[Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
Martin Basti
mbasti at redhat.com
Wed Mar 11 14:13:38 UTC 2015
On 11/03/15 13:00, Martin Babinsky wrote:
> These patches solve https://fedorahosted.org/freeipa/ticket/4933.
>
> They are to be applied to master branch. I will rebase them for
> ipa-4-1 after the review.
>
Thank you for the patches.
I have a few comments:
IPA-4-1
Replacing simple bind with LDAPI is too big a change for 4-1; we should
start TLS if possible to avoid the MINSSF>0 error. The LDAPI patches should
go only into the IPA master branch.
You can do something like this:
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -107,6 +107,10 @@ class Service(object):
if not self.realm:
raise errors.NotFound(reason="realm is missing for
%s" % (self))
conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+ elif self.dm_password is not None:
+ conn = ipaldap.IPAdmin(self.fqdn, port=389,
+ cacert=paths.IPA_CA_CRT,
+ start_tls=True)
else:
conn = ipaldap.IPAdmin(self.fqdn, port=389)
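Review bot: the new `elif self.dm_password is not None` branch passes `cacert=paths.IPA_CA_CRT`, but the hunk does not show `paths` being imported in service.py; please make sure that import is present, since a NameError here would only surface when the service connects with a Directory Manager password. It would also help to add a short comment on the branch stating why START_TLS is used (the server's MINSSF>0 rejects a simple bind over cleartext) and that the trailing `else` branch, which still opens a plain port-389 connection, is acceptable only because no password is sent over it.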
PATCH 0018:
1)
please add a more chatty commit message there about using LDAPI
2)
I do not much like the idea of adding a 'realm' kwarg to the __init__ method of
OpenDNSSECInstance.
IIUC, it is because of the get_masters() method, which requires realm to use LDAPI.
You can just add ods.realm=<realm> before the call to get_master() in
ipa-dns-install:
if options.dnssec_master:
+ ods.realm=api.env.realm
dnssec_masters = ods.get_masters()
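Review bot: style point on `+ ods.realm=api.env.realm`: PEP 8 wants spaces around the assignment operator (`ods.realm = api.env.realm`). Since the attribute is now set from the caller instead of the constructor, a one-line comment saying why it is set here (get_masters() connects over LDAPI, which needs the realm) would help the next reader.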
(Honza will change it anyway during refactoring)
PATCH 0019:
1)
The commit message deserves to be more chatty; can you explain there why you
removed the Kerberos cache?
Martin^2
--
Martin Basti
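As an added illustration, not code from the patches or from FreeIPA itself, the connection policy the suggested hunk implements, with the LDAPI URI construction and the "no cleartext simple bind" check made explicit; the slapd socket path and the realm-to-serverid mapping are assumptions, not taken from the thread.

```python
from urllib.parse import quote

# Constructed illustration of the policy discussed above: prefer LDAPI, use
# START_TLS when a Directory Manager password is going to be sent, and never
# send that password over a cleartext connection (a DS with MINSSF>0 would
# reject such a bind anyway). Socket path and serverid derivation are assumed.
SLAPD_SOCKET = "/var/run/slapd-{serverid}.socket"  # assumed 389-ds socket path


def realm_to_serverid(realm):
    """389-ds instance name derived from the realm (assumed: dots become dashes)."""
    return realm.replace(".", "-")


def ldapi_uri(realm):
    """LDAPI URI for the local DS socket; the path is percent-encoded, including '/'."""
    path = SLAPD_SOCKET.format(serverid=realm_to_serverid(realm))
    return "ldapi://" + quote(path, safe="")


def plan_connection(fqdn, realm=None, ldapi=False, dm_password=None, cacert=None):
    """Return (uri, start_tls) for the DS connection, mirroring the hunk's branches.

    Raises ValueError instead of choosing a cleartext simple bind with the
    Directory Manager password.
    """
    if ldapi:
        if not realm:
            raise ValueError("realm is missing, cannot build the LDAPI URI")
        return ldapi_uri(realm), False      # local socket: no TLS needed
    if dm_password is not None:
        if not cacert:
            raise ValueError("refusing simple bind with DM password without START_TLS")
        return "ldap://%s:389" % fqdn, True  # START_TLS before the bind
    return "ldap://%s:389" % fqdn, False     # no password sent: plain is acceptable
```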