freeipa/ipaserver/install
Alexander Scheel 8a715feb57 Handle multiple AJP adapters during upgrade
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.

Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.

This patch benefits IPA in the scenario when:

 1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
 2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
    resulting in split IPv4/IPv6 adapters -- this would only happen
    on a direct migration from 8.2 -> 8.4
 3. ipa upgrade script then runs to provision an AJP secret value for
    use with both Dogtag and IPA.

Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:43:22 +01:00
plugins Ignore database errors when trying to extract ipaCert on upgrade 2021-01-28 09:19:32 +01:00
server Remove the option stop_certmonger from stop_tracking_* 2021-02-15 17:13:53 +02:00
__init__.py Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06 15:42:33 +02:00
adtrust.py Use api.env.container_sysaccounts 2020-04-28 11:28:29 +02:00
adtrustinstance.py uninstall: Don't fail on missing /var/lib/samba 2020-08-17 10:46:23 +02:00
bindinstance.py ipaserver: don't ignore zonemgr option on install 2021-02-25 20:24:55 +01:00
ca.py Remove the option stop_certmonger from stop_tracking_* 2021-02-15 17:13:53 +02:00
cainstance.py Suppress error message if the CRL directory doesn't exist 2021-02-18 16:52:05 +01:00
certs.py Ensure that KDC cert has SAN DNS entry 2021-01-29 13:36:41 -05:00
conncheck.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
custodiainstance.py Add user and group wrappers 2020-09-22 09:23:18 -04:00
dns.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
dnskeysyncinstance.py dnskeysyncinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
dogtag.py Verify pki ini override early 2019-04-10 13:43:23 +02:00
dogtaginstance.py Handle multiple AJP adapters during upgrade 2021-03-25 15:43:22 +01:00
dsinstance.py Skip offline dse.ldif patching by default 2020-10-05 15:02:14 +02:00
httpinstance.py cleanup: Drop never used path for httpd's ccache 2021-03-04 14:17:01 +02:00
installutils.py Avoid comparing 'max' with 'max\n'. 2021-03-23 08:35:32 +01:00
ipa_acme_manage.py ipa-acme-manage: use a cookie created for the communication with dogtag REST endpoints 2020-11-17 18:48:24 +02:00
ipa_backup.py Always define the path DNSSEC_OPENSSL_CONF 2020-11-30 15:52:19 +01:00
ipa_cacert_manage.py ipa-cacert-manage: add prune option 2021-02-12 14:08:11 -05:00
ipa_cert_fix.py ipa-cert-fix: improve handling of 'pki-server cert-fix' failure 2021-03-01 11:23:35 +11:00
ipa_crlgen_manage.py CRL generation master: new utility to enable|disable 2019-03-14 09:39:55 +01:00
ipa_kra_install.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipa_ldap_updater.py Simplify LDAPUpdater 2020-09-22 09:21:00 -04:00
ipa_otptoken_import.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_pkinit_manage.py PKINIT: fix ipa-pkinit-manage enable|disable 2018-12-05 11:06:21 +01:00
ipa_replica_install.py Enable replica install info logging to match ipa-server-install 2018-11-01 13:08:58 +01:00
ipa_restore.py Add user and group wrappers 2020-09-22 09:23:18 -04:00
ipa_server_certinstall.py Require an ipa-ca SAN on 3rd party certs if ACME is enabled 2020-11-02 14:01:05 -05:00
ipa_server_install.py Improve console logging for ipa-server-install 2018-06-20 08:38:03 +02:00
ipa_server_upgrade.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipa_trust_enable_agent.py ipa-adtrust-install: run remote configuration for new agents 2020-03-05 14:40:58 +01:00
ipa_winsync_migrate.py ipa commands: print 'IPA is not configured' when ipa is not setup 2018-08-23 12:08:45 +02:00
ipactl.py Ensure IPA is running (ideally) before uninstalling the KRA 2021-02-04 01:29:53 +01:00
kra.py Ensure IPA is running (ideally) before uninstalling the KRA 2021-02-04 01:29:53 +01:00
krainstance.py Change KRA profiles in certmonger tracking so they can renew 2020-12-01 12:56:03 +01:00
krbinstance.py Ensure that KDC cert has SAN DNS entry 2021-01-29 13:36:41 -05:00
ldapupdate.py Remove magic sleep from create_index_task 2020-10-05 15:02:14 +02:00
odsexporterinstance.py odsexporterinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
opendnssecinstance.py opendnssecinstance: use late binding for UID/GID resolution 2020-12-22 14:05:13 +02:00
otpdinstance.py Enable pylint missing-final-newline check 2015-12-23 07:59:22 +01:00
replication.py Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
schemaupdate.py Unify access to FQDN 2020-10-26 17:11:19 +11:00
service.py service: handle empty list of services to update their state 2020-12-18 13:33:44 +02:00
sysupgrade.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
upgradeinstance.py Move where the restore state is marked during IPA server upgrade 2020-12-02 14:08:51 +02:00