[Freeipa-devel] [PATCH] 755 upgrade IPA on installation

Martin Kosek mkosek at redhat.com
Fri Mar 18 12:52:27 UTC 2011 

On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
> Re-enable ldapi code in ipa-ldap-updater and remove the searchbase 
> restriction when run in --upgrade mode. This allows us to autobind 
> giving root Directory Manager powers.
> 
> This also:
>   * corrects the ipa-ldap-updater man page
>   * remove automatic --realm, --server, --domain options
>   * handle upgrade errors properly
>   * saves a copy of dse.ldif before we change it so it can be recovered
>   * fixes an error discovered by pylint
> 
> ticket 1087
> 
> rob

NACK.

Patch is promising, ipa-ldap-updater --upgrade works just fine. The
upgrade was also correctly executed after I did the RPM upgrade.

But I have hit two issues:

1) When ipa-ldap-updater is run as a regular user on a configured IPA
server I get the following error:

$ ipa-ldap-updater 
IPA is not configured on this system.

This is because regular user cannot access /var/lib/ipa/sysrestore/. I
guess we should either use another method of detecting installed IPA or
make the script root-only (as we do with other scripts taking advantage
of fstore).


2) I get stacktrace when I run ipa-ldap-updater with --ldapi:

$ sudo ipa-ldap-updater --ldapi
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 125, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 111, in main
    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 125, in __init__
    conn.do_external_bind(self.pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 360, in do_external_bind
    self.__lateinit()
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 260, in __lateinit
    [ 'nsslapd-directory' ])
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 378, in getEntry
    raise errors.NotFound(reason=notfound(args))
ipalib.errors.NotFound: * not found

I know that --ldapi did not work before the patch either, it just
crashed with another stacktrace. But it would be nice to fix this one.

Martin

More information about the Freeipa-devel mailing list