[Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation
Alexander Bokovoy
abokovoy at redhat.com
Tue Jun 2 15:41:22 UTC 2015
On Tue, 02 Jun 2015, Martin Kosek wrote:
>On 06/02/2015 05:32 PM, Alexander Bokovoy wrote:
>> On Tue, 02 Jun 2015, Martin Kosek wrote:
>>> On 06/02/2015 05:24 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>>>> On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>>>> On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>>>> On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>>>> On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> The following error was caught during replica installation (I used all
>>>>>>>>> the latest patches from Ludwig and Martin Basti):
>>>>>>> - except ldap.TYPE_OR_VALUE_EXISTS:
>>>>>>> + except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
>>>>>>>
>>>>>>> What happens if all replicas are updated and domain level is raised? I don't
>>>>>>> think that the group will be populated. Or will it be? Without it, topology
>>>>>>> plugin won't work, right?
>>>>>> good point,
>>>>>> it will be limited, when adding a new segment a replication agreement will be
>>>>>> created, but it will not have the credentials to replicate.
>>>>>>> There should be a moment where all the DNs are added.
>>>>>> yes, there could probably be a check when topology plugin gets active if the
>>>>>> binddn group exists and if not create and populate it
>>>>> Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>>>> should be the BIND DN group which Topology plugins works with, no?
>>>> what would be the members of this group ?
>>>> the binddn group needs all the ldap principals in it so that a replica can do
>>>> gssapi replication to another replica.
>>>
>>> Ah. Hosts would be members of the group, i.e. host/server1.example.test
>>> principals. If this is the case, the IPA Masters group does not look that
>>> helpful.
>> No, host's DN is fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX. This
>> is exception in the way Kerberos services addressed.
>
>Sure. But my point here was that host principals (and a hostgroup) are not
>helpful here as DS will be authenticating with ldap/... principals.
Correct, so you need to go one step more and simply add
krbprincipalname=ldap/ipa.master,... to the list. You know that if the
host from IPA Masters hostgroup, then it has to have ldap service and if
it is not, then it is not a master, so you'd skip that one.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list