Current Answer Cache storing mechanism is not ideal for storing
non-trivial Python types like arrays, custom classes, etc.
RawConfigParser just translates values to string, which
are not correctly decoded when the Answer Cache is parsed and
restored in the installer.
This patch replaces RawConfigParser with Python's standard pickle
module, which is a recommended way for serialization in Python.
https://fedorahosted.org/freeipa/ticket/2054
Do at least a basic validation of DNS zone manager mail address.
Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.
https://fedorahosted.org/freeipa/ticket/1966
There may already be a record in /etc/hosts for chosen IP address
which may not be detected under some circumstances. Make sure
that /etc/hosts is checked properly.
https://fedorahosted.org/freeipa/ticket/1923
Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.
This step should prevent various services failures which may not
be ready to talk to IPA with non-system hostname.
https://fedorahosted.org/freeipa/ticket/1931
Always check (even with --setup-dns or --no-host-dns) that if the
host name or ip address resolves, it resolves to sane value. Otherwise
report an error. Misconfigured /etc/hosts causing these errors could
harm the installation later.
https://fedorahosted.org/freeipa/ticket/1923
In checking to see if the dogtag proxy configuration needed to be updated
we didn't handle the case where dogtag isn't installed at all.
https://fedorahosted.org/freeipa/ticket/1951
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).
Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.
https://fedorahosted.org/freeipa/ticket/1899
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.
https://fedorahosted.org/freeipa/ticket/1916
Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:
- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
when one runs ipa-server-install
https://fedorahosted.org/freeipa/ticket/1908
If we can get a ticket for the master then we know we got all right.
This should avoid being prompted again by ssh if the kinit failed and for some
reason the error was not caught (seen in live tests).
- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs
https://fedorahosted.org/freeipa/ticket/1771
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
There are too many options in ipa-*-install scripts which makes it
difficult to read. This patch adds subsections to install script
online help and man pages to improve readability. No option has
been changed.
To further improve man pages:
1) All man pages were changed to have the same header and top-center
title to provide united look.
2) Few typos in man pages have been fixed
https://fedorahosted.org/freeipa/ticket/1687
We need to check all Kerberos ports both TCP and UDP transports.
Since we have the PKI proxy configuration all communication with the CA happens
on the standard 80/443 ports so we need to check them always.
We do not need to leave the old CA ports open. These ports are still used
locally but not over the network.
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.
When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.
https://fedorahosted.org/freeipa/ticket/1555
