[Freeipa-devel] [PATCH] 755 upgrade IPA on installation

Rob Crittenden rcritten at redhat.com
Mon Mar 21 17:24:06 UTC 2011


Martin Kosek wrote:
> On Fri, 2011-03-18 at 11:21 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
>>>>> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
>>>>> restriction when run in --upgrade mode. This allows us to autobind
>>>>> giving root Directory Manager powers.
>>>>>
>>>>> This also:
>>>>> * corrects the ipa-ldap-updater man page
>>>>> * remove automatic --realm, --server, --domain options
>>>>> * handle upgrade errors properly
>>>>> * saves a copy of dse.ldif before we change it so it can be recovered
>>>>> * fixes an error discovered by pylint
>>>>>
>>>>> ticket 1087
>>>>>
>>>>> rob
>>>>
>>>> NACK.
>>>>
>>>> Patch is promising, ipa-ldap-updater --upgrade works just fine. The
>>>> upgrade was also correctly executed after I did the RPM upgrade.
>>>>
>>>> But I have hit two issues:
>>>>
>>>> 1) When ipa-ldap-updater is run as a regular user on a configured IPA
>>>> server I get the following error:
>>>>
>>>> $ ipa-ldap-updater
>>>> IPA is not configured on this system.
>>>>
>>>> This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
>>>> guess we should either use another method of detecting installed IPA or
>>>> make the script root-only (as we do with other scripts taking advantage
>>>> of fstore).
>>>>
>>>>
>>>> 2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:
>>>>
>>>> $ sudo ipa-ldap-updater --ldapi
>>>> Traceback (most recent call last):
>>>> File "/usr/sbin/ipa-ldap-updater", line 125, in <module>
>>>> sys.exit(main())
>>>> File "/usr/sbin/ipa-ldap-updater", line 111, in main
>>>> ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not
>>>> options.test, ldapi=options.ldapi)
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
>>>> line 125, in __init__
>>>> conn.do_external_bind(self.pw_name)
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 360, in do_external_bind
>>>> self.__lateinit()
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 260, in __lateinit
>>>> [ 'nsslapd-directory' ])
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line
>>>> 378, in getEntry
>>>> raise errors.NotFound(reason=notfound(args))
>>>> ipalib.errors.NotFound: * not found
>>>>
>>>> I know that --ldapi did not work before the patch either, it just
>>>> crashed with another stacktrace. But it would be nice to fix this one.
>>>>
>>>> Martin
>>>
>>> Issues addressed.
>>>
>>> I'm going to do a best-possible check for IPA Installation when non-root
>>> but stick with the fstore when doing it as root. This is because it is
>>> more important because it may be done automatically in rpm.
>>>
>>> rob
>>
>> fixed a couple more issues Martin discovered:
>>
>> - catch errors if the GSSAPI connection fails
>> - do console logging when doing a password-based update as root
>>
>> rob
>
> ACK. Good job, everything works fine.
>
> Martin
>

pushed to master
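
The first issue in the review above is a permission failure on /var/lib/ipa/sysrestore/ being reported as "IPA is not configured". The sketch below is an added example, not code from the patch or from FreeIPA: it keeps "absent" and "unreadable" apart and requires root for --upgrade. The function names, the tri-state result and the rule that a non-empty directory means configured are assumptions made for illustration.

```python
import errno
import os

# Directory named in the thread; the fstore state lives under it.
SYSRESTORE_DIR = "/var/lib/ipa/sysrestore"

CONFIGURED = "configured"
NOT_CONFIGURED = "not-configured"
UNKNOWN = "unknown"  # caller lacks the privilege to tell


def ipa_install_state(path=SYSRESTORE_DIR, listdir=os.listdir):
    """Classify the install state without conflating 'absent' and 'unreadable'.

    Assumption (not from the thread): a non-empty sysrestore directory
    means an installer saved state there, so IPA is configured.
    """
    try:
        entries = listdir(path)
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):
            return UNKNOWN  # the non-root case from the review
        if e.errno in (errno.ENOENT, errno.ENOTDIR):
            return NOT_CONFIGURED
        raise  # anything else is a real error, do not guess
    return CONFIGURED if entries else NOT_CONFIGURED


def preflight(upgrade, euid=None, path=SYSRESTORE_DIR, listdir=os.listdir):
    """Return (exit_code, message) before any LDAP connection is attempted."""
    euid = os.geteuid() if euid is None else euid
    # Autobind over LDAPI maps the local root user to Directory Manager,
    # so the upgrade path is only meaningful when run as root.
    if upgrade and euid != 0:
        return 1, "--upgrade uses LDAPI autobind and must be run as root."
    state = ipa_install_state(path, listdir)
    if state == UNKNOWN:
        return 1, "Cannot read %s; re-run as root to check the installation." % path
    if state == NOT_CONFIGURED:
        return 1, "IPA is not configured on this system."
    return 0, "ok"


if __name__ == "__main__":
    code, msg = preflight(upgrade=False)
    print(msg)
```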



