[Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is

Martin Kosek mkosek at redhat.com
Wed Oct 12 14:03:41 UTC 2011


On Wed, 2011-10-12 at 09:31 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> > On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > For starters I added a 15 second timeout and 2 tries. These numbers are
> > > > arbitrary, I am open to suggestions.
> > > >
> > > > Martin
> > > >
> > > > ---
> > > > Add a timeout to the wget call to cover a case when autodiscovered
> > > > server does not respond to our attempt to download ca.crt. Let the
> > > > user specify a different IPA server in that case.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1960
> > > 
> > > There is a wget call in ipa-client-install as well, should a timeout be 
> > > added there?
> > > 
> > > rob
> > > 
> > 
> > This wget is for the very same ca.crt that was already (successfully)
> > retrieved when the server was being checked by ipadiscovery. Thus I
> > don't think it is necessary.
> 
> Shouldn't it be eliminated then?
> Or do we really need to download the cert twice? Or did I misunderstand
> your reply?
> 
> Simo.

You understood correctly. We always try to download ca.crt during the
ipacheckldap() call. We clean up all temporary files downloaded during
server verification at the end.

When the user finally confirms and we start the actual client
installation, then we download ca.crt to /etc/ipa/. I think that the
current procedure is OK compared to the additional code we would have to
add to pass the ca.crt from ipacheckldap() and cover all possible cases.
Please open an enhancement ticket if you think otherwise.

Martin



