URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
@simo5, I can confirm that the ldapi error occurs every other install. I can 
also confirm that it does not occur during the initial server install on a 
clean machine, so I agree it can be fixed later.

* CA-less install is still broken. To reproduce the bug, make sure to delete 
all certificates from `/etc/httpd/alias` before running the install, otherwise 
[ticket 4639](https://fedorahosted.org/freeipa/ticket/4639) will hide the bug. 
I use:
  certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | 
xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"

* Replica install fails when `/var/lib/ipa/radb` does not exist prior to 
running the install:
    [28/45]: retrieving DS Certificate
    [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

* `/var/lib/ipa/radb` should be removed on uninstall.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to