[Freeipa-devel] [PATCHSET] Replica promotion patches

Simo Sorce simo at redhat.com
Thu Oct 15 14:54:07 UTC 2015


Commenting only on the 2 remaining patches that need to be committed, 
inline.

On 15/10/15 04:45, Jan Cholasta wrote:
> On 23.9.2015 19:47, Simo Sorce wrote:

> "Allow ipa-ca-install to use the new promotion code":
>
> 1) The --replica option was not removed:

Will do, thanks for spotting.

> On 22.9.2015 10:45, Jan Cholasta wrote:
>> 1) The --replica option is redundant. You can safely decide whether this
>> is the first CA master or not based on information in cn=masters.
>
> 2) ipa-ca-install prompts for both admin and DM password:
>
> # ipa-ca-install -r
> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> Directory Manager (existing master) password:
>
> DM password should not be required, right?

Unfortunately, if you install the CA in a separate step we still need to 
ask for the DM password because Dogtag uses simple binds over ldaps:// 
and not ldapi://. We do not need that if you pass --setup-ca because we 
generate a random DM password and replace it with the hash obtained by 
the existing master only after all components are installed.

> 3) ipa-ca-install fails with:
>
> Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 445, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 435, in run_step
>      method()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 631, in __spawn_instance
>      DogtagInstance.spawn_instance(self, cfg_file)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 185, in spawn_instance
>      self.handle_setup_error(e)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 448, in handle_setup_error
>      raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> I guess I'm hitting the authentication bug in Dogtag. It is supposed to
> be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
> We might need a new 10.2.7 build.

I am not sure which version has it fixed. Endi?


> 1) ipa-kra-install fails with:
>
> Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
> 171, in execute
>      return_value = self.run()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 220, in run
>      self._run()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 200, in _run
>      if config.subject_base is None:
> AttributeError: 'NoneType' object has no attribute 'subject_base'


I need to find out why this stopped working; I will post a patch ASAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York