Commit Graph

969 Commits

Author SHA1 Message Date
Martin Basti
b5e941d49b Server Upgrade: Fix comments
https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-04-02 08:42:43 +00:00
Jan Cholasta
fa50068607 upload_cacrt: Fix empty cACertificate in cn=CAcert
https://fedorahosted.org/freeipa/ticket/4565

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:38:34 +00:00
Martin Basti
c3d441ae03 Server Upgrade: remove --test option
As --test option is not used for developing, and it is not recommended
to test if upgrade will pass, this path removes it copmletely.

https://fedorahosted.org/freeipa/ticket/3448

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:48:41 +01:00
Tomas Babej
4190b1a47c Revert "Server Upgrade: respect --test option in plugins"
This reverts commit c95c4849ae.
2015-03-19 12:48:06 +01:00
Martin Basti
c95c4849ae Server Upgrade: respect --test option in plugins
Several plugins do the LDAP data modification directly.
In test mode these plugis should not be executed.

https://fedorahosted.org/freeipa/ticket/3448

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:40:24 +01:00
Martin Basti
a42fcfc18b Server Upgrade: order update files by default
https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:37:09 +01:00
Martin Basti
0c7274ead8 Server Upgrade: Update entries in order specified in file
Dictionary replaced with list. Particular upgrades are
executed in the same order as they are specified in update
a file.

Different updates for the smae cn, are not merged into one upgrade

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:37:09 +01:00
Martin Basti
144bc6c1eb Server Upgrade: Set modified to false, before each update
Variable self.modified should be set to false before each run of update

Ticket: https://fedorahosted.org/freeipa/ticket/3560
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:37:09 +01:00
Martin Basti
10bc6bd0bf Server Upgrade: Upgrade one file per time
* Files are sorted alphabetically, no numbering required anymore
* One file updated per time

Ticket: https://fedorahosted.org/freeipa/ticket/3560
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:37:09 +01:00
Martin Basti
bb1d7a741c Server Upgrade: do not sort updates by DN
Ticket: https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:37:09 +01:00
Martin Basti
d3f5d5d1ff Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
This is not used anymore.

Ticket: https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 12:33:22 +01:00
Martin Babinsky
26d6c6fbbb ipa-dns-install: use LDAPI to connect to DS
ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
DNS/DNSSEC-related service and thus makes -p option obsolete.

Futhermore, now it makes more sense to use LDAPI also for API Backend
connections to DS and thus all forms of Kerberos auth were removed.

This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-18 12:31:23 +01:00
Martin Babinsky
7b6bee030d ipa-dns-install: use STARTTLS to connect to DS
BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-18 12:31:23 +01:00
David Kupka
4a20115ce8 Restore default.conf and use it to build API.
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.

https://fedorahosted.org/freeipa/ticket/4896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 12:17:23 +00:00
Martin Basti
52b7101c11 Fix uniqueness plugins
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid

* remove unneded update plugins -> update was moved to .update file

* add uniqueness-across-all-subtrees required by user lifecycle
management

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Basti
4b2ec5468f Migrate uniquess plugins configuration to new style
New configuration style contains options required for user lifecycle
management.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Jan Cholasta
8713c5a695 replica-install: Use different API instance for the remote server
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-03-05 11:01:36 +01:00
Martin Basti
d216cab619 Fix saving named restore status
Accidentaly status was stored after service was stopped by installer

Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-18 10:05:45 +01:00
Martin Basti
b5e06b90c9 Uninstall configured services only
Fixes:
dnskeysyncisntance - requires a stored state to be uninstalled
bindinstance - uninstal service only if bind was configured by IPA

Ticket:https://fedorahosted.org/freeipa/ticket/4869

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-18 10:05:45 +01:00
Martin Basti
f499e506c8 Fix do not enable service before storing status
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-18 10:05:45 +01:00
Martin Basti
c3edfa2d8c Fix restoring services status during uninstall
Services hasn't been restored correctly, which causes disabling already
disabled services, or some service did not start. This patch fix these
issues.

Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-18 10:05:45 +01:00
Jan Cholasta
deb70d5b13 Do not crash when replica is unreachable in ipa-restore
https://fedorahosted.org/freeipa/ticket/4857

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-27 16:44:02 +01:00
Martin Babinsky
55b7eed77e Use 'remove-ds.pl' to remove DS instance
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)

This patch is related to https://fedorahosted.org/freeipa/ticket/4487.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-01-27 13:35:06 +01:00
Jan Cholasta
c90286cbbc Create correct log directories during full restore in ipa-restore
https://fedorahosted.org/freeipa/ticket/4865

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-27 07:41:58 +00:00
Martin Kosek
0a7a8d6604 Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients.

https://fedorahosted.org/freeipa/ticket/4850

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-21 07:47:22 +00:00
Jan Cholasta
4994cd1d8d Put LDIF files to their original location in ipa-restore
This prevents SELinux failures during online data restore.

https://fedorahosted.org/freeipa/ticket/4822

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-21 08:27:44 +01:00
Jan Cholasta
82ab0eabf8 Do not assume certmonger is running in httpinstance
https://fedorahosted.org/freeipa/ticket/4835

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-20 15:35:18 +01:00
Martin Kosek
6652c4eb2e Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Martin Kosek
35c4fa2e36 Fix IPA_BACKUP_DIR path name
Path name was not updated during patch rebase.

https://fedorahosted.org/freeipa/ticket/4797
2015-01-14 13:05:09 +01:00
Jan Cholasta
10fe918acd Fix validation of ipa-restore options
Fix restore mode checks. Do some of the existing checks earlier to make them
effective. Check if --instance and --backend exist both in the filesystem and
in the backup.

Log backup type and restore mode before performing restore.

Update ipa-restore man page.

https://fedorahosted.org/freeipa/ticket/4797

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-14 09:10:06 +01:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
6a1304324f Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
5bf1c9a6f7 Do not crash on unknown services in installutils.stopped_service
https://fedorahosted.org/freeipa/ticket/4835

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 17:54:12 +00:00
Jan Cholasta
05e6adecb5 Remove RUV from LDIF files before using them in ipa-restore
https://fedorahosted.org/freeipa/ticket/4822

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-01-13 16:58:34 +00:00
Jan Cholasta
abcbe271d5 Fix ipa-restore on systems without IPA installed
https://fedorahosted.org/freeipa/ticket/4824

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-01-13 16:28:20 +00:00
David Kupka
b6c58ff238 Abort backup restoration on not matching host.
When restoring backup on master other than it was created there is high risk
of unexpected and hard-to-debug behavior. Refuse such restore.

https://fedorahosted.org/freeipa/ticket/4823

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-13 15:01:31 +00:00
Martin Basti
727f8099af Fix traceback if zonemgr error contains unicode
Ticket: https://fedorahosted.org/freeipa/ticket/4805
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-12 17:10:22 +01:00
Martin Basti
af6aece39b Fix zone find during forwardzone upgrade
https://fedorahosted.org/freeipa/ticket/4818

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
Martin Basti
bb405bd972 Fix: Upgrade forwardzones zones after adding newer replica
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.

Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
David Kupka
3c69435c1b Always add /etc/hosts record when DNS is being configured.
This was done previosly but accidentally removed when later with patch for
ticket .

https://fedorahosted.org/freeipa/ticket/4817

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-18 13:09:58 +01:00
Simo Sorce
8822be36d3 Stop saving the master key in a stash file
This hasn't been used for a number of releases now, as ipa-kdb directly
fetches the key via LDAP.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-12-11 07:04:18 +01:00
Jan Cholasta
8f9c5988e2 Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
https://fedorahosted.org/freeipa/ticket/4781

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 17:08:49 +00:00
Jan Cholasta
f7f3c83748 Check subject name encoding in ipa-cacert-manage renew
https://fedorahosted.org/freeipa/ticket/4781

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-10 17:07:05 +00:00
Gabe
6d3403edac Remove usage of app_PYTHON in ipaserver Makefiles
- Remove ChangeLog from ipa-client/Makefile.am

https://fedorahosted.org/freeipa/ticket/4700

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-12-10 15:42:39 +01:00
Jan Cholasta
7b0149f32b Improve validation of --instance and --backend options in ipa-restore
https://fedorahosted.org/freeipa/ticket/4744

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:46:29 +00:00
Tomas Babej
faec4ef9de certs: Fix incorrect flag handling in load_cacert
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make it a required
argument.

https://fedorahosted.org/freeipa/ticket/4779

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-02 14:44:42 +00:00
Gabe
5f223a89ad Update default NTP configuration
- Add in missing 4th default ntp server
- Add iburst to configuration

https://fedorahosted.org/freeipa/ticket/4583

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-02 12:36:03 +01:00
David Kupka
3a6d714bb2 Use singular in help metavars + update man pages.
https://fedorahosted.org/freeipa/ticket/4695

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-26 14:33:23 +01:00
Martin Basti
c13862104a Fix zonemgr option encoding detection
Ticket: https://fedorahosted.org/freeipa/ticket/4766
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-25 13:15:44 +00:00
Jan Cholasta
bef1d18878 Add TLS 1.2 to the protocol list in mod_nss config
https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-25 12:44:13 +01:00
Martin Basti
230df95ed9 Fix detection of encoding in zonemgr option
Ticket: https://fedorahosted.org/freeipa/ticket/4762
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-24 13:20:35 +00:00
Jan Cholasta
aa9ecb253a Stop tracking certificates before restoring them in ipa-restore
https://fedorahosted.org/freeipa/ticket/4727

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-21 16:29:51 +01:00
David Kupka
373bbee4e3 ipa-restore: Check if directory is provided + better errors.
https://fedorahosted.org/freeipa/ticket/4683

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-21 15:19:56 +01:00
Jan Cholasta
71c4d3e979 Use correct service name in cainstance.backup_config
https://fedorahosted.org/freeipa/ticket/4754

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-21 13:22:11 +01:00
Martin Basti
7de424f425 Fix: read_ip_addresses should return ipaddr object
Interactive prompt callback returns list of str instead of CheckedIPAddress
instances.

Ticket: https://fedorahosted.org/freeipa/ticket/4747
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-21 08:54:17 +00:00
Petr Vobornik
a3c799f2f4 restore: clear httpd ccache after restore
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:

 Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Decrypt integrity check failed)

https://fedorahosted.org/freeipa/ticket/4726

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 16:43:26 +01:00
Jan Cholasta
3d1e9813e6 Restore file extended attributes and SELinux context in ipa-restore
https://fedorahosted.org/freeipa/ticket/4712

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 16:43:26 +01:00
Nathaniel McCallum
3c900ba7a8 Enable QR code display by default in otptoken-add
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.

https://fedorahosted.org/freeipa/ticket/4703

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 14:26:00 +01:00
Martin Basti
d2ffd17617 Fix: zonemgr must be unicode value
To support IDNA --zonemgr option must be unicode not ascii

https://fedorahosted.org/freeipa/ticket/4724

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-19 13:37:48 +01:00
Martin Basti
7c176b708e Fix named working directory permissions
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-18 18:49:42 +00:00
Martin Basti
f62c7843ff Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:26:34 +01:00
Martin Basti
40ea328a78 Fix: DNS policy upgrade raises asertion error
Ticket: https://fedorahosted.org/freeipa/ticket/4708
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 12:12:28 +00:00
Martin Basti
a7162e7766 Fix: DNS installer adds invalid zonemgr email
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.

Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 10:36:28 +00:00
Jan Cholasta
2639997dfe Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.

Create /etc/ipa/nssdb after restore if necessary.

https://fedorahosted.org/freeipa/ticket/4711

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-11 16:13:52 +01:00
Petr Vobornik
61d98bdc59 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix

https://fedorahosted.org/freeipa/ticket/4221

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Petr Viktorin
a8e2a242be ipa-restore: Don't crash if AD trust is not installed
https://fedorahosted.org/freeipa/ticket/4668

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:54:29 +00:00
Martin Basti
730f33680b Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:45:16 +01:00
Jan Cholasta
2cf0f0a658 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
David Kupka
364d466fd7 Respect UID and GID soft static allocation.
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Endi S. Dewata
0b08043c37 Fixed KRA backend.
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:33:16 +01:00
Gabe
7eca640ffa Remove trivial path constants from modules
https://fedorahosted.org/freeipa/ticket/4399

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Martin Basti
5e1172f560 fix forwarder validation errors
Fix tests, validation in dnsconfig mod, wuser warning

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Alexander Bokovoy
20761f7fcd Default to use TLSv1.0 and TLSv1.1 on the IPA server side
We only will be changing the setting on the install.
For modifying existing configurations please follow instructions
at https://access.redhat.com/solutions/1232413

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 15:54:02 +02:00
Martin Basti
3eec7e1f53 fix DNSSEC restore named state
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:52:47 +02:00
Alexander Bokovoy
eb4d559f3b updater: enable uid uniqueness plugin for posixAccounts
https://fedorahosted.org/freeipa/ticket/4636

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Martin Basti
49547a54dd DNSSEC: add files to backup
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
8f2f5dfbdf DNSSEC: modify named service to support dnssec
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
30bc3a55cf DNSSEC: platform paths and services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9101cfa60f DNSSEC: opendnssec services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
eb54814741 DNSSEC: DNS key synchronization daemon
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9184d9a1bb DNSSEC: schema
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
78018dd67d Add mask, unmask methods for service
This patch allows mask and unmask services in IPA

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356 Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Nathaniel McCallum
68825e7ac6 Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Petr Vobornik
6f81217c18 dns: fix privileges' memberof during dns install
Permissions with member attrs pointing to privileges are created before the privileges.

Run memberof plugin task to fix other ends of the relationships.

https://fedorahosted.org/freeipa/ticket/4637

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:08:37 +02:00
Jan Cholasta
608851d3f8 Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
David Kupka
c44f4dcbea Stop dogtag when updating its configuration in ipa-upgradeconfig.
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
7ad70025eb Make named.conf template platform independent
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Jan Cholasta
4cdeacdedf Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".

https://fedorahosted.org/freeipa/ticket/4496

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:18:09 +02:00
David Kupka
35c7bd05af Check that port 8443 is available when installing PKI.
https://fedorahosted.org/freeipa/ticket/4564

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:57:44 +02:00
Jan Cholasta
92a08266af Fix certmonger configuration in installer code
https://fedorahosted.org/freeipa/ticket/4619

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00
Petr Viktorin
cc085d1d4c backup/restore: Add files from /etc/ipa/nssdb
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.

https://fedorahosted.org/freeipa/ticket/4597

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-02 13:53:55 +02:00
Tomas Babej
00457a9c10 idviews: Fix typo in upgrade handling of the Default Trust View
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-30 11:49:53 +02:00
Tomas Babej
2a230b6cc1 idviews: Create Default Trust View for upgraded servers
For upgraded servers with enabled AD trust support, we want to
ensure that Default Trust View entry is created.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
b9425751b4 idviews: Add Default Trust View as part of adtrustinstall
Add a Default Trust View, which is used by SSSD as default mapping for AD users.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
16f3786d25 idviews: Add necessary schema for the ID views
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Jan Cholasta
b1fe42df16 Do not crash in CAInstance.__init__ when default argument values are used
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-30 10:06:48 +02:00
Jan Cholasta
da24d8a6e7 Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
The search criteria did not include the CA agent name.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
86c534df7d Move NSSDatabase from ipaserver.certs to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
83cbfa8eae Do stricter validation of CA certificates
Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.

https://fedorahosted.org/freeipa/ticket/4477

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3cde7e9cfd Allow choosing CA-less server certificates by name
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.

https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
88083887c9 CA-less installer options usability fixes
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.

The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.

The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.

https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3aa0731fc6 External CA installer options usability fixes
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.

https://fedorahosted.org/freeipa/ticket/4480

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
60ecba77cd Add NSSDatabase.import_files method for importing files in various formats
The files are accepted in PEM and DER certificate, PKCS#7 certificate chain,
PKCS#8 and raw private key and PKCS#12 formats.

https://fedorahosted.org/freeipa/ticket/4480
https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
f8f3d58688 Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.

https://fedorahosted.org/freeipa/ticket/4447

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-29 13:40:57 +02:00
David Kupka
947c7398ed Detect and configure all usable IP addresses.
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.

https://fedorahosted.org/freeipa/ticket/3575

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-09-26 17:54:18 +02:00
Petr Viktorin
f866186239 ipaserver.install.service: Don't show error message on SystemExit(0)
Additional fix for: https://fedorahosted.org/freeipa/ticket/4499

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-26 16:55:54 +02:00
Martin Basti
66ce71f17a LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:36:04 +02:00
Martin Basti
29ba9d9d26 Refactoring of autobind, object_exists
Required to prevent code duplications

ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:21:15 +02:00
Petr Viktorin
dea825fd9c ipa-restore: Set SELinux booleans when restoring
https://fedorahosted.org/freeipa/ticket/4157

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Petr Viktorin
c7d6fea06f Move setting SELinux booleans to platform code
Create a platform task for setting SELinux booleans.

Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.

Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.

Preparation for: https://fedorahosted.org/freeipa/ticket/4157

Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Martin Basti
7e24e241ba Add correct NS records during installation
All ipa-dns capable server is added to root zones as nameserver

During uninstall all NS records pointing to particular replica are
removed.

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Petr Viktorin
ffe4417c63 ipa-replica-prepare: Wait for the DNS entry to be resolvable
It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 15:31:08 +02:00
Petr Viktorin
9a188607fc upgradeinstance: Restore listeners on failure
Allow running some installation after failure,
and use this for the upgradeinstance cleanup steps.

https://fedorahosted.org/freeipa/ticket/4499

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-25 13:23:51 +02:00
Martin Basti
c81acfff43 FIX: ldap schmema updater needs correct ordering of the updates
Required bugfix in python-ldap 2.4.15

Updates must respect SUP objectclasses/attributes and update
dependencies first

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-25 12:57:01 +02:00
Jan Cholasta
f680a63158 Fix certmonger code causing the ca_renewal_master update plugin to fail
https://fedorahosted.org/freeipa/ticket/4547

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-09-23 16:25:15 +02:00
Petr Viktorin
abba25c826 ipa_backup: Log where the backup is be stored
This makes managing multiple backups & logs easier.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
06566cb62b backup,restore: Don't overwrite /etc/{passwd,group}
The /etc/passwd and /etc/group files are not saved and restored.
The DS user is always created on restore, and the PKI user is created
if a CA is being restored.

https://fedorahosted.org/freeipa/ticket/3866

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
5fef2ecb39 ipa_restore: Split the services list
Make a proper list from the comma-separated string found in
the config.

The only current use of backup_services is in run:
    if 'CA' in self.backup_services:
Without this change, this picked up the 'CA' from 'MEMCACHE'.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
5dfa1116c2 ipaserver.install: Consolidate system user creation
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).

Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.

Preparation for: https://fedorahosted.org/freeipa/ticket/3866

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Ade Lee
9ca5a4e420 Re-enable uninstall feature for ipa-kra-install
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done.  Also, re-added the no_host_dns option which is used when
unpacking a replica file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-15 10:58:29 +02:00
Petr Viktorin
4fac4f4cf6 Allow deleting obsolete permissions; remove operational attribute permissions
https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Ludwig Krispenz
ab196220fd Update SSL ciphers configured in 389-ds-base
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later

https://fedorahosted.org/freeipa/ticket/4395

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-09-12 16:42:09 +02:00
Petr Vobornik
4e6a3c69b0 install: create ff krb extension on every install, replica install and upgrade
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.

https://fedorahosted.org/freeipa/ticket/4478

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-11 09:41:51 +02:00
Jan Cholasta
3acec1267e Use autobind when updating CA people entries during certificate renewal
Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump
selinux-policy in the spec file.

https://fedorahosted.org/freeipa/ticket/4005

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-09 10:36:50 +02:00
Ana Krivokapic
d2793a3ca5 Remove internaldb password from password.conf
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.

https://fedorahosted.org/freeipa/ticket/4005

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-09 10:36:50 +02:00
Jan Cholasta
2ed6fb092e Backup CS.cfg before modifying it
https://fedorahosted.org/freeipa/ticket/4166

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 16:10:49 +02:00
Petr Viktorin
68d656f80a Fix: Add managed read permissions for compat tree and operational attrs
This is a fix for an earlier version, which was committed by mistake as:
master: 418ce870bf
ipa-4-0: 3e2c86aeab
ipa-4-1: 9bcd88589e

Thanks to Alexander Bokovoy for contributions

https://fedorahosted.org/freeipa/ticket/4521
2014-09-05 15:40:13 +02:00
Jan Cholasta
6ad8c464a4 Make CA-less ipa-server-install option --root-ca-file optional.
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.

Document --root-ca-file in ipa-server-install man page.

https://fedorahosted.org/freeipa/ticket/4457

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 13:59:04 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Jan Cholasta
93346b1cf9 Normalize external CA cert before passing it to pkispawn
https://fedorahosted.org/freeipa/ticket/4019

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-04 12:13:11 +02:00
David Kupka
8aa01e24a1 Add record(s) to /etc/host when IPA is configured as DNS server.
This is to avoid chicken-egg problem when directory server fails to start
without resolvable hostname and named fails to provide hostname without
directory server.

https://fedorahosted.org/freeipa/ticket/4220

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-03 16:03:31 +02:00
Ade Lee
a25fe00c62 Add a KRA to IPA
This patch adds the capability of installing a Dogtag KRA
to an IPA instance.  With this patch,  a KRA is NOT configured
by default when ipa-server-install is run.  Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.

The KRA shares the same tomcat instance and DS instance as the
Dogtag CA.  Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems.  Certmonger is also confgured to
monitor the new subsystem certificates.

To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.

The install scripts have been refactored somewhat to minimize
duplication of code.  A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs.  This will become very useful when we add more PKI
subsystems.

The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca.  This means that replication
agreements created to replicate CA data will also replicate KRA
data.  No new replication agreements are required.

Added dogtag plugin for KRA.  This is an initial commit providing
the basic vault functionality needed for vault.  This plugin will
likely be modified as we create the code to call some of these
functions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

The uninstallation option in ipa-kra-install is temporarily disabled.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-22 09:59:31 +02:00
Jan Cholasta
359dfe58b9 Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-14 10:06:27 +02:00
Jan Cholasta
6bb240fa2c Fix parsing of long nicknames in certutil -L output.
https://fedorahosted.org/freeipa/ticket/4453

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-07 15:07:39 +02:00
Martin Kosek
7caed6ecfb ipa-adtrust-install does not re-add member in adtrust agents group
When a CIFS service exists and adtrust agents group does not
have it as a member attribute (for whatever reason), re-running
ipa-adtrust-install does not fix the inconsistency.

Make the installer more robust by being able to fix the inconsistency.

https://fedorahosted.org/freeipa/ticket/4464

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-08-07 11:12:04 +02:00
Jan Cholasta
044c5c833a Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d27e77adc5 Allow upgrading CA-less to CA-full using ipa-ca-install.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
8bbdfff102 Allow adding CA certificates to certificate store in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
18aa3216e0 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
f39c6ee544 Add new NSSDatabase method get_cert for getting certs from NSS databases.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
987bf3fbf0 Allow multiple CA certificates in replica info files.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
6870eb909e Add function for writing list of certificates to a PEM file to ipalib.x509.
Also rename load_certificate_chain_from_file to
load_certificate_list_from_file.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
6f01499419 Import CA certs from certificate store to HTTP NSS database on server install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
82d682fa64 Import CA certs from certificate store to DS NSS database on replica install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
feecdb4cdc Rename CertDB method add_cert to import_cert.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
5f29a71bd7 Upload CA chain from DS NSS database to certificate store on server update.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00