Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 02:06 PM, Martin Kosek wrote:
> This should get to 3.2 GA.
>
> --
> ipa-dns-install crashed when it was run on a CA-less server.
>
> https://fedorahosted.org/freeipa/ticket/3617

This solves the issue, ACK

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 02:39 PM, Petr Viktorin wrote:
> On 05/09/2013 02:06 PM, Martin Kosek wrote:
>> This should get to 3.2 GA.
>>
>> --
>> ipa-dns-install crashed when it was run on a CA-less server.
>>
>> https://fedorahosted.org/freeipa/ticket/3617
>
> This solves the issue, ACK

Thanks. Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 9.5.2013 15:14, Martin Kosek wrote:
> On 05/09/2013 02:39 PM, Petr Viktorin wrote:
>> On 05/09/2013 02:06 PM, Martin Kosek wrote:
>>> This should get to 3.2 GA.
>>>
>>> --
>>> ipa-dns-install crashed when it was run on a CA-less server.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3617
>>
>> This solves the issue, ACK
>
> Thanks. Pushed to master.
>
> Martin

Sorry for this, but NACK.

With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash.

You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 05:44 PM, Jan Cholasta wrote:
> On 9.5.2013 15:14, Martin Kosek wrote:
>> On 05/09/2013 02:39 PM, Petr Viktorin wrote:
>>> On 05/09/2013 02:06 PM, Martin Kosek wrote:
>>>> This should get to 3.2 GA.
>>>>
>>>> --
>>>> ipa-dns-install crashed when it was run on a CA-less server.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3617
>>>
>>> This solves the issue, ACK
>>
>> Thanks. Pushed to master.
>>
>> Martin
>
> Sorry for this, but NACK.
>
> With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash.
>
> You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created.
>
> Honza

Sending updated patch, please review if you can.

Martin

From 146d904ec797108f16b73f59ea31554c91cb8957 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 9 May 2013 17:50:15 +0200
Subject: [PATCH] Fix ipa-ca DNS name creation

Previous fix (6d06a7e) did not work properly on a CA-less replica with CA-powered master.

https://fedorahosted.org/freeipa/ticket/3617
---
 ipaserver/install/bindinstance.py | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 5a2450e615cb7d0236721f533c22aeb64b94fe9b..ac86e9e7d5713172772b7868233cfa7da91a9fab 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py
@@ -733,13 +733,17 @@ def __add_ipa_ca_record(self): self.__add_ipa_ca_records(self.fqdn, [self.ip_address], self.ca_configured) -if self.first_instance and self.ca_configured: +if self.first_instance: ldap = api.Backend.ldap2 -entries = ldap.get_entries( -DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), - api.env.basedn), -ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))', -['dn']) +try: +entries = ldap.get_entries( +DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), + api.env.basedn), +ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))', +['dn']) +except errors.NotFound: +root_logger.debug('No server with CA found') +entries = [] for entry in entries: fqdn = entry.dn[1]['cn'] -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
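Review bot: the new "except errors.NotFound:" branch in __add_ipa_ca_record uses errors and root_logger, but the diffstat (10 insertions, 6 deletions) is fully accounted for by this one hunk, so the patch adds no import. Please confirm both names are already imported in bindinstance.py; if either is missing, the CA-less path would fail with a NameError instead of the NotFound crash. A one-line comment above the "try:" stating that NotFound is expected when no master has a CA would also help, now that self.ca_configured is no longer part of the "if self.first_instance" condition. Separately, the search filter as shown, '((objectClass=ipaConfigObject)(cn=CA))', has no operator in front of its two terms on both the removed and the added lines; worth checking that it reads as intended in the tree.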
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 9.5.2013 17:57, Martin Kosek wrote:
> On 05/09/2013 05:44 PM, Jan Cholasta wrote:
>> Sorry for this, but NACK.
>>
>> With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash.
>>
>> You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created.
>>
>> Honza
>
> Sending updated patch, please review if you can.
>
> Martin

Looks good to me, ACK!

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
Jan Cholasta wrote:
> On 9.5.2013 17:57, Martin Kosek wrote:
>> On 05/09/2013 05:44 PM, Jan Cholasta wrote:
>>> Sorry for this, but NACK.
>>>
>>> With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash.
>>>
>>> You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created.
>>>
>>> Honza
>>
>> Sending updated patch, please review if you can.
>>
>> Martin
>
> Looks good to me, ACK!

pushed to master