[Freeipa-devel] [PATCHES] Re: Changes to use a single database for dogtag and IPA

Martin Kosek mkosek at redhat.com
Thu Nov 22 10:01:11 UTC 2012


On 11/21/2012 01:29 PM, Petr Viktorin wrote:
> On 11/19/2012 05:35 PM, Martin Kosek wrote:
>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>> defaults made it to master independently (91e477b). Attaching rebased patch.
>>>
>>> Note that to continue development on f17, you will need to use the dogtag-devel
>>> repo:
>>>    sudo yum-config-manager --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
>>>
>>>
>>>
>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>> [...]
>>>>
>>>> For convenience, I've also pushed the changes to a personal repository.
>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>>
>>>>       git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10
>>>>
>>>
>>
>> I went through all the patches again and found one more issue, with the schema
>> check. As it binds to Directory Server anonymously when retrieving the schema
>> and tests if the "ipaObject" objectclass is present, it can fail and crash when
>> anonymous binds are not allowed for the Dogtag DS instance. This is what I got
>> when I disabled anonymous binds and ran ipa-replica-install --setup-ca (a
>> script to turn anonymous binds off is attached):
>>
>> [root@vm-104 ~]# ipa-replica-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> [...]
>> Connection from master to replica is OK.
>>
>> Connection check OK
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> LDAP error: INAPPROPRIATE_AUTH
>> Anonymous access is not allowed
>>
>> If possible, it would be good to authenticate first. This should be doable; we
>> have a Directory Manager password available, after all. Some schema retrieval
>> code that we already have in IPA can be found in the SchemaCache class in ldap2.py.
> 
> Good point. Attaching updated patch.
> 
>> We may also want to have some flag similar to --skip-conncheck which would
>> allow an admin with an issue like this one to skip the check when he is certain
>> that he copied the schema files.
> 
> I named it --skip-schema-check.
> 
>> Adding Ade to check that this scenario is actually sane and Dogtag is supposed
>> to work with anonymous access disabled for its DS instance.
>>
>> When reading the patches, I also saw a few places with the magic constant "7389"
>> (your "Fix schema replication from old masters" patch and Ade's patch). I
>> wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?
> 
> Fixed in this patch, I'll look at the other one soon.
> 
> 
> 
> For anyone who wants to test: I keep my Github branch updated. Re-running the
> fetch command will overwrite your branch with the latest changes.
> When the current issues are solved I'll repost all patches again in a single mail.
> 

This works fine. I just think that it may be useful to print some info like
'Schema check failed, you can use --skip-schema-check to....' in case the
following lines throw an exception:

+    connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
+    connection.start_tls_s()
+    connection.simple_bind_s(DN(('cn', 'Directory Manager')),
+                             config.dirman_password)
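Review bot: none of the three calls in this hunk (the IPASimpleLDAPObject constructor, start_tls_s and simple_bind_s) is guarded, so when the Dogtag DS instance is unreachable or the bind is refused the installer aborts with only the raw LDAP error text (the thread shows the bare "Can't contact LDAP server" line). Wrap the three calls in a try block, print which step failed together with a pointer to --skip-schema-check, and re-raise; catching the LDAP exception class rather than a bare Exception keeps unrelated errors (bad DN, missing config) propagating unchanged.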

This is the output I received when dirsrv@PKI-IPA on my IPA 2.2 master was down;
the error was not very descriptive:

# ipa-ca-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
...
Connection from master to replica is OK.

Connection check OK

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Can't contact LDAP server
#


Something like:

try:
    connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
    connection.start_tls_s()
    connection.simple_bind_s(DN(('cn', 'Directory Manager')),
                             config.dirman_password)
except Exception:
    print "Schema check failed, you can use --skip-schema-check"
    raise

Martin
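The following is an added example, not code from the FreeIPA patch or from the thread. It shows the two halves of the schema check being discussed: deciding whether the Dogtag DS instance publishes the ipaObject objectClass (by parsing objectClasses subschema values, which is what ldap2's SchemaCache reads), and turning a connect/bind failure into a message that names --skip-schema-check. No LDAP library is needed: `connect` and `fetch_objectclasses` are hypothetical callables standing in for the IPASimpleLDAPObject/start_tls_s/simple_bind_s sequence and the subschema read, the sample schema values are constructed (the OIDs under 1.3.6.1.4.1.99999 are invented), and `broken_connect` simulates the dirsrv@PKI-IPA-is-down case from the thread.

```python
"""Added example (not from the FreeIPA patch): schema check with a helpful
failure message. All LDAP I/O is replaced by hypothetical callables."""
import re

# NAME 'single' or NAME ( 'alias1' 'alias2' ... ), as in RFC 4512 definitions
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def objectclass_names(definition):
    """Return every NAME listed in one objectClasses attribute value."""
    match = _NAME_RE.search(definition)
    if match is None:
        return []
    if match.group(1) is not None:
        return [match.group(1)]
    return re.findall(r"'([^']+)'", match.group(2))


def schema_has_objectclass(objectclasses, wanted):
    """True if any definition names `wanted` (LDAP names are case-insensitive)."""
    wanted = wanted.lower()
    return any(wanted == name.lower()
               for definition in objectclasses
               for name in objectclass_names(definition))


class SchemaCheckError(Exception):
    """Raised when the schema could not be read at all (connect/bind failed)."""


def check_dogtag_schema(connect, fetch_objectclasses, skip_schema_check=False,
                        wanted="ipaObject"):
    """Return 'skipped', 'present' or 'missing'.

    connect() stands in for IPASimpleLDAPObject + start_tls_s + simple_bind_s;
    fetch_objectclasses(conn) stands in for reading the subschema entry.
    A failure in either is re-raised as SchemaCheckError whose message keeps
    the original error and points the admin at --skip-schema-check."""
    if skip_schema_check:
        return "skipped"          # admin asserts the schema files were copied
    try:
        conn = connect()
        objectclasses = fetch_objectclasses(conn)
    except Exception as exc:
        raise SchemaCheckError(
            "Schema check against the Dogtag DS instance failed: %s. "
            "If you are sure the IPA schema files were copied to that "
            "instance, re-run with --skip-schema-check." % exc) from exc
    return "present" if schema_has_objectclass(objectclasses, wanted) else "missing"


# Constructed sample subschema values: 2.5.6.6 'person' is the standard OID,
# the 1.3.6.1.4.1.99999.* OIDs are invented for this example.
SAMPLE_OLD_SCHEMA = [
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )",
    "( 1.3.6.1.4.1.99999.1.1 NAME ( 'exampleAux' 'exAux' ) SUP top AUXILIARY )",
]
SAMPLE_IPA_SCHEMA = SAMPLE_OLD_SCHEMA + [
    "( 1.3.6.1.4.1.99999.1.2 NAME 'ipaObject' SUP top AUXILIARY MUST ipaUniqueID )",
]


def broken_connect():
    """Hypothetical connect attempt while the PKI DS instance is down."""
    raise OSError("Can't contact LDAP server")


if __name__ == "__main__":
    print(check_dogtag_schema(lambda: object(), lambda c: SAMPLE_IPA_SCHEMA))
    print(check_dogtag_schema(lambda: object(), lambda c: SAMPLE_OLD_SCHEMA))
    try:
        check_dogtag_schema(broken_connect, lambda c: [])
    except SchemaCheckError as err:
        print(err)
```

The `from exc` chaining keeps the original LDAP error as `__cause__`, so the traceback the installer already prints is preserved while the first line the admin sees explains what was being checked and which option exists for the case where the schema was copied by hand.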



