IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
ac6e4cb61c
freeipa/install/updates
History
Florence Blanc-Renaud 69bda6b440 Fix ipa-server-upgrade: This entry already exists 
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.

To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.

https://pagure.io/freeipa/issue/7125

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:47:53 +02:00
..
05-pre_upgrade_plugins.update server upgrade: fix upgrade from pre-4.0 2017-02-20 13:00:50 +00:00
10-config.update Decreased timeout for IO blocking for DS 2016-06-02 20:20:28 +02:00
10-enable-betxn.update Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
10-ipapwd.update Make sure ipapwd_extop takes precedence over passwd_modify_extop 2016-06-20 19:09:45 +02:00
10-rootdse.update Set the default attributes for RootDSE 2014-09-24 10:02:44 +02:00
10-selinuxusermap.update Remove schema modifications from update files 2013-11-18 16:54:21 +01:00
10-uniqueness.update Uid uniqueness: fix: exclude compat tree from uniqueness 2015-05-22 15:41:41 +02:00
19-managed-entries.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
20-aci.update Add --password-expiration to allow admin to force user password expiration 2017-03-31 12:19:40 +02:00
20-default_password_policy.update password policy: Add explicit default password policy for hosts and services 2016-12-14 17:46:12 +01:00
20-dna.update Moved update of DNA plugin among update plugins 2016-11-11 12:13:56 +01:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-idoverride_index.update Fix index definition for ipaAnchorUUID 2017-05-30 12:32:34 +02:00
20-indices.update Create indexes for 'serverhostname' attribute 2017-07-04 14:40:52 +02:00
20-ipaservers_hostgroup.update aci: add IPA servers host group 'ipaservers' 2015-12-07 08:13:23 +01:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update topology: Fix: Make sure the old 'realm' topology suffix is not used 2015-12-09 18:57:52 +01:00
20-sslciphers.update Configure 389ds with "default" cipher suite 2016-03-09 10:04:58 +01:00
20-syncrepl.update DS deadlock when memberof scopes topology plugin updates 2016-03-18 13:25:08 +01:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-uuid.update DNSSEC: DNS key synchronization daemon 2014-10-21 12:23:03 +02:00
20-winsync_index.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
21-ca_renewal_container.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
21-certstore_container.update Add container for certificate store. 2014-07-30 16:04:21 +02:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
25-referint.update DNS Locations: when removing location remove it from servers first 2016-06-03 15:58:21 +02:00
30-provisioning.update User life cycle: Stage user Administrators permission/priviledge 2015-05-18 09:37:21 +02:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
37-locations.update DNS Locations: location-* commands 2016-06-03 15:58:21 +02:00
40-automember.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-certprofile.update Add certprofile plugin 2015-06-04 08:27:33 +00:00
40-delegation.update Remove "Request Certificate with SubjectAltName" permission 2016-12-21 17:04:18 +01:00
40-dns.update DNS: Support URI resource record type 2016-10-11 16:48:47 +02:00
40-otp.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-realm_domains.update Add list of domains associated to our realm to cn=etc 2013-02-19 14:15:46 +02:00
40-replication.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-vault.update vault: fix private service vault creation 2015-10-13 14:34:00 +02:00
41-caacl.update Add CA ACL plugin 2015-06-11 10:50:31 +00:00
41-lightweight-cas.update Add 'ca' plugin 2016-06-15 07:13:38 +02:00
45-roles.update Add Role 'Enrollment Administrator' 2017-06-09 16:37:40 +02:00
50-7_bit_check.update Do not check userPassword with 7-bit plugin 2013-06-06 18:12:50 +02:00
50-dogtag10-migration.update Add profiles and default CA ACL on migration 2015-11-24 10:12:24 +01:00
50-externalmembers.update slapi-nis: update configuration to allow external members of IPA groups 2016-03-01 12:40:25 +01:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add crond as a default HBAC service 2013-01-17 09:50:48 -05:00
50-ipaconfig.update Short name resolution: introduce the required schema 2017-03-14 18:37:10 +01:00
50-krbenctypes.update Add Camellia ciphers to allowed list. 2013-07-18 10:49:38 +03:00
50-nis.update Upgrade: Fix upgrade of NIS Server configuration 2016-01-11 09:45:54 +01:00
55-pbacmemberof.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
59-trusts-sysacount.update Upgrade: fix trusts objectclass violationi 2014-11-13 13:31:17 +01:00
60-trusts.update Convert ipa-sam to use the new getkeytab control 2016-02-01 13:28:39 +01:00
61-trusts-s4u2proxy.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
62-ranges.update Remove changetype attribute from update plugin 2014-10-17 12:02:25 +02:00
71-idviews-sasl-mapping.update adtrust: support GSSAPI authentication to LDAP as Active Directory user 2016-06-10 13:39:02 +02:00
71-idviews.update idviews: Create container for ID views under cn=accounts 2014-09-30 10:42:06 +02:00
72-domainlevels.update Add Domain Level feature 2015-05-26 11:59:47 +00:00
73-certmap.update Support for Certificate Identity Mapping 2017-03-02 15:09:42 +01:00
73-custodia.update Setup lightweight CA key retrieval on install/upgrade 2016-06-09 09:04:27 +02:00
73-winsync.update winsync: Add inetUser objectclass to the passsync sysaccount 2015-09-16 17:13:42 +02:00
80-schema_compat.update compat plugin: Update link to slapi-nis project 2017-04-24 17:11:51 +02:00
90-post_upgrade_plugins.update Fix ipa-server-upgrade: This entry already exists 2017-08-30 12:47:53 +02:00
Makefile.am Move the compat plugin setup at the end of install 2017-04-24 17:11:51 +02:00
README Remove schema modifications from update files 2013-11-18 16:54:21 +01:00

README 

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).

Updates are applied in blocks of ten so that any entries that are dependant
on another can be added successfully without having to rely on the length
of the DN to get the sorting correct.

The file names should use the format #-<description>.update where # conforms
to this:

10 - 19: Configuration
20 - 29: 389-ds configuration, new indices
30 - 39: Structual elements of the DIT
40 - 49: Pre-loaded data
50 - 59: Cleanup existing data
60 - 69: AD Trust
70 - 79: Reserved
80 - 89: Reserved

These numbers aren't absolute, there may be reasons to put an update
into one place or another, but by adhereing to the scheme it will be
easier to find existing updates and know where to put new ones.