Martin Kosek wrote:
On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.

This also:
   * corrects the ipa-ldap-updater man page
   * remove automatic --realm, --server, --domain options
   * handle upgrade errors properly
   * saves a copy of dse.ldif before we change it so it can be recovered
   * fixes an error discovered by pylint

ticket 1087

rob

NACK.

Patch is promising, ipa-ldap-updater --upgrade works just fine. The
upgrade was also correctly executed after I did the RPM upgrade.

But I have hit two issues:

1) When ipa-ldap-updater is run as a regular user on a configured IPA
server I get the following error:

$ ipa-ldap-updater
IPA is not configured on this system.

This is because regular user cannot access /var/lib/ipa/sysrestore/. I
guess we should either use another method of detecting installed IPA or
make the script root-only (as we do with other scripts taking advantage
of fstore).


2) I get stacktrace when I run ipa-ldap-updater with --ldapi:

$ sudo ipa-ldap-updater --ldapi
Traceback (most recent call last):
   File "/usr/sbin/ipa-ldap-updater", line 125, in<module>
     sys.exit(main())
   File "/usr/sbin/ipa-ldap-updater", line 111, in main
     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not 
options.test, ldapi=options.ldapi)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 125, in __init__
     conn.do_external_bind(self.pw_name)
   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 360, in 
do_external_bind
     self.__lateinit()
   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 260, in 
__lateinit
     [ 'nsslapd-directory' ])
   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 378, in 
getEntry
     raise errors.NotFound(reason=notfound(args))
ipalib.errors.NotFound: * not found

I know that --ldapi did not work before the patch either, it just
crashed with another stacktrace. But it would be nice to fix this one.

Martin

Issues addressed.

I'm going to do a best-possible check for IPA Installation when non-root but stick with the fstore when doing it as root. This is because it is more important because it may be done automatically in rpm.

rob

Attachment: freeipa-rcrit-755-2-upgrade.patch
Description: application/mbox

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to