[Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

Ade Lee alee at redhat.com
Fri Oct 5 19:24:57 UTC 2012


Agreed with your assessment that the --check-ca is not needed, as we
will be checking this into 3.1 (and not 3.0).

Attached is a patch for the "request object" issue.  Basically, the
replication was not working because ipa-replica-prepare was passing in
the wrong port when creating the replica package.

Let me know if you have issues - and remember to add the missing link to
the master.  That fix to add that link will be checked in today and
should be in the dogtag developer nightly build as of tomorrow.

Ade

On Fri, 2012-10-05 at 11:57 +0200, Petr Viktorin wrote:
> On 10/04/2012 10:04 PM, Ade Lee wrote:
> > Attached is a patch to handle the ipa-replica-conncheck issue.  It
> > should be applied on top of your patch.
> >
> > Essentially, the fix is as follows:
> > A. If the DS_PORT = 7389, then we pass --check-ca in the
> > ipa-replica-conncheck to be executed on the master.
> > a1. If the master is ipa 2.x, this will prompt a check for port 7389.
> > a2. If the master is ipa 3, this will default to dogtag_ds_port of 7389.
> >
> > B. Else if DS_PORT = 389, then we pass nothing to the
> > ipa-replica-conncheck to be executed on the master.  This is because we
> > will be checking 389 in any case for the IPA DS check.
> >
> > Ade
> 
> The code works, I got past the connection check, and now I'm getting the 
> same internal server error with a clone from IPA 2.2 as with a clone 
> from "3.0 upgraded from 2.2" (unknown object class "request").
> 
> However, since with this patch IPA will depend on Dogtag 10, 
> install_constants.DS_PORT will always be 389, so case A will never 
> happen. I think the two if-blocks that add the --check-ca can be dropped 
> entirely.
> 
> Assuming that even a clone from an old instance will use the single DB,
> conncheck's --dogtag-master-ds-port option is redundant: iff the server 
> supports it, it uses port 389 which doesn't need re-checking.
> 
> >
> > 0001-Allow-ipa-replica-conncheck-to-work-with-2.2-instanc.patch
> >
> >
> >  From a9cd4cb15e6c230e5690f3fa919fda9c5728ee10 Mon Sep 17 00:00:00 2001
> > From: Ade Lee<alee at redhat.com>
> > Date: Thu, 4 Oct 2012 15:55:29 -0400
> > Subject: [PATCH] Allow ipa-replica-conncheck to work with 2.2 instances
> >
> > ---
> >   install/tools/ipa-replica-conncheck | 15 +++++++--------
> >   1 file changed, 7 insertions(+), 8 deletions(-)
> >
> > diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
> > index c9fb816be43d873a6ca79396e77270fd0d10aa12..498ef49e84e1dc8325b6fc2d850c8bffb9297e69 100755
> > --- a/install/tools/ipa-replica-conncheck
> > +++ b/install/tools/ipa-replica-conncheck
> > @@ -282,7 +282,11 @@ def main():
> >
> >       required_ports = BASE_PORTS
> >       if options.check_ca:
> > -        ca_port = CheckedPort(int(options.dogtag_master_ds_port), SOCK_STREAM,
> > +        port_val = 7389
> > +        if options.dogtag_master_ds_port:
> > +            port_val = int(options.dogtag_master_ds_port)
> > +
> > +        ca_port = CheckedPort(port_val, SOCK_STREAM,
> >                                 "PKI-CA: Directory Service port")
> >           required_ports.extend([ca_port])
> >
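Review bot: The fallback in `port_val = 7389` is a bare literal, and the same number reappears in the two `DS_PORT == 7389` comparisons later in this patch; a named constant, or making 7389 the default of the `dogtag_master_ds_port` option, would keep the three in step. Separately, the context lines show `required_ports = BASE_PORTS` followed by `required_ports.extend([ca_port])`, which appends to the shared `BASE_PORTS` list rather than to a copy; copying the list before extending it would avoid that.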
> > @@ -359,11 +363,8 @@ def main():
> >                   raise RuntimeError("Could not get ticket for master server: %s" % stderr)
> >
> >               remote_check_opts = ['--replica %s' % options.hostname]
> > -            if options.check_ca:
> > +            if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
> >                   remote_check_opts.append('--check-ca')
> > -                remote_check_opts.extend(["--dogtag-master-ds-port",
> > -                    str(dogtag.install_constants.DS_PORT)])
> > -
> >
> >               print_info("Execute check on remote master")
> >
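Review bot: The new condition `options.check_ca and dogtag.install_constants.DS_PORT == 7389` carries no comment saying why `--check-ca` is withheld from the master when the local DS_PORT has any other value; a one-line comment with the reason given in the covering mail (port 389 is already covered by the IPA DS check) would make the intent clear. The test also depends only on the locally installed constants, so if DS_PORT is always 389, as the reply in this thread points out, the branch never runs and can be dropped.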
> > @@ -387,10 +388,8 @@ def main():
> >               print_info("Please run the following command on remote master:")
> >
> >               remote_check_opts = ['--replica %s' % options.hostname]
> > -            if options.check_ca:
> > +            if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
> >                   remote_check_opts.append('--check-ca')
> > -                remote_check_opts.extend(["--dogtag-master-ds-port",
> > -                    str(dogtag.install_constants.DS_PORT)])
> >
> >               print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
> >               time.sleep(3600)
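Review bot: The `if options.check_ca and dogtag.install_constants.DS_PORT == 7389:` block here duplicates the one in the previous hunk; building `remote_check_opts` in a single helper used by both the automatic and the manual path would stop the two from drifting apart. In this path `'--replica %s' % options.hostname` is also joined into a command line that the administrator is told to run on the master, so shell-quoting the hostname before it is printed would be safer.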
> > -- 1.7.12
> >
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-ipa-replica-prepare-to-include-correct-port.patch
Type: text/x-patch
Size: 967 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121005/e2948e7a/attachment.bin>

