On 11/21/2012 01:29 PM, Petr Viktorin wrote:
> On 11/19/2012 05:35 PM, Martin Kosek wrote:
>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>> defaults made it to master independently (91e477b). Attaching rebased patch.
>>> Note that to continue development on f17, you will need to use the
>>> sudo yum-config-manager
>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>>> For convenience, I've also pushed the changes to a personal repository.
>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>> git fetch -f git://github.com/encukou/freeipa.git
>> I went through all the patches again, I found one more issue with the schema
>> check. As it binds to Directory Server anonymously when retrieving the schema
>> and tests if the "ipaObject" objectclass is present, it can fail and crash when
>> anonymous binds are not allowed for the Dogtag DS instance. This is what I
>> when I disabled anonymous binds and ran ipa-replica-install --setup-ca (a
>> script to turn anonymous binds off attached):
>> [root@vm-104 ~]# ipa-replica-install
>> replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
>> Directory Manager (existing master) password:
>> Run connection check to master
>> Connection from master to replica is OK.
>> Connection check OK
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> LDAP error: INAPPROPRIATE_AUTH
>> Anonymous access is not allowed
>> If possible, it would be good to authenticate first. This should be doable, we
>> have a Directory Manager password available, after all. Some schema retrieval
>> code that we already have in IPA can be found in SchemaCache class in
> Good point. Attaching updated patch.
>> We may also want to have some flag similar to --skip-conncheck which would
>> allow an admin with an issue like this one to skip the check when he is certain
>> he copied the schema files.
> I named it --skip-schema-check.
>> Adding Ade to check that this scenario is actually sane and Dogtag is
>> to work with anonymous access disabled for its DS instance.
>> When reading the patches, I also saw few places with magic constant "7389"
>> (your "Fix schema replication from old masters" patch and Ade's patch). I
>> wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?
> Fixed in this patch, I'll look at the other one soon.
> For anyone who wants to test: I keep my Github branch updated. Re-running the
> fetch command will overwrite your branch with the latest changes.
> When the current issues are solved I'll repost all patches again in a single
This works fine. I just think that it may be useful to print some info like
'Schema check failed, you can use --skip-schema-check to....' in case when the
following lines throw an exception:
+ connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
+ connection.simple_bind_s(DN(('cn', 'Directory Manager')),
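Review bot: nothing around these two lines catches the connect or bind failing, so a Dogtag DS that is down or has anonymous binds disabled surfaces as a bare "Can't contact LDAP server" or INAPPROPRIATE_AUTH with no hint of which step failed; wrap the IPASimpleLDAPObject(...) and simple_bind_s(...) calls in a try/except for the LDAP error class and re-raise with a message that names the schema check and points at --skip-schema-check for admins who are certain the schema files were copied. Also note that simple_bind_s sends the Directory Manager password in the clear unless ca_ldap_url is a TLS-protected (ldaps/STARTTLS) or local endpoint, so the URL built for the CA DS should be one of those.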
This is an output I received when dirsrv@PKI-IPA on my IPA 2.2 master was down,
the error was not very descriptive:
# ipa-ca-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
Connection from master to replica is OK.
Connection check OK
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server
print the info
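A worked version of the check discussed in this thread, added here as an illustration and not the patch under review or FreeIPA's own ldap2/SchemaCache code: it binds as Directory Manager instead of anonymously, parses the objectClasses attribute of cn=schema for "ipaObject", turns the LDAP failures seen above (anonymous access refused, dirsrv@PKI-IPA down, bad password) into a message that names the schema check and points at --skip-schema-check, and honours a skip flag. It talks to python-ldap's interface (simple_bind_s, search_s, the ldap.* exception classes); when python-ldap is not installed it falls back to stand-in exception classes so the offline demo still runs. FakeDogtagDS, the objectClass definitions (with a made-up OID) and the function names are my constructions, not anything from the project.

```python
"""Authenticated Dogtag DS schema check with a --skip-schema-check escape hatch.

Illustration for the freeipa-devel thread above; not FreeIPA's ldap2/SchemaCache code.
"""
import re

try:
    import ldap  # python-ldap, the library FreeIPA's ldap2 wraps
except ImportError:  # stand-ins so the offline demo runs without python-ldap installed
    class _LDAPError(Exception):
        pass

    class ldap:  # mimics the handful of python-ldap names used below
        LDAPError = _LDAPError
        class INAPPROPRIATE_AUTH(_LDAPError): pass
        class INVALID_CREDENTIALS(_LDAPError): pass
        class SERVER_DOWN(_LDAPError): pass
        SCOPE_BASE = 0

DIRECTORY_MANAGER = "cn=Directory Manager"  # bind as this instead of anonymously
SKIP_HINT = ("you can use --skip-schema-check to skip this check if you are certain "
             "the schema files were copied")

# NAME 'foo'  or  NAME ( 'foo' 'bar' )  in an RFC 4512 objectClass definition
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(((?:\s*'[^']*')+)\s*\))")


def objectclass_names(definition):
    """NAMEs of one objectClass definition, lowercased (LDAP names are case-insensitive)."""
    m = _NAME_RE.search(definition)
    if m is None:
        return []
    if m.group(1) is not None:
        return [m.group(1).lower()]
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(2))]


def fetch_objectclasses(conn, bind_dn, password):
    """Bind first, then read objectClasses from the subschema entry (bytes -> str)."""
    conn.simple_bind_s(bind_dn, password)
    entries = conn.search_s("cn=schema", ldap.SCOPE_BASE, "(objectClass=*)", ["objectClasses"])
    if not entries:
        return []
    _dn, attrs = entries[0]
    return [v.decode("utf-8") if isinstance(v, bytes) else v for v in attrs.get("objectClasses", [])]


def _describe(exc):
    """python-ldap raises with a dict like {'desc': ..., 'info': ...}; render it readably."""
    info = exc.args[0] if exc.args else None
    if isinstance(info, dict):
        return ": ".join(str(info[k]) for k in ("desc", "info") if info.get(k))
    return str(exc) or exc.__class__.__name__


class SchemaCheckError(Exception):
    pass


def check_schema(conn, password, bind_dn=DIRECTORY_MANAGER, required="ipaObject", skip=False):
    """Return 'ok' or 'skipped'; raise SchemaCheckError with an actionable message otherwise."""
    if skip:
        return "skipped"
    try:
        definitions = fetch_objectclasses(conn, bind_dn, password)
    except ldap.LDAPError as exc:  # INAPPROPRIATE_AUTH, SERVER_DOWN, INVALID_CREDENTIALS, ...
        raise SchemaCheckError("Schema check failed: %s. %s" % (_describe(exc), SKIP_HINT))
    if not any(required.lower() in objectclass_names(d) for d in definitions):
        raise SchemaCheckError("Schema check failed: objectclass %s not found in the CA DS "
                               "schema. %s" % (required, SKIP_HINT))
    return "ok"


def schema_check_result(conn, password, **kwargs):
    """check_schema, but returns the failure message instead of raising."""
    try:
        return check_schema(conn, password, **kwargs)
    except SchemaCheckError as exc:
        return str(exc)


# --- constructed stand-in for a Dogtag DS instance (made-up OID, not a real server) ---
IPA_OBJECT_DEF = ("( 1.3.6.1.4.1.99999.1.1 NAME 'ipaObject' DESC 'IPA objectclass' "
                  "AUXILIARY MUST ( ipaUniqueID ) X-ORIGIN 'IPA v2' )")
TOP_DEF = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 4512' )"


class FakeDogtagDS:
    def __init__(self, objectclasses, password="Secret123", anonymous_allowed=True, up=True):
        self.objectclasses, self.password = objectclasses, password
        self.anonymous_allowed, self.up = anonymous_allowed, up

    def simple_bind_s(self, dn, password):
        if not self.up:
            raise ldap.SERVER_DOWN({"desc": "Can't contact LDAP server"})
        if not dn:  # anonymous bind
            if not self.anonymous_allowed:
                raise ldap.INAPPROPRIATE_AUTH({"desc": "Inappropriate authentication",
                                               "info": "Anonymous access is not allowed"})
            return
        if password != self.password:
            raise ldap.INVALID_CREDENTIALS({"desc": "Invalid credentials"})

    def search_s(self, base, scope, filterstr, attrlist):
        return [("cn=schema", {"objectClasses": [d.encode("utf-8") for d in self.objectclasses]})]


if __name__ == "__main__":
    locked = FakeDogtagDS([TOP_DEF, IPA_OBJECT_DEF], anonymous_allowed=False)
    print(check_schema(locked, "Secret123"))             # authenticated as Directory Manager
    print(schema_check_result(locked, "", bind_dn=""))   # the anonymous bind from the thread
    print(schema_check_result(FakeDogtagDS([TOP_DEF], up=False), "Secret123"))  # dirsrv down
```

The anonymous and "server down" runs print the raw LDAP text from the thread ("Anonymous access is not allowed", "Can't contact LDAP server") followed by the --skip-schema-check hint, which is the wording change requested above; the skip flag short-circuits before any connection is made, so it also works when the CA DS is unreachable.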
Freeipa-devel mailing list