[Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

Martin Kosek mkosek at redhat.com
Mon Feb 14 19:26:12 UTC 2011


On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
> >> Martin Kosek <mkosek at redhat.com> wrote:
> >>> When a v2 IPA client is trying to join an IPA v1 server,
> >>> a strange exception is printed out to the user. This patch
> >>> detects this by catching an XML-RPC error reported by the ipa-join
> >>> binary called in the process, which fails on the nonexistent IPA server
> >>> 'join' method.
> >>>
> >>> The wget call had to be changed so that the IPA client may get to the
> >>> ipa-join step. --no-check-certificate had to be added as the V1
> >>> server automatically redirects the request to a self-signed secure
> >>> connection.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/553
> >>
> >> The patch is ok and applies correctly. My only thought was to download the
> >> certificate directly from https://..../ca.crt instead of plain http, but there
> >> is probably no real benefit.
> >>
> >> ack
> >>
> >> Jan
> >
> > Jan, thanks for the review. And yes, I could not see a benefit either.
> > Since the IPA server certificate is not confidential information, the
> > secure connection is not needed. And since we do not trust the server's
> > certificate in this step of installation and --no-check-certificate is
> > used, a secure connection would be used for server identity validation
> > either.
> >
> > Therefore, I would ask for the patch to be pushed.
> >
> > Martin
> 
> I can't duplicate the behavior of it redirecting to the SSL port. The 
> /ipa/config directory is purposely excluded from the SSL redirect for 
> this purpose, even on v1 servers. Can we drop that part of the patch?
> 
> rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the
following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in a higher IPA v1 version, like 1.2x. In this
case you may drop this part of the patch.

Martin



