On 24.11.2015 08:37, Fraser Tweedale wrote:
On Mon, Nov 23, 2015 at 10:05:32AM +0100, Jan Cholasta wrote:
On 23.11.2015 06:54, Fraser Tweedale wrote:
Hi all,

The attached patches fix #5459[1]: Default CA ACL rule is not
created during ipa-replica-install.

These patches apply on branch ipa-4-2.  There is a (trivial)
conflict in imports when applying to master.

When a patch does not apply cleanly on all the target branches, you should
attach a rebased patch as well.

I strongly recommend review / testing of these patches with patches
0042-0043[2] due to the prevalence of the other issue.

[1] https://fedorahosted.org/freeipa/ticket/5459
[2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html

Patch 0044: ACK

Patch 0045:

1) The check in caacl_del could be better, please take a look at how the
admins group is handled in ipalib/plugins/group.py for an example. You
should at least raise ProtectedEntryError rather than ValidationError.

2) _add_default_caacl() should be located in

3) Rather than calling the cainstance functions in replicainstall.install(),
they should be called from CAInstance.configure_instance() to make them
effective in ipa-ca-install and replica promotion as well.


Updated patches for ipa-4-2 and master branches attached.

The new patch 0045 is somewhat more intrusive; I have tested server
install, replica install (with CA) from 3.0 and 4.2 master and
ipa-ca-install with replica file from 3.0 master... but more testing
would be no bad thing!

Works for me, ACK.

Pushed to:
master: 620036d26e98fdcefff00168e9e5463a8257d49c
ipa-4-2: a2371f38e4fb027aeacaf0ab6f2b35ae49fa41ea

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to