[Freeipa-devel] [PATCHSET] Replica promotion patches
Simo Sorce
simo at redhat.com
Thu Oct 15 14:54:07 UTC 2015
Commenting only on the 2 remaining patches that need to be committed,
inline.
On 15/10/15 04:45, Jan Cholasta wrote:
> On 23.9.2015 19:47, Simo Sorce wrote:
> "Allow ipa-ca-install to use the new promotion code":
>
> 1) The --replica option was not removed:
Will do, thanks for spotting.
> On 22.9.2015 10:45, Jan Cholasta wrote:
>> 1) The --replica option is redundant. You can safely decide whether this
>> is the first CA master or not based on information in cn=masters.
>
> 2) ipa-ca-install prompts for both admin and DM password:
>
> # ipa-ca-install -r
> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> Directory Manager (existing master) password:
>
> DM password should not be required, right?
Unfortunately, if you install the CA in a separate step we still need to
ask for the DM password, because dogtag uses simple binds over ldaps://
and not ldapi://. We do not need that if you pass --setup-ca, because we
generate a random DM password and replace it with the hash obtained by
the existing master only after all components are installed.
> 3) ipa-ca-install fails with:
>
> Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 445, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 435, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 631, in __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 185, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 448, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> I guess I'm hitting the authentication bug in Dogtag. It is supposed to
> be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
> We might need a new 10.2.7 build.
I am not sure which version has it fixed, Endi?
> 1) ipa-kra-install fails with:
>
> Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
> 171, in execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 220, in run
> self._run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 200, in _run
> if config.subject_base is None:
> AttributeError: 'NoneType' object has no attribute 'subject_base'
I need to find out why this stopped working; I will post a patch ASAP.
Simo.
--
Simo Sorce * Red Hat, Inc * New York