[Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

Petr Viktorin pviktori at redhat.com
Tue Oct 2 13:02:19 UTC 2012 

On 10/01/2012 05:02 PM, Ade Lee wrote:
> On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:
>> On 10/01/2012 03:35 PM, Petr Viktorin wrote:
>>> On 09/27/2012 10:26 AM, Petr Viktorin wrote:
>>>> On 09/20/2012 05:58 AM, Ade Lee wrote:
>>>>> Changes to use a single database for dogtag and IPA
>>>>>
>>>>>       New servers that are installed with dogtag 10 instances will use
>>>>>       a single database instance for dogtag and IPA, albeit with different
>>>>>       suffixes.  Dogtag will communicate with the instance through a
>>>>>       database user with permissions to modify the dogtag  suffix only.
>>>>>       This user will authenticate using client auth using the subsystem
>>>>> cert
>>>>>       for the instance.
>>>>>
>>>>>       This patch includes changes to allow the creation of masters and
>>>>> clones
>>>>>       with single ds instances.
>>>>>
>>>>> I have tested being able to create a master and a clone using f17 and
>>>>> dogtag 10.  Note that you will need to use the latest builds on the
>>>>> dogtag repo to get some changes that were checked in today.  We'll kick
>>>>> off another official f18 dogtag build in a day or so.
>>>>>
>>>>> This is a pretty big change - so I expect many issues to come up as
>>>>> things get tested.  But as this will take awhile to get resolved, its
>>>>> better to get this out for review as fast as possible.
>>>>>
>>>>> Happy reviewing.
>>>>>
>>>>> Ade
>>>>>
>>>>>
>>>>
>>>> Attaching a rebased patch with a couple of style issues fixed.
>>>> - PEP8 compliance (remove trailing whitespace, use parentheses rather
>>>> than \ for line continuation, wrap touched lines at 80 characters)
>>>> - for files, use the with statement instead of the "open/close sandwich"
>>>> - don't mix tabs and spaces in install/share/certmap.conf.template
>>>>
>>>> I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
>>>> now obsoletes pki-setup.
>>>>
>>>>
>>>> I still need selinux in permissive mode to install on f17, and I still
>>>> need to exclude *.i686 packages when updating.
>>>>
>>>
>>> Are the following limitations expected?
>>>
>>> IPA and Dogtag have to be updated simultaneously; it's not possible to have
>>> current IPA master with Dogtag 10, or IPA with this patch with D9.
>>>
>>> It is not possible to create a replica from a machine with a single DS to an
>>> older version without the patch -- the older version will try the wrong ports.
>>
>> In this case, I think we are covered - we do not support installation of a
>> replica with a lower version than the master where the replica info file was
>> created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
>> this for next version release. For 3.0 I think we will have to settle with a
>> note in Documentation.
>>
>
> There is currently a dogtag bug where when the master is dogtag 9 (or
> dogtag 9 converted to 10), and the clone is dogtag 10, the clone will
> fail to get the installation token from the security domain.  This is
> because the dogtag 10 code tries the new restful interface call -- which
> is not present on a dogtag 9 subsystem.
> https://fedorahosted.org/pki/ticket/334
>
>
> This has been fixed in the latest dogtag 10 nightly builds.  And will be
> in the next dogtag 10 official build, which we plan to create and
> release today.
>
> Incidentally, to see whats coming up in the new dogtag build, look for
> the 10.0.0-0.X.a2 milestone (plus some of what is closed in 9.0.24)
>

Okay, testing with the dogtag-devel repo, on f17.

The following scenarios don't work:

- Start with a master on D9
- install a replica on D10, without a CA
- run ipa-ca-install on the replica
   ipa-replica-conncheck: error: no such option: --dogtag-master-ds-port


- Start with a master on D9
- install a replica without a CA (either Dogtag version)
- Update all machines
- run ipa-ca-install on the replica
   com.netscape.certsrv.base.PKIException: 
com.netscape.certsrv.base.PKIException: Failed to obtain installation 
token from security domain

I get the following errors in catalina.out on the replica:
08:40:11,149 DEBUG 
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to 
retrieve ServletContext: expandEntityReferences defaults to true
08:40:11,158 DEBUG 
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to 
retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not a PKCS #11 
certificate|FAILURE: authz instance DirAclAuthz initialization failed 
and skipped, error=Property internaldb.ldapconn.port missing value|


-- 
Petr³

More information about the Freeipa-devel mailing list