[Freeipa-devel] [PATCHES] Re: Changes to use a single database for dogtag and IPA

Petr Viktorin pviktori at redhat.com
Thu Nov 22 14:30:34 UTC 2012


On 11/22/2012 11:01 AM, Martin Kosek wrote:
> On 11/21/2012 01:29 PM, Petr Viktorin wrote:
>> On 11/19/2012 05:35 PM, Martin Kosek wrote:
>>> On 11/15/2012 03:19 PM, Petr Viktorin wrote:
>>>> Recently, the specfile changed (dce53e4) and the patch for changed Dogtag
>>>> defaults made it to master independently (91e477b). Attaching rebased patch.
>>>>
>>>> Note that to continue development on f17, you will need to use the dogtag-devel
>>>> repo:
>>>>     sudo yum-config-manager --add-repo=http://nkinder.fedorapeople.org/dogtag-devel/dogtag-devel-fedora.repo
>>>>
>>>>
>>>>
>>>> On 11/13/2012 03:57 PM, Petr Viktorin wrote:
>>>> [...]
>>>>>
>>>>> For convenience, I've also pushed the changes to a personal repository.
>>>>> To fetch to branch "pviktori-dogtag-10" you can do:
>>>>>
>>>>>        git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10
>>>>>
>>>>
>>>
>>> I went through all the patches again, I found one more issue with the schema
>>> check. As it binds to Directory Server anonymously when retrieving the schema
>>> and tests if "ipaObject" objectclass is present, it can fail and crash when
>>> anonymous binds are not allowed for the Dogtag DS instance. This is what I get
>>> when I disabled anonymous binds and run ipa-replica-install --setup-ca (a
>>> script to turn anonymous binds off attached):
>>>
>>> [root@vm-104 ~]# ipa-replica-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg --setup-ca
>>> Directory Manager (existing master) password:
>>>
>>> Run connection check to master
>>> [...]
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> LDAP error: INAPPROPRIATE_AUTH
>>> Anonymous access is not allowed
>>>
>>> If possible, it would be good to authenticate first. This should be doable; we
>>> have a Directory Manager password available, after all. Some schema retrieval
>>> code that we already have in IPA can be found in the SchemaCache class in ldap2.py.
>>
>> Good point. Attaching updated patch.
>>
>>> We may also want to have some flag similar to --skip-conncheck which would
>>> allow an admin with an issue like this one to skip the check when he is certain that
>>> he copied the schema files.
>>
>> I named it --skip-schema-check.
>>
>>> Adding Ade to check that this scenario is actually sane and Dogtag is supposed
>>> to work with anonymous access disabled for its DS instance.
>>>
>>> When reading the patches, I also saw a few places with the magic constant "7389"
>>> (your "Fix schema replication from old masters" patch and Ade's patch). I
>>> wonder, would "dogtag.Dogtag9Constants.DS_PORT" be more readable?
>>
>> Fixed in this patch, I'll look at the other one soon.
>>
>>
>>
>> For anyone who wants to test: I keep my Github branch updated. Re-running the
>> fetch command will overwrite your branch with the latest changes.
>> When the current issues are solved I'll repost all patches again in a single mail.
>>
>
> This works fine. I just think that it may be useful to print some info like
> 'Schema check failed, you can use --skip-schema-check to....' in case the
> following lines throw an exception:
>
> +    connection = ldap2.IPASimpleLDAPObject(ca_ldap_url)
> +    connection.start_tls_s()
> +    connection.simple_bind_s(DN(('cn', 'Directory Manager')),
> +                             config.dirman_password)
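Review bot: the bind sequence in these four lines has no error handling, so a failure in start_tls_s() or simple_bind_s() surfaces as the bare python-ldap message (the "Can't contact LDAP server" shown below) without saying which directory server was being contacted. Wrap them in a try/except that catches ldap.LDAPError (not a bare Exception, which would also swallow programming errors) and re-raise with a message that includes ca_ldap_url, so an admin can tell a failure against the Dogtag DS instance on port 7389 apart from one against the main IPA instance.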
>
> This is the output I received when dirsrv@PKI-IPA on my IPA 2.2 master was down;
> the error was not very descriptive:
>
> # ipa-ca-install replica-info-vm-104.idm.lab.bos.redhat.com.gpg
> Directory Manager (existing master) password:
> ...
> Connection from master to replica is OK.
>
> Connection check OK
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Can't contact LDAP server
> #
>
>
> Something like:
>
> try:
>     connection stuff...
> except Exception:
>     print the info
>     raise
>
> Martin
>

Thanks. Attaching patch with such a message added. I've not included the 
suggestion to use --skip-schema-check, we want the user to fix the 
problem rather than skip the check.

I've also included Ade's patch rebased to current master.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-alee-0001-06-Changes-to-use-a-single-database-for-dogtag-and-IPA.patch
Type: text/x-patch
Size: 36145 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121122/5a667664/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0095-04-Fix-schema-replication-from-old-masters.patch
Type: text/x-patch
Size: 13040 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121122/5a667664/attachment-0001.bin>
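The thread discusses a schema check that retrieves the Dogtag DS instance's schema, verifies that the ipaObject objectClass is present, binds as Directory Manager rather than anonymously, and reports a descriptive error (or is bypassed with --skip-schema-check) when the directory server cannot be reached. The following is an added example of that check, written for this page and not code from the FreeIPA patches. It assumes python-ldap, a standard 389-ds `cn=schema` entry, and that the CA DS instance is reachable at a `ca_ldap_url` of the form `ldap://master:7389`; the objectClass definitions and OIDs in `SAMPLE_OBJECTCLASSES` are constructed placeholders, not the real IPA schema.

```python
"""Authenticated schema check for a Dogtag DS instance (added example).

The pure helpers (parsing and error reporting) run without python-ldap;
fetch_objectclasses() imports ldap lazily when a real server is queried.
"""
import re

# Constructed sample of a cn=schema entry's objectClasses values. The OIDs
# are placeholders and are not the real IPA or Dogtag OIDs.
SAMPLE_OBJECTCLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 4512' )",
    "( 1.3.6.1.4.1.99999.1.1 NAME 'ipaObject' SUP top AUXILIARY "
    "MUST ( ipaUniqueID ) X-ORIGIN 'example' )",
    "( 1.3.6.1.4.1.99999.1.2 NAME ( 'pkiUser' 'pkiuser' ) SUP top "
    "STRUCTURAL MAY cn X-ORIGIN 'example' )",
]

# RFC 4512 objectClass descriptions carry either NAME 'x' or NAME ( 'x' 'y' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


class SchemaCheckError(Exception):
    """Raised when the schema cannot be retrieved or lacks a required class."""


def objectclass_names(definitions):
    """Return the lower-cased NAMEs declared by a list of objectClass definitions."""
    names = set()
    for definition in definitions:
        match = _NAME_RE.search(definition)
        if match is None:
            continue
        if match.group(1) is not None:
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']*)'", match.group(2)))
    return names


def has_objectclass(definitions, name):
    """True if an objectClass called `name` (case-insensitive) is defined."""
    return name.lower() in objectclass_names(definitions)


def describe_failure(exc, ca_ldap_url):
    """Turn a python-ldap exception into a message that names the server.

    python-ldap exceptions carry a dict with 'desc' and optionally 'info'
    (e.g. desc="Inappropriate authentication", info="Anonymous access is
    not allowed"); anything else is stringified.
    """
    detail = exc.args[0] if exc.args else {}
    if isinstance(detail, dict):
        desc = detail.get('desc') or type(exc).__name__
        info = detail.get('info')
    else:
        desc, info = str(detail), None
    msg = "Could not retrieve the schema from %s: %s" % (ca_ldap_url, desc)
    if info:
        msg += " (%s)" % info
    return msg + (". Check that the CA directory server on the existing master "
                  "is running and accepts TLS binds as Directory Manager.")


def fetch_objectclasses(ca_ldap_url, dirman_password):
    """Bind as Directory Manager over STARTTLS and read cn=schema objectClasses.

    Binding authenticated (instead of anonymously) is what keeps this working
    on a DS instance where anonymous access has been disabled.
    """
    import ldap  # lazy: only needed when talking to a real server
    conn = ldap.initialize(ca_ldap_url)
    try:
        conn.start_tls_s()
        conn.simple_bind_s('cn=Directory Manager', dirman_password)
        result = conn.search_s('cn=schema', ldap.SCOPE_BASE,
                               '(objectClass=*)', ['objectClasses'])
    except ldap.LDAPError as e:
        raise SchemaCheckError(describe_failure(e, ca_ldap_url))
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass
    if not result:
        raise SchemaCheckError("No cn=schema entry returned by %s" % ca_ldap_url)
    _dn, attrs = result[0]
    values = attrs.get('objectClasses', [])
    return [v.decode('utf-8') if isinstance(v, bytes) else v for v in values]


def check_schema(ca_ldap_url, dirman_password, skip_schema_check=False,
                 required=('ipaObject',), fetch=fetch_objectclasses):
    """Verify the master's CA DS carries the IPA schema.

    Returns None when skipped (the --skip-schema-check case), otherwise the
    set of objectClass names found. `fetch` is injectable for testing.
    """
    if skip_schema_check:
        return None
    definitions = fetch(ca_ldap_url, dirman_password)
    missing = [oc for oc in required if not has_objectclass(definitions, oc)]
    if missing:
        raise SchemaCheckError(
            "The CA directory server at %s is missing objectClass(es) %s; "
            "copy the IPA schema files to that instance before retrying."
            % (ca_ldap_url, ", ".join(missing)))
    return objectclass_names(definitions)
```

The check distinguishes three outcomes an admin cares about: the server was unreachable or refused the bind (message names the URL and the LDAP diagnostic), the server answered but the IPA schema was never copied there (message names the missing class), and the check was deliberately skipped.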

