Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
On 13.7.2015 at 16:30, Martin Basti wrote:
> On 10/07/15 18:29, Christian Heimes wrote:
>> Hi,
>>
>> this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.
>>
>> https://fedorahosted.org/freeipa/ticket/5113
>>
>> While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:
>>
>> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>>
>> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.
>>
>> Christian
>
> ACK

Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
On 14.7.2015 at 12:38, Jan Cholasta wrote:
> On 13.7.2015 at 16:30, Martin Basti wrote:
>> On 10/07/15 18:29, Christian Heimes wrote:
>>> Hi,
>>>
>>> this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5113
>>>
>>> While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:
>>>
>>> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>>>
>>> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.
>>>
>>> Christian
>>
>> ACK
>
> Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d

and

Pushed to ipa-4-2: d98aa76b26daf461f19d733fedc4bd9a8c36f05f

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
On 10/07/15 18:29, Christian Heimes wrote:
> Hi,
>
> this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.
>
> https://fedorahosted.org/freeipa/ticket/5113
>
> While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:
>
> Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled
>
> which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.
>
> Christian

ACK

--
Martin Basti
[Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
Hi,

this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113

While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.

Christian

From 90c77671a3f8969adb06d7c6092369e90acfd59b Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Fri, 10 Jul 2015 18:18:29 +0200 Subject: [PATCH] Start dirsrv for kdcproxy upgrade The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy(). https://fedorahosted.org/freeipa/ticket/5113 --- ipaserver/install/server/upgrade.py | 35 +++ 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 84a5b06accb10663eaa4d995f66796366040e9c8..f295655dc2aa592e0215f15017c9b65af49eef80 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -1396,22 +1396,6 @@ def upgrade_configuration(): http.change_mod_nss_port_from_http() http.configure_certmonger_renewal_guard() -if not http.is_kdcproxy_configured(): -root_logger.info('[Enabling KDC Proxy]') -if http.admin_conn is None: -http.ldapi = True -http.fqdn = fqdn -http.realm = api.env.realm -http.suffix = ipautil.realm_to_suffix(api.env.realm) -http.ldap_connect() -http.create_kdcproxy_conf() -http.enable_kdcproxy() - -http.stop() -update_mod_nss_protocol(http) -fix_trust_flags() -http.start() - ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() @@ -1433,6 +1417,25 @@ def upgrade_configuration(): ds.suffix = ipautil.realm_to_suffix(api.env.realm) ds_enable_sidgen_extdom_plugins(ds) +# Now 389-ds is available, run the remaining http tasks +if not http.is_kdcproxy_configured(): +root_logger.info('[Enabling KDC Proxy]') +if http.admin_conn is None: + # 389-ds needs to be running +ds.start() +http.ldapi = True +http.fqdn = fqdn +http.realm = api.env.realm +http.suffix = ipautil.realm_to_suffix(api.env.realm) +http.ldap_connect() +http.create_kdcproxy_conf() +http.enable_kdcproxy() + +http.stop() +update_mod_nss_protocol(http) +fix_trust_flags() +http.start() + uninstall_selfsign(ds, http) simple_service_list = ( -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
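
Review bot: In the hunk at @@ -1433,6 +1417,25 @@, the new comment "# Now 389-ds is available" contradicts the ds.start() a few lines below it, which is there precisely because DS may not be running at this point; reword the comment to say that the remaining http tasks were moved after the DS steps. ds.start() is also followed directly by http.ldap_connect() with no visible check that the start succeeded, so a DS that fails to come up would surface as a connection error from the HTTP instance rather than as a clear upgrade failure; consider reporting a failed start through root_logger before connecting. Nothing in the hunk records whether DS was running beforehand, so the upgrade leaves it started regardless of its earlier state, which deserves a sentence in the commit message if it is intended.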
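
Added example (not part of the thread or of the FreeIPA code base): a pre-upgrade check for the condition Christian describes, which reads the cn=config entry of a dse.ldif and flags nsslapd-port: 0. The helper names, the decoy entry and the sample LDIF are constructed for illustration; point it at a copy of the real file.

```python
# Constructed sample of a dse.ldif fragment (not taken from a real server).
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
nsslapd-port: 0
nsslapd-securePort: 636
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-IPA-EXAMPLE.socke
 t

dn: cn=decoy,cn=config
nsslapd-port: 389
"""


def read_config_entry(ldif_text):
    """Return the attributes of the cn=config entry as {lowercase name: [values]}."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs, in_config = {}, False
    for line in lines:
        if not line.strip():
            in_config = False  # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_config = value.lower().replace(" ", "") == "cn=config"
        elif in_config:
            # base64 ("::") values are kept undecoded; not needed for these attributes
            attrs.setdefault(name, []).append(value)
    return attrs


def listener_findings(attrs):
    """List listener settings that would keep an LDAP client from connecting."""
    findings = []
    port = attrs.get("nsslapd-port", [None])[0]
    if port is None:
        findings.append("nsslapd-port is not set in cn=config")
    elif port == "0":
        findings.append("nsslapd-port is 0: non-secure port disabled")
    elif port != "389":
        findings.append("nsslapd-port is %s, not 389" % port)
    if attrs.get("nsslapd-ldapilisten", ["off"])[0].lower() != "on":
        findings.append("nsslapd-ldapilisten is not 'on' in cn=config")
    return findings
```
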