Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-20 Thread JR Aquino
NACK.

Please retest this... I'm not sure how it is related, but I receive an
error during the make rpm process:

Traceback (most recent call last):
  File "./makeapi", line 27, in <module>
    from ipalib import *
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py", line 878, in <module>
    from frontend import Command, LocalOrRemote
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py", line 36, in <module>
    from ipapython.version import API_VERSION
  File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py", line 25, in <module>
    NUM_VERSION=200
NameError: name '__NUM_VERSION__' is not defined
make[1]: *** [version-update] Error 1
make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
make: *** [rpms] Error 1



On 1/19/11 4:11 PM, Simo Sorce sso...@redhat.com wrote:


Long ago we decided to use the ldapi socket to let the KDC access the
ldap data in order to avoid communication over the network (even if it
is 127.0.0.1).

This patch finally implements that. Although beware that this patch
will need you to either create custom policy or to set selinux in
permissive mode until the new policy lands in fedora land.

Bugs have been opened and I think the policy has already landed in
rawhide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel




Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-20 Thread JR Aquino
On 1/20/11 10:11 AM, Rob Crittenden rcrit...@redhat.com wrote:

JR Aquino wrote:
 NACK.

 Please retest this... I'm not sure how it is related, but I receive an
 error during the make rpm process:

 Traceback (most recent call last):
   File "./makeapi", line 27, in <module>
     from ipalib import *
   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py", line 878, in <module>
     from frontend import Command, LocalOrRemote
   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py", line 36, in <module>
     from ipapython.version import API_VERSION
   File "/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py", line 25, in <module>
     NUM_VERSION=200
 NameError: name '__NUM_VERSION__' is not defined
 make[1]: *** [version-update] Error 1
 make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
 error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)


 RPM build errors:
     Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
 make: *** [rpms] Error 1

This error is unrelated, though I'm unsure what is broken. The first
thing the build should do is run the version-update target, which will do
substitutions in ipapython/version.py.in into ipapython/version.py. It
seems that didn't happen or is otherwise broken. Can you see if
version-update is being called by make?

rob

Thank you for catching that Rob!

This was unrelated.  Did a full remove and a new clone.

Patch works correctly.

ACK





Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-20 Thread Simo Sorce
On Thu, 20 Jan 2011 19:24:59 +
JR Aquino jr.aqu...@citrix.com wrote:

 Patch works correctly.
 
 ACK

thanks,
pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc

2011-01-19 Thread Simo Sorce

Long ago we decided to use the ldapi socket to let the KDC access the
ldap data in order to avoid communication over the network (even if it
is 127.0.0.1).

This patch finally implements that. Although beware that this patch
will need you to either create custom policy or to set selinux in
permissive mode until the new policy lands in fedora land.

Bugs have been opened and I think the policy has already landed in
rawhide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 5328b459ae3f55377b9609a796dd05dc026ba791 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 14:08:48 -0500
Subject: [PATCH] Make krb5kdc use the ldapi socket to talk to dirsrv

Fixes: https://fedorahosted.org/freeipa/ticket/812
---
 install/share/krb5.conf.template |2 +-
 ipaserver/install/krbinstance.py |2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index ab569714bc7d49370ac65587b63bc23e6bd46ca0..9cf4ee84d5e12bc5ecf524f1544e87b2d787c476 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -34,7 +34,7 @@
 [dbmodules]
   $REALM = {
 db_library = kldap
-ldap_servers = ldap://127.0.0.1/
+ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
 ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
 ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
 ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
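Review bot: the ldap_servers line now depends on a new placeholder, $SERVER_ID, so every code path that renders install/share/krb5.conf.template has to supply it; the second file in this patch adds it to one sub_dict only, and any other renderer of this template would leave the literal text "$SERVER_ID" inside the URL, pointing the KDC at a socket that does not exist. Please also carry into the commit message what the cover letter says: kldap connecting over the dirsrv socket needs the updated SELinux policy, so on a host without it krb5kdc can no longer reach its database (there is no fallback to the old ldap://127.0.0.1/). The %2f encoding of the slashes is required by the ldapi URL syntax and is correct here.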
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index e7c1116377a66954ecf4c024510e6d9dd79ba69d..9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -35,6 +35,7 @@ from ipalib import errors
 
 from ipaserver import ipaldap
 from ipaserver.install import replication
+from ipaserver.install.dsinstance import realm_to_serverid
 
 import ldap
 from ldap import LDAPError
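Review bot: importing realm_to_serverid from ipaserver.install.dsinstance makes the KDC installer depend on the directory-server installer module; please confirm dsinstance does not in turn import krbinstance, since a circular import here would only surface at install time. If the helper is just a realm-to-instance-name mapping, placing it in a shared install helper module would avoid coupling the two installers.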
@@ -255,6 +256,7 @@ class KrbInstance(service.Service):
  SUFFIX=self.suffix,
  DOMAIN=self.domain,
  HOST=self.host,
+ SERVER_ID=realm_to_serverid(self.realm),
  REALM=self.realm)
 
 def __configure_sasl_mappings(self):
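Review bot: SERVER_ID=realm_to_serverid(self.realm) recomputes the dirsrv instance name from the realm rather than taking the id the directory server instance was actually created with, so the two stay in sync only as long as both installers derive it from the same realm string. Because the KDC is then bound to /var/run/slapd-$SERVER_ID.socket with no network fallback, a mismatch means krb5kdc cannot open its database at all; a check that the socket path exists before the KDC is started, with an error naming the path, would make that failure easy to diagnose.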
-- 
1.7.3.4

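The patch above changes the KDC's LDAP transport to a Unix socket by percent-encoding the socket path into an ldapi:// URL and adding a SERVER_ID placeholder to the template. The following Python is an added example, not FreeIPA code: it builds that URL the way the template does, decodes it back to the socket path the KDC would open, renders a constructed copy of the [dbmodules] stanza, and flags any placeholder that a caller forgot to substitute (the same class of failure as the unsubstituted `__NUM_VERSION__` in the build error earlier in the thread). realm_to_serverid() here is an assumed stand-in for the helper the patch imports, and string.Template stands in for the project's own template substitution.

```python
"""Build the kldap ``ldap_servers`` value for an ldapi:// socket and check a
rendered [dbmodules] stanza for placeholders that were never substituted.

Added example, not FreeIPA code.  realm_to_serverid() is an assumed stand-in
for the helper imported in the patch, and string.Template stands in for the
project's own template substitution.
"""
import re
import string
from string import Template
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed excerpt of the patched template stanza, same placeholders as the patch.
DBMODULES_TEMPLATE = """\
[dbmodules]
  $REALM = {
    db_library = kldap
    ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
    ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
  }
"""

# RFC 3986 unreserved characters; every other byte is percent-encoded.
_UNRESERVED = frozenset((string.ascii_letters + string.digits + "-._~").encode())


def percent_encode(path: str) -> str:
    """Encode a filesystem path for use inside an ldapi URL.  Lowercase hex
    digits are used so "/" becomes "%2f", matching the template."""
    return "".join(chr(b) if b in _UNRESERVED else "%%%02x" % b
                   for b in path.encode("utf-8"))


def realm_to_serverid(realm: str) -> str:
    """Assumed mapping (not taken from the thread): the dirsrv instance name
    is the realm with dots replaced by dashes, e.g. EXAMPLE.COM -> EXAMPLE-COM."""
    return "-".join(realm.split("."))


def ldapi_url(server_id: str, rundir: str = "/var/run") -> str:
    """The URL form the patched template uses for the dirsrv socket."""
    return "ldapi://" + percent_encode("%s/slapd-%s.socket" % (rundir, server_id))


def socket_path_from_url(url: str) -> str:
    """Inverse of ldapi_url(): the socket path the KDC would try to open."""
    if not url.startswith("ldapi://"):
        raise ValueError("not an ldapi URL: %r" % url)
    return unquote(url[len("ldapi://"):])


def render_dbmodules(realm: str, suffix: str,
                     sub_dict: Optional[Dict[str, str]] = None) -> str:
    """Render the stanza from a sub_dict like the one krbinstance.py builds.
    safe_substitute() leaves unknown placeholders in place instead of raising,
    which is the failure mode unresolved_placeholders() exists to catch."""
    if sub_dict is None:
        sub_dict = {"REALM": realm, "SUFFIX": suffix,
                    "SERVER_ID": realm_to_serverid(realm)}
    return Template(DBMODULES_TEMPLATE).safe_substitute(sub_dict)


_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def unresolved_placeholders(rendered: str) -> List[str]:
    """Names of every $PLACEHOLDER still present after substitution."""
    return sorted(set(_PLACEHOLDER.findall(rendered)))


def ldap_servers_value(rendered: str) -> str:
    """Read the ldap_servers setting back out of a rendered stanza."""
    match = re.search(r"^\s*ldap_servers\s*=\s*(\S+)", rendered, re.MULTILINE)
    if match is None:
        raise ValueError("no ldap_servers setting in stanza")
    return match.group(1)


if __name__ == "__main__":
    realm, suffix = "EXAMPLE.COM", "dc=example,dc=com"   # constructed values
    good = render_dbmodules(realm, suffix)
    print(ldap_servers_value(good))
    print("socket:", socket_path_from_url(ldap_servers_value(good)))
    print("unresolved:", unresolved_placeholders(good))
    # A sub_dict that predates the patch and lacks SERVER_ID leaves the
    # placeholder inside the URL; a start-up check should reject this.
    stale = render_dbmodules(realm, suffix, {"REALM": realm, "SUFFIX": suffix})
    print("unresolved:", unresolved_placeholders(stale))
```

The unresolved_placeholders() check is the piece worth keeping around: run it over the rendered krb5.conf before starting the KDC, and a missing SERVER_ID (or any placeholder a later template change introduces) is reported as a configuration error naming the variable instead of a KDC that silently cannot reach its database.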