[Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections

Wed Mar 11 14:13:38 UTC 2015

On 11/03/15 13:00, Martin Babinsky wrote:
> These patches solve https://fedorahosted.org/freeipa/ticket/4933.
>
> They are to be applied to master branch. I will rebase them for 
> ipa-4-1 after the review.
>
Thank you for the patches.

I have a few comments:

IPA-4-1
Replace simple bind with LDAPI is too big change for 4-1, we should 
start TLS if possible to avoid MINSSF>0 error. The LDAPI patches should 
go only into IPA master branch.

You can do something like this:

--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -107,6 +107,10 @@ class Service(object):
                  if not self.realm:
                      raise errors.NotFound(reason="realm is missing for 
%s" % (self))
                  conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+            elif self.dm_password is not None:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389,
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=True)
              else:
                  conn = ipaldap.IPAdmin(self.fqdn, port=389)


PATCH 0018:
1)
please add there more chatty commit message about using LDAPI

2)
I do not like much idea of adding 'realm' kwarg into __init__ method of 
OpenDNSSECInstance
IIUC, it is because get_masters() method, which requires realm to use LDAPI.

You can just add ods.realm=<realm>, before call get_master() in 
ipa-dns-install
     if options.dnssec_master:
+        ods.realm=api.env.realm
         dnssec_masters = ods.get_masters()
(Honza will change it anyway during refactoring)

PATCH 0019:
1)
commit message deserves to be more chatty, can you explain there why you 
removed kerberos cache?

Martin^2

-- 
Martin Basti


