[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

Tomas Babej tbabej at redhat.com
Thu Oct 4 09:06:38 UTC 2012


On 10/03/2012 07:27 PM, Rob Crittenden wrote:
> Tomas Babej wrote:
>> On 10/03/2012 03:31 PM, Tomas Babej wrote:
>>> On 10/02/2012 08:48 PM, Rob Crittenden wrote:
>>>> Tomas Babej wrote:
>>>>> On 09/26/2012 09:32 PM, Rob Crittenden wrote:
>>>>>> Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Connection error message in ipa-client-install now warns the user
>>>>>>> about the need of opening 389 port for directory server.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2816
>>>>>>>
>>>>>>> I think this can be pushed as a one-liner.
>>>>>>
>>>>>> I think we should list all ports that are required for client
>>>>>> enrollment.
>>>>>>
>>>>>> From my calculations we need at a minimum tcp ports 80 and 389,
>>>>>> either or both udp/tcp for port 88 and if NTP is enabled 123 udp for
>>>>>> enrollment alone. The NTP failure won't cause enrollment to fail
>>>>>> though, so we may be able to skip that.
>>>>>>
>>>>>> Similarly 464 should be enabled but we don't use it during
>>>>>> enrollment.
>>>>>>
>>>>>> rob
>>>>> I improved the error message. Please check if there are any issues.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Tomas
>>>>
>>>> This only works if port 389 is blocked, not 88 or 80.
>>>>
>>>> rob
>>> I tested and added the port configuration info message at the
>>> appropriate places for TCP 80, 88, 389 ports. I also added the info
>>> message at the end of installation output. Please consider if you
>>> agree with this approach.
>>>
>>> Tomas
>> I reworded the commit message, due to the scope of changes made
>> since the first revision of the patch.
>>
>> Tomas
>
> Works a lot better, just a few more suggestions:
>
> 1. When we fail to retrieve the CA from the remote server we log it 
> but don't print it. I think this would make it clearer why we think 
> this isn't an IPA server.
>
> 2. Do we need to print the ports message at the end? If it gets this 
> far then at least ports 80, 88 and 389 are open.
>
> I would suggest dropping the last message. I think we should also open 
> a new ticket and do port checks on the things we need so we can 
> confirm it up front instead of one-at-a-time.
>
> rob
1.) Done.
2.) Well I had a feeling it was not really necessary too - it adds a lot 
to the output of the installation, but the user wouldn't be informed 
about the need of opening 464 port. However, your proposed ticket should 
solve this issue, and will give more specific information rather than a 
general advice. See more:

https://fedorahosted.org/freeipa/ticket/3138

I suggest opening a similar ticket for ipa-server-install, at the end we 
print a general info message about which ports should be open for IPA 
Server to work properly. Re-using the work done in ticket 3138, we could 
rather check which particular ports are not opened and therefore give 
the user more specific information too.

Tomas
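
The up-front port check proposed in this thread, as an added example (not code from the patch or from FreeIPA): it probes every TCP port named above in one pass and reports each unreachable one by name. The names `CLIENT_PORTS`, `tcp_probe`, `check_ports` and `report`, the host `ipa.example.test`, and the choice of TCP for port 464 are assumptions of this sketch.

```python
import socket
import sys

# (service, port, required for enrollment): the TCP ports named in the thread.
# UDP 88 and UDP 123 are left out: a connectionless probe cannot tell
# "filtered" from "open but silent".
CLIENT_PORTS = [
    ("HTTP", 80, True),
    ("Kerberos", 88, True),
    ("LDAP", 389, True),
    ("kpasswd", 464, False),  # not used during enrollment, per the thread
]


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def check_ports(host, ports=CLIENT_PORTS, probe=tcp_probe):
    """Probe every port before enrolling; return (blocking, warnings)."""
    blocking, warnings = [], []
    for service, port, required in ports:
        if not probe(host, port):
            (blocking if required else warnings).append((service, port))
    return blocking, warnings


def report(host, blocking, warnings):
    """Build one message line per unreachable port."""
    lines = ["ERROR: cannot reach %s (TCP %d) on %s" % (s, p, host)
             for s, p in blocking]
    lines += ["WARNING: cannot reach %s (TCP %d) on %s" % (s, p, host)
              for s, p in warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical default host; pass the real server name as argv[1].
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    failed, warned = check_ports(server)
    print(report(server, failed, warned) or "All checked ports reachable.")
    sys.exit(1 if failed else 0)
```

A connect-based probe only shows that something accepts connections on the port from this client; it does not confirm that the service behind it is an IPA server.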



