Commit Graph

89 Commits

Author SHA1 Message Date
Rob Crittenden
861d1bbdca Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
This fixes 2 AVCS:

* One because we are enabling port 7390 because an SSL port must be
  defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
  Instead generate a separate NSS database and certificate and have
  certmonger track it separately

I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.

ticket 1085
2011-03-15 14:09:57 -04:00
Rob Crittenden
9dfb0f05b0 Use TLS for dogtag replication agreements.
Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.

ticket 1060
2011-03-10 09:57:36 -05:00
Rob Crittenden
8c50ea3da3 chkconfig the ipa service off when it is uninstalled.
ticket 1056
2011-03-08 10:23:10 -05:00
Rob Crittenden
c0ecdd1395 Skip DNS validation checks if we're setting up DNS in ipa-server-install.
If we're going to be authoritative ourselves don't bother with what
other DNS servers think.

ticket 1036
2011-03-04 11:05:40 -05:00
Pavel Zuna
64575a411b Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools.

Fix #874
2011-03-03 14:04:34 -05:00
Martin Kosek
f785af4efe Inconsistent sysrestore file handling by IPA server installer
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.

The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.

https://fedorahosted.org/freeipa/ticket/1026
2011-03-03 11:02:02 -05:00
Martin Kosek
5a9a9723de IPA replica/server install does not check for a client
When IPA replica or server is configured it does not check for
possibly installed client. This will cause the installation to
fail in the very end.

This patch adds a check for already configured client and suggests
removing it before server/replica installation.

https://fedorahosted.org/freeipa/ticket/1002
2011-03-03 10:20:39 -05:00
Jan Zeleny
b26e265961 Fixed in ipa-server-install help and man page
https://fedorahosted.org/freeipa/ticket/831
2011-02-18 10:00:48 -05:00
Rob Crittenden
9b73da1d54 Refresh state data before removing the dirsrv user, fixes uninstall.
The state is read only at initialization time. This works ok when
individual services remove their state data but when worked upon again
at the top-level it still has the full state in memory, so when the
state file is re-written all of the data that was removed is re-added.

ticket 916
2011-02-07 14:41:05 -05:00
Martin Kosek
4880598fbd ipa-server-install inconsistent capitalization
A cosmetic patch to IPA server installation output aimed to make
capitalization in installer output consistent. Several installation
tasks started with a lowercase letter and several installation
task steps started with an uppercase letter.

https://fedorahosted.org/freeipa/ticket/776
2011-02-03 10:34:01 -05:00
Rob Crittenden
f3d04bfc40 Fix installing with an external CA and wait for dogtag to come up
There wasn't an exception in the "is the server already installed"
check for a two-stage CA installation.

Made the installer slightly more robust. We create a cache file of
answers so the next run won't ask all the questions again. This cache
is removed when the installation is complete. Previously nothing would work
if the installer was run more than once, this should be fixed now.
The cache is encrypted using the DM password.

The second problem is that the tomcat6 init script returns control
before the web apps are up. Add a small loop in our restart method
to wait for the 9180 port to be available.

This also adds an additional restart to ensure that nonces are disabled.

ticket 835

revise
2011-02-01 17:52:57 -05:00
Simo Sorce
cc9abf5d38 Use a common group for all DS instances
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.

Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-31 16:35:53 -05:00
Rob Crittenden
359d54e741 Don't perform some API self-tests in production mode for performance reasons
The API does a fair number of self tests and locking to assure that the
registered commands are consistent and will work. This does not need
to be done on a production system and adds additional overhead causing
somewhere between a 30 and 50% decrease in performance.

Because makeapi is executed when a build is done ensure that it is
executed in developer mode to ensure that the framework is ok.

ticket 751
2011-01-28 18:49:17 -05:00
Simo Sorce
35b3d6b3be Make the -u option optional in unattended mode
Fixes: https://fedorahosted.org/freeipa/ticket/836
2011-01-24 16:45:43 -05:00
Simo Sorce
e72815771e Remove trailing space 2011-01-24 14:50:50 -05:00
Jakub Hrozek
9232a47877 Create the reverse zone by default
A new option to specify reverse zone creation for unattended installs

https://fedorahosted.org/freeipa/ticket/678
2011-01-07 05:05:54 -05:00
Simo Sorce
21bf175e0c Allow ipa-dns-install to install with just admin credentials
Do this by creating a common way to attach to the ldap server for each
instance.

Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-07 04:54:17 -05:00
Rob Crittenden
e7afe1dec2 Make sure that the messagebus service is started.
This will prevent certmonger failures. On very minimal installs it seems
that messagebus is not always started.

ticket 528
2011-01-04 16:56:18 -05:00
Jakub Hrozek
5747568e5d Ask for reverse zone creation only when --setup-bind is specified 2010-12-22 11:37:12 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Jakub Hrozek
ee4d2739f1 Make the IPA installer IPv6 friendly
Notable changes include:
 * parse AAAA records in dnsclient
 * also ask for AAAA records when verifying FQDN
 * do not use functions that are not IPv6 aware - notably socket.gethostbyname()
   The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
   section "Interface Checklist"
2010-12-20 11:27:34 -05:00
Rob Crittenden
8f87aa1288 Add krb5-pkinit-openssl as a Requires on ipa-server package
ticket 599
2010-12-16 09:33:11 -05:00
Simo Sorce
95c4b894f9 Fix Install using dogtag.
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.

Fixes: https://fedorahosted.org/freeipa/ticket/612
2010-12-10 23:09:41 -05:00
Simo Sorce
bfaea1dd78 Move Selfsigned CA creation out of dsinstance
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.

Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-10 12:28:38 -05:00
Simo Sorce
2efc08a6fc Introduce ipa control script that reads configuration off ldap
This replace the former ipactl script, as well as replace the current way ipa
components are started.

Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.

resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-10 12:28:38 -05:00
Simo Sorce
dea2167afa Move ntp configuration up top.
Also move down some dsinstance related operation close to other dsinstance
operations.

Fixes: https://fedorahosted.org/freeipa/ticket/595
2010-12-09 08:29:29 -05:00
Simo Sorce
a1edfe8c51 Give back smaller and more readable ranges by default.
Instead of allocating a completely random start between 1M and 2G and a range
of 1M values, give 10000 possible 200k ranges. They all start at a 200k
boundary so they generate more readable IDs, at least until there arent't too
many users/replicas involved.
2010-12-07 08:35:42 -05:00
Jakub Hrozek
88188cbb20 Do not create reverse zone by default
Prompt for creation of reverse zone, with the default for unattended
installations being False.

https://fedorahosted.org/freeipa/ticket/418
2010-12-02 16:46:02 -05:00
Rob Crittenden
8d235c6b71 Verify the --ip-address option when setting up DNS.
There was a corner case where the value of --ip-address was never verified
if you were also setting up DNS.

Added this bit of information to the man page too.

ticket 399
2010-11-24 09:18:57 -05:00
Simo Sorce
6a5c4763af id ranges: change DNA configuration
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.

Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.

Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.

fixes: https://fedorahosted.org/freeipa/ticket/198
2010-11-22 12:42:16 -05:00
Jakub Hrozek
57e1edd052 Use sys.exit to quit scripts
Instead of print and return, use sys.exit() to quit scripts with an
error message and a non zero return code.

https://fedorahosted.org/freeipa/ticket/425
2010-11-22 09:51:07 -05:00
Simo Sorce
5d5ec15ee5 Automatically disable pkinit when not supported 2010-11-19 14:49:49 -05:00
Jakub Hrozek
d9dd838014 Log interactive options in install scripts 2010-11-19 13:53:09 -05:00
Simo Sorce
52a46d121b Add support for configuring KDC certs for PKINIT
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
2010-11-18 15:09:36 -05:00
Simo Sorce
74ba0cc7c1 Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
2010-11-18 15:09:31 -05:00
Rob Crittenden
d658b0de5c Use a different user for dogtag DS instance
Also shut down all services before starting uninstall.

ticket 349
2010-11-12 17:26:43 -05:00
Jakub Hrozek
594adb9877 Log script options to logfile
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.

https://fedorahosted.org/freeipa/ticket/393
2010-11-09 13:28:10 -05:00
Simo Sorce
3e98d8ddad install-script: Do not ask to remove DNS data
When we uninstall we wipe out the entire LDAP database, so it doesn't really
make mush sense to try to also remove single entries from it.
This avoids the --uninstall procedure to fail because the DM password is not
available or the LDAP server is down, and we are just trying to cleanup
everything.
2010-10-07 07:54:06 -04:00
Rob Crittenden
da8f51373a Remove spurious error in server uninstaller about client uninstall failure.
This was meant to catch the case where the client wasn't configured and
it missed the most obvious one: the client was installed and is now
uninstalled.
2010-09-24 15:31:44 -04:00
Rob Crittenden
a7ba867438 Add new DNS install argument for setting the zone mgr e-mail addr.
ticket 125
2010-09-23 12:00:12 -04:00
Rob Crittenden
f87bd57c1d Fix certmonger errors when doing a client or server uninstall.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.

This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.

I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.

ticket 142
2010-09-09 16:38:52 -04:00
Adam Young
26b0e8fc98 This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
Rob Crittenden
92e350ca0a Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier.

Use the --no_hbac_allow option on the command-line to disable this when
doing an install.

To remove it from a running server do: ipa hbac-del allow_all
2010-05-05 14:57:58 -04:00
Rob Crittenden
04e9056ec2 Make the installer/uninstaller more aware of its state
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.

This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
2010-05-03 13:41:18 -06:00
Rob Crittenden
ac696a5220 Fix a couple of syntax errors in the installer.
I meant to push these along with the original patch but pushed the wrong one.
2010-04-27 17:51:13 -04:00
Pavel Zuna
44c1844493 Replace a new instance of IPAdmin use in ipa-server-install. 2010-04-27 16:29:36 -04:00
Martin Nagy
6e9cc2640b Connect to the ldap during the uninstallation
We need to ask the user for a password and connect to the ldap so the
bind uninstallation procedure can remove old records. This is of course
only helpful if one has more than one IPA server configured.
2010-04-23 17:19:36 -04:00
Rob Crittenden
7c61663def Fix installing IPA with an external CA
- cache all interactive answers
- set non-interactive to True for the second run so nothing is asked
- convert boolean values that are read in
- require absolute paths for the external CA and signed cert files
- fix the invocation message for the second ipa-server-install run
2010-04-23 04:57:34 -06:00
Pavel Zuna
3620135ec9 Use ldap2 instead of legacy LDAP code from v1 in installer scripts. 2010-04-19 11:27:10 -04:00
Rob Crittenden
ff4ddbbb72 Better customize the message regarding the CA based on the install options.
There are now 3 cases:

- Install a dogtag CA and issue server certs using that
- Install a selfsign CA and issue server certs using that
- Install using either dogtag or selfsign and use the provided PKCS#12 files
  for the server certs. The installed CA will still be used by the cert
  plugin to issue any server certs.
2010-03-19 04:55:33 -06:00