> On Jul 6, 2015, at 11:35 AM, Christian Heimes <chei...@redhat.com> wrote:
> Hello,
> I'd like to ask for your opinion regarding the pre-exec hook
> 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
> cases like LDAP connection timeout more gracefully. At the moment any
> error causes the script to return a non-zero exit code. This breaks the
> service and apparently also offline RPM upgrades.
> How should I handle error cases? I can change httpd.service to simply
> ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
> invalid state. I could modify the script to catch connection errors and
> to disable kdcproxy in case of an error.
> The options are:
> 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
> 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
> connection error
> 3) 1 + 2
> What do you think?

If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2.

However, ipa-httpd-kdcproxy should leave error codes to real catastrophic 
failures and httpd.service should be aware of these. So not #1.
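
The policy discussed in this thread (option 2 without option 1), sketched as an added example that is not the FreeIPA project's code or part of either message: a directory error disables the proxy and still exits 0, while a failure to bring the config file into a known state exits non-zero. `DirectoryUnavailable`, `run_hook`, the `lookup_enabled` callable and the file names are hypothetical stand-ins, and modelling the config as a symlink is an assumption.

```python
import os
import tempfile

class DirectoryUnavailable(Exception):
    """Hypothetical error: LDAP could not be reached or timed out."""

def disable_proxy(conf_path):
    try:
        os.unlink(conf_path)
    except FileNotFoundError:
        pass  # already disabled

def enable_proxy(conf_path, template_path):
    tmp = conf_path + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(template_path, tmp)
    os.replace(tmp, conf_path)  # atomic swap, never a half-written config

def run_hook(lookup_enabled, conf_path, template_path):
    """Return the exit code the pre-exec hook should report."""
    try:
        enabled = lookup_enabled()
    except DirectoryUnavailable:
        enabled = False  # state unknown: fail closed, as in option 2
    try:
        if enabled:
            enable_proxy(conf_path, template_path)
        else:
            disable_proxy(conf_path)
    except OSError:
        return 1  # config cannot be put in a known state: real failure
    return 0

def demo():
    """Run constructed cases in a temp dir; returns {case: (exit_code, conf_present)}."""
    def ldap_down():
        raise DirectoryUnavailable("constructed timeout")
    out = {}
    with tempfile.TemporaryDirectory() as d:
        template = os.path.join(d, "kdcproxy.conf.template")  # constructed names
        conf = os.path.join(d, "kdcproxy.conf")
        open(template, "w").close()
        cases = [("enabled", lambda: True), ("ldap_down", ldap_down), ("disabled", lambda: False)]
        for name, lookup in cases:
            out[name] = (run_hook(lookup, conf, template), os.path.lexists(conf))
        bad = os.path.join(d, "missing-dir", "kdcproxy.conf")
        out["unwritable"] = (run_hook(lambda: True, bad, template), os.path.lexists(bad))
    return out

if __name__ == "__main__":
    print(demo())
```

The `ldap_down` case runs after `enabled`, so it shows a previously enabled config being removed while the hook still reports success to the service manager.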


