[Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance
Simo Sorce
ssorce at redhat.com
Fri Dec 10 14:14:12 UTC 2010
On Fri, 10 Dec 2010 14:03:08 +0100
Jakub Hrozek <jhrozek at redhat.com> wrote:
>
> On 12/08/2010 01:59 PM, Simo Sorce wrote:
> > On Wed, 8 Dec 2010 08:25:25 +0100
> > Jan Zelený <jzeleny at redhat.com> wrote:
> >
> >> Simo Sorce <ssorce at redhat.com> wrote:
> >>> This patch allows patch 0025 to work properly for replica
> >>> installation so it is a prereq for it now.
> >>>
> >>> It splits installation so that certain steps can be done after the
> >>> tree has been replicated without having them wiped out, like the
> >>> creation of the replica master entry under
> >>> cn=masters,cn=ipa,cn=etc
> >>>
> >>> It also introduces a dependency on the replica file having the
> >>> ca.crt in it, and installs it by default under /etc/ipa/ca.crt
> >>> (the httpinstance later on also stores it
> >>> under /usr/share/ipa/html/ca.crt).
> >>>
> >>> This patch also makes sure the memberof fixup task is run *after*
> >>> initial replication, just to make sure. Technically the memberof
> >>> plugin is already activated so memberof entries should be properly
> >>> created while replication goes through. But better be thorough.
> >>>
> >>> Replication is now started within dsinstance.py, as one of the
> >>> dsinstance creation steps, and not after ds is set up.
> >>>
> >>> Initial testing gave no issues to me.
> >>>
> >>> Simo.
> >>
> >> Can you please attach the patch? ;-)
> >
> > Oh, I thought you'd just trust me :-D
> >
> > Attached.
> > Simo.
> >
>
> Two comments:
> If I understand it correctly, only the HTTP instance should now use the
> cert in /usr/share/ipa/html/ca.crt; perhaps the CACERT variable in
> ipaserver/install/dsinstance.py should be changed to point to
> /etc/ipa/ca.crt, too.
No, the /usr/share/ipa/html/ca.crt is only the public copy, so that
clients can download it from the web server.
The DB is in /etc/http/alias
And, yes, the CACERT var should be changed, good catch!
> The conn.connect() call in ipa-replica-install could pass
> tls_cacertfile=CACERT since we already called install_ca_cert().
Good catch!
> My installation testing with this patch went OK.
Thanks, I will make the changes and resubmit.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
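The two review points above (the replica file must carry ca.crt, which gets installed under /etc/ipa/ca.crt, and the LDAP connect call should then verify the master against that file) can be illustrated with a small stand-alone script. This is an added example, not FreeIPA's own installer code: the function names, the placeholder certificate text and the temporary directory layout are assumptions, and the stdlib `ssl` context stands in for the `tls_cacertfile=` argument of the project's own LDAP `connect()` call.

```python
import os
import shutil
import ssl
import stat
import tempfile

# Assumed to match the thread: the system location of the IPA CA certificate.
CACERT = "/etc/ipa/ca.crt"


def find_replica_ca_cert(replica_dir):
    """Return the path of ca.crt inside an extracted replica file, or raise.

    The patch makes ca.crt in the replica file a hard dependency: without it
    the new replica has no trust anchor for the master's TLS certificate, so
    fail closed here rather than fall through to an unverified connection.
    """
    path = os.path.join(replica_dir, "ca.crt")
    if not os.path.isfile(path):
        raise FileNotFoundError("replica file does not contain ca.crt: %s" % replica_dir)
    return path


def install_ca_cert(src, dest=CACERT):
    """Copy the CA certificate to its system location with mode 0644.

    The certificate is public material, so world-readable is fine, but it
    must not be writable by anyone else: whoever can replace this file can
    replace the trust anchor every later TLS check relies on.
    """
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copyfile(src, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
    return dest


def tls_context(cacert=CACERT):
    """Build the TLS settings the LDAP connect call should use.

    Stdlib equivalent of passing tls_cacertfile=CACERT: the server
    certificate must chain to the installed IPA CA and the hostname must
    match, otherwise the handshake fails. Requires a real PEM file.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cacert)
    return ctx


def demo():
    """Run the ca.crt checks against two constructed replica directories.

    Returns a dict describing what happened so the behaviour can be checked
    without touching /etc. The certificate content is a constructed
    placeholder, so tls_context() is not exercised here.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed replica file without ca.crt: installation must refuse.
        bad_replica = os.path.join(tmp, "replica-missing")
        os.makedirs(bad_replica)
        try:
            find_replica_ca_cert(bad_replica)
            results["missing_rejected"] = False
        except FileNotFoundError:
            results["missing_rejected"] = True

        # Constructed replica file with a placeholder ca.crt.
        good_replica = os.path.join(tmp, "replica-ok")
        os.makedirs(good_replica)
        placeholder = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        with open(os.path.join(good_replica, "ca.crt"), "w") as fh:
            fh.write(placeholder)

        dest = os.path.join(tmp, "etc", "ipa", "ca.crt")  # stands in for CACERT
        installed = install_ca_cert(find_replica_ca_cert(good_replica), dest)
        with open(installed) as fh:
            results["content_preserved"] = fh.read() == placeholder
        results["installed_mode"] = stat.S_IMODE(os.stat(installed).st_mode)
    return results


if __name__ == "__main__":
    print(demo())
```

With a real ca.crt in place, `tls_context(CACERT)` is what the replica-side LDAP connection should wrap its socket with; a context created without `load_verify_locations` (or with `verify_mode = ssl.CERT_NONE`) accepts any certificate, which is exactly the gap the `tls_cacertfile=CACERT` suggestion closes.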