On 11/03/15 13:00, Martin Babinsky wrote:
> These patches solve https://fedorahosted.org/freeipa/ticket/4933.
> 
> They are to be applied to the master branch. I will rebase them for ipa-4-1 after the review.

Thank you for the patches.

I have a few comments:

Replacing simple bind with LDAPI is too big a change for 4-1; we should start TLS if possible to avoid the MINSSF>0 error. The LDAPI patches should go only into the IPA master branch.

You can do something like this:
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -107,6 +107,10 @@ class Service(object):
                 if not self.realm:
raise errors.NotFound(reason="realm is missing for %s" % (self))
                 conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+            elif self.dm_password is not None:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389,
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=True)
                 conn = ipaldap.IPAdmin(self.fqdn, port=389)
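Review bot: as quoted, the new `elif self.dm_password is not None:` branch is followed directly by the unchanged `conn = ipaldap.IPAdmin(self.fqdn, port=389)` with no `else:` between them, so either the `else:` context line was lost in quoting or the plain connection silently overwrites the STARTTLS one; please make sure the final hunk keeps the plain port-389 connection in an `else:` branch that is reached only when no Directory Manager password is going to be sent, since that plain path still has SSF 0 and is exactly what the MINSSF>0 error complains about. Also confirm that `paths` is already imported in ipaserver/install/service.py and that `paths.IPA_CA_CRT` exists at the point this runs during installation, otherwise `start_tls=True` has nothing to verify the server certificate against.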

PATCH 0018:
please add a more chatty commit message there about using LDAPI

I do not much like the idea of adding a 'realm' kwarg to the __init__ method of OpenDNSSECInstance.
IIUC, it is because of the get_masters() method, which requires the realm to use LDAPI.

You can just add ods.realm=<realm> before the call to get_masters() in ipa-dns-install:
    if options.dnssec_master:
+        ods.realm=api.env.realm
        dnssec_masters = ods.get_masters()
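Review bot: `ods.realm=api.env.realm` should be written `ods.realm = api.env.realm` to match the spacing of the surrounding code. Setting the attribute from the caller also means every other caller of `get_masters()` has to remember to do the same before the LDAPI lookup, or it hits the "realm is missing" NotFound raised in service.py; a one-line comment at the assignment saying the LDAPI connection needs the realm would help the next reader, until the refactoring mentioned below removes the need.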
(Honza will change it anyway during refactoring)

PATCH 0019:
The commit message deserves to be more chatty; can you explain there why you removed the Kerberos cache?


Martin Basti
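The "start TLS before a simple bind" point from the review, as an added example that is not FreeIPA's code and not part of this thread: the helper names, the `/var/run/slapd-<REALM>.socket` layout, the `/etc/ipa/ca.crt` path and the use of python-ldap are all assumptions made here as stand-ins for `ipaldap.IPAdmin`. It encodes the policy the review describes (LDAPI when the realm is known, STARTTLS with the CA certificate when a Directory Manager password has to be sent, plain port 389 only when no password is involved) and refuses outright to send a password over an unprotected socket.

```python
"""Pick an LDAP transport so a Directory Manager password bind is never sent in
the clear. Added example for the freeipa-devel thread above, not FreeIPA code:
every helper, path and default below is a hypothetical stand-in for ipaldap.IPAdmin.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed defaults (the review's hunk refers to paths.IPA_CA_CRT).
IPA_CA_CRT = "/etc/ipa/ca.crt"
DIRMAN_DN = "cn=Directory Manager"


class InsecureBindError(Exception):
    """A password bind was requested over a connection with no transport security."""


@dataclass(frozen=True)
class LdapTarget:
    uri: str                 # ldapi://... or ldap://host:389
    start_tls: bool          # issue STARTTLS before binding
    cacert: Optional[str]    # CA bundle used to verify the server certificate
    bind_dn: Optional[str]   # None means SASL (EXTERNAL on LDAPI, GSSAPI on TCP)
    bind_pw: Optional[str]


def ldapi_uri(realm: str) -> str:
    """LDAPI socket of a 389-ds instance named after the realm (assumed layout)."""
    instance = realm.replace(".", "-")
    path = "/var/run/slapd-%s.socket" % instance
    return "ldapi://" + path.replace("/", "%2f")   # slashes are URL-encoded in ldapi URIs


def plan_connection(fqdn: str, realm: Optional[str] = None, ldapi: bool = False,
                    dm_password: Optional[str] = None) -> LdapTarget:
    """Choose the transport the way the review suggests.

    389-ds with nsslapd-minssf > 0 rejects operations on a connection whose
    security strength factor is 0, which is what a bare ldap:// socket has.
    LDAPI (local unix socket) and TLS both satisfy the minimum, so:
      - LDAPI when a realm is known (root binds with SASL EXTERNAL, no password);
      - STARTTLS before a simple bind when a DM password must be sent;
      - plain 389 only when no password is involved (GSSAPI brings its own layer).
    """
    if ldapi:
        if not realm:
            raise ValueError("realm is missing, cannot derive the LDAPI socket")
        return LdapTarget(ldapi_uri(realm), False, None, None, None)
    uri = "ldap://%s:389" % fqdn
    if dm_password is not None:
        return LdapTarget(uri, True, IPA_CA_CRT, DIRMAN_DN, dm_password)
    return LdapTarget(uri, False, None, None, None)


def check_bind_safety(target: LdapTarget) -> None:
    """Refuse to send a password unless the transport protects it."""
    protected = (target.uri.startswith("ldapi://")
                 or target.uri.startswith("ldaps://")
                 or target.start_tls)
    if target.bind_pw is not None and not protected:
        raise InsecureBindError("simple bind over %s without TLS" % target.uri)
    if target.start_tls and not target.cacert:
        raise InsecureBindError("STARTTLS without a CA certificate cannot verify the server")


def connect(target: LdapTarget):
    """Open and bind with python-ldap (imported lazily so the planner stays testable offline)."""
    import ldap
    import ldap.sasl

    check_bind_safety(target)
    conn = ldap.initialize(target.uri)
    if target.start_tls:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, target.cacert)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)   # apply the options above to a fresh TLS context
        conn.start_tls_s()                          # handshake happens before any credential is sent
    if target.bind_dn is not None:
        conn.simple_bind_s(target.bind_dn, target.bind_pw)
    elif target.uri.startswith("ldapi://"):
        conn.sasl_interactive_bind_s("", ldap.sasl.external())
    else:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn
```

`check_bind_safety` is deliberately separate from `connect` so the "no password over plain 389" rule can be unit-tested without a directory server, and `OPT_X_TLS_REQUIRE_CERT=DEMAND` makes STARTTLS fail closed when the server certificate does not chain to the CA file, which is the behaviour you want from an installer that is about to send the Directory Manager password.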
