[Freeipa-devel] [PATCHES] Re: Changes to use a single database for dogtag and IPA

Dmitri Pal dpal at redhat.com
Tue Nov 27 00:01:27 UTC 2012


On 11/22/2012 05:01 AM, Martin Kosek wrote:
> On 11/21/2012 01:29 PM, Petr Viktorin wrote:
>> On 11/19/2012 05:35 PM, Martin Kosek wrote:
>>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>>> defaults made it to master independently (91e477b). Attaching rebased patch.
>>>>
>>>> Note that to continue development on f17, you will need to use the dogtag-devel
>>>> repo:
>>>>    sudo yum-config-manager --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
>>>>
>>>>
>>>>
>>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>>> [...]
>>>>> For convenience, I've also pushed the changes to a personal repository.
>>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>>>
>>>>>       git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10
>>>>>
>>> I went through all the patches again and found one more issue with the schema
>>> check. As it binds to Directory Server anonymously when retrieving the schema
>>> and tests if the "ipaObject" objectclass is present, it can fail and crash when
>>> anonymous binds are not allowed for the Dogtag DS instance. This is what I get
>>> when I disabled anonymous binds and ran ipa-replica-install --setup-ca (a
>>> script to turn anonymous binds off attached):
>>>
>>> [root at vm-104 ~]# ipa-replica-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
>>> Directory Manager (existing master) password:
>>>
>>> Run connection check to master
>>> [...]
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> LDAP error: INAPPROPRIATE_AUTH
>>> Anonymous access is not allowed
>>>
>>> If possible, it would be good to authenticate first. This should be doable; we
>>> have a Directory Manager password available, after all. Some schema retrieval
>>> code that we already have in IPA can be found in the SchemaCache class in ldap2.py.
>> Good point. Attaching updated patch.
>>
>>> We may also want to have some flag similar to --skip-conncheck which would
>>> allow an admin with an issue like this one to skip the check when he is certain that
>>> he copied the schema files.
>> I named it --skip-schema-check.


If we have any new command line switches we need a wiki page for this
feature.
The thread here also suggests that it is really worth capturing, and not
only for this.
So please create a wiki. Later it will be possible to use it in preparation
for the test days.
Also please link the wiki to the ticket.

>>> Adding Ade to check that this scenario is actually sane and Dogtag is supposed
>>> to work with anonymous access disabled for its DS instance.
>>>
>>> When reading the patches, I also saw a few places with the magic constant "7389"
>>> (your "Fix schema replication from old masters" patch and Ade's patch). I
>>> wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?
>> Fixed in this patch, I'll look at the other one soon.
>>
>>
>>
>> For anyone who wants to test: I keep my Github branch updated. Re-running the
>> fetch command will overwrite your branch with the latest changes.
>> When the current issues are solved I'll repost all patches again in a single mail.
>>
> This works fine. I just think that it may be useful to print some info like
> 'Schema check failed, you can use --skip-schema-check to....' in case the
> following lines throw an exception:
>
> +    connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
> +    connection.start_tls_s()
> +    connection.simple_bind_s(DN(('cn', 'Directory Manager')),
> +                             config.dirman_password)
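Review bot: none of the three calls in this hunk (constructing the connection, start_tls_s, simple_bind_s) is guarded, so a CA DS that is down or refuses the bind surfaces only as the bare LDAP exception text ("Can't contact LDAP server", "Anonymous access is not allowed"). Suggest wrapping them in a try/except that prints which server (ca_ldap_url) could not be reached and that --skip-schema-check bypasses the check, then re-raises.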
>
> This is the output I received when dirsrv at PKI-IPA on my IPA 2.2 master was down;
> the error was not very descriptive:
>
> # ipa-ca-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg
> Directory Manager (existing master) password:
> ...
> Connection from master to replica is OK.
>
> Connection check OK
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Can't contact LDAP server
> #
>
>
> Something like:
>
> try:
>    connection stuff...
> except Exception:
>    print the info
>    raise
>
> Martin
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
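For the check discussed above (an authenticated bind instead of an anonymous one, a look for the "ipaObject" objectclass in the CA DS schema, and a message naming --skip-schema-check when the connection or bind fails), here is an added example in Python. It is not FreeIPA's code nor any patch from this thread; the python-ldap calls, the hint wording and the way the fetch step is injected for testing are assumptions.

```python
import re
import sys

SKIP_HINT = ("Schema check failed. If you are certain the schema files were "
             "copied to the CA Directory Server, you can use "
             "--skip-schema-check to skip this check.")

# NAME clause of an RFC 4512 objectclass description, either
# NAME 'ipaObject' or NAME ( 'name1' 'name2' ).
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")

def objectclass_names(descriptions):
    """Return the set of objectclass names in raw 'objectClasses' values."""
    names = set()
    for desc in descriptions:
        if isinstance(desc, bytes):  # python-ldap returns bytes on Python 3
            desc = desc.decode("utf-8")
        m = _NAME_RE.search(desc)
        if m is None:
            continue
        if m.group(1):
            names.add(m.group(1))
        else:
            names.update(re.findall(r"'([^']+)'", m.group(2)))
    return names

def describe_failure(exc, ca_ldap_url):
    """Tell the admin what failed, on which server, and how to bypass the check."""
    return "Cannot read the schema from %s: %s: %s\n%s" % (
        ca_ldap_url, type(exc).__name__, exc, SKIP_HINT)

def fetch_objectclasses(ca_ldap_url, dirman_password):
    """Authenticated subschema read; python-ldap is assumed to be installed."""
    import ldap  # imported here so the rest of this module works without it
    conn = ldap.initialize(ca_ldap_url)
    conn.start_tls_s()
    conn.simple_bind_s("cn=Directory Manager", dirman_password)
    entry = conn.search_s("cn=schema", ldap.SCOPE_BASE, attrlist=["objectClasses"])
    return entry[0][1]["objectClasses"]

def check_ca_schema(ca_ldap_url, dirman_password, fetch=fetch_objectclasses):
    """True if ipaObject is in the CA DS schema; connection errors get a hint."""
    try:
        descriptions = fetch(ca_ldap_url, dirman_password)
    except Exception as e:  # e.g. ldap.SERVER_DOWN, ldap.INAPPROPRIATE_AUTH
        print(describe_failure(e, ca_ldap_url), file=sys.stderr)
        raise
    return "ipaObject" in objectclass_names(descriptions)
```

The fetch callable is the only part that touches the network, so the name parsing and the error message can be exercised against constructed schema values without a Directory Server.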

