[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

Rob Crittenden rcritten at redhat.com
Wed Oct 10 14:15:54 UTC 2012


Tomas Babej wrote:
> On 10/04/2012 11:06 AM, Tomas Babej wrote:
>> On 10/03/2012 07:27 PM, Rob Crittenden wrote:
>>> Tomas Babej wrote:
>>>> On 10/03/2012 03:31 PM, Tomas Babej wrote:
>>>>> On 10/02/2012 08:48 PM, Rob Crittenden wrote:
>>>>>> Tomas Babej wrote:
>>>>>>> On 09/26/2012 09:32 PM, Rob Crittenden wrote:
>>>>>>>> Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Connection error message in ipa-client-install now warns the user
>>>>>>>>> about the need of opening 389 port for directory server.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2816
>>>>>>>>>
>>>>>>>>> I think this can be pushed as a one-liner.
>>>>>>>>
>>>>>>>> I think we should list all ports that are required for client
>>>>>>>> enrollment.
>>>>>>>>
>>>>>>>> From my calculations we need at a minimum tcp ports 80 and 389, either
>>>>>>>> or both udp/tcp for port 88 and if NTP is enabled 123 udp for
>>>>>>>> enrollment alone. The NTP failure won't cause enrollment to fail
>>>>>>>> though, so we may be able to skip that.
>>>>>>>>
>>>>>>>> Similarly 464 should be enabled but we don't use it during
>>>>>>>> enrollment.
>>>>>>>>
>>>>>>>> rob
>>>>>>> I improved the error message. Please check if there are any issues.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Tomas
>>>>>>
>>>>>> This only works if port 389 is blocked, not 88 or 80.
>>>>>>
>>>>>> rob
>>>>> I tested and added the port configuration info message at the appropriate
>>>>> places for TCP 80, 88, 389 ports. I also added the info message at the end
>>>>> of installation output. Please consider if you agree with this approach.
>>>>>
>>>>> Tomas
>>>> I reworded the commit message, due to the scope of changes made
>>>> since the first revision of the patch.
>>>>
>>>> Tomas
>>>
>>> Works a lot better, just a few more suggestions:
>>>
>>> 1. When we fail to retrieve the CA from the remote server we log it
>>> but don't print it. I think this would make it clearer why we think
>>> this isn't an IPA server.
>>>
>>> 2. Do we need to print the ports message at the end? If it gets this
>>> far then at least ports 80, 88 and 389 are open.
>>>
>>> I would suggest dropping the last message. I think we should also
>>> open a new ticket and do port checks on the things we need so we can
>>> confirm it up front instead of one-at-a-time.
>>>
>>> rob
>> 1.) Done.
>> 2.) Well I had a feeling it was not really necessary too - it adds a
>> lot to the output of the installation, but the user wouldn't be
>> informed about the need of opening 464 port. However, your proposed
>> ticket should solve this issue, and will give more specific
>> information rather than a general advice. See more:
>>
>> https://fedorahosted.org/freeipa/ticket/3138
>>
>> I suggest opening a similar ticket for ipa-server-install, at the end
>> we print a general info message about which ports should be open for
>> IPA Server to work properly. Re-using the work done in ticket 3138, we
>> could rather check which particular ports are not opened and therefore
>> give the user more specific information too.
>>
>> Tomas
>
> Patch now attached, sorry.
>
> Tomas

ACK, pushed to master and ipa-3-0

rob
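
The up-front port check suggested in the thread (confirm every required port in one pass instead of failing on them one at a time) could look like the following. This is an added example, not code from the patch or from FreeIPA; the function names, the message wording and the host name `ipa.example.test` are assumptions, and only the TCP ports 80, 88 and 389 named in the thread are covered, because a UDP port cannot be confirmed open with a plain connect.

```python
import socket
import sys

# TCP ports the thread lists as needed during client enrollment.
ENROLLMENT_TCP_PORTS = {80: "HTTP", 88: "Kerberos", 389: "LDAP"}


def check_tcp_ports(host, ports, timeout=3.0):
    """Attempt a TCP connect to every port and return {port: reachable}.

    All ports are tried even after a failure, so the caller can report
    the complete set of blocked ports in a single message.
    """
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            # Covers refused connections, timeouts (silently dropped
            # packets) and name-resolution failures.
            results[port] = False
    return results


def blocked_ports_message(host, results, names=ENROLLMENT_TCP_PORTS):
    """Build one message naming every unreachable port, or None if all are open."""
    blocked = sorted(port for port, ok in results.items() if not ok)
    if not blocked:
        return None
    lines = ["Cannot reach %s on the following TCP ports:" % host]
    for port in blocked:
        lines.append("  %d (%s)" % (port, names.get(port, "unknown service")))
    lines.append("Check the firewall settings between this client and the server.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical server name; pass the real one as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    message = blocked_ports_message(
        server, check_tcp_ports(server, ENROLLMENT_TCP_PORTS)
    )
    if message:
        sys.exit(message)
    print("All enrollment TCP ports on %s are reachable." % server)
```
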



