On 10/05/2012 09:24 PM, Ade Lee wrote:
Agreed with your assessment that the --check-ca is not needed, as we
will be checking this into 3.1 (and not 3.0).

Attaching patch that does this. It also removes the unneeded --dogtag-master-ds-port option. I'll squash it into the big patch later.

Attached is a patch for the "request object" issue.  Basically, the
replication was not working because ipa-replica-prepare was passing in
the wrong port when creating the replica package.

Let me know if you have issues - and remember to add the missing link to
the master.  That fix to add that link will be checked in today and
should be in the dogtag developer nightly build as of tomorrow.


We are working on the issues off-list.

--
Petr³

From 63d9b018f065b9447dbc114dd61651cffccf8ba0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 8 Oct 2012 03:51:31 -0400
Subject: [PATCH] Remove unneeded --dogtag-master-ds-port option in
 replica-conncheck, only use check-ca for old installs

---
 install/tools/ipa-replica-conncheck | 29 +++++++++--------------------
 ipaserver/install/replication.py    |  7 +++----
 2 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 879d08d15453803d05ec8930680ece72decdd2d8..f0ca7fcc272536eadce77471ea8326bf966916e7 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -60,6 +60,7 @@ BASE_PORTS = [
                 CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"),
              ]
 
+
 def print_info(msg):
     if not QUIET:
         print msg
@@ -94,11 +95,8 @@ def parse_options():
     common_group.add_option("-c", "--check-ca", dest="check_ca",
                       action="store_true",
                       default=False,
-                      help="Check also ports for Certificate Authority")
-
-    common_group.add_option("-C", "--dogtag-master-ds-port",
-                      dest="dogtag_master_ds_port",
-                      help="Port for Certificate Authority database")
+                      help="Check also ports for Certificate Authority "
+                        "(for servers installed before IPA 3.1)")
 
     common_group.add_option("", "--hostname", dest="hostname",
                       help="The hostname of this server (FQDN). "
@@ -282,13 +280,10 @@ def main():
 
     required_ports = BASE_PORTS
     if options.check_ca:
-        port_val = 7389
-        if options.dogtag_master_ds_port:
-            port_val = int(options.dogtag_master_ds_port)
-
-        ca_port = CheckedPort(port_val, SOCK_STREAM,
-                              "PKI-CA: Directory Service port")
-        required_ports.extend([ca_port])
+        # Check old Dogtag CA replication port
+        # New installs with unified databases use port 389 (checked above)
+        required_ports.append(CheckedPort(7389, SOCK_STREAM,
+            "PKI-CA: Directory Service port"))
 
     if options.replica:
         print_info("Check connection from master to remote replica '%s':" % options.replica)
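Review bot: `required_ports = BASE_PORTS` binds the module-level list rather than copying it, so the new `required_ports.append(...)` under `if options.check_ca:` adds the 7389 entry to `BASE_PORTS` itself. Any later use of `BASE_PORTS` in this process would then include the CA port as well; whether anything reads it again is not visible here, since main() continues outside the hunk. Copying first avoids the aliasing: `required_ports = list(BASE_PORTS)`. The literal `7389` would also read better as a named constant defined next to `BASE_PORTS`.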
@@ -322,6 +317,8 @@ def main():
             responder.start()
             RESPONDERS.append(responder)
 
+        remote_check_opts = ['--replica %s' % options.hostname]
+
         if options.auto_master_check:
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
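Review bot: `remote_check_opts = ['--replica %s' % options.hostname]` builds a command-line fragment by string interpolation, and it is later joined with spaces into the `/usr/sbin/ipa-replica-conncheck ...` line printed for the admin to run on the master. If the same joined string is also handed to a remote shell in the `auto_master_check` branch (that call is outside the hunks shown), a hostname value containing whitespace or shell metacharacters would be split or interpreted instead of being passed as one argument. Quoting the value here would keep both uses safe, e.g. `remote_check_opts = ['--replica %s' % pipes.quote(options.hostname)]` (needs `import pipes`), or `options.hostname` could be validated as an FQDN when options are parsed. Also, after this commit nothing appends `--check-ca` to `remote_check_opts`, so the master-side check no longer probes 7389 on the replica; if that is intended, a short comment at this line should say so.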
@@ -362,10 +359,6 @@ def main():
             if returncode != 0:
                 raise RuntimeError("Could not get ticket for master server: %s" % stderr)
 
-            remote_check_opts = ['--replica %s' % options.hostname]
-            if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
-                remote_check_opts.append('--check-ca')
-
             print_info("Execute check on remote master")
 
             stderr = ''
@@ -387,10 +380,6 @@ def main():
             print_info("")
             print_info("Please run the following command on remote master:")
 
-            remote_check_opts = ['--replica %s' % options.hostname]
-            if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
-                remote_check_opts.append('--check-ca')
-
             print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
             time.sleep(3600)
             print_info("Connection check timeout: terminating listening program")
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 06466f2995763c07b167a8312ab8bd4d6bf08522..62e33d93f5709422af319bcc6ea680c1c76a3588 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -77,11 +77,10 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
         args.extend(["--password", admin_password])
         nolog=(admin_password,)
 
-    if check_ca:
+    if check_ca and dogtag_master_ds_port == 7389:
         args.append('--check-ca')
-        args.extend(["--dogtag-master-ds-port", dogtag_master_ds_port])
-    (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
-                                              nolog=nolog)
+    (stdin, stderr, returncode) = ipautil.run(
+        args, raiseonerr=False, capture_output=False, nolog=nolog)
 
     if returncode != 0:
         sys.exit("Connection check failed!" +
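Review bot: The new condition `check_ca and dogtag_master_ds_port == 7389` compares against an int, but the removed line passed `dogtag_master_ds_port` straight into the argv list, which suggests callers may supply it as a string. In Python 2 `'7389' == 7389` is False, so in that case `--check-ca` would be silently dropped and the old CA replication port would never be checked. Normalising the value makes the test robust: `if check_ca and int(dogtag_master_ds_port) == 7389:`. replica_conn_check starts above this hunk and continues below it, so the parameter's actual type (and whether it can be None) should be confirmed against its callers.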
-- 
1.7.11.4
