[Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

Rob Crittenden rcritten at redhat.com
Mon Feb 14 17:00:13 UTC 2011


Martin Kosek wrote:
> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>> Martin Kosek<mkosek at redhat.com>  wrote:
>>> When a v2 IPA client is trying to join an IPA v1 server
>>> a strange exception is printed out to the user. This patch
>>> detects this by catching an XML-RPC error reported by the ipa-join
>>> binary called in the process, which fails on the nonexistent IPA server
>>> 'join' method.
>>>
>>> The wget call had to be changed so that the IPA client may get to the
>>> ipa-join step. --no-check-certificate had to be added as a V1
>>> server automatically redirects the request to a self-signed secure
>>> connection.
>>>
>>> https://fedorahosted.org/freeipa/ticket/553
>>
>> The patch is ok and applies correctly. My only thought was to download the
>> certificate directly from https://..../ca.crt instead of plain http, but there
>> is probably no real benefit.
>>
>> ack
>>
>> Jan
>
> Jan, thanks for the review. And yes, I could not see a benefit either.
> Since the IPA server certificate is not confidential information, the
> secure connection is not needed. And since we do not trust the server's
> certificate in this step of installation and --no-check-certificate is
> used, a secure connection could not be used for server identity validation
> either.
>
> Therefore, I would ask for the patch to be pushed.
>
> Martin

I can't duplicate the behavior of it redirecting to the SSL port. The 
/ipa/config directory is purposely excluded from the SSL redirect for 
this purpose, even on v1 servers. Can we drop that part of the patch?

rob
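The detection step the patch describes (treating an XML-RPC fault for a missing 'join' method as "this server is too old" rather than printing a raw exception) can be illustrated with a small self-contained script. This is an added example, not the FreeIPA patch or the ipa-join binary: it starts two constructed local XML-RPC servers, one without and one with a 'join' method, and maps the fault into a clear message. The fault wording it matches on ("is not supported") is what Python's SimpleXMLRPCServer emits for an unknown method; the exact text a real v1 server returns is not given in the thread, so that string and the hostname used are assumptions.

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer


class ServerTooOld(Exception):
    """Raised when the server answers XML-RPC but has no 'join' method."""


def start_server(with_join):
    """Constructed stand-in server on an ephemeral localhost port.

    with_join=False mimics a server that lacks the 'join' method entirely
    (the situation the thread describes for a v1 server); with_join=True
    mimics one that has it. Returns (server, port); call server.shutdown()
    when finished.
    """
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False, allow_none=True)
    server.register_function(lambda: "pong", "ping")
    if with_join:
        # Constructed stand-in for a real join reply; the real payload is
        # not part of this example.
        server.register_function(lambda host: {"hostname": host}, "join")
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, port


def join_host(url, hostname):
    """Call the server's 'join' method, translating a 'no such method' fault.

    Assumption: SimpleXMLRPCServer reports an unknown method as
    Fault(1, '...method "join" is not supported'). Any other fault is a
    genuine join failure and is re-raised untouched so it is still reported.
    """
    proxy = xmlrpc.client.ServerProxy(url)
    try:
        return proxy.join(hostname)
    except xmlrpc.client.Fault as fault:
        if "is not supported" in fault.faultString:
            raise ServerTooOld(
                "Server at %s does not implement the 'join' method; it is "
                "probably an older server this client cannot enroll with." % url
            ) from fault
        raise


def classify_server(url, hostname="client.example.test"):
    """Return 'join-ok', 'too-old' or 'error' for the XML-RPC server at url."""
    try:
        join_host(url, hostname)
        return "join-ok"
    except ServerTooOld:
        return "too-old"
    except xmlrpc.client.Fault:
        return "error"


if __name__ == "__main__":
    for with_join in (False, True):
        srv, port = start_server(with_join)
        url = "http://127.0.0.1:%d" % port
        print(url, "->", classify_server(url))
        srv.shutdown()
```

The point of separating `ServerTooOld` from other faults is that only the "method missing" case should become the friendly version message; a join that exists but fails for another reason must still surface its real error to the user.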
