra-install man page was missing a specific section for domain level 1.
This commits also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD

https://pagure.io/freeipa/issue/6922

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-05-11 17:03:00 +02:00
Stanislav Laznicka
6522c4a837
fix managed-entries printing IPA not installed
ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.

https://pagure.io/freeipa/issue/6928

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-10 08:57:24 +02:00
realsobek
298f725e5b fix minor typos in ipa-adtrust-install.1
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-25 12:20:45 +02:00
Stanislav Laznicka
0c0af8cf7a compat-manage: behave the same for all users
Due to LDAP connection refactoring, compat-manage would have behaved
differently for root and for other users even though it requires
the directory manager password. This is caused by it trying to do
external bind when it does not have the DIRMAN password which was
previously not supplied.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Abhijeet Kasurde
cb86931472
Minor typo fixes
Fixes https://pagure.io/freeipa/issue/6865

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 15:42:17 +02:00
Florence Blanc-Renaud
b96a942cdc ipa-ca-install man page: Add domain level 1 help
In domain level 1 ipa-ca-install does not require a replica-file. Update the
man page to distinguish the domain level 0 or 1 usage.

https://pagure.io/freeipa/issue/5831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 12:16:58 +02:00
Stanislav Laznicka
8af884d048 replica-prepare man: remove pkinit option refs
Remove the references to the pkinit options which was forgotten
about in 46d4d534c0

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
9e3ae785ac Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Christian Heimes
f5bf5466ed Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 15:02:06 +02:00
Florence Blanc-Renaud
3ea2834b76
man ipa-cacert-manage install needs clarification
The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.

https://pagure.io/freeipa/issue/6795

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-22 10:13:56 +01:00
Christian Heimes
602b395cf1 Fix Python 3 pylint errors
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 19:11:32 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Martin Babinsky
5cb98496aa
ipa-managed-entries: only permit running the command on IPA master
https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-09 10:31:43 +01:00
Martin Babinsky
715367506b
ipa-managed-entries: use server-mode API
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-09 10:31:43 +01:00
Martin Basti
4006cbbc02 KRA: add --setup-kra to ipa-server-install
This patch allows to install KRA on first IPA server in one step using
ipa-server-install

This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.

Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 15:50:30 +01:00
Martin Basti
6c95f33d37 man: add missing --setup-adtrust option to manpage
ipa-server-install and ipa-replica-install manpages miss --setup-adtrust
options

https://pagure.io/freeipa/issue/6630

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-08 12:57:53 +01:00
Tomas Krizek
223a48b6d9
man: update ipa-cacert-manage
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.

https://pagure.io/freeipa/issue/6648

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 17:02:25 +01:00
Martin Babinsky
23cebe1356 Update server/replica installer man pages
Since AD trust installer is now a part of composite installers, their
man pages were updated with separate section documenting relevant AD
trust-related option descriptions.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
f62f0b7485 Fix erroneous short name options in ipa-adtrust-install man page
`--rid-base` and `--secondary-rid-base` had `-U` option assigned
by error in the man page. Remove it as these options have not short
alias.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
ef37c42ab9 print the installation info only in standalone mode
There is no point in emitting this message during server/replica
install.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Thorsten Scherf
573a0f1ffe added help about default value for --external-ca-type option
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:54:53 +01:00
Jan Cholasta
fe6f2b6f6e scripts, tests: explicitly set confdir in the rest of server code
Commit 1e6a204b43 added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.

https://fedorahosted.org/freeipa/ticket/6389

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-22 08:07:48 +00:00
Martin Babinsky
98bf0cc966 Move AD trust installation code to a separate module
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-17 13:34:35 +01:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Abhijeet Kasurde
08b8bfa9b5 Update man page of ipa-server-install
This fix adds information about --ignore-last-of-role in
ipa-server-install man page

Fixes https://fedorahosted.org/freeipa/ticket/6634

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-17 08:54:10 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Stanislav Laznicka
08c71703a4 Remove is_fips_enabled checks in installers and ipactl
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-13 18:10:55 +01:00
Martin Babinsky
d7cfbb870f Replace exit() calls with exceptions
In order to enable correct handling of hard errors from within the
composite installer code, all calls to `sys.exit` have to be replaced
with raising ScriptError.

https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Martin Babinsky
e27f6bfdc3 Remove unused variables in exception handling
https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Martin Babinsky
847be3a8a8 ipa-adtrust-install: format the code for PEP-8 compliance
https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Jan Cholasta
87400cdec1 ipa-ca-install: do not fail without --subject-base and --ca-subject
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.

Convert the DN objects to strings to fix the issue.

https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-31 07:18:39 +01:00
Abhijeet Kasurde
c56e02b3c5 Remove deprecated ipa-upgradeconfig command
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:51:39 +01:00
Fraser Tweedale
0c95a00147 Add sanity checks for use of --ca-subject and --subject-base
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:28:50 +01:00
Fraser Tweedale
3f56609732 Indicate that ca subject / subject base uses LDAP RDN order
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.

Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-11 15:27:55 +01:00
Fraser Tweedale
3d01ec14c6 Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
46bf0e89ae ipa-ca-install: add missing --subject-base option
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
c6db493b06 installer: rename --subject to --subject-base
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Stanislav Laznicka
25a6ddcce8 Clarify meaning of --domain and --realm in installers
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 09:47:25 +01:00
Abhijeet Kasurde
80c0e5cb8d Enumerate available options in IPA installer
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options

Fixes https://fedorahosted.org/freeipa/ticket/5435

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-03 13:00:36 +01:00