Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
NACK.

Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process:

Traceback (most recent call last):
  File ./makeapi, line 27, in <module>
    from ipalib import *
  File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py, line 878, in <module>
    from frontend import Command, LocalOrRemote
  File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py, line 36, in <module>
    from ipapython.version import API_VERSION
  File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py, line 25, in <module>
    NUM_VERSION=200
NameError: name '__NUM_VERSION__' is not defined
make[1]: *** [version-update] Error 1
make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
make: *** [rpms] Error 1

On 1/19/11 4:11 PM, Simo Sorce sso...@redhat.com wrote:
> Long ago we decided to use the ldapi socket to let the KDC access the ldap data in order to avoid communication over the network (even if it is 127.0.0.1).
>
> This patch finally implements that.
>
> Although beware that this patch will need you to either create custom policy or to set selinux in permissive mode until the new policy lands in fedora land. Bugs have been opened and I think the policy has already landed in rawhide.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
On 1/20/11 10:11 AM, Rob Crittenden rcrit...@redhat.com wrote:
> JR Aquino wrote:
>> NACK.
>>
>> Please retest this... I'm not sure how it is related, but I receive an error during the make rpm process:
>>
>> Traceback (most recent call last):
>>   File ./makeapi, line 27, in <module>
>>     from ipalib import *
>>   File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/__init__.py, line 878, in <module>
>>     from frontend import Command, LocalOrRemote
>>   File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipalib/frontend.py, line 36, in <module>
>>     from ipapython.version import API_VERSION
>>   File /usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279/ipapython/version.py, line 25, in <module>
>>     NUM_VERSION=200
>> NameError: name '__NUM_VERSION__' is not defined
>> make[1]: *** [version-update] Error 1
>> make[1]: Leaving directory `/usr/src/freeipa/rpmbuild/BUILD/freeipa-2.0.0GITb9ad279'
>> error: Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
>>
>> RPM build errors:
>>     Bad exit status from /var/tmp/rpm-tmp.315pIJ (%build)
>> make: *** [rpms] Error 1
>
> This error is unrelated though I'm unsure what is broken.
>
> The first thing the build should do is run the version-update target which will do substitutions in ipapython/version.py.in into ipapython/version.py. It seems that didn't happen or is otherwise broke.
>
> Can you see if version-update is being called by make?
>
> rob

Thank you for catching that Rob! This was unrelated. Did a full remove and a new clone.

Patch works correctly.

ACK
Re: [Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
On Thu, 20 Jan 2011 19:24:59 + JR Aquino jr.aqu...@citrix.com wrote:
> Patch works correctly.
>
> ACK

thanks, pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0065 Use ldapi with krb5kdc
Long ago we decided to use the ldapi socket to let the KDC access the ldap data in order to avoid communication over the network (even if it is 127.0.0.1).

This patch finally implements that.

Although beware that this patch will need you to either create custom policy or to set selinux in permissive mode until the new policy lands in fedora land. Bugs have been opened and I think the policy has already landed in rawhide.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From 5328b459ae3f55377b9609a796dd05dc026ba791 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 19 Jan 2011 14:08:48 -0500 Subject: [PATCH] Make krb5kdc use the ldapi socket to talk to dirsrv Fixes: https://fedorahosted.org/freeipa/ticket/812 --- install/share/krb5.conf.template |2 +- ipaserver/install/krbinstance.py |2 ++ 2 files changed, 3 insertions(+), 1 deletions(-) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index ab569714bc7d49370ac65587b63bc23e6bd46ca0..9cf4ee84d5e12bc5ecf524f1544e87b2d787c476 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -34,7 +34,7 @@ [dbmodules] $REALM = { db_library = kldap -ldap_servers = ldap://127.0.0.1/ +ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket ldap_kerberos_container_dn = cn=kerberos,$SUFFIX ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index e7c1116377a66954ecf4c024510e6d9dd79ba69d..9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -35,6 +35,7 @@ from ipalib import errors from ipaserver import ipaldap from ipaserver.install import replication +from ipaserver.install.dsinstance import realm_to_serverid import ldap from ldap import LDAPError 
@@ -255,6 +256,7 @@ class KrbInstance(service.Service): SUFFIX=self.suffix, DOMAIN=self.domain, HOST=self.host, + SERVER_ID=realm_to_serverid(self.realm), REALM=self.realm) def __configure_sasl_mappings(self): -- 1.7.3.4
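
Review bot: The ldap_servers change in install/share/krb5.conf.template only reaches servers installed after this patch; the diffstat lists just the template and krbinstance.py, so a server that already has a rendered krb5.conf keeps "ldap_servers = ldap://127.0.0.1/". Consider adding an upgrade step that rewrites that line, or state in the commit message that existing installs are unchanged. The commit message also leaves out the SELinux policy requirement that the cover letter describes; one line there would help anyone who hits a denial in enforcing mode.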
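
Review bot: In ipaserver/install/krbinstance.py the new "SERVER_ID=realm_to_serverid(self.realm)" substitution assumes the directory server instance exposes its socket at /var/run/slapd-<id>.socket under exactly that id, and nothing in the visible lines checks it. Because the template hard-codes the /var/run prefix, a check that the socket exists before the KDC is started, or at least a comment next to the substitution saying where the socket path is defined, would turn a mismatch into a clear installer error rather than a KDC that cannot reach its database.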
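
The transport change described in the message above (TCP to 127.0.0.1 replaced by the dirsrv UNIX socket) can be verified on a rendered krb5.conf. This is an added example, not code from the patch or from FreeIPA; the realm EXAMPLE.COM, the server id EXAMPLE-COM and all function names are assumptions made for illustration.

```python
import os
import re
import stat
from urllib.parse import unquote

# Constructed sample input: the [dbmodules] block before and after the change,
# rendered with placeholder realm EXAMPLE.COM and placeholder id EXAMPLE-COM.
BEFORE = """[dbmodules]
  EXAMPLE.COM = {
    db_library = kldap
    ldap_servers = ldap://127.0.0.1/
  }
"""
AFTER = BEFORE.replace("ldap://127.0.0.1/",
                       "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket")

TRANSPORT = {"ldapi": "unix-socket", "ldap": "tcp", "ldaps": "tcp+tls"}

def audit_ldap_servers(conf_text):
    """Return (uri, transport, endpoint) for each URI on ldap_servers lines."""
    findings = []
    for value in re.findall(r"^\s*ldap_servers\s*=\s*(.+)$", conf_text, re.M):
        for uri in value.split():  # the value is a whitespace-separated list
            scheme, _, rest = uri.partition("://")
            scheme = scheme.lower()
            endpoint = rest.split("/", 1)[0]
            if scheme == "ldapi":
                # ldapi carries the socket path percent-encoded in the host part
                endpoint = unquote(endpoint)
            findings.append((uri, TRANSPORT.get(scheme, "unknown"), endpoint))
    return findings

def socket_state(path):
    """Classify a decoded socket path: 'missing', 'not-a-socket' or 'ok'."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "missing"
    return "ok" if stat.S_ISSOCK(mode) else "not-a-socket"

def uses_only_local_socket(conf_text):
    """True when every configured LDAP server is reached over a UNIX socket."""
    found = audit_ldap_servers(conf_text)
    return bool(found) and all(t == "unix-socket" for _, t, _ in found)

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_ldap_servers(text), uses_only_local_socket(text))
```

On a real server, pass the decoded endpoint of each ldapi entry to socket_state() to confirm the directory server is actually listening there.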