[Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance

Jakub Hrozek jhrozek at redhat.com
Fri Dec 10 13:03:08 UTC 2010


On 12/08/2010 01:59 PM, Simo Sorce wrote:
> On Wed, 8 Dec 2010 08:25:25 +0100
> Jan Zelený <jzeleny at redhat.com> wrote:
> 
>> Simo Sorce <ssorce at redhat.com> wrote:
>>> This patch allows patch 0025 to work properly for replica
>>> installation so it is a prereq for it now.
>>>
>>> It splits installation so that certain steps can be done after the
>>> tree has been replicated without having them wiped out, like the
>>> creation of the replica master entry under cn=masters,cn=ipa,cn=etc
>>>
>>> It also introduces a dependency on the replica file having the
>>> ca.crt in it. And installs it by default under /etc/ipa/ca.crt (the
>>> httpinstance later on also stores it
>>> under /usr/share/ipa/html/ca.crt)
>>>
>>> This patch also makes sure the memberof fixup task is run *after*
>>> initial replication, just to make sure. Technically the memberof
>>> plugin is already activated so memberof entries should be properly
>>> created while replication goes through. But better be thorough.
>>>
>>> Replication is now started within dsinstance.py and not after ds is
>>> set up as one of the dsinstance creation steps.
>>>
>>> Initial testing gave no issues to me.
>>>
>>> Simo.
>>
>> Can you please attach the patch? ;-)
> 
> Oh, I thought you'd just trust me :-D
> 
> Attached.
> Simo.
> 

Two comments:
If I understand it correctly, only the HTTP instance should now use the
cert in /usr/share/ipa/html/ca.crt; perhaps the CACERT variable in
ipaserver/install/dsinstance.py should be changed to point to
/etc/ipa/ca.crt, too.

The conn.connect() call in ipa-replica-install could pass
tls_cacertfile=CACERT since we already called install_ca_cert().

My installation testing with this patch went OK.

	Jakub