Re: [Freeipa-devel] [PATCH] add man page for ipa-kra-install

2014-08-25 Thread Petr Viktorin

On 08/24/2014 06:28 PM, Ade Lee wrote:

Added man pages for ipa-kra-install.  And it's not even Tuesday yet :)

Please review,
Ade



If I was new to this, I think I'd be quite lost.

I think the man page should briefly explain what KRA is -- just a 
sentence would be fine. At the very least expand the acronym.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive

2014-08-25 Thread Jan Cholasta
The docstring of interactive_prompt_callback could use some tweaking, 
but besides that re-ACK.


Dne 21.8.2014 v 14:50 Gabe Alford napsal(a):

Hello,

 Just wondering if this needs to be re-ack'd.

Thanks,

Gabe


On Thu, Jul 31, 2014 at 7:57 AM, Gabe Alford redhatri...@gmail.com wrote:

Okay. Sounds good. Update patch attached.


On Thu, Jul 31, 2014 at 7:18 AM, Martin Kosek mko...@redhat.com wrote:

Ah, right. But I still think that's a too-early optimization. We
can add this
callback when this necessity arises. Until then, I would rather
prefer to keep
the code clean.

Martin

On 07/31/2014 03:17 PM, Gabe Alford wrote:
  Right. The reason I added it in there is that I could see
that in the
  future trust_type could be more than just 'ad' (maybe 'ipa',
'krb', etc?)
  which at that point I'm not sure a default makes sense. So, I
thought to go
  ahead and add the check for future use cases so that it
doesn't have to be
  remembered later. However, maybe that was just a bad idea as
right now it
  is a pointless check?
 
  Gabe
 
 
  On Thu, Jul 31, 2014 at 3:18 AM, Alexander Bokovoy aboko...@redhat.com wrote:
 
  On Thu, 31 Jul 2014, Martin Kosek wrote:
 
  Sorry for going late in the game, just a quick question -
why do we want
  to add
  this part:
 
  +if trust_type is None:
  +kw['trust_type'] = self.prompt_param(self.params[
  'trust_type'])
 
  ? I do not see a reason for adding a special interactive
prompt callback
  for
  that - trust_type has a default value ad. CCing Alexander
to double
  check.
 
  I also don't understand why you need to ask interactively
for the
  trust_type as it defaults to non-empty value and this value
is the only
  one we currently support.
 
 
  --
  / Alexander Bokovoy
 
 









--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] ipa trust-add command should be interactive

2014-08-25 Thread Martin Kosek
Thanks. Pushed to:

master: 9415aba87789512e34cb4ed62534cde7822ff70b
ipa-4-1: 8bb2af0e0ca375e10a406883ada5769963813763
ipa-4-0: b708001074e1fc1e412bc18b1e5e0b408151847b

Martin

On 08/25/2014 12:00 PM, Jan Cholasta wrote:
 The docstring of interactive_prompt_callback could use some tweaking, but
 besides that re-ACK.
 
 Dne 21.8.2014 v 14:50 Gabe Alford napsal(a):
 Hello,

  Just wondering if this needs to be re-ack'd.

 Thanks,

 Gabe


 On Thu, Jul 31, 2014 at 7:57 AM, Gabe Alford redhatri...@gmail.com wrote:

 Okay. Sounds good. Update patch attached.


 On Thu, Jul 31, 2014 at 7:18 AM, Martin Kosek mko...@redhat.com wrote:

 Ah, right. But I still think that's a too-early optimization. We
 can add this
 callback when this necessity arises. Until then, I would rather
 prefer to keep
 the code clean.

 Martin

 On 07/31/2014 03:17 PM, Gabe Alford wrote:
   Right. The reason I added it in there is that I could see
 that in the
   future trust_type could be more than just 'ad' (maybe 'ipa',
 'krb', etc?)
   which at that point I'm not sure a default makes sense. So, I
 thought to go
   ahead and add the check for future use cases so that it
 doesn't have to be
   remembered later. However, maybe that was just a bad idea as
 right now it
   is a pointless check?
  
   Gabe
  
  
   On Thu, Jul 31, 2014 at 3:18 AM, Alexander Bokovoy aboko...@redhat.com wrote:
  
   On Thu, 31 Jul 2014, Martin Kosek wrote:
  
   Sorry for going late in the game, just a quick question -
 why do we want
   to add
   this part:
  
   +if trust_type is None:
   +kw['trust_type'] = self.prompt_param(self.params[
   'trust_type'])
  
   ? I do not see a reason for adding a special interactive
 prompt callback
   for
   that - trust_type has a default value ad. CCing Alexander
 to double
   check.
  
   I also don't understand why you need to ask interactively
 for the
   trust_type as it defaults to non-empty value and this value
 is the only
   one we currently support.
  
  
   --
   / Alexander Bokovoy
  
  






 
 



Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-25 Thread Petr Viktorin

On 08/22/2014 03:28 PM, Petr Vobornik wrote:
[...]

Should the requirement of Dogtag 10.2 be reflected in a spec file?



Yes. Sorry for forgetting that point in the review.

We can do two things here:
1) Require Dogtag 10.2 (and ask developers to add the vakwetu-dogtag 
repo for ipa master)

or
2) Disable ipa-kra-install and the kra plugin if pki.crypto is not 
importable


How soon will 10.2 be available? If it will take a while I'd rather do 
2) but it does mean more churn in the repo. Thoughts?


--
Petr³


[Freeipa-devel] [PATCHES 0114-0115] DNS: allow to add root zone '.'

2014-08-25 Thread Martin Basti

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse, in dirsrv) which causes the 
named service to be stopped after deleting a zone.

Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138

--
Martin Basti

From 9ed12420bf52a2d2dab1f8cc4f1f6b1b5f86a801 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Fri, 22 Aug 2014 17:11:22 +0200
Subject: [PATCH 1/2] Fix DNS plugin to allow to add root zone

Ticket: https://fedorahosted.org/freeipa/ticket/4149
---
 ipalib/plugins/dns.py | 53 ++-
 1 file changed, 31 insertions(+), 22 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 24b303d8405aa3b4a6e0474e75d0e46e6949860d..9c8d09856a57f12b0ff1a52c8f0277f7abb29cdd 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1783,17 +1783,21 @@ class DNSZoneBase(LDAPObject):
 zone = keys[-1]
 assert isinstance(zone, DNSName)
 assert zone.is_absolute()
-zone = zone.ToASCII()
+zone_a = zone.ToASCII()
+
+# special case when zone is the root zone ('.')
+if zone == DNSName.root:
+return super(DNSZoneBase, self).get_dn(zone_a, **options)
 
 # try first relative name, a new zone has to be added as absolute
 # otherwise ObjectViolation is raised
-zone = zone[:-1]
-dn = super(DNSZoneBase, self).get_dn(zone, **options)
+zone_a = zone_a[:-1]
+dn = super(DNSZoneBase, self).get_dn(zone_a, **options)
 try:
 self.backend.get_entry(dn, [''])
 except errors.NotFound:
-zone = u%s. % zone
-dn = super(DNSZoneBase, self).get_dn(zone, **options)
+zone_a = u%s. % zone_a
+dn = super(DNSZoneBase, self).get_dn(zone_a, **options)
 
 return dn
 
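Review bot: the root-zone shortcut `if zone == DNSName.root:` has to sit before `zone_a = zone_a[:-1]`, because ToASCII() of the root zone is just '.' and stripping the trailing dot would leave an empty name for the relative-name lookup; it does, but the shortcut only works if `DNSName.root` compares equal to the absolute `zone` asserted two lines earlier, so add a one-line comment saying that the root zone has no relative spelling and therefore skips the compatibility lookup, rather than just "special case".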
@@ -1825,6 +1829,8 @@ class DNSZoneBase(LDAPObject):
 try:
 api.Command['permission_del'](permission_name, force=True)
 except errors.NotFound, e:
+if zone == DNSName.root:  # special case root zone
+raise
 # compatibility, older IPA versions which allows to create zone
 # without absolute zone name
 permission_name_rel = self.permission_name(
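Review bot: the new `if zone == DNSName.root: raise` inside `except errors.NotFound, e:` re-raises the original NotFound for the root zone instead of falling through to the relative-name retry, which is correct since '.' has no relative form, but it means a missing managed permission for the root zone surfaces from a different place than for other zones (which fail, if at all, from the retry below); make sure the caller treats the propagated NotFound the same way in both paths, and say in the comment why the root zone cannot use the fallback.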
@@ -1988,20 +1994,21 @@ class DNSZoneBase_add_permission(LDAPQuery):
 permission_name = self.obj.permission_name(keys[-1])
 
 # compatibility with older IPA versions which allows relative zonenames
-permission_name_rel = self.obj.permission_name(
-keys[-1].relativize(DNSName.root)
-)
-try:
-api.Object['permission'].get_dn_if_exists(permission_name_rel)
-except errors.NotFound:
-pass
-else:
-# permission exists without absolute domain name
-raise errors.DuplicateEntry(
-message=_('permission %(value)s already exists') % {
-'value': permission_name
-}
+if keys[-1] != DNSName.root:  # special case root zone
+permission_name_rel = self.obj.permission_name(
+keys[-1].relativize(DNSName.root)
 )
+try:
+api.Object['permission'].get_dn_if_exists(permission_name_rel)
+except errors.NotFound:
+pass
+else:
+# permission exists without absolute domain name
+raise errors.DuplicateEntry(
+message=_('permission %(value)s already exists') % {
+'value': permission_name
+}
+)
 
 permission = api.Command['permission_add_noaci'](permission_name,
  ipapermissiontype=u'SYSTEM'
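Review bot: the unchanged `)` that closes `self.obj.permission_name(` is still at its old indentation while the call it closes moved one level deeper under `if keys[-1] != DNSName.root:`; Python accepts it, but re-indent it with the moved lines so it matches the `)` closing `raise errors.DuplicateEntry(`, which was re-indented. The skip itself is right: `DNSName.root.relativize(DNSName.root)` would yield an empty name, so there is no legacy relative-name permission for the root zone to collide with.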
@@ -2417,12 +2424,14 @@ class dnszone_add(DNSZoneBase_add):
nameserver_ip_address)
 
 # Add entry to realmdomains
-# except for our own domain, forwarded zones and reverse zones
+# except for our own domain, forward zones, reverse zones and root zone
 zone = keys[0]
 
 if (zone != DNSName(api.env.domain).make_absolute()
 and not options.get('idnsforwarders')
-and not zone.is_reverse()):
+and not zone.is_reverse()
+and zone != DNSName.root
+):
 try:
 api.Command['realmdomains_mod'](add_domain=unicode(zone),
 force=True)
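Review bot: the comment `# except for our own domain, forward zones, reverse zones and root zone` lists the root zone but gives no reason; realmdomains maps DNS domains onto the Kerberos realm, and adding '.' there would claim every DNS name for this realm, so spell that out in the comment so the `and zone != DNSName.root` condition is not "simplified" away later. Style nit: the closing `):` on its own line differs from the `and not zone.is_reverse()):` it replaces; keep one style.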
@@ -2444,11 +2453,11 @@ class dnszone_del(DNSZoneBase_del):
 super(dnszone_del, self).post_callback(ldap, dn, *keys, **options)
 
 # Delete entry from realmdomains
-# except for our own domain
+# except for our own domain, and root zone
 zone = keys[0].make_absolute()
 
 if (zone != DNSName(api.env.domain).make_absolute() and
-not zone.is_reverse()
+  

Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-25 Thread Ade Lee
We plan to do an alpha build of Dogtag 10.2 on Fedora 21 at the end of
this week.

Ade

On Mon, 2014-08-25 at 13:14 +0200, Petr Viktorin wrote:
 On 08/22/2014 03:28 PM, Petr Vobornik wrote:
 [...]
  Should the requirement of Dogtag 10.2 be reflected in a spec file?
 
 
 Yes. Sorry for forgetting that point in the review.
 
 We can do two things here:
 1) Require Dogtag 10.2 (and ask developers to add the vakwetu-dogtag 
 repo for ipa master)
 or
 2) Disable ipa-kra-install and the kra plugin if pki.crypto is not 
 importable
 
 How soon will 10.2 be available? If it will take a while I'd rather do 
 2) but it does mean more churn in the repo. Thoughts?
 




Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.

2014-08-25 Thread David Kupka

On 08/19/2014 05:44 PM, Rob Crittenden wrote:

David Kupka wrote:

On 08/19/2014 09:58 AM, Martin Kosek wrote:

On 08/19/2014 09:05 AM, David Kupka wrote:

FreeIPA will use certmonger D-Bus API as discussed in this thread
https://www.redhat.com/archives/freeipa-devel/2014-July/msg00304.html

This change should prevent hard-to-reproduce bugs like
https://fedorahosted.org/freeipa/ticket/4280


Thanks for this effort, the updated certmonger module looks much
better! This
will help us get rid of the non-standard communication with certmonger.

Just couple initial comments from me by reading the code:

1) Testing needs fixed version of certmonger, right? This needs to be
spelled
out right with the patch.

Yes, certmonger 0.75.13 and above should be fine according to ticket
https://fedorahosted.org/certmonger/ticket/36. Added to patch description.


You should update the spec to set the minimum version as well.

Sure, thanks.




2) Description text in patches is cheap, do not be afraid to use it and
describe what you did and why. Link to the ticket is missing in the
description
as well:

Ok, increased verbosity a bit :-)



Subject: [PATCH] Use certmonger D-Bus API instead of messing with its
files.

---


3) get_request_id API:


   criteria = (
-('cert_storage_location', dogtag_constants.ALIAS_DIR,
- certmonger.NPATH),
-('cert_nickname', nickname, None),
+('cert_storage_location', dogtag_constants.ALIAS_DIR),
+('cert_nickname', nickname),
   )
   request_id = certmonger.get_request_id(criteria)


Do we want to continue using the criteria object or should we rather
switch
to normal function options? I.e. rather using

request_id = certmonger.get_request_id(cert_nickname=nickname,
cert_storage_location=dogtag_constants.ALIAS_DIR)

? It would look more consistent with other calls. I am just asking,
not insisting.

I've no preference here. It seems to be a very small change. Has anyone
a reason to do it one way and not the other?


I think I used this criteria thing to avoid having a bazillion optional
parameters and for future-proofing. I think at this point the list is
probably pretty stable, so I'd base it on whether you care about having
a whole ton of optional parameters or not (it has the advantage of
self-documenting itself).

The list is probably stable but also really excessive. I don't think it 
would help to have more than dozen optional parameters. So I prefer to 
leave as-is and change it in future if it is wanted.


3) Starting function:


+try:
+ipautil.run([paths.SYSTEMCTL, 'start', 'certmonger'],
skip_output=True)
+except Exception, e:
+root_logger.error('Failed to start certmonger: %s' % e)
+raise e


I see 2 issues related to this code:
a) Do not call SYSTEMCTL directly. To be platform independent, rather use
services.knownservices.messagebus.start() that is overridable by
someone else
porting to non-systemd platforms.

Is there anything that can't be done using ipalib/ipapython/ipaplatform?


It can't make coffee (yet).


b) In this case, do not use raise e, but just raise to keep the
exception
stack trace intact for better debugging.

Every day there's something new to learn about python or FreeIPA.


Both a) and b) should be fixed in other occasions and places.

I found only one occurrence of the a) issue. Is there some hidden one, or are you
talking about the whole FreeIPA project?


4) Feel free to add yourself to Authors section of this module. You
refactored
it greatly to earn it :-)

Done.


You already import dbus, why also separately import DBusException?


Removed, thanks for noticing.

rob



--
David Kupka
From b81786e68fba8efd4bb0c3e86a4702084137e30c Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 20 Aug 2014 13:58:50 +0200
Subject: [PATCH] Use certmonger D-Bus API instead of messing with its files.

FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be a more stable and supported way of using certmonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280
---
 freeipa.spec.in|   2 +-
 install/tools/ipa-upgradeconfig|  13 +-
 ipa-client/ipa-install/ipa-client-install  |   2 +-
 ipa-client/ipaclient/ipa_certupdate.py |   5 +-
 ipapython/certmonger.py| 521 -
 ipaserver/install/cainstance.py|  10 +-
 ipaserver/install/certs.py |  28 +-
 ipaserver/install/ipa_cacert_manage.py |   4 +-
 ipaserver/install/plugins/ca_renewal_master.py |   4 +-
 9 files changed, 273 insertions(+), 316 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6f22bc92f76f2e4bd732a995e392d6845dab27b7..15aab5b45c5688f11e0125299c2842f23d986749 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ 
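Martin's point b) in the review above (use a bare `raise`, not `raise e`) is easier to see in code. The following is an added example, not part of David's patch or of FreeIPA's code base: the failing service start is a constructed ValueError standing in for a failed `systemctl start certmonger`, and the function names are made up for illustration. It shows what each form leaves in the traceback:

```python
"""Bare `raise` keeps the original traceback; `raise e` does not (cleanly).

Added example, not FreeIPA code. The failure is simulated with a constructed
ValueError; no certmonger, systemctl or D-Bus is involved.
"""
import traceback


def start_service():
    # Constructed failure standing in for a failed `systemctl start certmonger`.
    raise ValueError("Failed to start certmonger: simulated")


def start_with_bare_raise():
    try:
        start_service()
    except ValueError:
        # Log here if needed, then re-raise the in-flight exception untouched:
        # no traceback entry is added for this line.
        raise


def start_with_raise_e():
    try:
        start_service()
    except ValueError as e:
        # Python 2 (the patch's target, see `except Exception, e:`): this
        # replaces the traceback with a fresh one starting here, so the frame
        # that actually failed is lost.
        # Python 3: the original frames survive via e.__traceback__, but this
        # line is appended as an extra, misleading frame.
        raise e


def frame_names(fn):
    """Run fn, catch its exception and return the function names recorded in
    its traceback, outermost first."""
    try:
        fn()
    except ValueError as e:
        return [frame.name for frame in traceback.extract_tb(e.__traceback__)]
    return []


if __name__ == "__main__":
    for fn in (start_with_bare_raise, start_with_raise_e):
        print(fn.__name__, "->", frame_names(fn))
```

With the bare `raise` the traceback reads `frame_names -> start_with_bare_raise -> start_service`, i.e. exactly the frames that were active when the failure happened. With `raise e` the handler's own frame appears a second time (`start_with_bare_raise` is replaced by two `start_with_raise_e` entries), and under Python 2 the `start_service` frame would not appear at all. Either way the bare form is the one to debug from, which is what the review asks for.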

[Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.

2014-08-25 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/3575

Also should fix https://bugzilla.redhat.com/show_bug.cgi?id=1128380 as 
installation is no longer interrupted when multiple IPs are resolved.

But it does not add the option to change the IP address during second run.

--
David Kupka
From 5785d3ed205141aee0989751cab573fae84c53b3 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Mon, 25 Aug 2014 16:30:49 +0200
Subject: [PATCH] Detect and configure all usable IP addresses.

Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.

https://fedorahosted.org/freeipa/ticket/3575
---
 install/tools/ipa-server-install  | 61 ---
 ipaserver/install/bindinstance.py | 46 +++--
 ipaserver/install/installutils.py | 86 +++
 3 files changed, 113 insertions(+), 80 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6e77b434a018faec36a2808626c99a54bd493908..5c05a0c6e49a3471b6547a9a627324ba78080211 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -38,6 +38,7 @@ import nss.error
 import base64
 import pwd
 import textwrap
+import re
 from optparse import OptionGroup, OptionValueError
 
 try:
@@ -176,7 +177,8 @@ def parse_options():
 on their first login)
 basic_group.add_option(--hostname, dest=host_name, help=fully qualified name of server)
 basic_group.add_option(--ip-address, dest=ip_address,
-  type=ip, ip_local=True,
+# TODO: remove this workaround (type=ip) when #4506 is done
+  type=str,
   help=Master Server IP Address)
 basic_group.add_option(-N, --no-ntp, dest=conf_ntp, action=store_false,
   help=do not configure ntp, default=True)
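Review bot: the help string `Master Server IP Address` still describes a single value, but with `type=str` and the splitting added further down in parse_options() the option now accepts a comma- or whitespace-separated list; update the help text (and the ipa-server-install man page) to say so. Note also that dropping `type=ip, ip_local=True` moves all validation of this option into the hand-written block below, so the TODO should say that the re-validation there must be kept in sync until #4506 lands.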
@@ -348,6 +350,25 @@ def parse_options():
 parser.error(idmax (%u) cannot be smaller than idstart (%u) %
 (options.idmax, options.idstart))
 
+# TODO: remove this workaround (parsing reverse zones) when #4506 is done
+if options.reverse_zone:
+reverse_zone = []
+for rz in re.split(r'[\s,]+', options.reverse_zone):
+if rz and rz not in reverse_zone:
+reverse_zone.append(rz)
+options.reverse_zone = reverse_zone
+
+# TODO: remove this workaround (parsing IPs) when #4506 is done
+if options.ip_address:
+ip_address = []
+for ip in re.split(r'[\s,]+', options.ip_address):
+if ip and ip not in ip_address:
+try:
+ip_address.append(CheckedIPAddress(ip, match_local=True))
+except ValueError, e:
+parser.error(Invalid IP address: %s % e)
+options.ip_address = ip_address
+
 #Automatically disable pkinit w/ dogtag until that is supported
 options.setup_pkinit = False
 
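Review bot: in the IP loop, `if ip and ip not in ip_address:` compares the raw string `ip` against a list that already holds `CheckedIPAddress` objects, so the membership test is unlikely to ever be true and duplicate entries in `--ip-address` are not removed; construct the `CheckedIPAddress` first and test the parsed object for membership (or keep a separate set of seen strings). The same goes for the reverse zones: `rz not in reverse_zone` deduplicates on the raw text before `bindinstance.normalize_zone()` is applied later, so spellings that differ only by a trailing dot both survive.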
@@ -832,11 +853,11 @@ def main():
 realm_name = 
 host_name = 
 domain_name = 
-ip_address = 
+ip_address = []
 master_password = 
 dm_password = 
 admin_password = 
-reverse_zone = None
+reverse_zone = []
 
 if not options.setup_dns and not options.unattended:
 if ipautil.user_input(Do you want to configure integrated DNS (BIND)?, False):
@@ -895,11 +916,14 @@ def main():
 
 domain_name = domain_name.lower()
 
-ip = get_server_ip_address(host_name, fstore, options.unattended, options)
-ip_address = str(ip)
+ip_address = get_server_ip_address(host_name, fstore, options.unattended, options)
 
-if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
-sys.exit(1)
+for ip in map(str, ip_address):
+for rev_zone in reverse_zone:
+if bindinstance.verify_reverse_zone(rev_zone, ip):
+break
+else:
+sys.exit(1)
 
 if not options.realm_name:
 realm_name = read_realm_name(domain_name, options.unattended)
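Review bot: as far as the hunks show, `reverse_zone` is still the empty list set at the top of main() at this point (it is only filled from `options.reverse_zone` in the `@@ -972` hunk below), so for every detected address the inner `for rev_zone in reverse_zone:` loop ends without a `break`, the `else:` branch runs and the installer exits with 1 as soon as any IP address is found. The code being replaced tested `options.reverse_zone` and only verified when the user had given one; iterate `options.reverse_zone` here and guard the whole check with `if options.reverse_zone:` as before.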
@@ -972,16 +996,23 @@ def main():
 dns_forwarders = read_dns_forwarders()
 
 if options.reverse_zone:
-reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
+for rz in options.reverse_zone:
+reverse_zone.append(bindinstance.normalize_zone(rz))
 elif not options.no_reverse:
 if options.unattended:
-reverse_zone = util.get_reverse_zone_default(ip)
+for ip in map(str, ip_address):
+rz = util.get_reverse_zone_default(ip)
+if not rz in reverse_zone:
+reverse_zone.append(rz)
 elif bindinstance.create_reverse():
-
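Review bot: in the `if options.reverse_zone:` branch, `reverse_zone.append(bindinstance.normalize_zone(rz))` appends unconditionally, whereas the unattended branch right below guards with `if not rz in reverse_zone`; two user-supplied spellings of one zone that only differ before normalization (trailing dot, case) therefore end up configured twice. Deduplicate after normalizing in both branches, ideally through one small helper that parse_options() can use as well.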

Re: [Freeipa-devel] [PATCH] add man page for ipa-kra-install

2014-08-25 Thread Ade Lee
What if I add the following first paragraph?

The KRA (Key Recovery Authority) is a component used to securely store
secrets such as passwords, symmetric keys and private asymmetric keys.
It is used as the back-end repository for the IPA Password Vault.

Ade

On Mon, 2014-08-25 at 10:28 +0200, Petr Viktorin wrote:
 On 08/24/2014 06:28 PM, Ade Lee wrote:
  Added man pages for ipa-kra-install.  And it's not even Tuesday yet :)
 
  Please review,
  Ade
 
 
 If I was new to this, I think I'd be quite lost.
 
 I think the man page should briefly explain what KRA is -- just a 
 sentence would be fine. At the very least expand the acronym.
 




Re: [Freeipa-devel] [PATCH] add man page for ipa-kra-install

2014-08-25 Thread Petr Viktorin

On 08/25/2014 06:17 PM, Ade Lee wrote:

What if I add the following first paragraph?

The KRA (Key Recovery Authority) is a component used to securely store
secrets such as passwords, symmetric keys and private asymmetric keys.
It is used as the back-end repository for the IPA Password Vault.

Ade


Perfect.



On Mon, 2014-08-25 at 10:28 +0200, Petr Viktorin wrote:

On 08/24/2014 06:28 PM, Ade Lee wrote:

Added man pages for ipa-kra-install.  And it's not even Tuesday yet :)

Please review,
Ade



If I was new to this, I think I'd be quite lost.

I think the man page should briefly explain what KRA is -- just a
sentence would be fine. At the very least expand the acronym.







--
Petr³


[Freeipa-devel] [RFE] Backporting capabilities

2014-08-25 Thread Petr Viktorin

https://fedorahosted.org/freeipa/ticket/4427

Here is a design that enables backporting capabilities (i.e. 
backwards-incompatible API changes) to maintenance branches of FreeIPA.


The premise is that no branched development occurs on the maintenance 
branch, only single targeted changes are brought back.


I believe it solves the problem rather nicely, and the implementation 
would be pretty straightforward.
The downside is that it uses weird API versions like 
'2.347+backported_capability' (which are currently valid API versions, 
though).



http://www.freeipa.org/page/V4/Backporting_Capabilities

--
Petr³



Re: [Freeipa-devel] [PATCH] add man page for ipa-kra-install

2014-08-25 Thread Ade Lee
New patch attached.
If OK, please commit for me.

Thanks,
Ade
On Mon, 2014-08-25 at 18:25 +0200, Petr Viktorin wrote:
 On 08/25/2014 06:17 PM, Ade Lee wrote:
  What if I add the following first paragraph?
 
  The KRA (Key Recovery Authority) is a component used to securely store
  secrets such as passwords, symmetric keys and private asymmetric keys.
  It is used as the back-end repository for the IPA Password Vault.
 
  Ade
 
 Perfect.
 
 
  On Mon, 2014-08-25 at 10:28 +0200, Petr Viktorin wrote:
  On 08/24/2014 06:28 PM, Ade Lee wrote:
  Added man pages for ipa-kra-install.  And it's not even Tuesday yet :)
 
  Please review,
  Ade
 
 
  If I was new to this, I think I'd be quite lost.
 
  I think the man page should briefly explain what KRA is -- just a
  sentence would be fine. At the very least expand the acronym.
 
 
 
 
 

From ea23a915a74834005b584996c868fb4acfbf5e5b Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Sun, 24 Aug 2014 12:19:55 -0400
Subject: [PATCH] Added man page for ipa-kra-install

---
 freeipa.spec.in |  1 +
 install/tools/man/Makefile.am   |  1 +
 install/tools/man/ipa-kra-install.1 | 50 +
 3 files changed, 52 insertions(+)
 create mode 100644 install/tools/man/ipa-kra-install.1

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3079625aecb9d6067cb3315d64de727b5204f8ab..6df4f06f2925700a35a4fc608c379ac400caa888 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -712,6 +712,7 @@ fi
 %{_mandir}/man1/ipa-server-install.1.gz
 %{_mandir}/man1/ipa-dns-install.1.gz
 %{_mandir}/man1/ipa-ca-install.1.gz
+%{_mandir}/man1/ipa-kra-install.1.gz
 %{_mandir}/man1/ipa-compat-manage.1.gz
 %{_mandir}/man1/ipa-nis-manage.1.gz
 %{_mandir}/man1/ipa-managed-entries.1.gz
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index f9f75f183c406a2159c025b17e5bf463a46e12d2..38c049c79fbd2ce22888b47ee576c4574e98c45b 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -15,6 +15,7 @@ man1_MANS = \
 	ipa-dns-install.1		\
 	ipa-adtrust-install.1		\
 	ipa-ca-install.1		\
+	ipa-kra-install.1		\
 	ipa-ldap-updater.1		\
 	ipa-compat-manage.1		\
 	ipa-nis-manage.1		\
diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
new file mode 100644
index ..60b53b0e9389762df3d656d105a1e5cabb89f7f0
--- /dev/null
+++ b/install/tools/man/ipa-kra-install.1
@@ -0,0 +1,50 @@
+.\ A man page for ipa-kra-install
+.\ Copyright (C) 2014 Red Hat, Inc.
+.\
+.\ This program is free software; you can redistribute it and/or modify
+.\ it under the terms of the GNU General Public License as published by
+.\ the Free Software Foundation, either version 3 of the License, or
+.\ (at your option) any later version.
+.\
+.\ This program is distributed in the hope that it will be useful, but
+.\ WITHOUT ANY WARRANTY; without even the implied warranty of
+.\ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\ General Public License for more details.
+.\
+.\ You should have received a copy of the GNU General Public License
+.\ along with this program.  If not, see http://www.gnu.org/licenses/.
+.\
+.\ Author: Ade Lee a...@redhat.com
+.\
+.TH ipa-kra-install 1 Aug 24 2014 FreeIPA FreeIPA Manual Pages
+.SH NAME
+ipa\-kra\-install \- Install a KRA on a server
+.SH SYNOPSIS
+ipa\-kra\-install [\fIOPTION\fR]... [replica_file]
+.SH DESCRIPTION
+Adds a KRA as an IPA\-managed service. This requires that the IPA server is already installed and configured, including a CA.
+
+The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys.  It is used as the back-end repository for the IPA Password Vault.
+
+ipa\-kra\-install can be run without replica_file to add KRA to the existing CA.
+ipa\-kra\-install will contact the CA to determine if a KRA has already been installed on another replica, and if so, will exit indicating that a replica_file is required.
+
+The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
+
+The uninstall option can be  used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected.  The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall.
+.SH OPTIONS
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
+.TP
+\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
+Directory Manager (existing master) password
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+An unattended installation that will never prompt for user input
+.TP
+\fB\-U\fR, \fB\-\-uninstall\fR
+Uninstall the KRA from the local IPA server.
+.SH EXIT 
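Review bot: `\fB\-U\fR` is documented twice in OPTIONS, once for `\-\-unattended` and once for `\-\-uninstall`; one short flag cannot mean both, so check ipa-kra-install's option parser and document the real short option for uninstall (or none, if there is no short form). Two smaller points in the same hunk: the first entry, `\fB\-d\fR, \fB\-\-debug\fR`, is missing the `.TP` that precedes every other option, so it will not render as a tagged paragraph, and "can be  used" in DESCRIPTION has a double space.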

[Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname

2014-08-25 Thread Jakub Hrozek
Hi,

ipa-client-install was failing for me on a fresh F-21 machine until I
manually dragged in python-backports-ssl_match_hostname
From d5ff5ec7cb2ee0b3f116b4e9a25d2907bb8140d9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Mon, 25 Aug 2014 19:33:30 +0200
Subject: [PATCH] CLIENT: Explicitly require
 python-backports-ssl_match_hostname

Without python-backports-ssl_match_hostname installed, an ipa-client
installation could have failed with:
from backports.ssl_match_hostname import match_hostname
ImportError: No module named ssl_match_hostname

This patch adds an explicit dependency to
python-backports-ssl_match_hostname.
---
 ipa-client/ipa-client.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa-client/ipa-client.spec.in b/ipa-client/ipa-client.spec.in
index 686259ad24b241c232dce83b695a05f6fd6c3849..36701afc50f12b27556a70ed41defc77d4bec93a 100644
--- a/ipa-client/ipa-client.spec.in
+++ b/ipa-client/ipa-client.spec.in
@@ -9,7 +9,7 @@ URL:http://www.freeipa.org
 Source0:%{name}-%{version}.tgz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-Requires: python python-ldap python-krbV ipa-python cyrus-sasl-gssapi
+Requires: python python-ldap python-krbV ipa-python cyrus-sasl-gssapi 
python-backports-ssl_match_hostname
 
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c from 
distutils.sysconfig import get_python_lib; print get_python_lib())}
 
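Review bot: the dependency is added to `ipa-client/ipa-client.spec.in` only, but the tree also carries `freeipa.spec.in` (touched by other patches in this digest), which builds the client package too; the same `python-backports-ssl_match_hostname` Requires belongs there, otherwise a client built from that spec fails with the ImportError the commit message quotes. Since the module is, as its name says, a backport of `ssl.match_hostname`, consider also wrapping the import in a try/except that prefers the stdlib function when present, so the hard dependency can be dropped once the base Python provides it.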
-- 
1.9.3
