On Wed, 2011-10-12 at 09:31 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> > On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > For starters I added a 15 second timeout and 2 tries. These numbers are
> > > > arbitrary, I am open to suggestions.
> > > >
> > > > Martin
> > > >
> > > > ---
> > > > Add a timeout to the wget call to cover a case when autodiscovered
> > > > server does not respond to our attempt to download ca.crt. Let
> > > > user specify a different IPA server in that case.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1960
> > >
> > > There is a wget call in ipa-client-install as well, should a timeout be
> > > added there?
> > >
> > > rob
> > >
> >
> > This wget is for the very same ca.crt that was already (successfully)
> > retrieved when the server was being checked by ipadiscovery. Thus I
> > don't think it is necessary.
>
> Shouldn't it be eliminated then ?
> OR do we really need to dload the cert twice? Or did I misunderstand
> your reply ?
>
> Simo.

You understood correctly. We always try to download ca.crt during
ipacheckldap() call. We clean up all temporary files downloaded during
server verification in the end. When the user finally confirms and we
start the actual client installation, then we download ca.crt
to /etc/ipa/.

I think that the current procedure is OK compared to additional code we
would have to add to pass the ca.crt from ipacheckldap() and cover all
possible cases. Please, open an enhancement ticket if you think
otherwise.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel