[Freeipa-devel] [PATCH] 755 upgrade IPA on installation

Rob Crittenden rcritten at redhat.com
Fri Mar 18 15:21:19 UTC 2011


Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
>>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
>>> restriction when run in --upgrade mode. This allows us to autobind
>>> giving root Directory Manager powers.
>>>
>>> This also:
>>> * corrects the ipa-ldap-updater man page
>>> * removes automatic --realm, --server, --domain options
>>> * handles upgrade errors properly
>>> * saves a copy of dse.ldif before we change it so it can be recovered
>>> * fixes an error discovered by pylint
>>>
>>> ticket 1087
>>>
>>> rob
>>
>> NACK.
>>
>> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
>> upgrade was also correctly executed after I did the RPM upgrade.
>>
>> But I have hit two issues:
>>
>> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
>> server I get the following error:
>>
>> $ ipa-ldap-updater
>> IPA is not configured on this system.
>>
>> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
>> guess we should either use another method of detecting installed IPA or
>> make the script root-only (as we do with other scripts taking advantage
>> of fstore).
>>
>>
>> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
>>
>> $ sudo ipa-ldap-updater --ldapi
>> Traceback (most recent call last):
>> File "/usr/sbin/ipa-ldap-updater", line 125, in <module>
>> sys.exit(main())
>> File "/usr/sbin/ipa-ldap-updater", line 111, in main
>> ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
>> options.test, ldapi=options.ldapi)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
>> line 125, in __init__
>> conn.do_external_bind(self.pw_name)
>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 360, in do_external_bind
>> self.__lateinit()
>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 260, in __lateinit
>> [ 'nsslapd-directory' ])
>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>> 378, in getEntry
>> raise errors.NotFound(reason=notfound(args))
>> ipalib.errors.NotFound: * not found
>>
>> I know that --ldapi did not work before the patch either, it just
>> crashed with another stacktrace. But it would be nice to fix this one.
>>
>> Martin
>
> Issues addressed.
>
> I'm going to do a best-possible check for IPA Installation when non-root
> but stick with the fstore when doing it as root. This is because it is
> more important because it may be done automatically in rpm.
>
> rob

Fixed a couple more issues Martin discovered:

- catch errors if the GSSAPI connection fails
- do console logging when doing a password-based update as root

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-755-3-upgrade.patch
Type: application/mbox
Size: 16352 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110318/3df6611b/attachment.mbox>
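
The failure mode from issue 1 in the thread (an unreadable /var/lib/ipa/sysrestore/ reported as "IPA is not configured"), shown as an added example that is not code from the patch or from FreeIPA. It assumes, for illustration only, that a non-empty state directory means "configured"; the function names and the `listdir` parameter are hypothetical.

```python
import os

# Directory named in the thread; the detection rule below is an assumption.
SYSRESTORE_DIR = "/var/lib/ipa/sysrestore"

CONFIGURED = "configured"
NOT_CONFIGURED = "not-configured"
UNKNOWN = "unknown"  # we could not look, so we must not claim "absent"


def detect_install(state_dir=SYSRESTORE_DIR, listdir=os.listdir):
    """Return (status, reason), keeping 'cannot read' apart from 'absent'."""
    try:
        entries = listdir(state_dir)
    except FileNotFoundError:
        return NOT_CONFIGURED, "%s does not exist" % state_dir
    except PermissionError:
        return UNKNOWN, "%s is not readable by uid %d" % (state_dir, os.geteuid())
    except OSError as e:
        # Any other I/O failure is also inconclusive.
        return UNKNOWN, "cannot inspect %s: %s" % (state_dir, e.strerror)
    if entries:
        return CONFIGURED, "%d state file(s) found" % len(entries)
    return NOT_CONFIGURED, "%s is empty" % state_dir


def preflight_message(state_dir=SYSRESTORE_DIR, listdir=os.listdir):
    """Message to print before exiting, or None when the update may proceed."""
    status, reason = detect_install(state_dir, listdir)
    if status == CONFIGURED:
        return None
    if status == UNKNOWN:
        return "Cannot tell whether IPA is configured (%s); re-run as root." % reason
    return "IPA is not configured on this system."


if __name__ == "__main__":
    print(detect_install())
    print(preflight_message())
```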

