[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

Rob Crittenden rcritten at redhat.com
Wed Oct 3 17:27:17 UTC 2012


Tomas Babej wrote:
> On 10/03/2012 03:31 PM, Tomas Babej wrote:
>> On 10/02/2012 08:48 PM, Rob Crittenden wrote:
>>> Tomas Babej wrote:
>>>> On 09/26/2012 09:32 PM, Rob Crittenden wrote:
>>>>> Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Connection error message in ipa-client-install now warns the user
>>>>>> about the need of opening 389 port for directory server.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2816
>>>>>>
>>>>>> I think this can be pushed as a one-liner.
>>>>>
>>>>> I think we should list all ports that are required for client
>>>>> enrollment.
>>>>>
>>>>> From my calculations we need at a minimum tcp ports 80 and 389, either
>>>>> or both udp/tcp for port 88 and if NTP is enabled 123 udp for
>>>>> enrollment alone. The NTP failure won't cause enrollment to fail
>>>>> though, so we may be able to skip that.
>>>>>
>>>>> Similarly 464 should be enabled but we don't use it during enrollment.
>>>>>
>>>>> rob
>>>> I improved the error message. Please check if there are any issues.
>>>>
>>>> Thanks
>>>>
>>>> Tomas
>>>
>>> This only works if port 389 is blocked, not 88 or 80.
>>>
>>> rob
>> I tested and added the port configuration info message at the appropriate
>> places for TCP 80, 88, 389 ports. I also added the info message at the end
>> of installation output. Please consider if you agree with this approach.
>>
>> Tomas
> I reworded the commit message, due to the scope of changes made
> since the first revision of the patch.
>
> Tomas

Works a lot better, just a few more suggestions:

1. When we fail to retrieve the CA from the remote server we log it but 
don't print it. I think this would make it clearer why we think this 
isn't an IPA server.

2. Do we need to print the ports message at the end? If it gets this far 
then at least ports 80, 88 and 389 are open.

I would suggest dropping the last message. I think we should also open a 
new ticket and do port checks on the things we need so we can confirm it 
up front instead of one-at-a-time.

rob
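
The up-front port check suggested in the reply above could look like the following sketch. It is an added example, not FreeIPA code and not part of any patch in this thread; `check_tcp_ports`, `format_report`, `ENROLLMENT_TCP_PORTS` and the server name `ipa.example.test` are hypothetical, and only the TCP ports 80, 88 and 389 named in the thread are probed.

```python
import socket
import sys

# TCP ports the thread names as needed during enrollment. UDP 88 and 123 are
# left out: a UDP probe cannot tell open from filtered without a protocol reply.
ENROLLMENT_TCP_PORTS = {80: "HTTP", 88: "Kerberos", 389: "LDAP"}


def check_tcp_ports(host, ports=ENROLLMENT_TCP_PORTS, timeout=3.0):
    """Probe every port, never stopping at the first failure.

    Returns {port: reason} for the ports that could not be reached.
    """
    failures = {}
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass  # TCP handshake completed, the port is reachable
        except socket.timeout:
            failures[port] = "timed out (packets probably dropped by a firewall)"
        except ConnectionRefusedError:
            failures[port] = "refused (service down or port rejected)"
        except OSError as err:  # DNS failure, no route to host, ...
            failures[port] = "unreachable (%s)" % err
    return failures


def format_report(host, failures, ports=ENROLLMENT_TCP_PORTS):
    """Build one message that lists all blocked ports together."""
    if not failures:
        return "All required TCP ports on %s are reachable." % host
    lines = ["Cannot reach %s on the following TCP ports:" % host]
    for port, reason in sorted(failures.items()):
        lines.append("  %d (%s): %s" % (port, ports.get(port, "unknown"), reason))
    lines.append("Check the firewall settings between this client and the server.")
    return "\n".join(lines)


if __name__ == "__main__":
    # ipa.example.test is a placeholder server name, not taken from the thread.
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    blocked = check_tcp_ports(server)
    print(format_report(server, blocked))
    sys.exit(1 if blocked else 0)
```

A timeout and a refusal are reported separately because they point to different causes: a dropped packet usually means a filtering firewall, while a refusal means the host answered but nothing accepted the connection.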