[Freeipa-devel] [PATCH] 0100 Track lightweight CAs on replica installation
Martin Babinsky
mbabinsk at redhat.com
Mon Aug 29 16:39:58 UTC 2016
On 08/23/2016 08:40 AM, Fraser Tweedale wrote:
> Hi folks,
>
> Please review attached patch which fixes
> https://fedorahosted.org/freeipa/ticket/6019.
>
> Thanks,
> Fraser
>
>
>
Hi Fraser,
I have couple of comments:
1.)
- for entry in lwcas:
- self.server_track_lightweight_ca(entry)
+ try:
+ from ipaserver.install import cainstance
+
cainstance.add_lightweight_ca_tracking_requests(self.log, lwcas)
+ except Exception as e:
+ self.log.exception(
+ "Failed to add lightweight CA tracking requests")
You are importing a server-side module in a basically client-side
command which I don't like very much. Isn't there a possibility to use
shared client-server module for this?
2.)
+ def __add_lightweight_ca_tracking_requests(self):
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' %
server_id
+ conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+ is_already_connected = conn.isconnected()
Why use these connection setup shenanigans when you can use either
api.Backend.ldap2 (IIRC this runs in server context so LDAPI should be a
given) or even the service's own 'admin_conn' member.
+
+ if not is_already_connected:
+ try:
+ conn.connect(autobind=True)
+ except errors.PublicError as e:
+ self.log.error(
+ "Cannot connect to LDAP to add "
+ "lightweight CA tracking requests: %s",
+ e
+ )
PEP8 error here, the second line of the message is misformatted.
+ return
+
+ try:
+ lwcas = conn.get_entries(
+ base_dn=ipautil.realm_to_suffix(api.env.realm),
+ filter='(objectclass=ipaca)',
+ attrs_list=['cn', 'ipacaid'],
+ )
I would rather use the result of api.Command.ca_find to fetch sub-CAs.
Also, ipautil.realm_to_suffix is superseded by api.env.basedn to fetch
search base.
+ add_lightweight_ca_tracking_requests(self.log, lwcas)
+ except errors.NotFound:
+ pass # shouldn't happen, but don't fail if it does
I would add at least some debug message here.
+ finally:
+ if not is_already_connected:
+ conn.disconnect()
+
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list