[Freeipa-devel] [PATCHES] Re: Changes to use a single database for dogtag and IPA

Martin Kosek mkosek at redhat.com
Mon Nov 19 16:35:24 UTC 2012


On 11/15/2012 03:19 PM, Petr Viktorin wrote:
> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
> defaults made it to master independently (91e477b). Attaching rebased patch.
> 
> Note that to continue development on f17, you will need to use the dogtag-devel
> repo:
>   sudo yum-config-manager
> --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
> 
> 
> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
> [...]
>>
>> For convenience, I've also pushed the changes to a personal repository.
>> To fetch to branch "pviktori-dogtag-10" you can do:
>>
>>      git fetch -f git://github.com/encukou/freeipa.git
>> dogtag-10:pviktori-dogtag-10
>>
> 

I went through all the patches again, and I found one more issue with the schema
check. As it binds to Directory Server anonymously when retrieving the schema
and tests whether the "ipaObject" objectclass is present, it can fail and crash when
anonymous binds are not allowed for the Dogtag DS instance. This is what I get
when I disable anonymous binds and run ipa-replica-install --setup-ca (a
script to turn anonymous binds off is attached):

[root at vm-104 ~]# ipa-replica-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
Directory Manager (existing master) password:

Run connection check to master
[...]
Connection from master to replica is OK.

Connection check OK

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

LDAP error: INAPPROPRIATE_AUTH
Anonymous access is not allowed

If possible, it would be good to authenticate first. This should be doable; we
have a Directory Manager password available, after all. Some schema retrieval
code that we already have in IPA can be found in the SchemaCache class in ldap2.py.

We may also want to have some flag similar to --skip-conncheck which would
allow an admin with an issue like this one to skip the check when he is certain that
he copied the schema files.

Adding Ade to check that this scenario is actually sane and that Dogtag is supposed
to work with anonymous access disabled for its DS instance.


When reading the patches, I also saw a few places with the magic constant "7389"
(your "Fix schema replication from old masters" patch and Ade's patch). I
wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-non-anonymous.sh
Type: application/x-shellscript
Size: 473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121119/8be14887/attachment.bin>
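The schema check discussed above, as an added example that is not part of this thread and not FreeIPA's or Dogtag's code: it tries the anonymous bind first and, when the server answers with inappropriateAuthentication (the INAPPROPRIATE_AUTH / "Anonymous access is not allowed" failure in the install log), re-binds with the Directory Manager credentials instead of crashing, then parses the objectClasses values of cn=schema to look for "ipaObject". It is written against the python-ldap method shapes simple_bind_s(who, cred) and search_s(base, scope, filter, attrlist), but so that it runs offline the InappropriateAuth and InvalidCredentials exceptions, the SCOPE_BASE constant and the FakeDirectoryServer class are stand-ins defined here (assumptions, not python-ldap), the schema values and their OIDs other than 'top' are constructed placeholders, and "cn=Directory Manager" / "Secret123" are example credentials.

```python
import re

class InappropriateAuth(Exception):
    """Stand-in for python-ldap's ldap.INAPPROPRIATE_AUTH (assumption, so the
    example runs without python-ldap installed)."""

class InvalidCredentials(Exception):
    """Stand-in for python-ldap's ldap.INVALID_CREDENTIALS (assumption)."""

SCOPE_BASE = 0  # same value as python-ldap's ldap.SCOPE_BASE

# Matches the NAME field of an RFC 4512 objectClasses value: NAME 'x' or NAME ( 'x' 'y' )
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")

def objectclass_names(definition):
    """Return the NAME(s) declared by one objectClasses value, lower-cased,
    because LDAP short names are matched case-insensitively."""
    m = _NAME_RE.search(definition)
    if m is None:
        return []
    if m.group(1) is not None:
        return [m.group(1).lower()]
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(2))]

def fetch_objectclasses(conn, bind_dn=None, bind_pw=None):
    """Read the objectClasses attribute of cn=schema.

    Try an anonymous bind first; if the server refuses it with
    inappropriateAuthentication (what the install log shows when anonymous
    access is disabled), re-bind with the supplied credentials instead."""
    try:
        conn.simple_bind_s("", "")
    except InappropriateAuth:
        if bind_dn is None:
            raise  # nothing to fall back to; the caller decides (e.g. a skip flag)
        conn.simple_bind_s(bind_dn, bind_pw)
    entries = conn.search_s("cn=schema", SCOPE_BASE, "(objectClass=*)", ["objectClasses"])
    _dn, attrs = entries[0]
    # python-ldap hands attribute values back as bytes; decode them for parsing
    return [v.decode("utf-8") if isinstance(v, bytes) else v
            for v in attrs.get("objectClasses", [])]

def schema_has_objectclass(conn, name, bind_dn=None, bind_pw=None):
    """True if an objectclass called `name` is present in the server's schema."""
    wanted = name.lower()
    return any(wanted in objectclass_names(d)
               for d in fetch_objectclasses(conn, bind_dn, bind_pw))

# Constructed schema values; only 'top' carries its real OID, the rest are placeholders.
SAMPLE_SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 1.1.1.1 NAME 'ipaObject' SUP top AUXILIARY MUST ipaUniqueID X-ORIGIN 'constructed' )",
    "( 1.1.1.2 NAME ( 'exampleAlias' 'exampleAlias2' ) SUP top STRUCTURAL )",
]

class FakeDirectoryServer:
    """Constructed stand-in for a python-ldap LDAPObject talking to a Dogtag DS
    instance. With allow_anonymous=False it answers anonymous binds the way the
    install log above shows: inappropriateAuthentication."""
    def __init__(self, objectclasses, allow_anonymous=False,
                 dm_dn="cn=Directory Manager", dm_pw="Secret123"):
        self.objectclasses = objectclasses
        self.allow_anonymous = allow_anonymous
        self.dm_dn, self.dm_pw = dm_dn, dm_pw
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        if who == "":
            if not self.allow_anonymous:
                raise InappropriateAuth("Anonymous access is not allowed")
        elif who != self.dm_dn or cred != self.dm_pw:
            raise InvalidCredentials("Invalid credentials")
        self.bound_as = who

    def search_s(self, base, scope, filterstr, attrlist=None):
        if self.bound_as is None:  # an unbound search is an anonymous operation
            raise InappropriateAuth("Anonymous access is not allowed")
        return [("cn=schema",
                 {"objectClasses": [v.encode("utf-8") for v in self.objectclasses]})]

if __name__ == "__main__":
    ds = FakeDirectoryServer(SAMPLE_SCHEMA, allow_anonymous=False)
    try:
        schema_has_objectclass(ds, "ipaObject")
    except InappropriateAuth as e:
        print("anonymous-only check fails:", e)
    print("with Directory Manager credentials:",
          schema_has_objectclass(ds, "ipaObject", "cn=Directory Manager", "Secret123"))
```

The fallback only happens on inappropriateAuthentication; a wrong Directory Manager password still surfaces as its own error, and when no credentials are given the original error is re-raised so an installer can turn it into a clean message or honour a --skip flag rather than crash half-way through a replica install.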
