[Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

Rob Crittenden rcritten at redhat.com
Thu Oct 18 18:01:24 UTC 2012


Tomas Babej wrote:
> On 10/02/2012 03:55 PM, Rob Crittenden wrote:
>> Tomas Babej wrote:
>>> Hi,
>>>
>>> When executing ipa-replica-manage connect to an unknown or irrelevant
>>> master, we now print a sensible error message informing the user
>>> about this possibility as well.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3105
>>>
>>> Tomas
>>
>> I put a whole bunch of code into a try/except and this may be catching
>> errors in unexpected ways.
>>
>> I'm not entirely sure right now what we should do, but looking at the
>> code in the try:
>>
>> repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
>> repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
>>
>> We take in replica1 and replica1 as arguments (the default for
>> replica1 is the current host).
>>
>> If either of these raises a NotFound it means there is no master
>> of that name. Does that mean that the master was deleted? Well,
>> clearly not.
>>
>> A lot has changed since I did this, I may have been relying on a
>> side-effect, or just hadn't tested well-enough.
>>
>> I wonder if we need that message at all. Is "foo" is not an IPA server
>> good enough? It still might be confusing if someone didn't know that
>> "foo" was deleted and it was still running. We could probably verify
>> that it is at least an IPA server by doing similar checking in the
>> client, it all depends on how far we want to take it.
>>
>> rob
>
> I modified the patch. Now if the NotFound error is encountered, we try
> to investigate whether we're trying to connect to an IPA server at all.
> Please see if you have any suggestions.
>
> Tomas

Getting there, the errors are a lot better.

Can you modify the 'Connection unsuccessful' message to include the 
server we failed to connect to?

The logger isn't so nice either, I think I'd prefer it if we could 
exclude the severity:

ipa: ERROR: LDAP Error: Connect error: TLS error -8172:Peer's 
certificate issuer has been marked as not trusted by the user.
Connection unsuccessful.

So drop the 'ipa: ERROR: ' part for consistency. I don't believe we
configure the root logger at all in this tool so it is using the defaults.

I'd also replace the test for -4 with the constant 
ipadiscovery.NOT_IPA_SERVER

rob
