Enable LDAPS in replica promotion #29

Closed


@tkrizek tkrizek commented Aug 26, 2016

With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.

https://fedorahosted.org/freeipa/ticket/6226

@HonzaCholasta

LDAPS is not enabled during replica promotion because of this condition in DS setup:

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L391

Maybe we can remove the condition rather than add ds.enable_ssl()?

@tkrizek tkrizek force-pushed the t6226 branch 2 times, most recently from 2ddf255 to 7ccf6dc Compare August 29, 2016 15:02

tkrizek commented Aug 29, 2016

@jcholast I'm not certain that enabling the LDAPS before replica promotion finishes won't have some unintended side effects.


simo5 commented Aug 29, 2016

@jcholast we can't enable ssl there as the cert is not available yet, look a few lines later:
https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dsinstance.py#L397


simo5 commented Aug 29, 2016

That said, we should probably enable_ssl right after we get the cert and restart DS, and not in replicainstall.py


tkrizek commented Aug 29, 2016

I've updated the PR based on the comments, please review.


simo5 commented Aug 29, 2016

LGTM

@HonzaCholasta HonzaCholasta added ack Pull Request approved, can be merged pushed Pull Request has already been pushed labels Aug 30, 2016