[Freeipa-devel] [PATCH] 264 own IPA httpd conf files
For IPA 1-2:

Have our spec file own the Apache configuration files we create.

rob

Attachment: freeipa-264-spec.patch (application/mbox)

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 263 Tighten up upgrade detection
We have an upgrade script that runs in rpm %post to see if an existing installation needs to be updated. This sometimes printed spurious error messages that were confusing. This patch attempts to tighten things up a bit.

rob

Attachment: freeipa-263-upgrade.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 260 allow a CA to be regenerated
Simo Sorce wrote:
> On Fri, 2009-08-28 at 13:38 -0400, Rob Crittenden wrote:
> > Add an option so we can generate a new cert for a CA. This is so we can
> > ultimately fix the missing CA basic constraint but it will also allow
> > the CA to be renewed.
> >
> > This also fixes a small bug when generating the CA basic constraint. It
> > wasn't getting set as Critical because somehow I had it sending a 7
> > instead of a y :-(
>
> Ack.
> Simo.

Pushed to ipa-1-2

rob
Re: [Freeipa-devel] [PATCH 3/3] Add A and PTR records of ourselves during installation
Rob Crittenden wrote:
> Martin Nagy wrote:
> > If the DNS zones already exist but don't contain our own records, add
> > them. This patch introduces the ipalib.api into the installers. For now,
> > the code is still a little messy. Later patches will abandon the way we
> > create zones now and use ipalib.api exclusively.
> >
> > Martin
>
> ack

Pushed
Re: [Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option
Rob Crittenden wrote:
> Martin Nagy wrote:
> > Since we are changing the behaviour of the --setup-dns option
> > substantially, we might as well remove the old --setup-bind option.
> >
> > Martin
>
> ack

Pushed
Re: [Freeipa-devel] [PATCH 1/3] Setup bind only after restarting kdc and dirsrv
Rob Crittenden wrote:
> Martin Nagy wrote:
> > BIND starting before we apply LDAP updates and restart kdc and directory
> > server causes trouble. We resolve this for now by postponing BIND setup
> > to the end of installation. Another reason is that we will be using
> > xml-rpc during the setup in the future.
> >
> > Martin
>
> ack

Pushed
Re: [Freeipa-devel] [PATCH 3/3] Add A and PTR records of ourselves during installation
Martin Nagy wrote:
> If the DNS zones already exist but don't contain our own records, add
> them. This patch introduces the ipalib.api into the installers. For now,
> the code is still a little messy. Later patches will abandon the way we
> create zones now and use ipalib.api exclusively.
>
> Martin

ack
Re: [Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option
Martin Nagy wrote:
> Since we are changing the behaviour of the --setup-dns option
> substantially, we might as well remove the old --setup-bind option.
>
> Martin

ack
Re: [Freeipa-devel] [PATCH 1/3] Setup bind only after restarting kdc and dirsrv
Martin Nagy wrote:
> BIND starting before we apply LDAP updates and restart kdc and directory
> server causes trouble. We resolve this for now by postponing BIND setup
> to the end of installation. Another reason is that we will be using
> xml-rpc during the setup in the future.
>
> Martin

ack
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
> On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> > Martin Nagy wrote:
> > > Hi,
> > > This patch adds options --forwarder and --no-forwarders. At least
> > > one of them must be used if you are doing a setup with DNS server.
> > > They are also mutually exclusive. The --forwarder option can be used
> > > more than once to specify more servers. If the installer runs in
> > > interactive mode, it will prompt the user if none of these options
> > > was given at the command
> > >
> > > Martin
> >
> > Actually, I forgot about the replica installer. Updated patch attached.
>
> Ack,
> Simo.

Pushed.

Martin
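An added illustration of the option rules described in this thread, written for this page and not taken from the FreeIPA installers: argparse stands in for the installer's optparse, `ask` is a hypothetical stand-in for the interactive prompt, and the IP-literal check before rendering the named.conf forwarders clause is an addition here, not something the patch shows.

```python
import argparse
import ipaddress


def build_parser():
    """Subset of the installer's DNS options, reconstructed from the thread."""
    p = argparse.ArgumentParser(prog="ipa-server-install")
    p.add_argument("--setup-dns", dest="setup_dns", action="store_true", default=False)
    p.add_argument("--forwarder", dest="forwarders", action="append", metavar="IP",
                   help="DNS forwarder; may be given more than once")
    p.add_argument("--no-forwarders", dest="no_forwarders", action="store_true", default=False)
    p.add_argument("-U", "--unattended", dest="unattended", action="store_true", default=False)
    return p


def resolve_forwarders(opts, ask=None):
    """Return the validated forwarder list; [] means "no forwarders".
    Mutually exclusive options, one required, prompt when interactive."""
    if opts.forwarders and opts.no_forwarders:
        raise ValueError("--forwarder and --no-forwarders are mutually exclusive")
    if opts.no_forwarders:
        return []
    forwarders = list(opts.forwarders or [])
    if not forwarders:
        if opts.unattended or ask is None:
            raise ValueError("--setup-dns needs --forwarder or --no-forwarders")
        while True:  # interactive mode (hypothetical ask()): collect at least one
            entry = ask("Enter IP address for a DNS forwarder (empty to finish): ").strip()
            if entry:
                forwarders.append(entry)
            elif forwarders:
                break
    # Added check, not in the patch: only IP literals reach named.conf, so a
    # value such as '10.0.0.2; include "/etc/x"' is rejected, not written out.
    return [str(ipaddress.ip_address(f)) for f in forwarders]


def forwarders_clause(forwarders):
    """Render the options{} lines for /etc/named.conf; an empty list yields none."""
    if not forwarders:
        return ""
    return "\tforwarders { %s };\n\tforward first;\n" % " ".join(f + ";" for f in forwarders)


def plan_dns(argv, ask=None):
    """Parse argv; return the named.conf fragment, or None when DNS is not set up."""
    opts = build_parser().parse_args(argv)
    if not opts.setup_dns:
        return None
    return forwarders_clause(resolve_forwarders(opts, ask))
```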
[Freeipa-devel] [PATCH 3/3] Add A and PTR records of ourselves during installation
If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively. Martin >From 09c8e86063113acb444ad32117b1dba839eae115 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Wed, 2 Sep 2009 16:22:50 +0200 Subject: [PATCH 3/3] Add A and PTR records of ourselves during installation If the DNS zones already exist but don't contain our own records, add them. This patch introduces the ipalib.api into the installers. For now, the code is still little messy. Later patches will abandon the way we create zones now and use ipalib.api exclusively. --- install/tools/ipa-replica-install |8 +++- install/tools/ipa-server-install |7 ++- ipaserver/install/bindinstance.py | 19 --- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 6dd9488..0571f94 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -31,7 +31,7 @@ from ipaserver.install import dsinstance, replication, installutils, krbinstance from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs from ipaserver import ipaldap from ipapython import version -from ipalib import util +from ipalib import api, util CACERT="/usr/share/ipa/html/ca.crt" @@ -361,6 +361,12 @@ def main(): service.restart("krb5kdc") if options.setup_dns: +# First bootstrap the plug-in framework +api.bootstrap(in_server=True) +api.finalize() +api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", + bind_pw=config.dirman_password) + install_bind(config, options) # Call client install script diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 306bed5..cad1a3c 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -51,7 +51,7 @@ from ipaserver.install.installutils import * from ipapython import sysrestore from ipapython.ipautil import * -from ipalib import util +from ipalib import api, util pw_name = None @@ -646,6 +646,11 @@ def main(): bind = bindinstance.BindInstance(fstore, dm_password) bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) if options.setup_dns: +# First bootstrap the plug-in framework +api.bootstrap(in_server=True) +api.finalize() +api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password) + bind.create_instance() else: bind.create_sample_bind_zone() diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index e2c91f3..2a922a3 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -28,7 +28,7 @@ import service from ipaserver import ipaldap from ipapython import sysrestore from ipapython import ipautil -from ipalib import util +from ipalib import api, util def check_inst(): # So far this file is always present in both RHEL5 and Fedora if all the necessary @@ -122,15 +122,19 @@ class BindInstance(service.Service): zone_dn = "idnsName=%s,cn=dns,%s" % (self.domain, self.suffix) reverse_zone_dn = "idnsName=%s.in-addr.arpa,cn=dns,%s" % (self.reverse_subnet, self.suffix) +a_rr_dn = "idnsName=%s,%s" % (self.host, zone_dn) +ptr_rr_dn = "idnsName=%s,%s" % (self.reverse_host, reverse_zone_dn) server = ldap.initialize("ldap://"; + self.fqdn) server.simple_bind_s() if object_exists(zone_dn): -pass # TODO: Add dns records to the zone +if not object_exists(a_rr_dn): +self.step("adding our A record", self.__setup_a_record) else: self.step("setting up our zone", self.__setup_zone) if object_exists(reverse_zone_dn): -pass # TODO: Add dns records to the reverse zone +if not object_exists(ptr_rr_dn): +self.step("adding our PTR record", self.__setup_ptr_record) else: self.step("setting up reverse zone", self.__setup_reverse_zone) 
@@ -173,6 +177,15 @@ class BindInstance(service.Service): def __setup_reverse_zone(self): self._ldap_mod("dns_reverse.ldif", self.sub_dict) +def __setup_a_record(self): +api.Command.dns_add_rr(unicode(self.domain), unicode(self.host), + u'A', unicode(self.ip_address)) + +def __setup_ptr_record(self): +api.Command.dns_add_rr(unicode(self.reverse_subnet + ".in-addr.arpa"), + unicode(self.reverse_host), u'PTR', + unicode(self.host)) + def __setup_principal(self): dns_principal = "DNS/" + self.fqdn + "@" + self.rea
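Review bot: In __setup_ptr_record the PTR data is unicode(self.host), the short host name, while a PTR target is a domain name that resolvers expect fully qualified; unless dns_add_rr is known to append the zone, pass self.fqdn (with a trailing dot) or document why the short name is correct. The new checks in bindinstance.py only test object_exists(a_rr_dn) / object_exists(ptr_rr_dn), so an existing record that points at an old address is silently left as is; at least log that the record was found and skipped. The api.bootstrap(in_server=True) / api.finalize() / api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", ...) sequence is copied into both ipa-replica-install and ipa-server-install and never disconnected; moving it into install_bind / BindInstance would keep the Directory Manager bind in one place and let it be closed once the records are added.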
[Freeipa-devel] [PATCH 2/3] Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option. Martin >From 245db49b6fb70ec02bb97f3fa338d7a8a2052803 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Wed, 2 Sep 2009 12:27:42 +0200 Subject: [PATCH 2/3] Remove old --setup-bind option Since we are changing the behaviour of the --setup-dns option substantially, we might as well remove the old --setup-bind option. --- install/tools/ipa-server-install |3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 03ee6f4..306bed5 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -79,9 +79,6 @@ def parse_options(): default=False, help="Configure a CA instance") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address") -# FIXME: Remove this option -parser.add_option("--setup-bind", dest="setup_dns", action="store_true", - default=False, help="configure bind with our zone file") parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") parser.add_option("--forwarder", dest="forwarders", action="append", -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
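Review bot: The diffstat shows only install/tools/ipa-server-install changing, so any manual page or documentation that still lists --setup-bind is not updated here; check for remaining references before pushing. Because both options wrote to dest="setup_dns", dropping the old one changes nothing for --setup-dns users, but a script that still passes --setup-bind will now fail with an optparse "no such option" error, which is worth a sentence in the commit message.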
[Freeipa-devel] [PATCH 1/3] Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future. Martin >From ec71011ff70fc0bc811c505e1be2325cd36a8752 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Wed, 2 Sep 2009 12:24:17 +0200 Subject: [PATCH 1/3] Setup bind only after restarting kdc and dirsrv BIND starting before we apply LDAP updates and restart kdc and directory server causes trouble. We resolve this for now by postponing BIND setup to the end of installation. Another reason is that we will be using xml-rpc during the setup in the future. --- install/tools/ipa-replica-install |5 +++-- install/tools/ipa-server-install | 16 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index a4d8848..6dd9488 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -328,8 +328,6 @@ def main(): install_krb(config) install_http(config) -if options.setup_dns: -install_bind(config, options) if CA: CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() @@ -362,6 +360,9 @@ def main(): service.restart("dirsrv") service.restart("krb5kdc") +if options.setup_dns: +install_bind(config, options) + # Call client install script try: ipautil.run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 2c890b4..03ee6f4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -633,14 +633,6 @@ def main(): fd.write("enable_ra=True\n") fd.close() -# Create a BIND instance -bind = bindinstance.BindInstance(fstore, dm_password) -bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) -if options.setup_dns: -bind.create_instance() -else: -bind.create_sample_bind_zone() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg("Applying LDAP updates") @@ -653,6 +645,14 @@ def main(): service.print_msg("restarting the KDC") krb.restart() +# Create a BIND instance +bind = bindinstance.BindInstance(fstore, dm_password) +bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders) +if options.setup_dns: +bind.create_instance() +else: +bind.create_sample_bind_zone() + # Set the admin user kerberos password ds.change_admin_password(admin_password) -- 1.6.2.5 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
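Review bot: The relocated blocks in ipa-replica-install and ipa-server-install carry no comment explaining why BIND setup must follow the LDAP updates and the dirsrv/krb5kdc restarts; the reason lives only in the commit message, so add a one-line comment at the new location, e.g. "# BIND must be set up after the LDAP updates and the dirsrv/KDC restart", otherwise the next refactor can move it back. In ipa-server-install the else branch bind.create_sample_bind_zone() moves along with the block; that is harmless if nothing between the old and new positions reads the sample zone file, which is worth confirming.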
Re: [Freeipa-devel] [PATCH] Start bind only after restarting kdc and dirsrv
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
> On Wed, 2009-09-02 at 02:37 +0200, Martin Nagy wrote:
> > BIND starting before we apply LDAP updates and restart kdc and
> > directory server causes trouble. We resolve this for now by postponing
> > BIND start to the end of installation.
>
> Ack,
> Simo.

Self-nack. I will need to use the xmlrpc plug-ins and decided that it will be better to move the whole installation of bind after kdc and directory server are restarted. I'll post the new patch after some testing.

Martin
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least
> > one of them must be used if you are doing a setup with DNS server.
> > They are also mutually exclusive. The --forwarder option can be used
> > more than once to specify more servers. If the installer runs in
> > interactive mode, it will prompt the user if none of these options
> > was given at the command
> >
> > Martin
>
> Actually, I forgot about the replica installer. Updated patch attached.

Ack,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Start bind only after restarting kdc and dirsrv
On Wed, 2009-09-02 at 02:37 +0200, Martin Nagy wrote:
> BIND starting before we apply LDAP updates and restart kdc and
> directory server causes trouble. We resolve this for now by postponing
> BIND start to the end of installation.

Ack,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York