[Freeipa-devel] [PATCH] 0026 Split replica installation in dsinstance

Simo Sorce ssorce at redhat.com
Fri Dec 10 14:14:12 UTC 2010


On Fri, 10 Dec 2010 14:03:08 +0100
Jakub Hrozek <jhrozek at redhat.com> wrote:

> 
> On 12/08/2010 01:59 PM, Simo Sorce wrote:
> > On Wed, 8 Dec 2010 08:25:25 +0100
> > Jan Zelený <jzeleny at redhat.com> wrote:
> > 
> >> Simo Sorce <ssorce at redhat.com> wrote:
> >>> This patch allows patch 0025 to work properly for replica
> >>> installation so it is a prereq for it now.
> >>>
> >>> It splits installation so that certain steps can be done after the
> >>> tree has been replicated without having them wiped out, like the
> >>> creation of the replica master entry under
> >>> cn=masters,cn=ipa,cn=etc
> >>>
> >>> It also introduces a dependency on the replica file having the
> >>> ca.crt in it. And installs it by default under /etc/ipa/ca.crt
> >>> (the httpinstance later on also stores it
> >>> under /usr/share/ipa/html/ca.crt)
> >>>
> >>> This patch also makes sure the memberof fixup task is run *after*
> >>> initial replication, just to make sure. Technically the memberof
> >>> plugin is already activated so memberof entries should be properly
> >>> created while replication goes through. But better be thorough.
> >>>
> >>> Replication is now started within dsinstance.py and not after ds
> >>> is setup, as one of the dsinstance creation steps.
> >>>
> >>> Initial testing gave no issues to me.
> >>>
> >>> Simo.
> >>
> >> Can you please attach the patch? ;-)
> > 
> > Oh, I thought you'd just trust me :-D
> > 
> > Attached.
> > Simo.
> > 
> 
> Two comments:
> If I understand it correctly, only the HTTP instance should now use the
> cert in /usr/share/ipa/html/ca.crt, perhaps the CACERT variable in
> ipaserver/install/dsinstance.py should be changed to point to
> /etc/ipa/ca.crt, too.

No, the /usr/share/ipa/html/ca.crt is only the public copy so that
clients can download it from the web server.
The DB is in /etc/http/alias

And yes, the CACERT var should be changed, good catch!

> The conn.connect() call in ipa-replica-install could pass
> tls_cacertfile=CACERT since we already called install_ca_cert().

Good catch!

> My installation testing with this patch went OK.

Thanks, I will make the changes and resubmit.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
