[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

Tomas Babej tbabej at redhat.com
Wed Oct 10 13:30:35 UTC 2012


On 10/04/2012 11:06 AM, Tomas Babej wrote:
> On 10/03/2012 07:27 PM, Rob Crittenden wrote:
>> Tomas Babej wrote:
>>> On 10/03/2012 03:31 PM, Tomas Babej wrote:
>>>> On 10/02/2012 08:48 PM, Rob Crittenden wrote:
>>>>> Tomas Babej wrote:
>>>>>> On 09/26/2012 09:32 PM, Rob Crittenden wrote:
>>>>>>> Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Connection error message in ipa-client-install now warns the user
>>>>>>>> about the need of opening 389 port for directory server.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/2816
>>>>>>>>
>>>>>>>> I think this can be pushed as a one-liner.
>>>>>>>
>>>>>>> I think we should list all ports that are required for client
>>>>>>> enrollment.
>>>>>>>
>>>>>>> From my calculations we need at a minimum tcp ports 80 and 389,
>>>>>>> either or both udp/tcp for port 88 and if NTP is enabled 123 udp
>>>>>>> for enrollment alone. The NTP failure won't cause enrollment to
>>>>>>> fail though, so we may be able to skip that.
>>>>>>>
>>>>>>> Similarly 464 should be enabled but we don't use it during 
>>>>>>> enrollment.
>>>>>>>
>>>>>>> rob
>>>>>> I improved the error message. Please check if there are any issues.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Tomas
>>>>>
>>>>> This only works if port 389 is blocked, not 88 or 80.
>>>>>
>>>>> rob
>>>> I tested and added the port configuration info message at the
>>>> appropriate places for TCP 80, 88, 389 ports. I also added the info
>>>> message at the end of installation output. Please consider if you
>>>> agree with this approach.
>>>>
>>>> Tomas
>>> I reworded the commit message, due to the scope of changes made
>>> since the first revision of the patch.
>>>
>>> Tomas
>>
>> Works a lot better, just a few more suggestions:
>>
>> 1. When we fail to retrieve the CA from the remote server we log it 
>> but don't print it. I think this would make it clearer why we think 
>> this isn't an IPA server.
>>
>> 2. Do we need to print the ports message at the end? If it gets this 
>> far then at least ports 80, 88 and 389 are open.
>>
>> I would suggest dropping the last message. I think we should also 
>> open a new ticket and do port checks on the things we need so we can 
>> confirm it up front instead of one-at-a-time.
>>
>> rob
> 1.) Done.
> 2.) Well I had a feeling it was not really necessary too - it adds a 
> lot to the output of the installation, but the user wouldn't be 
> informed about the need of opening 464 port. However, your proposed 
> ticket should solve this issue, and will give more specific 
> information rather than a general advice. See more:
>
> https://fedorahosted.org/freeipa/ticket/3138
>
> I suggest opening a similar ticket for ipa-server-install, at the end 
> we print a general info message about which ports should be open for 
> IPA Server to work properly. Re-using the work done in ticket 3138, we 
> could rather check which particular ports are not opened and therefore 
> give the user more specific information too.
>
> Tomas

Patch now attached, sorry.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0016-5-Notify-user-about-necessary-ports-in-ipa-client-inst.patch
Type: text/x-patch
Size: 4836 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121010/07c46420/attachment.bin>
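
The up-front port check suggested in the thread (confirming the required ports together instead of one at a time) could look like the following. This is an added example, not code from the attached patch or from FreeIPA; `check_tcp_ports`, `format_report` and `ENROLLMENT_TCP_PORTS` are hypothetical names, and only the TCP ports 80, 88 and 389 named in the thread are probed.

```python
import socket

# Ports named in the thread as needed during enrollment. Only the TCP side is
# probed: a UDP "connect" proves nothing about reachability, so 88/udp and
# 123/udp are out of scope for this sketch.
ENROLLMENT_TCP_PORTS = {80: "HTTP", 88: "Kerberos", 389: "LDAP"}


def check_tcp_ports(host, ports, timeout=3.0):
    """Return {port: None if reachable, else a short failure reason}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = None
        except socket.timeout:
            results[port] = "timed out (filtered?)"
        except OSError as exc:
            results[port] = exc.strerror or str(exc)
    return results


def format_report(host, results, names=ENROLLMENT_TCP_PORTS):
    """Build one message listing every unreachable port, or '' if all open."""
    failed = {p: r for p, r in results.items() if r is not None}
    if not failed:
        return ""
    lines = ["Cannot reach %s on the following TCP ports:" % host]
    for port in sorted(failed):
        lines.append("  %d (%s): %s" % (port, names.get(port, "unknown"), failed[port]))
    lines.append("Check the firewall between this client and the server.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo: one local listener stands in for an open port and a
    # just-released port for a blocked one, so this runs without a server.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    open_port = listener.getsockname()[1]
    res = check_tcp_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    print(format_report("127.0.0.1", res, {open_port: "demo-open", closed_port: "demo-closed"}))
    listener.close()
```

Against a real server the call would be `check_tcp_ports(server, ENROLLMENT_TCP_PORTS)`, which reports every blocked port in a single message rather than failing on the first one.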

