Test tests topologies listed bellow with and without CA on replicas:
star topology: 3 replicas
line topology: 3 replicas
complete topology: 3 replicas
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Use the local host credentials rather than the user credentials when
setting up replication. The host must be a member of the ipaservers host
group. The user credentials are still required for connection check.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
python-gssapi chokes on empty ccache files, so instead of creating an empty
temporary ccache file in private_ccache, create a temporary directory and
use a non-existent file in that directory as the ccache.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.
A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Move this check before the parts that check topology suffix connectivity, wait
for removed segments etc. If the hostname does not exist, it should really be
one of the first errors user encounters during ipa-replica-manage del.
https://fedorahosted.org/freeipa/ticket/5424
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by freshly installed local CA.
https://fedorahosted.org/freeipa/ticket/5506
Reviewed-By: Martin Basti <mbasti@redhat.com>
Update .mailmap with misconfigured patch authors since the last
feature release. Based on the git history, add new Developer
contributors.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Commit 46ae52569a reimplemented reporting of
managed topology suffixes in server-find/show commands using membership
attributes. This patch fixes consumers of this attribute in ipa-replica-manage
command and webui to reflect this change.
Reviewed-By: Martin Basti <mbasti@redhat.com>
With the ability to promote replicas from an enrolled client the
uninstallation procedure has to be changed slightly. If the client-side
components are not removed last during replica uninstallation, we can end up
with leftover ipa default.conf preventing future client re-enrollment.
https://fedorahosted.org/freeipa/ticket/5410
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Default ldap search limit is now 30 sec by default during upgrade.
Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.
Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.
https://fedorahosted.org/freeipa/ticket/5267
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Message that installation started/failed was shown even when
install_check fail (installation itself did not start).
This commit show messages only if installation started.
Enhacement for https://fedorahosted.org/freeipa/ticket/5455
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
