[Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

Endi Sukma Dewata edewata at redhat.com
Fri Sep 4 14:03:43 UTC 2015


On 9/4/2015 6:35 AM, Martin Basti wrote:
>
>
> On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:
>> On 9/1/2015 1:52 AM, Martin Basti wrote:
>>>>>>> The CA and KRA installation code has been modified to use LDAPI
>>>>>>> to create the CA and KRA agents directly in the CA and KRA
>>>>>>> database. This way it's no longer necessary to use the Directory
>>>>>>> Manager password or CA and KRA admin certificate.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5257
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> 1) Can you use following code instead of direct call of
>>>>>> ldap2.ldap2()?
>>>>>>
>>>>>> if not api.Backend.ldap2.is_connected():
>>>>>>      api.Backend.ldap2.connect(autobind=True)
>>>>>>
>>>>>> conn = api.Backend.ldap2
>>>>
>>>> Why would you want to do that? The original code is fine, except the
>>>> connection check is not necessary (it is a new instance of ldap2, so
>>>> .isconnected() will always return False).
>>>>
>>>>>
>>>>> It's actually isconnected() instead of is_connected(), but even so,
>>>>> the
>>>>> proposed code doesn't work:
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Server): DEBUG    The ipa-server-install command failed, exception: TypeError: 'ldap2' object is not callable
>>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object is not callable
>>>>>
>>>>>> 2) Patch needs rebase to master branch.
>>>>>
>>>>> The original patch does apply cleanly to master. Did you see a
>>>>> conflict?
>>> Sorry my bad.
>>>
>>> Martin^2
>>>>>
>>>>>> 3)
>>>>>> +        user_dn = DN(('uid', "ipara"), ('ou', 'People'),
>>>>>> self.basedn)
>>>>>> +        conn.create(
>>>>>> +            dn=user_dn,
>>>>>>
>>>>>> can you use add_entry() instead of create()? We don't use native
>>>>>> python-ldap, but rather ipaldap methods
>>>>>
>>>>> It's actually calling the ldap2.create() defined in
>>>>> ipaserver/plugins/ldap2.py, which calls add_entry().
>>>>
>>>> NACK. We don't use ldap2.create(). Use add_entry().
>>>>
>>>>>
>>>>> So my original patch still stands.
>>
>> New patch attached.
>>
> ACK, but IMO that comment is not necessary and I would like to push the
> patch without it.
>
> Martin^2

It is necessary if we don't want people to use it. Otherwise someone
could make the same mistake. Or better yet, just remove the method.

-- 
Endi S. Dewata
