[Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install

Rob Crittenden rcritten at redhat.com
Mon Feb 14 20:04:02 UTC 2011


Martin Kosek wrote:
> On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
>>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>>> When v2 IPA client is trying to join an IPA v1 server
>>>>> a strange exception is printed out to the user. This patch
>>>>> detects this by catching an XML-RPC error reported by ipa-join
>>>>> binary called in the process which fails on nonexistent IPA server
>>>>> 'join' method.
>>>>>
>>>>> wget call had to be changed so that IPA client may get to the
>>>>> ipa-join step. --no-check-certificate had to be added as V1
>>>>> server automatically redirects the request to self-signed secure
>>>>> connection.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/553
>>>>
>>>> The patch is ok and applies correctly. My only thought was to download the
>>>> certificate directly from https://..../ca.crt instead of plain http, but there
>>>> is probably no real benefit.
>>>>
>>>> ack
>>>>
>>>> Jan
>>>
>>> Jan, thanks for the review. And yes, I could not see a benefit either.
>>> Since the IPA server certificate is not confidential information the
>>> secure connection is not needed. And since we do not trust the server's
>>> certificate in this step of installation and --no-check-certificate is
>>> used, a secure connection would be used for server identity validation
>>> either.
>>>
>>> Therefore, I would ask for the patch to be pushed.
>>>
>>> Martin
>>
>> I can't duplicate the behavior of it redirecting to the SSL port. The
>> /ipa/config directory is purposely excluded from the SSL redirect for
>> this purpose, even on v1 servers. Can we drop that part of the patch?
>>
>> rob
>
> I experience this behavior on IPA v1 running on RHEL 5.5 with the
> following IPA version:
>
> $ rpm -q ipa-server
> ipa-server-1.0.0-15.el5ipa
>
> It may have been changed in a higher IPA v1 version, like 1.2x. In this
> case you may drop this part of the patch.
>
> Martin
>

Ok, pushed to master without the wget change.

rob



