Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade

2015-07-14 Thread Jan Cholasta

On 13.7.2015 at 16:30, Martin Basti wrote:

On 10/07/15 18:29, Christian Heimes wrote:

Hi,

this patch ensures that DS is running before HTTPInstance attempts to
connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113


While I was testing the patch I ran into trouble with DS. The upgrade
script couldn't connect to 389/TCP, although ns-slapd was running. After
some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
[10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
port was disabled with nsslapd-port: 0. After I stopped DS, changed
the port back to 389 and started DS again, ipa-server-upgrade worked
again.

Christian

ACK



Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade

2015-07-14 Thread Jan Cholasta

On 14.7.2015 at 12:38, Jan Cholasta wrote:

On 13.7.2015 at 16:30, Martin Basti wrote:

On 10/07/15 18:29, Christian Heimes wrote:

Hi,

this patch ensures that DS is running before HTTPInstance attempts to
connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113


While I was testing the patch I ran into trouble with DS. The upgrade
script couldn't connect to 389/TCP, although ns-slapd was running. After
some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
[10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
port was disabled with nsslapd-port: 0. After I stopped DS, changed
the port back to 389 and started DS again, ipa-server-upgrade worked
again.

Christian

ACK



Pushed to master: c701ab612de831f72f21e0f3bfd105fbc515cd4d



and

Pushed to ipa-4-2: d98aa76b26daf461f19d733fedc4bd9a8c36f05f

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade

2015-07-13 Thread Martin Basti

On 10/07/15 18:29, Christian Heimes wrote:

Hi,

this patch ensures that DS is running before HTTPInstance attempts to
connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113


While I was testing the patch I ran into trouble with DS. The upgrade
script couldn't connect to 389/TCP, although ns-slapd was running. After
some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
[10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
port was disabled with nsslapd-port: 0. After I stopped DS, changed
the port back to 389 and started DS again, ipa-server-upgrade worked again.

Christian

ACK

--
Martin Basti



[Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade

2015-07-10 Thread Christian Heimes
Hi,

this patch ensures that DS is running before HTTPInstance attempts to
connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113


While I was testing the patch I ran into trouble with DS. The upgrade
script couldn't connect to 389/TCP, although ns-slapd was running. After
some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]:
[10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The
port was disabled with nsslapd-port: 0. After I stopped DS, changed
the port back to 389 and started DS again, ipa-server-upgrade worked again.

Christian
From 90c77671a3f8969adb06d7c6092369e90acfd59b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Fri, 10 Jul 2015 18:18:29 +0200
Subject: [PATCH] Start dirsrv for kdcproxy upgrade

The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv
instance. Under some circumstances the dirsrv isn't running. The patch
rearranges some upgrade steps and starts DS before enable_kdcproxy().

https://fedorahosted.org/freeipa/ticket/5113
---
 ipaserver/install/server/upgrade.py | 35 +++
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 84a5b06accb10663eaa4d995f66796366040e9c8..f295655dc2aa592e0215f15017c9b65af49eef80 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1396,22 +1396,6 @@ def upgrade_configuration():
 http.change_mod_nss_port_from_http()
 http.configure_certmonger_renewal_guard()
 
-if not http.is_kdcproxy_configured():
-root_logger.info('[Enabling KDC Proxy]')
-if http.admin_conn is None:
-http.ldapi = True
-http.fqdn = fqdn
-http.realm = api.env.realm
-http.suffix = ipautil.realm_to_suffix(api.env.realm)
-http.ldap_connect()
-http.create_kdcproxy_conf()
-http.enable_kdcproxy()
-
-http.stop()
-update_mod_nss_protocol(http)
-fix_trust_flags()
-http.start()
-
 ds = dsinstance.DsInstance()
 ds.configure_dirsrv_ccache()
 
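Review bot: the block removed at the top of this hunk takes `http.stop()`, `update_mod_nss_protocol(http)`, `fix_trust_flags()` and `http.start()` with it, not only the kdcproxy step, so the httpd restart now happens after the `ds.*` steps that follow. The commit message only says it "rearranges some upgrade steps"; please name the moved mod_nss and trust-flag steps there and confirm that nothing between the old and the new position relies on httpd already having been restarted.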
@@ -1433,6 +1417,25 @@ def upgrade_configuration():
 ds.suffix = ipautil.realm_to_suffix(api.env.realm)
 ds_enable_sidgen_extdom_plugins(ds)
 
+# Now 389-ds is available, run the remaining http tasks
+if not http.is_kdcproxy_configured():
+root_logger.info('[Enabling KDC Proxy]')
+if http.admin_conn is None:
+ # 389-ds needs to be running
+ds.start()
+http.ldapi = True
+http.fqdn = fqdn
+http.realm = api.env.realm
+http.suffix = ipautil.realm_to_suffix(api.env.realm)
+http.ldap_connect()
+http.create_kdcproxy_conf()
+http.enable_kdcproxy()
+
+http.stop()
+update_mod_nss_protocol(http)
+fix_trust_flags()
+http.start()
+
 uninstall_selfsign(ds, http)
 
 simple_service_list = (
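Review bot: `ds.start()` sits under `if http.admin_conn is None:` with no check of whether dirsrv was already running and nothing that restores the previous state afterwards, so the upgrade can leave DS in a different state than it found it. Record the prior state, or document that DS is expected to stay up from this point on. The block comment `# Now 389-ds is available` should also be reworded: it reads as if DS were already running, while the inner comment says it still has to be started.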
-- 
2.4.3
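The `nsslapd-port: 0` condition described in the message above can be checked before an upgrade by reading the `cn=config` entry of dse.ldif. This is an added example, not part of the patch or of FreeIPA; the sample LDIF, the socket path and the function names are constructed for illustration, and 389 is assumed as the default when the attribute is absent.

```python
import re

# Constructed sample of the cn=config entry in dse.ldif (not taken from a real host).
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-port: 0
nsslapd-secureport: 636
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-IPA-EXAMPLE
 .socket

dn: cn=plugins,cn=config
cn: plugins
"""

def parse_entry(ldif_text, dn="cn=config"):
    """Return the attributes of one LDIF entry as {lowercased name: [values]}."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == dn:
            return attrs
    return {}

def listener_status(ldif_text):
    """Summarise which listeners the cn=config entry enables."""
    cfg = parse_entry(ldif_text)
    first = lambda key, default: cfg.get(key, [default])[0]
    port = int(first("nsslapd-port", "389"))  # assumed default when absent
    return {
        "ldap_port": port,
        "ldap_enabled": port != 0,  # 0 disables the non-secure port
        "secure_port": int(first("nsslapd-secureport", "0")),
        "ldapi_enabled": first("nsslapd-ldapilisten", "off").lower() == "on",
        "ldapi_path": first("nsslapd-ldapifilepath", ""),
    }

if __name__ == "__main__":
    for key, value in listener_status(SAMPLE_DSE).items():
        print(f"{key}: {value}")
```

A result with `ldap_enabled` false while ns-slapd is running matches the "Non-Secure Port Disabled" log line quoted in the message.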


