[Freeipa-devel] [PATCH] 0010 Add 'host' setting into default.conf configuration file

Martin Kosek mkosek at redhat.com
Wed Sep 3 14:25:00 UTC 2014


On 09/03/2014 03:41 PM, Jan Cholasta wrote:
> Dne 3.9.2014 v 15:29 Nalin Dahyabhai napsal(a):
>> On Tue, Sep 02, 2014 at 10:18:12AM +0200, Jan Cholasta wrote:
>>> Dne 27.8.2014 v 16:49 David Kupka napsal(a):
>>>> On 08/27/2014 11:22 AM, Jan Cholasta wrote:
>>>>> Dne 26.8.2014 v 15:55 Rob Crittenden napsal(a):
>>>>>> David Kupka wrote:
>>>>>>> On 08/26/2014 03:08 PM, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Dne 26.8.2014 v 13:01 David Kupka napsal(a):
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4481
>>>>>>>>
>>>>>>>> Doing this will break ipa-client-automount and ipa-certupdate, because
>>>>>>>> they assume that api.env.host contains the hostname of the local
>>>>>>>> system
>>>>>>>> (which is the default value).
>>>>>>>
>>>>>>> It looked suspiciously simple so I could expect that there is some
>>>>>>> catch.
>>>>>>>>
>>>>>>>> There is obviously some confusion about what the option should
>>>>>>>> represent
>>>>>>>> (documentation says server hostname, code does client hostname),
>>>>>>>> IMO we
>>>>>>>> should resolve that first.
>>>>>>>
>>>>>>> Ok, are there any suggestions? What is the desired state?
>>>>>>
>>>>>> AIUI the server option is deprecated because it wasn't being used, not
>>>>>> that it needed to be replaced. I believe that in most cases the server
>>>>>> name is pulled from the xmlrpc_uri.
>>>>>
>>>>> Yes, that's what the ticket says:
>>>>> <https://fedorahosted.org/freeipa/ticket/3071>.
>>>>
>>>> Ok, adding 'host' entry with local host name.
>>>>>>
>>>>>> host has always meant the local host name.
>>>>>>
>>>>>> I think the man page is wrong.
>>>>>
>>>>> +1
>>>>>
>>>> Fixing the line in man page.
>>>>>>
>>>>>> rob
>>>
>>> ACK as long as this works for Nalin.
>>
>> The other half of this was cases where there's no ldap_uri set.  Just so
>> there's no confusion, if ldap_uri and/or server_uri are not set, what
>> are the recommended fallback settings that should be used for
>> constructing them?  I suspect it's "server", then "host", which is the
>> reverse of the order that they're currently being consulted, but I
>> figured I'd ask while we're all here.
> 
> "ldap_uri" is set only on servers, on clients you should use "server" (we
> should probably un-deprecate it). You could use "host" as a fallback, but it
> will only work on servers, as it points to the local host. IMO the right order
> is "server", then "ldap_uri", then maybe "host".

BTW what happens when the original server that the client enrolled with no longer
exists and was replaced by some other server with another FQDN? Will certmonger
fail in this case, or will it fall back and do a DNS SRV lookup to find an
alternative server like the "ipa" command does?

Martin
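Added example (not FreeIPA's own code, nor anything posted in this thread): a small resolver that reads a default.conf-style file and picks the LDAP server using the fallback order Jan proposes above, "server", then "ldap_uri", then "host". The sample configuration files, the example.test hostnames and the choice of the ldaps scheme for a bare hostname are constructed assumptions; the [global] section and the key names come from the thread.

```python
"""Resolve the LDAP server URI from a FreeIPA default.conf, using the fallback
order proposed in the thread above: "server", then "ldap_uri", then "host".
Added example; this is not FreeIPA's own code."""
import configparser
from urllib.parse import urlparse

LDAP_SCHEMES = {"ldap", "ldaps", "ldapi"}

# Constructed sample files (not copied from any real deployment).
# A server: ldap_uri is set, the deprecated "server" key is absent.
SERVER_CONF = """
[global]
host = ipa1.example.test
ldap_uri = ldaps://ipa1.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
"""

# An enrolled client: "server" names the IPA server, "host" is the client itself.
CLIENT_CONF = """
[global]
host = client1.example.test
server = ipa1.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
"""

# A file with nothing but "host": only meaningful when this machine is a server,
# because "host" is the local host name, not the name of an IPA server.
HOST_ONLY_CONF = """
[global]
host = ipa1.example.test
"""


def resolve_ldap_uri(conf_text, scheme="ldaps"):
    """Return (uri, source_key) for the LDAP server to contact.

    Fallback order: "server" -> "ldap_uri" -> "host".  A result whose source
    is "host" points at the local machine, so on a client the caller should
    treat it as "no server configured".  The scheme used to build a URI from
    a bare hostname is an assumption of this example.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("global"):
        raise ValueError("default.conf has no [global] section")
    cfg = parser["global"]

    # 1. "server": the IPA server an enrolled client talks to.
    server = cfg.get("server", "").strip()
    if server:
        return f"{scheme}://{server}", "server"

    # 2. "ldap_uri": present on servers; validate that it really is an LDAP URI.
    ldap_uri = cfg.get("ldap_uri", "").strip()
    if ldap_uri:
        if urlparse(ldap_uri).scheme not in LDAP_SCHEMES:
            raise ValueError(f"ldap_uri has an unexpected scheme: {ldap_uri}")
        return ldap_uri, "ldap_uri"

    # 3. "host": last resort; it is the local host name, so this only works on a server.
    host = cfg.get("host", "").strip()
    if host:
        return f"{scheme}://{host}", "host"

    raise ValueError("none of server, ldap_uri or host is set in default.conf")


if __name__ == "__main__":
    for name, text in [("server", SERVER_CONF), ("client", CLIENT_CONF),
                       ("host-only", HOST_ONLY_CONF)]:
        print(name, resolve_ldap_uri(text))
```

Running the block prints the resolved URI and the key it came from for each of the three constructed files; a tool that gets "host" back on a client should stop rather than connect to itself.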