On 2/21/11 11:18 AM, "JR Aquino" <jr.aqu...@citrix.com> wrote:
> On 2/21/11 10:46 AM, "Jan Zeleny" <jzel...@redhat.com> wrote:
>
> > Rob Crittenden <rcrit...@redhat.com> wrote:
> > > JR Aquino wrote:
> > > > On 2/17/11 9:46 AM, "Jan Zeleny" <jzel...@redhat.com> wrote:
> > > > > JR Aquino <jr.aqu...@citrix.com> wrote:
> > > > > > Let's try now. Attached is the corrected patch.
> > > > > >
> > > > > > There were several spots in ipa-client-install where the server
> > > > > > could be defined and it was getting missed.
> > > > > > I have omitted any change to ipa-client-install and instead just
> > > > > > focused on ipadiscovery.py
> > > > > >
> > > > > > ipadiscovery.py now performs its own fetch of the CACert just to
> > > > > > be sure.
> > > > > >
> > > > > > Regarding TLS vs LDAPS.
> > > > > >
> > > > > > LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was
> > > > > > never standardized in any formal specification. This usage has
> > > > > > been deprecated along with LDAPv2, which was officially retired
> > > > > > in 2003.
> > > > > >
> > > > > > LDAPS is still supported, but considered deprecated in favor of
> > > > > > TLS as defined in RFC2830.
> > > > > >
> > > > > > On 2/17/11 2:01 AM, "Jan Zelený" <jzel...@redhat.com> wrote:
> > > > > > > JR Aquino <jr.aqu...@citrix.com> wrote:
> > > > > > > > This patch addresses the need to utilize TLS when using the
> > > > > > > > ipa-client-install tool. It addresses ticket:
> > > > > > > > https://fedorahosted.org/freeipa/ticket/974
> > > > > > >
> > > > > > > Nack, running ipa-client-install returned this error:
> > > > > > >
> > > > > > > # ipa-client-install
> > > > > > > Retrieving CA from None failed.
> > > > > > > Command '/usr/bin/wget -O /etc/ipa/ca.crt
> > > > > > > http://None/ipa/config/ca.crt' returned non-zero exit status 4
> > > > > > >
> > > > > > > One more question - shouldn't you use ldaps directly to connect
> > > > > > > to the server?
> > > > > > > Jan
> > > > >
> > > > > Sorry, I have to Nack it again, the patch seems incomplete, since
> > > > > it is only adding some cacert fetching code to IPADiscovery.
> > > > >
> > > > > Jan
> > > >
> > > > Please ignore previous patches for #18. Attached is the replacement
> > > > all-inclusive patch for this ticket.
> > > >
> > > > Per Rob:
> > > > ipadiscovery should not attempt to create the /etc/ipa/ca.crt;
> > > > rather, it should populate a tempdir with the temp cert for the
> > > > initial discovery bind.
> > > >
> > > > Attached is the full patch to provide both TLS and the safer wget of
> > > > the ca.crt to a temporary directory created by tempfile.mkdtemp()
> > > >
> > > > Please verify that ipa-client-install from a separate machine
> > > > functions as expected against a FreeIPA server which is set to
> > > > "nsslapd-minssf: 56"
> > >
> > > It looks ok except for the try/except around the tempfile. If it fails
> > > all heck is gonna break loose. We should raise a RuntimeError in that
> > > case.
> > >
> > > rob
> >
> > Agreed, I had more or less the same comment prepared.
>
> Correction made, patch attached.
>
>     except OSError, e:
>         raise RuntimeError("Creating temporary directory failed: %s" % str(e))

In the spirit of consistency, I have corrected a section further down where
sys.exit is called instead of raising the exception. I have also broken out
the removal of the temp files in a finally clause.

Please review, and confirm that it meets with your approval.
Description: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
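The pattern the thread converges on (tempfile.mkdtemp() wrapped so an OSError becomes a RuntimeError rather than a sys.exit, and removal of the temporary files in a finally clause) is shown below as an added example. It is not code from the attached patch or from FreeIPA; it is written in Python 3 syntax (the patch itself uses the Python 2 "except OSError, e:" form), and fetch_ca_to_tempdir, fetch_cert, the demo_* helpers and the FAKE_CA_PEM bytes are all hypothetical names and constructed data used only for illustration.

```python
import os
import shutil
import tempfile

# Constructed stand-in for the CA certificate bytes that ipa-client-install
# would download from the server; not a real FreeIPA certificate.
FAKE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"


def fetch_ca_to_tempdir(fetch_cert, mkdtemp=tempfile.mkdtemp):
    """Create a temporary directory, let fetch_cert(path) write ca.crt into
    it, and return the certificate bytes.

    The directory is removed in a finally clause, so it is gone whether
    fetch_cert succeeds or raises. A failure to create the directory is
    reported as RuntimeError instead of terminating the process, which
    lets the caller decide how to report it. (Hypothetical helper, not a
    FreeIPA API.)
    """
    try:
        tmpdir = mkdtemp()
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % e)
    try:
        ca_path = os.path.join(tmpdir, "ca.crt")
        fetch_cert(ca_path)  # e.g. a wget of http://<server>/ipa/config/ca.crt
        with open(ca_path, "rb") as f:
            return f.read()
    finally:
        # Runs on the success path and on every exception raised above,
        # so no temporary CA file is left behind on the client.
        shutil.rmtree(tmpdir, ignore_errors=True)


class _RecordingMkdtemp:
    """Wraps mkdtemp so a caller can check afterwards that the directory
    really was removed."""

    def __init__(self, inner=tempfile.mkdtemp):
        self.inner = inner
        self.path = None

    def __call__(self):
        self.path = self.inner()
        return self.path


def demo_success():
    """Fetch succeeds: returns (cert bytes, whether the tempdir still exists)."""
    rec = _RecordingMkdtemp()

    def fetch(path):
        with open(path, "wb") as f:
            f.write(FAKE_CA_PEM)

    data = fetch_ca_to_tempdir(fetch, mkdtemp=rec)
    return data, os.path.exists(rec.path)


def demo_fetch_failure():
    """Fetch fails (like wget exiting 4 in the thread): the error propagates
    and the tempdir is still cleaned up. Returns whether the dir exists."""
    rec = _RecordingMkdtemp()

    def fetch(path):
        raise OSError("wget returned non-zero exit status 4")  # constructed

    try:
        fetch_ca_to_tempdir(fetch, mkdtemp=rec)
    except OSError:
        return os.path.exists(rec.path)
    return None


def demo_mkdtemp_failure():
    """mkdtemp itself fails: a RuntimeError with the OSError text is raised."""

    def broken_mkdtemp():
        raise OSError("No space left on device")  # constructed failure

    try:
        fetch_ca_to_tempdir(lambda path: None, mkdtemp=broken_mkdtemp)
    except RuntimeError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(demo_success())
    print(demo_fetch_failure())
    print(demo_mkdtemp_failure())
```

Keeping cleanup in finally rather than after the last successful step is what makes the second case work: the wget-style failure still leaves no stray ca.crt in a directory the discovery bind briefly trusted.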