Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Petr Viktorin

On 05/09/2013 02:06 PM, Martin Kosek wrote:

This should get to 3.2 GA.

--
ipa-dns-install crashed when it was run on a CA-less server.

https://fedorahosted.org/freeipa/ticket/3617



This solves the issue, ACK

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Martin Kosek
On 05/09/2013 02:39 PM, Petr Viktorin wrote:
 On 05/09/2013 02:06 PM, Martin Kosek wrote:
 This should get to 3.2 GA.

 -- 
 ipa-dns-install crashed when it was run on a CA-less server.

 https://fedorahosted.org/freeipa/ticket/3617

 
 This solves the issue, ACK
 

Thanks. Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Jan Cholasta

On 9.5.2013 15:14, Martin Kosek wrote:

On 05/09/2013 02:39 PM, Petr Viktorin wrote:

On 05/09/2013 02:06 PM, Martin Kosek wrote:

This should get to 3.2 GA.

--
ipa-dns-install crashed when it was run on a CA-less server.

https://fedorahosted.org/freeipa/ticket/3617



This solves the issue, ACK



Thanks. Pushed to master.

Martin



Sorry for this, but NACK. With this patch ipa-ca records are not created 
for existing masters unless ipa-dns-install is run on a replica which 
has CA configured. You should instead put the ldap.get_entries() call in 
a try/except block and ignore the NotFound exception which causes the crash.


You can test it by installing IPA without --setup-dns and without 
--external-ca on server1 and then installing a replica with --setup-dns 
and without --setup-ca on server2. After this, ipa-ca record for server1 
should be created.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Martin Kosek
On 05/09/2013 05:44 PM, Jan Cholasta wrote:
 On 9.5.2013 15:14, Martin Kosek wrote:
 On 05/09/2013 02:39 PM, Petr Viktorin wrote:
 On 05/09/2013 02:06 PM, Martin Kosek wrote:
 This should get to 3.2 GA.

 -- 
 ipa-dns-install crashed when it was run on a CA-less server.

 https://fedorahosted.org/freeipa/ticket/3617


 This solves the issue, ACK


 Thanks. Pushed to master.

 Martin

 
 Sorry for this, but NACK. With this patch ipa-ca records are not created for
 existing masters unless ipa-dns-install is run on a replica which has CA
 configured. You should instead put the ldap.get_entries() call in a try/except
 block and ignore the NotFound exception which causes the crash.
 
 You can test it by installing IPA without --setup-dns and without --external-ca
 on server1 and then installing a replica with --setup-dns and without
 --setup-ca on server2. After this, ipa-ca record for server1 should be created.
 
 Honza
 

Sending updated patch, please review if you can.

Martin
From 146d904ec797108f16b73f59ea31554c91cb8957 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 9 May 2013 17:50:15 +0200
Subject: [PATCH] Fix ipa-ca DNS name creation

Previous fix (6d06a7e) did not work properly on a CA-less replica
with CA-powered master.

https://fedorahosted.org/freeipa/ticket/3617
---
 ipaserver/install/bindinstance.py | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 5a2450e615cb7d0236721f533c22aeb64b94fe9b..ac86e9e7d5713172772b7868233cfa7da91a9fab 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -733,13 +733,17 @@ def __add_ipa_ca_record(self):
 self.__add_ipa_ca_records(self.fqdn, [self.ip_address],
   self.ca_configured)
 
-if self.first_instance and self.ca_configured:
+if self.first_instance:
 ldap = api.Backend.ldap2
-entries = ldap.get_entries(
-DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
-   api.env.basedn),
-ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))',
-['dn'])
+try:
+entries = ldap.get_entries(
+DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+   api.env.basedn),
+ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))',
+['dn'])
+except errors.NotFound:
+root_logger.debug('No server with CA found')
+entries = []
 
 for entry in entries:
 fqdn = entry.dn[1]['cn']
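
Review bot: the new `except errors.NotFound:` branch and the `root_logger.debug('No server with CA found')` call need `errors` and `root_logger` in scope, and this is the only hunk in the patch, so nothing here imports them; please confirm both are already imported at the top of bindinstance.py, otherwise the CA-less path trades the NotFound crash for a NameError. Separately, the search filter appears here as `'((objectClass=ipaConfigObject)(cn=CA))'` on both the removed and added lines, with no `&` in front of the two clauses, so it is worth checking that the file itself carries a well-formed filter. Since `self.ca_configured` is dropped from the condition, a one-line comment above the `try` saying that an empty result is expected on CA-less deployments would help the next reader.
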
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Jan Cholasta

On 9.5.2013 17:57, Martin Kosek wrote:

On 05/09/2013 05:44 PM, Jan Cholasta wrote:

Sorry for this, but NACK. With this patch ipa-ca records are not created for
existing masters unless ipa-dns-install is run on a replica which has CA
configured. You should instead put the ldap.get_entries() call in a try/except
block and ignore the NotFound exception which causes the crash.

You can test it by installing IPA without --setup-dns and without --external-ca
on server1 and then installing a replica with --setup-dns and without
--setup-ca on server2. After this, ipa-ca record for server1 should be created.

Honza



Sending updated patch, please review if you can.

Martin



Looks good to me, ACK!

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs

2013-05-09 Thread Rob Crittenden

Jan Cholasta wrote:

On 9.5.2013 17:57, Martin Kosek wrote:

On 05/09/2013 05:44 PM, Jan Cholasta wrote:

Sorry for this, but NACK. With this patch ipa-ca records are not created for
existing masters unless ipa-dns-install is run on a replica which has CA
configured. You should instead put the ldap.get_entries() call in a try/except
block and ignore the NotFound exception which causes the crash.

You can test it by installing IPA without --setup-dns and without --external-ca
on server1 and then installing a replica with --setup-dns and without
--setup-ca on server2. After this, ipa-ca record for server1 should be created.

Honza



Sending updated patch, please review if you can.

Martin



Looks good to me, ACK!



pushed to master
