On 03/14/2014 10:29 AM, Alexander Bokovoy wrote:
On Thu, 13 Mar 2014, Martin Kosek wrote:
On 03/13/2014 03:15 PM, Martin Kosek wrote:
On 03/13/2014 09:09 AM, Martin Kosek wrote:
When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and miss several ACLs
which prevent some of the PKI functions, e.g. an ability to create
other clones.

Add an update file to do the database update. Content is based on
recommendation from PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade
   * https://fedorahosted.org/pki/ticket/906 (checking database


I found few issues with the patch:
- New update file was not added to Makefile.am
- PKI was not restarted after LDAP updates so it did not pick up the
ACLs and
replica installation will crash anyway. Now the PKI is always
restarted at the
end of server/replica installation.


FYI - I was just confirmed that this patch finally fixed the issue
even in
automatized environment (beaker).


With this patch in place, can we release 3.3.6 and update FreeIPA in
Fedora 19 and Fedora 20? There are already reports on IRC from people
trying to migrate via replica from CentOS to Fedora.

I have started testing this on RHEL 6.4 (master) → f20 git master with this patch (replica), but ran into https://fedorahosted.org/pki/ticket/816. I don't think we should release until that is fixed.


Freeipa-devel mailing list

Reply via email to