freeipa/ipaserver/install
John Dennis a1991aeac1 Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists then validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warning in absence of a provided CA certificate via
  --ca-cert-file or through existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2013-01-23 14:26:42 -05:00
plugins Update plugin to upload CA certificate to LDAP 2013-01-23 14:26:41 -05:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
adtrustinstance.py ipa-adtrust-install: allow to reset the NetBIOS domain name 2012-11-08 08:18:14 +01:00
bindinstance.py Add OCSP and CRL URIs to certificates 2012-12-07 11:00:17 -05:00
cainstance.py Installer should not connect to 127.0.0.1 2013-01-21 12:13:09 -05:00
certs.py Use secure method to acquire IPA CA certificate 2013-01-23 14:26:42 -05:00
dsinstance.py Upload CA cert in the directory on install 2013-01-23 14:26:41 -05:00
httpinstance.py Make service naming in ipa-server-install consistent 2012-10-22 21:37:11 -04:00
installutils.py Changes to use a single database for dogtag and IPA 2012-11-23 12:19:19 +01:00
ipa_ldap_updater.py Use DN objects instead of strings 2012-08-12 16:23:24 -04:00
krbinstance.py Make service naming in ipa-server-install consistent 2012-10-22 21:37:11 -04:00
ldapupdate.py Sort LDAP updates properly 2013-01-11 11:29:04 -05:00
Makefile.am Add ipa-adtrust-install utility 2011-09-14 18:45:13 -04:00
memcacheinstance.py Add ipa_memcached service 2012-02-09 13:20:28 -06:00
ntpinstance.py Make service naming in ipa-server-install consistent 2012-10-22 21:37:11 -04:00
replication.py Make ipa-csreplica-manage work with both merged and non-merged DBs 2012-11-23 12:19:20 +01:00
service.py Make service naming in ipa-server-install consistent 2012-10-22 21:37:11 -04:00
sysupgrade.py Add sysupgrade state file 2012-06-10 21:23:10 -04:00
upgradeinstance.py Make service naming in ipa-server-install consistent 2012-10-22 21:37:11 -04:00