Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-06-25 Thread Martin Kosek

On 06/21/2013 01:52 PM, Ana Krivokapic wrote:

On 06/12/2013 02:28 PM, Tomas Babej wrote:

...

2) I wonder if we can also remove the '--zone-notif' option from
ipa-server-install and ipa-dns-install. It is already deprecated so maybe this
is a good time to drop it altogether?


+1, this zone was already hidden and deprecated for a year now, so I think it 
is safe for it to be removed.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 0227-0229 freeipa-tests package Beaker integration plugin

2013-06-25 Thread Martin Kosek

On 06/24/2013 10:33 AM, Petr Viktorin wrote:

On 06/17/2013 09:10 PM, Dmitri Pal wrote:

On 06/17/2013 11:08 AM, Petr Viktorin wrote:

ipa-run-tests --with-beakerlib is horribly slow for me, is that
expected?


Yes. For every logged line, BeakerLib's default logging backend starts
up Python, parses an XML file, appends the line, and writes the XML out
again. So especially with longer runs it's really slow.


Is there any way to solve this problem?
For example send the output over the DBUS to a special service that
would have the python already loaded and would do the appending to the
files and writing the output.
Also there can be an optimization that it would not save the file up
until the change affects a different file.

The logic would be:

loop:
If do not have an open output file open one and keep it in memory
Read a request for update until receive a special message for
termination or a signal, then break out of the loop
If the request for update for the same file update the file
Else save currently open file and start a new one, add data to the
newly started file
end
close currently open file


I hope Beaker does something like you described. The slow part is only the XML
backend, which gets selected if you run BeakerLib without Beaker.
We could write (or find?) a faster logging backend but it's not really
necessary. Without Beaker the BeakerLib logging is not of much use anyway.



Right. In our upstream continuous integration testing, this option should be 
off - no logging performance issues for us.


Martin

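Dmitri's loop above, written out as an added Python example (it is not code from FreeIPA, Beaker or BeakerLib, and the file paths and rlLog lines are constructed): one output file stays open across requests and is closed only when a request targets a different file or the termination message arrives.

```python
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sentinel standing in for the "special message for termination".
TERMINATE: Tuple[str, Optional[str]] = ("__terminate__", None)


class LazyAppender:
    """Keeps the current output file open across requests.

    A file is opened only when a request names a different path than the one
    currently open, so consecutive lines for the same log cost one write each
    instead of an open/parse/rewrite cycle per line.
    """

    def __init__(self) -> None:
        self.current_path: Optional[str] = None
        self.current_fh = None
        self.opens = 0   # counters let the caller observe how often files were switched
        self.closes = 0

    def _switch_to(self, path: str) -> None:
        self.close()
        self.current_fh = open(path, "a", encoding="utf-8")
        self.current_path = path
        self.opens += 1

    def append(self, path: str, line: str) -> None:
        if self.current_fh is None or path != self.current_path:
            self._switch_to(path)
        self.current_fh.write(line + "\n")

    def close(self) -> None:
        if self.current_fh is not None:
            self.current_fh.close()
            self.current_fh = None
            self.current_path = None
            self.closes += 1


def process_requests(requests: Iterable[Tuple[str, Optional[str]]]) -> Tuple[int, int]:
    """The loop from the message: read requests until termination, then close.

    Returns (opens, closes) so the switching behaviour can be checked.
    """
    appender = LazyAppender()
    try:
        for path, line in requests:
            if (path, line) == TERMINATE:
                break
            appender.append(path, line)   # same file: plain append; other file: switch
    finally:
        appender.close()                  # "close currently open file" after the loop
    return appender.opens, appender.closes


def demo() -> Dict[str, object]:
    """Feed constructed sample requests into a temporary directory and return
    the resulting file contents plus the open/close counters."""
    with tempfile.TemporaryDirectory() as base_dir:
        a = os.path.join(base_dir, "a.log")
        b = os.path.join(base_dir, "b.log")
        requests: List[Tuple[str, Optional[str]]] = [
            (a, "rlLog line 1"), (a, "rlLog line 2"), (a, "rlLog line 3"),
            (b, "rlLog other file"),
            (a, "rlLog back to a"),
            TERMINATE,
            (a, "never written"),   # after termination, must be ignored
        ]
        opens, closes = process_requests(requests)
        result: Dict[str, object] = {"opens": opens, "closes": closes}
        for path in (a, b):
            with open(path, encoding="utf-8") as fh:
                result[os.path.basename(path)] = fh.read().splitlines()
        return result


if __name__ == "__main__":
    print(demo())
```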


Re: [Freeipa-devel] Bug?

2013-06-25 Thread Martin Kosek

On 06/24/2013 03:00 PM, Rob Crittenden wrote:

Dean Hunter wrote:

Is this a bug for which I should open a bug report?

# Configure the Network File Server

   yum install --assumeyes freeipa-admintools
Loaded plugins: langpacks, refresh-packagekit
Package freeipa-admintools-3.2.1-1.fc19.x86_64 already installed and
latest version
Nothing to do

   echo adminpassword | kinit admin
Password for ad...@hunter.org

   ipa service-add nfs/ipa19.hunter.org
---
Added service nfs/ipa19.hunter.org@HUNTER.ORG
---
   Principal: nfs/ipa19.hunter@hunter.org
   Managed by: ipa19.hunter.org

   ipa-getkeytab \
 --keytab /etc/krb5.keytab \
 --principal nfs/ipa19.hunter.org \
 --server ipa19.hunter.org
Failed to retrieve encryption type Camellia-128 CTS mode with CMAC (#25)
Failed to retrieve encryption type Camellia-256 CTS mode with CMAC (#26)

   kdestroy


Not really. Camellia was enabled by default in 1.11 (it was added back in 1.9,
but disabled by default). IPA does not currently enable the cipher on the KDC.

So this is the client requesting all enabled ciphers and the server not
returning the Camellia ciphers. It is just a warning.

At best this is an RFE to enable Camellia by default on the KDC.

rob


I filed an upstream ticket:

https://fedorahosted.org/freeipa/ticket/3749

Thanks Dean and Rob!
Martin



Re: [Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type

2013-06-25 Thread Martin Kosek

On 06/24/2013 04:22 PM, Petr Viktorin wrote:

On 06/20/2013 12:56 PM, Tomas Babej wrote:

On 06/17/2013 02:34 PM, Ana Krivokapic wrote:

On 06/06/2013 11:10 AM, Tomas Babej wrote:

Hi,

Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
'yes' : the 'ipa-ad-trust-posix' range type is enforced
'no' : the 'ipa-ad-trust' range type is enforced

When --use-posix option is not specified, the range type should be
determined by ID range discovery.

https://fedorahosted.org/freeipa/ticket/3650

Tomas




The patch works nicely, but I have a few comments:

1) You added a new option to the API, but you forgot to bump the
IPA_API_VERSION_MINOR in the VERSION file.

2) Typo in commit message: shold instead of should.

3) This construct:

+if range_type is not None:
+if range_type != old_range_type:

can be replaced with a more readable variant which also avoids nested ifs:

+if range_type and range_type != old_range_type:



All fixed.


4) Some unit tests to cover the behavior of the newly added option
would be nice.


This is not doable at the moment, we have no unit test framework to test
the trust-add command.


--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




Tomas


I don't know much about AD trusts, but a command-line/API option that takes a
'yes' or 'no' string raised a tiny warning flag for me.

It looks like it's possible that there can be other range types in the future
than posix and algorithmic? If that's the case, there should be a --range-type
option instead. (If not, I'd still go for --range-type but that would just be
bikeshedding.)

In any case I think an explicit 'auto' option would be nice.

But that's just an outsider's view, maybe --use-posix makes more sense.


AFAIK, for CLI changes there should be a design page; is this covered 
anywhere?


It should be covered in the parent RFE ticket:
https://fedorahosted.org/freeipa/ticket/2904

I see it is not there. This is still a task for Tomas or Alexander.

Martin



Re: [Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type

2013-06-25 Thread Jan Cholasta

On 24.6.2013 16:22, Petr Viktorin wrote:

I don't know much about AD trusts, but a command-line/API option that
takes a 'yes' or 'no' string raised a tiny warning flag for me.

It looks like it's possible that there can be other range types in the
future than posix and algorithmic? If that's the case, there should be a
--range-type option instead. (If not, I'd still go for --range-type but
that would just be bikeshedding.)

In any case I think an explicit 'auto' option would be nice.

But that's just an outsider's view, maybe --use-posix makes more sense.



+1

--
Jan Cholasta



[Freeipa-devel] [PATCH] 141 Fix CA-less check in ipa-replica-install and ipa-ca-install

2013-06-25 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3750.

Honza

--
Jan Cholasta
From f6fbd4a2ef1db3fa543f37e87c10722379e21108 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Jun 2013 08:31:56 +
Subject: [PATCH] Fix CA-less check in ipa-replica-install and ipa-ca-install.

https://fedorahosted.org/freeipa/ticket/3750
---
 install/tools/ipa-ca-install  | 2 +-
 install/tools/ipa-replica-install | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 060cc66..1fd59ec 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -160,7 +160,7 @@ def main():
 config.dir = dir
 config.setup_ca = True
 
-if ipautil.file_exists(config.dir + /dscert.p12):
+if not ipautil.file_exists(config.dir + /cacert.p12):
 print 'CA cannot be installed in CA-less setup.'
 sys.exit(1)
 
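Review bot: the new condition on the `if not ipautil.file_exists(config.dir + /cacert.p12)` line treats any replica file without cacert.p12 as a CA-less setup, so a damaged or incomplete replica file now gets the same 'CA cannot be installed in CA-less setup.' message as a genuine CA-less one; consider naming the missing file in the message, e.g. 'CA cannot be installed in CA-less setup (cacert.p12 not found in replica file).', so the operator can tell the two cases apart.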
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 5b3a88f..1ea0f92 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -513,7 +513,7 @@ def main():
 config.dir = dir
 config.setup_ca = options.setup_ca
 
-if config.setup_ca and ipautil.file_exists(config.dir + /dscert.p12):
+if config.setup_ca and not ipautil.file_exists(config.dir + /cacert.p12):
 print 'CA cannot be installed in CA-less setup.'
 sys.exit(1)
 
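Review bot: this is the same check as in ipa-ca-install with only the `config.setup_ca and` prefix added, so both tools now carry their own copy of the rule that cacert.p12 in the replica file is what distinguishes a CA-less replica; a shared helper in the install library that both scripts call would keep the two from drifting apart again, as they evidently did with dscert.p12 versus cacert.p12.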
-- 
1.8.2.1


[Freeipa-devel] [PATCH] 142 Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns

2013-06-25 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3705.

Honza

--
Jan Cholasta
From 873beb4d2ce268906f808f71af32919dec30928b Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Jun 2013 08:41:46 +
Subject: [PATCH] Do not skip SSSD known hosts in ipa-client-install
 --ssh-trust-dns.

https://fedorahosted.org/freeipa/ticket/3705
---
 ipa-client/ipa-install/ipa-client-install | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index a5ba46c..b188161 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1212,12 +1212,12 @@ def configure_ssh_config(fstore, options):
 'PubkeyAuthentication': 'yes',
 }
 
+if options.sssd and file_exists(SSH_PROXYCOMMAND):
+changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
+changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
 if options.trust_sshfp:
 changes['VerifyHostKeyDNS'] = 'yes'
 changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
-elif options.sssd and file_exists(SSH_PROXYCOMMAND):
-changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
-changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
 
 change_ssh_config(ssh_config, changes, ['Host'])
 root_logger.info('Configured %s', ssh_config)
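Review bot: moving the SSSD block out of the `elif` makes the two branches cumulative, so with --ssh-trust-dns the client now gets ProxyCommand, GlobalKnownHostsFile, VerifyHostKeyDNS and the HostKeyAlgorithms restriction to ssh-rsa,ssh-dss all at once; the commit message only says "do not skip", so add a sentence stating that the SSSD known-hosts proxy and SSHFP verification are meant to work together, and a comment above the `if options.sssd and file_exists(SSH_PROXYCOMMAND):` block, because the original `elif` reads as a deliberate exclusion that a later reader may restore.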
-- 
1.8.2.1


Re: [Freeipa-devel] [PATCH 0165] Fix crash caused by race-condition between shutdown and update processing

2013-06-25 Thread Tomas Hozza
ACK.

Works as expected.

Regards,

Tomas Hozza

- Original Message -
 Hello,
 
 Fix crash caused by race-condition between shutdown and update processing.
 
 Variable 'name' was uninitialized when manager_get_ldap_instance() returned
 ISC_R_NOTFOUND. The successive call to dns_name_dynamic() caused the crash.
 
 --
 Petr^2 Spacek
 



Re: [Freeipa-devel] [PATCH] 425 Do not redirect to https in /ipa/ui on non-HTML files

2013-06-25 Thread Martin Kosek
On 06/24/2013 07:00 PM, Tomas Babej wrote:
 On 06/24/2013 06:13 PM, Petr Vobornik wrote:
 Those resources are needed by page which has to use http(browser config)
 prior to acceptance of CA cert.

 https://fedorahosted.org/freeipa/ticket/3748


 
 I think you (technically) need to update the version in the first commented 
 line.

Thanks for pointing this out Tomas. I see you learned a lesson last time :-)

 
 (Probably would not be an issue for anybody, since we haven't done a release
 since it was last changed)

Yeah, this is not critical. But it may still make sense to bump the number, if
just for the sake of consistency, in case someone does some git blame
investigation based on this line.

Martin



Re: [Freeipa-devel] [PATCH] 425 Do not redirect to https in /ipa/ui on non-HTML files

2013-06-25 Thread Petr Vobornik

On 06/25/2013 12:22 PM, Martin Kosek wrote:

On 06/24/2013 07:00 PM, Tomas Babej wrote:

On 06/24/2013 06:13 PM, Petr Vobornik wrote:

Those resources are needed by page which has to use http(browser config)
prior to acceptance of CA cert.

https://fedorahosted.org/freeipa/ticket/3748




I think you (technically) need to update the version in the first commented 
line.


Thanks for pointing this out Tomas. I see you learned a lesson last time :-)



(Probably would not be an issue for anybody, since we haven't done a release
since it was last changed)


Yeah, this is not critical. But it may still make sense to bump the number, if
just for the sake of consistency, in case someone does some git blame
investigation based on this line.

Martin



Version bumped, updated patch attached.
--
Petr Vobornik
From bc60575a75ceed8dbc2f3791fad095ef62e00a42 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Mon, 24 Jun 2013 17:44:15 +0200
Subject: [PATCH] Do not redirect to https in /ipa/ui on non-HTML files

Those resources are needed by page which has to use http(browser config) prior to acceptance of CA cert.

https://fedorahosted.org/freeipa/ticket/3748
---
 install/conf/ipa-rewrite.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf
index 552682b05bb8a911c8b735a3e7252cba24288f9b..37661b8200ed7ab4e316093de90b811b8e6fa3cf 100644
--- a/install/conf/ipa-rewrite.conf
+++ b/install/conf/ipa-rewrite.conf
@@ -1,4 +1,4 @@
-# VERSION 5 - DO NOT REMOVE THIS LINE
+# VERSION 6 - DO NOT REMOVE THIS LINE
 
 RewriteEngine on
 
@@ -15,6 +15,7 @@ RewriteRule ^/ipa/(.*)  http://$FQDN/ipa/$$1 [L,R=301]
 # configuration.
 RewriteCond %{SERVER_PORT}  !^443$$
 RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
+RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
 RewriteRule ^/ipa/(.*)  https://$FQDN/ipa/$$1 [L,R=301,NC]
 
 # Rewrite for plugin index, make it like it's a static file
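Review bot: the new RewriteCond exempts every path under /ipa/ that ends in one of the listed extensions, not only /ipa/ui/ as the subject line says, and unlike the RewriteRule below it carries no [NC], so .JS or .CSS is still redirected while the lowercase forms are served over plain http; narrow the pattern to the UI tree (e.g. `!^/ipa/ui/.*\.(js|css|png|gif|ico|woff|svg|ttf|eot)$$`) and add [NC] so the exemption covers exactly what the browser-configuration page needs and nothing else.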
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCH 0166] Fix minor coding style issue in update_config()

2013-06-25 Thread Petr Spacek

On 24.6.2013 16:50, Tomas Hozza wrote:

ACK


Pushed to master: 0bcf544fbcedee7cf3eb74a5bcd4749ce4ebc089



The patch looks good.

Regards,

Tomas Hozza

- Original Message -

Hello,

Fix minor coding style issue in update_config().

--
Petr^2 Spacek




--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0165] Fix crash caused by race-condition between shutdown and update processing

2013-06-25 Thread Petr Spacek

On 25.6.2013 12:13, Tomas Hozza wrote:

ACK.


Pushed to master: 12e31102f18aa4676e3ac7da4334806dc8afc801



Works as expected.

Regards,

Tomas Hozza

- Original Message -

Hello,

Fix crash caused by race-condition between shutdown and update processing.

Variable 'name' was uninitialized when manager_get_ldap_instance() returned
ISC_R_NOTFOUND. The successive call to dns_name_dynamic() caused the crash.

--
Petr^2 Spacek




--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCHES] 0230-0240 Integration testing framework

2013-06-25 Thread Petr Viktorin

On 06/14/2013 05:44 PM, Petr Viktorin wrote:

On 06/14/2013 04:41 PM, Jan Cholasta wrote:

On 14.6.2013 16:19, Jan Cholasta wrote:

Hi,

On 13.6.2013 14:16, Petr Viktorin wrote:

On 06/10/2013 04:48 PM, Petr Viktorin wrote:

On 05/31/2013 01:46 PM, Petr Viktorin wrote:

Apply on top of my patches 0227-0234.

These patches add an initial integration testing framework.

Patch 0230 adds a plugin for ordered test classes.
Nose orders methods within a test suite alphabetically, but we
generally
want to run them in the order defined. This adds the @ordered
decorator
that causes Nose to do just that, provided the plugin is loaded and
enabled, and that the methods are defined in the same file. The
ipa-run-tests wrapper is changed to enable the plugin.
In the future we may want to use this for unit tests as well. It
might
also make sense to separate it from the FreeIPA project altogether.

Patch 0231 adds configuration for tests. This reads environment
variables like:
- MASTER (FQDN of initial server)
- REPLICA (space-separated FQDNs of replicas)
- CLIENT (space-separated FQDNs of clients),
- IPATEST_DIR (directory the tests use on the remote machines)
etc., and loads them into an easy-to use Python object.
A tool called ipa-test-config is provided that generates a full
set of
environment variables for shell-based tests from these, either
global or
specific for a given host.
If environment variables don't work for us, alternate configuration
methods can be added in the future.


I think you forgot to add %dir
%{python_sitelib}/ipatests/test_integration to the spec file.

Is the self = cls() line at the beginning of Config.from_env()
intentional?

+self = cls()
+env_normalize(env)
+
+self = cls(test_dir=env.get('IPATEST_DIR') or '/root/ipatests',


No. I removed it, thanks for the catch.


Also typo in commit message: Integration tests are be configured ...


Thanks, fixed.



Patch 0232 adds an integration test framework.
This extends Host object available from the configuration with
methods
to run commands and copy files on the remote host, and adds a base
class
for integration tests which can currently install and uninstall IPA
in a
star topology. (In the future, the install/uninstall code should
also
be made available as a shell command.)
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.
The base class uses the @ordered decorator mentioned above.

Patch 0233 improves on how commands are run on remote hosts.
In the previous patch, the process's stdin and stdout were combined
as a
quick hack to avoid the problem that if we first read stdout and then
stderr, then stderr's buffer can fill up and we'd deadlock (and the
other way around). With this patch the streams are read in parallel.
In the future this can be extended to calling whole commands in
parallel
(e.g. uninstalling IPA on all the hosts at once).

Patch 0234 adds log collection to the BeakerLib integration plugin.
This tars up the marked logs, downloads then, and calls
rlFileSubmit on
them.


Missing space in commit message: ... log files fromthe remote ...


Thanks, fixed.



---


Attaching additional patches:

Patch 0237 configures logging in ipa-run-tests to forward messages
from
the IPA logging machinery to a normal Python logger. This way the logs
are captured
The logs are also printed to stderr so that there's some activity on
the
terminal after you run the utility.

Patch 0238 makes it possible to use RSA private SSH keys to log in to
the remote machines. The key is given in $IPA_ROOT_SSH_KEY, and
used if
$IPA_ROOT_SSH_PASSWORD is empty.
I've added this to the design page.


It seems that the code prefers password authentication over public key
authentication if both are configured. IMO it would be better if it did
the opposite.


Good point, fixed, design page updated.


Patch 0239 makes test setup change the hostname, /etc/hosts, and
/etc/resolv.conf to match the configured values. These should be
equivalent to the fixes in
https://github.com/freeipa/tests/blob/master/ipa-tests/beaker/ipa-server/shared/ipa-install.sh#L733





In test teardown, the changes are undone.


I've rebased the patchset and added small fixes for patches 0232 and
0239.

New patch 0240 contains a few fixes/improvements to the Host class that
were not trivial to rebase into previous patches.

The WIP patch adds a sketch of some of the tests for CA-less
(http://www.freeipa.org/page/V3/CA-less_install#Test_Plan). Please
comment if you can see where things can be improved for test authors!


Just a word of warning, there are still a few test cases I need to add
to the CA-less test plan.


Sure. I did this mainly to see how things look from the test author's
point of view.



Adding two additional patches for better Beaker integration:
Patch 0241 allows e.g. adding ticket numbers for automatic test case 
management
Patch 

[Freeipa-devel] [PATCH 0167-0168] Release bind-dyndb-ldap 3.4.

2013-06-25 Thread Petr Spacek

Hello,

Update NEWS file for upcoming 3.4 release.
Pushed to master: ca7f5db6bdf86a813a470dd3b64c442b2a72d28e

Bump NVR to 3.4.
Pushed to master: 6e00a2e186f045df771ef558c90d4c6570d9feb1

--
Petr^2 Spacek
From ca7f5db6bdf86a813a470dd3b64c442b2a72d28e Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 25 Jun 2013 13:56:00 +0200
Subject: [PATCH] Update NEWS file for upcoming 3.4 release.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS | 5 +
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 0d38ba6014f96223cff494aa3a157b388ba33035..b4a71ef9a4fb48c6c3297db882b697527126b55c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+3.4
+=
+[1] Crash during BIND shutdown caused by race condition in update processing
+was fixed.
+
 3.3
 =
 [1] Crash triggered by missing sasl_user parameter was fixed.
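Review bot: the new 3.4 entry describes the crash but gives a reader nothing to follow up on; the fix landed as its own commit (12e31102f18aa4676e3ac7da4334806dc8afc801, per the "Pushed to master" reply for patch 0165 in this digest), so naming that commit or the cause given in the patch description (uninitialized `name` when manager_get_ldap_instance() returns ISC_R_NOTFOUND) would make the release note actionable for packagers deciding whether to backport.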
-- 
1.7.11.7

From 6e00a2e186f045df771ef558c90d4c6570d9feb1 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 25 Jun 2013 14:17:09 +0200
Subject: [PATCH] Bump NVR to 3.4.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 87675d83c8fc48b606d6796b50186a75839ae788..222e520e0aa61bca58cff81bea672fcab04355b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [3.3], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [3.4], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index f583611eb889e8aa5bce1917c7c80489a4b39f23..d4515edc6609fbb2119ebf5f9a256c89485f222c 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:3.3
+Version:3.4
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
-- 
1.7.11.7


[Freeipa-devel] Announcing bind-dyndb-ldap version 3.4

2013-06-25 Thread Petr Spacek

The FreeIPA team is proud to announce bind-dyndb-ldap version 3.4.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/. 
The new version has also been built for Fedora 19 and is on its way to 
updates-testing:

https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.4-1.fc19

This release includes one fix.

== Changes in 3.4 ==

[1] Crash during BIND shutdown caused by race condition in update processing
was fixed.


== Upgrading ==

A server can be upgraded simply by installing updated rpms. BIND has to be 
restarted manually after the RPM installation.


You will need to clean up configuration file /etc/named.conf if your 
configuration contains typos or other unsupported options.


Downgrading back to any 2.x version is supported under the following conditions:
- new object class idnsForwardZone is not utilized
- record types not supported by 2.x versions are not utilized
- configured connection count is >= 3 (to prevent deadlocks in 2.x releases)


== Important change planned for 4.0 release ==

Configurations with and without persistent search are now deprecated. Support 
for 'zone_refresh' and 'psearch' options will be removed in 4.0 release.


Bind-dyndb-ldap 4.0 will require LDAP server with support for RFC 4533.


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing
list: http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek
Software engineer
Red Hat



Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-25 Thread Ana Krivokapic
On 06/24/2013 02:27 PM, Tomas Babej wrote:
 On 06/11/2013 04:42 PM, Ade Lee wrote:
 [snip]
 Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
 to address this issue.
 -- 
 Regards,

 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.

 Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.

 I'm getting a little bit further now.

 [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
 vm-129.idm.lab.eng.brq.redhat.com
 Directory Manager (existing master) password:

 Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 Constraint violation: Failed to update password

 With debug output, I get (snipped out irrelevant parts):

 Directory Manager (existing master) password:

 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_57668944
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
 context.ldap2_57668944
 ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
 ipa: DEBUG: Search failed: [Errno -2] Name or service not known
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
 to a file
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
 ipa-replica-prepare was invoked with arguments
 ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
 '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
 None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
 'pkinit_pin': None}
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
 replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
 ipa: DEBUG: Starting external process
 ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
 /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
 ipa: DEBUG: Process finished, return code=0
 ipa: DEBUG: stdout=
 ipa: DEBUG: stderr=
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_139884970376144
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in 
 execute
 return_value = self.run()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 245, in run
 self.copy_ds_certificate()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 281, in copy_ds_certificate
 self.update_pki_admin_password()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 520, in update_pki_admin_password
 ldap.modify_password(dn, self.dirman_password)
   File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line
 332, in modify_password
 self.conn.passwd_s(dn, old_pass, new_pass)
   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
 self.gen.throw(type, value, traceback)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, in
 error_handler
 raise errors.DatabaseError(desc=desc, info=info)

 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
 ipa-replica-prepare command failed, exception: DatabaseError: Constraint
 violation: Failed to update password
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
 violation: Failed to update password

 Tomas

It seems that this time the culprit is 389-ds-base packages. The password change
is rejected when using the latest version of 389-ds-base
(389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version
(389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.

I opened an upstream ticket for the 389 DS project:
https://fedorahosted.org/389/ticket/47406.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
