On 11/22/2012 05:01 AM, Martin Kosek wrote:
> On 11/21/2012 01:29 PM, Petr Viktorin wrote:
>> On 11/19/2012 05:35 PM, Martin Kosek wrote:
>>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>>> defaults made it to master independently (91e477b). Attaching rebased
>>>> patch.
>>>>
>>>> Note that to continue development on f17, you will need to use the
>>>> dogtag-devel repo:
>>>> sudo yum-config-manager
>>>> --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
>>>>
>>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>>> [...]
>>>>> For convenience, I've also pushed the changes to a personal repository.
>>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>>>
>>>>> git fetch -f git://github.com/encukou/freeipa.git
>>>>> dogtag-10:pviktori-dogtag-10
>>>>>
>>> I went through all the patches again, I found one more issue with the schema
>>> check. As it binds to Directory Server anonymously when retrieving the schema
>>> and tests if "ipaObject" objectclass is present, it can fail and crash when
>>> anonymous binds are not allowed for the Dogtag DS instance. This is what I get
>>> when I disabled anonymous binds and run ipa-replica-install --setup-ca (a
>>> script to turn anonymous binds off attached):
>>>
>>> [root@vm-104 ~]# ipa-replica-install
>>> replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
>>> Directory Manager (existing master) password:
>>>
>>> Run connection check to master
>>> [...]
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> LDAP error: INAPPROPRIATE_AUTH
>>> Anonymous access is not allowed
>>>
>>> If possible, it would be good to authenticate first. This should be doable, we
>>> have a Directory Manager password available, after all. Some schema retrieval
>>> code that we already have in IPA can be found in SchemaCache class in ldap2.py.
>> Good point. Attaching updated patch.
>>
>>> We may also want to have some flag similar to --skip-conncheck which would
>>> allow an admin with an issue like this one to skip the check when he is certain
>>> that he copied the schema files.
>> I named it --skip-schema-check.

If we have any new command line switches we need a wiki page for this feature. The thread here also suggests that it is really worth capturing and not only for this. So please create a wiki. Later it will be possible to use it in preparation for the test days. Also please link the wiki to the ticket.

>>> Adding Ade to check that this scenario is actually sane and Dogtag is supposed
>>> to work with anonymous access disabled for its DS instance.
>>>
>>> When reading the patches, I also saw a few places with magic constant "7389"
>>> (your "Fix schema replication from old masters" patch and Ade's patch). I
>>> wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?
>> Fixed in this patch, I'll look at the other one soon.
>>
>> For anyone who wants to test: I keep my Github branch updated. Re-running the
>> fetch command will overwrite your branch with the latest changes.
>> When the current issues are solved I'll repost all patches again in a single
>> mail.
>>
> This works fine. I just think that it may be useful to print some info like
> 'Schema check failed, you can use --skip-schema-check to....' in case the
> following lines throw an exception:
>
> + connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
> + connection.start_tls_s()
> + connection.simple_bind_s(DN(('cn', 'Directory Manager')),
> + config.dirman_password)
>
> This is an output I received when dirsrv@PKI-IPA on my IPA 2.2 master was down,
> the error was not very descriptive:
>
> # ipa-ca-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg
> Directory Manager (existing master) password:
> ...
> Connection from master to replica is OK.
>
> Connection check OK
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Can't contact LDAP server
> #
>
> Something like:
>
> try:
>     connection stuff...
> except Exception:
>     print the info
>     raise
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
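An added example, not code from this thread or from FreeIPA, of the schema-check shape Martin describes: an authenticated Directory Manager bind instead of an anonymous one, the ipaObject objectclass test, and a hint about --skip-schema-check that is printed before the error is re-raised. The python-ldap calls and the cn=schema lookup are assumptions modelled on the SchemaCache approach mentioned above; the connect and read_names parameters are hypothetical hooks so the check can be exercised without a live Directory Server.

```python
# Added example (not FreeIPA's code). Real binds use python-ldap (assumed API);
# connect/read_names are hypothetical hooks so the check can run offline.
SKIP_HINT = ("Schema check failed. If you are certain the schema files were "
             "copied to the CA Directory Server, re-run with --skip-schema-check.")


class SchemaCheckError(Exception):
    """Raised when the CA DS schema cannot be read or lacks ipaObject."""


def connect_dirman(ca_ldap_url, dirman_password):
    """Bind as Directory Manager over STARTTLS rather than anonymously, so the
    check also works when anonymous binds are disabled on the Dogtag DS."""
    import ldap  # imported lazily so the check logic is usable without it
    conn = ldap.initialize(ca_ldap_url)
    conn.start_tls_s()
    conn.simple_bind_s("cn=Directory Manager", dirman_password)
    return conn


def read_objectclass_names(conn):
    """Read cn=schema and return lower-cased objectclass names (modelled on
    the SchemaCache approach the thread mentions; assumed python-ldap API)."""
    import ldap
    import ldap.schema
    _dn, attrs = conn.search_s("cn=schema", ldap.SCOPE_BASE,
                               attrlist=["objectclasses"])[0]
    subschema = ldap.schema.SubSchema(attrs)
    names = set()
    for oid in subschema.listall(ldap.schema.ObjectClass):
        obj = subschema.get_obj(ldap.schema.ObjectClass, oid)
        names.update(n.lower() for n in obj.names)
    return names


def check_ca_schema(ca_ldap_url, dirman_password, skip_schema_check=False,
                    connect=connect_dirman, read_names=read_objectclass_names):
    """Return 'skipped' or 'ok'; raise SchemaCheckError carrying the hint."""
    if skip_schema_check:
        return "skipped"
    try:
        names = read_names(connect(ca_ldap_url, dirman_password))
    except Exception as err:  # DS down, INAPPROPRIATE_AUTH, TLS failure, ...
        print(SKIP_HINT)  # the actionable message Martin asked for
        raise SchemaCheckError("%s (%s: %s)" % (SKIP_HINT, ca_ldap_url, err)) from err
    if "ipaobject" not in names:
        raise SchemaCheckError("ipaObject objectclass missing from %s. %s"
                               % (ca_ldap_url, SKIP_HINT))
    return "ok"
```

The installer would pass the --skip-schema-check option through as skip_schema_check; the two hooks exist only so the logic can be tested with a fake connection.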