[Freeipa-devel] [PATCH] 490 add DNS lookup to new hosts/services

Adam Young ayoung at redhat.com
Fri Aug 6 18:17:03 UTC 2010


On 08/05/2010 10:36 AM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 08/05/2010 08:45 AM, Rob Crittenden wrote:
>>> Adam Young wrote:
>>>> On 07/30/2010 04:02 PM, Adam Young wrote:
>>>>> On 07/22/2010 02:25 PM, Rob Crittenden wrote:
>>>>>> Make sure that the host behind new host and service records is 
>>>>>> actually a resolvable DNS A record. There is a --force flag if 
>>>>>> you know what you are doing (or just feel like charging ahead 
>>>>>> anyway).
>>>>>>
>>>>>> We use a lot of made-up names in the self-tests, had to add the 
>>>>>> force flag to all of them.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> I can't get this patch to apply:
>>>>>
>>>>> [ayoung at ayoung freeipa]$ git apply ~/Documents/IPA/freeipa-490-dns.patch
>>>>> error: patch failed: ipalib/util.py:28
>>>>> error: ipalib/util.py: patch does not apply
>>>>>
>>>>>
>>>>>
>>>>> I've tried it both with and without patch 484
>>>>>
>>>>>
>>>>
>>>>
>>>> OK, disregard that, I was able to apply it on top of 484, build 
>>>> and deploy.
>>>>
>>>> I'd give it an ACK except that I can't figure out how to work 
>>>> around service-add where the service is not yet resolvable. I 
>>>> understand that this is not desired, but I'm fairly certain that 
>>>> not being able to do this will mess up someone.
>>>> ipa service-add-host --force --hosts=web.example.com HTTP/web.example.com
>>>> Usage: ipa [global-options] service-add-host PRINCIPAL
>>>>
>>>> ipa: error: no such option: --force
>>>>
>>>>
>>>
>>> Good catch, this was an oversight. The add-host option is for adding 
>>> hosts that are allowed to manage this service (keytab, certificate). 
>>> I completely forgot to disable enforcement of DNS on that. I'll 
>>> resubmit the patch once I get that worked out.
>>>
>>> rob
>>
>> Are these the only two permutations (Host, Service) X (Force, No 
>> Force) or are there others? Is there something I should test with 
>> the --dns option?
>>
>>
>
> No, that's about it. --force just says "don't bother with DNS lookup, 
> user claims to know what they are doing."
>
> I looked into this and --force isn't needed with service-add-host. 
> This adds hosts that are allowed to manage the service. The host needs 
> to exist in IPA so therefore must already exist. Therefore --force 
> isn't needed.
>
> What is lacking in the context of the patch is error reporting which 
> hosts failed to add. This is addressed in part by patch 499. All that 
> is needed is the following:
>
> diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
> index 11fd18e..a17af89 100644
> --- a/ipalib/plugins/baseldap.py
> +++ b/ipalib/plugins/baseldap.py
> @@ -615,6 +615,9 @@ class LDAPAddMember(LDAPModMember):
>          Str('member',
>              label=_('Failed members'),
>          ),
> +        Str('managedby',
> +            label=_('Failed members'),
> +        ),
>      )
>
>      def execute(self, *keys, **options):
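Review bot: The new Str('managedby', ...) entry in LDAPAddMember reuses the label _('Failed members') that the 'member' entry directly above it already carries, so the two failure lists cannot be told apart by their labels. Since the point of the change is to report which hosts failed to add, give the managedby entry its own label that names the managing hosts, so a failed managedby host is not read as a failed member.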
> @@ -720,6 +723,9 @@ class LDAPRemoveMember(LDAPModMember):
>          Str('member',
>              label=_('Failed members'),
>          ),
> +        Str('managedby',
> +            label=_('Failed members'),
> +        ),
>      )
>
>      def execute(self, *keys, **options):
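Review bot: The three lines added to LDAPRemoveMember are a verbatim copy of the ones added to LDAPAddMember, and both classes derive from LDAPModMember. Consider declaring the failed-entry parameters once in a shared place so the next attribute does not have to be added in two spots; the duplicated 'Failed members' label on 'managedby' applies here as well. Because these are the generic classes in baseldap.py rather than the service plugin, a short comment stating that the 'managedby' key is meant to be declared for all add/remove-member commands would help later readers.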
>
> I'll submit that as a separate patch shortly.
>
> rob
ACK
