Martin Kosek wrote:
On Thu, 2011-03-17 at 17:10 -0400, Rob Crittenden wrote:
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.

This also:
   * corrects the ipa-ldap-updater man page
   * remove automatic --realm, --server, --domain options
   * handle upgrade errors properly
   * saves a copy of dse.ldif before we change it so it can be recovered
   * fixes an error discovered by pylint

ticket 1087



Patch is promising, ipa-ldap-updater --upgrade works just fine. The
upgrade was also correctly executed after I did the RPM upgrade.

But I have hit two issues:

1) When ipa-ldap-updater is run as a regular user on a configured IPA
server I get the following error:

$ ipa-ldap-updater
IPA is not configured on this system.

This is because a regular user cannot access /var/lib/ipa/sysrestore/. I
guess we should either use another method of detecting installed IPA or
make the script root-only (as we do with other scripts taking advantage
of fstore).

2) I get a stacktrace when I run ipa-ldap-updater with --ldapi:

$ sudo ipa-ldap-updater --ldapi
Traceback (most recent call last):
   File "/usr/sbin/ipa-ldap-updater", line 125, in <module>
   File "/usr/sbin/ipa-ldap-updater", line 111, in main
     ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/", line 125, in __init__
   File "/usr/lib/python2.7/site-packages/ipaserver/", line 360, in 
   File "/usr/lib/python2.7/site-packages/ipaserver/", line 260, in 
     [ 'nsslapd-directory' ])
   File "/usr/lib/python2.7/site-packages/ipaserver/", line 378, in 
     raise errors.NotFound(reason=notfound(args))
ipalib.errors.NotFound: * not found

I know that --ldapi did not work before the patch either, it just
crashed with another stacktrace. But it would be nice to fix this one.


Issues addressed.

I'm going to do a best-possible check for IPA Installation when non-root but stick with the fstore when doing it as root. This is because it is more important because it may be done automatically in rpm.


Attachment: freeipa-rcrit-755-2-upgrade.patch
Description: application/mbox
