On 11/15/2012 03:19 PM, Petr Viktorin wrote:
> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
> defaults made it to master independently (91e477b). Attaching rebased patch.
> 
> Note that to continue development on f17, you will need to use the dogtag-devel
> repo:
>   sudo yum-config-manager --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
> 
> 
> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
> [...]
>>
>> For convenience, I've also pushed the changes to a personal repository.
>> To fetch to branch "pviktori-dogtag-10" you can do:
>>
>>      git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10
>>
> 

I went through all the patches again and found one more issue with the schema
check. As it binds to Directory Server anonymously when retrieving the schema
and tests if the "ipaObject" objectclass is present, it can fail and crash when
anonymous binds are not allowed for the Dogtag DS instance. This is what I get
when I disabled anonymous binds and ran ipa-replica-install --setup-ca (a
script to turn anonymous binds off is attached):

[root@vm-104 ~]# ipa-replica-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
Directory Manager (existing master) password:

Run connection check to master
[...]
Connection from master to replica is OK.

Connection check OK

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

LDAP error: INAPPROPRIATE_AUTH
Anonymous access is not allowed

If possible, it would be good to authenticate first. This should be doable; we
have a Directory Manager password available, after all. Some schema retrieval
code that we already have in IPA can be found in the SchemaCache class in ldap2.py.

We may also want to have some flag similar to --skip-conncheck which would
allow an admin with an issue like this one to skip the check when he is certain
that he copied the schema files.

Adding Ade to check that this scenario is actually sane and Dogtag is supposed
to work with anonymous access disabled for its DS instance.


When reading the patches, I also saw a few places with the magic constant "7389"
(your "Fix schema replication from old masters" patch and Ade's patch). I
wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?

Martin

Attachment: ldap-non-anonymous.sh
Description: application/shellscript
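
An added example, not part of the original message, the attached script or the FreeIPA patches: one way a schema check could bind as Directory Manager before reading the schema and offer a skip flag, as the message suggests. The function names, the `skip_check` parameter, the `FakeDS` test double, the local `InappropriateAuth` exception, the `cn=schema` base and the placeholder OIDs are assumptions for illustration; `simple_bind_s` and `search_s` mirror python-ldap's method names so a real connection object could be passed in.

```python
import re

SCOPE_BASE = 0  # same value as python-ldap's ldap.SCOPE_BASE
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


class InappropriateAuth(Exception):
    """Local stand-in for python-ldap's ldap.INAPPROPRIATE_AUTH."""


def objectclass_names(definition):
    """Return the lower-cased NAMEs from one RFC 4512 objectClasses value."""
    m = NAME_RE.search(definition)
    if not m:
        return set()
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    return {n.lower() for n in names}


def schema_has_objectclass(conn, bind_dn, password, wanted, skip_check=False):
    """Bind, then search cn=schema for `wanted`; None means the check was skipped."""
    if skip_check:
        return None
    conn.simple_bind_s(bind_dn, password)  # authenticate before reading schema
    result = conn.search_s("cn=schema", SCOPE_BASE, "(objectClass=*)", ["objectClasses"])
    for _dn, attrs in result:
        for value in attrs.get("objectClasses", []):
            if wanted.lower() in objectclass_names(value.decode("utf-8")):
                return True
    return False


class FakeDS:
    """Constructed test double: a DS instance with anonymous access disabled."""
    SCHEMA = [  # constructed sample values with placeholder OIDs
        b"( 1.3.6.1.4.1.99999.1 NAME 'ipaObject' DESC 'sample' AUXILIARY MUST ipaUniqueId )",
        b"( 1.3.6.1.4.1.99999.2 NAME ( 'sampleClass' 'sampleAlias' ) SUP top STRUCTURAL )",
    ]

    def __init__(self, password):
        self._password, self._bound = password, False

    def simple_bind_s(self, who="", cred=""):
        self._bound = bool(who) and cred == self._password

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        if not self._bound:
            raise InappropriateAuth("Anonymous access is not allowed")
        return [(base, {"objectClasses": self.SCHEMA})]
```

Returning `None` for a skipped check keeps "not verified" distinct from "schema missing", so the installer can log that the admin bypassed it.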
