Martin Kosek wrote:
On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
Martin Kosek <mko...@redhat.com> wrote:
When v2 IPA client is trying to join an IPA v1 server
a strange exception is printed out to the user. This patch
detects this by catching an XML-RPC error reported by the ipa-join
binary called in the process, which fails on the nonexistent IPA server
'join' method.

wget call had to be changed so that IPA client may get to the
ipa-join step. --no-check-certificate had to be added as V1
server automatically redirects the request to self-signed secure
connection.

https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the
certificate directly from https://..../ca.crt instead of plain http, but there
is probably no real benefit.

ack

Jan

Jan, thanks for the review. And yes, I could not see a benefit either.
Since the IPA server certificate is not confidential information, the
secure connection is not needed. And since we do not trust the server's
certificate in this step of installation and --no-check-certificate is
used, a secure connection would be used for server identity validation
either.

Therefore, I would ask for the patch to be pushed.

Martin

I can't duplicate the behavior of it redirecting to the SSL port. The /ipa/config directory is purposely excluded from the SSL redirect for this purpose, even on v1 servers. Can we drop that part of the patch?

rob
