Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When ipa-replica-conncheck is run but ssh is not installed, the tool exits
with a stack trace. Properly handle the error by raising an Exception in the
SshExec constructor, and catch the exception in order to ignore the error and
skip ssh test.
The tool will exit with the following output:
[...]
Check RPC connection to remote master
trying https://master.domain.com/ipa/session/json
Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json'
Retrying using SSH...
WARNING: ssh not installed, skipping ssh test
https://pagure.io/freeipa/issue/6935
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.
Fixes https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Extract copy-pasted code to a single function.
Related https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.
This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:
```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-kra-install man page was missing a specific section for domain level 1.
This commits also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD
https://pagure.io/freeipa/issue/6922
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.
https://pagure.io/freeipa/issue/6928
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Due to LDAP connection refactoring, compat-manage would have behaved
differently for root and for other users even though it requires
the directory manager password. This is caused by it trying to do
external bind when it does not have the DIRMAN password which was
previously not supplied.
https://pagure.io/freeipa/issue/6821
Reviewed-By: Martin Basti <mbasti@redhat.com>
In domain level 1 ipa-ca-install does not require a replica-file. Update the
man page to distinguish the domain level 0 or 1 usage.
https://pagure.io/freeipa/issue/5831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia
The patch addresses three issues:
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
Use sd-notify
* https://pagure.io/freeipa/issue/6788
Prepare for separate SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.
https://pagure.io/freeipa/issue/6795
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.
https://pagure.io/freeipa/issue/6735
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This patch allows to install KRA on first IPA server in one step using
ipa-server-install
This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.
Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-server-install and ipa-replica-install manpages miss --setup-adtrust
options
https://pagure.io/freeipa/issue/6630
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.
https://pagure.io/freeipa/issue/6648
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since AD trust installer is now a part of composite installers, their
man pages were updated with separate section documenting relevant AD
trust-related option descriptions.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
`--rid-base` and `--secondary-rid-base` had `-U` option assigned
by error in the man page. Remove it as these options have not short
alias.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There is no point in emitting this message during server/replica
install.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Commit 1e6a204b43 added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.
https://fedorahosted.org/freeipa/ticket/6629
Reviewed-By: Martin Basti <mbasti@redhat.com>
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This fix adds information about --ignore-last-of-role in
ipa-server-install man page
Fixes https://fedorahosted.org/freeipa/ticket/6634
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In order to enable correct handling of hard errors from within the
composite installer code, all calls to `sys.exit` have to be replaced
with raising ScriptError.
https://fedorahosted.org/freeipa/ticket/6629
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.
Convert the DN objects to strings to fix the issue.
https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.
Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit. So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options
Fixes https://fedorahosted.org/freeipa/ticket/5435
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>