URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology
frasertweedale commented:
"""
ipa-4-4 PR: #371
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/355#issuecomment-270605522
mbasti-rh commented:
"""
Please provide PR for ipa-4-4 too
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/355#issuecomment-270598873
mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6f7d982fe2e2d2f042e85710b8d8d59167e5796f
tomaskrizek commented:
"""
I re-tested the most recent change in domlvl1. ldapssl is turned on both for
CA-less replica install and CA-full replica install.
I also created a ticket for
mbasti-rh commented:
"""
@jcholast anyway I still see ways how to improve UX
- print big fat message to user at the end of ipa-ca-install to run
ipa-certupdate everywhere when needed
pvoborni commented:
"""
Running `ipa-certupdate` on all systems after `ipa-ca-install` is problematic.
But we can at least make sure that `ipa-ca-install` on replica will get
whatever is
jcholast commented:
"""
@mbasti-rh, `ipa-certupdate` has to be run on *all* systems in the domain after
installing a CA. How do you propose we do that from `ipa-ca-install`? Anyway,
the
mbasti-rh commented:
"""
> @tomaskrizek FYI, the current documentation states that ipa-certupdate must
> be run after ipa-ca-install (see
>
flo-renaud commented:
"""
@tomaskrizek FYI, the current documentation states that ipa-certupdate must be
run after ipa-ca-install (see
tomaskrizek commented:
"""
I've tested the following use cases:
- CA-less replica promotion domlvl1: *ldapssl running*; but the following
behaviour is present: If `ipa-ca-install` is
frasertweedale commented:
"""
FWIW, this one does not break CA-ful replica promotion.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/355#issuecomment-268432611
tomaskrizek commented:
"""
89de60c was reverted because while it fixed this particular use case, it broke
others. IIRC it broke regular replica promotion with CA.
The proper fix is not
jcholast commented:
"""
This is basically the same as 89de60c5d8ba64d619101a7498b8c4469b6e50ae which
had to be reverted because it is not the proper fix.
I would rather wait for the