On 10/05/2015 05:00 PM, Timo Aaltonen wrote:

   I'm not sure if the goal is to be able to build IPA on Debian from
git/tarballs, but here's a list of what would need to be fixed first to
get there:

- places where usernames have been hardcoded need something like
   apache -> www-data in:
   * ipaserver/install/httpinstance.py
   * ipaserver/install/ipa_server_certinstall.py
   * ipaserver/install/cainstance.py
   * ipaserver/install/certs.py
this can be extracted to ipaplatform/base/constants.py

   named -> bind in:
   * ipaserver/install/bindinstance.py
This is quite tricky;
for named_user the right location is ipaplatform/base/constants.py

For the service, you can look in ipaplatform/redhat/services.py; there is already a mapping of named to named.pkcs11. We can do something similar in the Debian platform specification: debian_system_units['named'] = 'bind.service'. However, if you want to replace named with bind completely, it requires many more changes.

- config/service files that use hardcoded paths in them need to be moved
to a template, and use paths.py macros:
   * install/conf/ipa.conf
   * init/systemd/ipa_memcached.service

- same but with hardcoded usernames
   * init/ipa_memcached.conf
A discussion with other developers is needed on how to resolve these files.

- ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
because libapache2-mod-nss doesn't enable it on install (can't remember
why, but there was a good reason..)
We did installer changes, Honza may know if this is possible.

- various places using Fedora-specific libpaths (/usr/lib vs.
/usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
I might be wrong, but I found different issues:
   * ipaserver/install/ldapupdate.py
This affects update files, and the same issue applies to ldif files.
We can replace the path '/var/lib(64)' with a substitution variable in those files, and create a platform-specific method to determine the correct path, or just substitute it with a value from ipaplatform/base/paths
   * ipapython/certmonger.py
   * ipaserver/install/certs.py
   * ipaserver/install/ipa_backup.py
   * ipaserver/install/ipa_restore.py
Here for libpath we can use ipaplatform task.py or path.py if it is enough
The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths

- ntp daemon defaults use a different variable name (OPTIONS vs
NTPD_OPTS), and quotes (" vs. ')
   * ipaserver/install/ntpinstance.py
IMO here also default pools should be excluded to constants as a list of ntp servers per platform.
OPTIONS can be excluded to ipaplatform/constants.py
Probably the " or ' issue can be handled in the same way

- "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
'conf.d' on Fedora and then conf-enabled on Debian

- install/share/bind.named.conf.template needs to drop the default zone
on Debian, since that's already configured via includes (-> bind fails
to start), so a template file with an exception for Debian would fix it
The solution here can be augeas, but I'm not sure if we will be able to move to augeas soon enough.
This is the same issue as with ipa.conf

- Makefile needs to use --install-layout=deb for setup.py

- ipa-client/ipa-install/ipa-client-automount needs to check for
variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
Leaving this for others.

There.. that should be all I think :) Oh, forgot that currently dnssec
needs to be disabled by some heavy patching, because 9.10.x isn't
packaged yet..
I'm willing to send a patch to disable DNSSEC installation if you want.
Is there a chance to get 9.10.x with pkcs11 support?
Can you please open a ticket?

Thank you for this investigation
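
The constants-plus-templates approach discussed in this message, as an added sketch that is not FreeIPA code and not part of the original e-mail. The dictionary layout, function names and template fragments are hypothetical; only the values (apache/www-data, named/bind, conf.d/conf-enabled, OPTIONS/NTPD_OPTS and their quote styles, bind.service) come from the thread.

```python
from string import Template

# Hypothetical constants layer; the values are the ones named in the thread.
BASE = {
    "HTTPD_USER": "apache",
    "NAMED_USER": "named",
    "HTTPD_CONF_D": "conf.d",
    "NTPD_OPTS_VAR": "OPTIONS",
    "NTPD_OPTS_QUOTE": '"',
}
DEBIAN = dict(
    BASE,
    HTTPD_USER="www-data",
    NAMED_USER="bind",
    HTTPD_CONF_D="conf-enabled",
    NTPD_OPTS_VAR="NTPD_OPTS",
    NTPD_OPTS_QUOTE="'",
)
PLATFORMS = {"base": BASE, "debian": DEBIAN}

# Logical service name -> systemd unit; the Debian entry is the mapping
# proposed in the message. Unlisted services fall back to "<name>.service".
SYSTEM_UNITS = {"debian": {"named": "bind.service"}}

# Constructed template fragments standing in for the real config files.
HTTPD_INCLUDE = Template("Include ${HTTPD_CONF_D}/ipa-rewrite.conf\n")
NTP_DEFAULTS = Template(
    "${NTPD_OPTS_VAR}=${NTPD_OPTS_QUOTE}${opts}${NTPD_OPTS_QUOTE}\n"
)


def unit_name(platform, service):
    """Resolve a logical service name to the platform's systemd unit."""
    return SYSTEM_UNITS.get(platform, {}).get(service, service + ".service")


def render(template, platform, **extra):
    """Fill a template from one platform's constants.

    substitute() raises KeyError on an undefined name, so a constant missing
    from a platform fails the install instead of leaving "$NAME" in a config.
    """
    values = dict(PLATFORMS[platform], **extra)
    return template.substitute(values)


if __name__ == "__main__":
    for plat in PLATFORMS:
        print(plat, unit_name(plat, "named"),
              render(NTP_DEFAULTS, plat, opts="-g"), end="")
```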
