Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup #4

Closed
wants to merge 1 commit into from

@pspacek pspacek commented Aug 22, 2016

@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label Aug 22, 2016
@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Aug 22, 2016
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 17, 2019
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master and a client
2. add ldap_deref_threshold=0 to sssd.conf
3. add an ipa user
4. ssh from client to master using the user created in step 3

related ticket: https://pagure.io/SSSD/sssd/issue/3979

Removed test_client.py since this test has been added to test_commands.py.
SSH after adding performance parameter is tested from controller
machine instead of a client machine.

Patch freeipa#2
Fixed missing import

Patch freeipa#3
Added test cleanup post test

Patch freeipa#4
Used modify_sssd_conf instead of parsing lines

Patch freeipa#5
Added pytest.xfail based on the sssd package version

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 18, 2019
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master and a client
2. add ldap_deref_threshold=0 to sssd.conf
3. add an ipa user
4. ssh from client to master using the user created in step 3

related ticket: https://pagure.io/SSSD/sssd/issue/3979

Removed test_client.py since this test has been added to test_commands.py.
SSH after adding performance parameter is tested from controller
machine instead of a client machine.

Patch freeipa#2
Fixed missing import

Patch freeipa#3
Added test cleanup post test

Patch freeipa#4
Used modify_sssd_conf instead of parsing lines

Patch freeipa#5
Added pytest.xfail based on the sssd package version

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 18, 2019
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master and a client
2. add ldap_deref_threshold=0 to sssd.conf
3. add an ipa user
4. ssh from client to master using the user created in step 3

related ticket: https://pagure.io/SSSD/sssd/issue/3979

Removed test_client.py since this test has been added to test_commands.py.
SSH after adding performance parameter is tested from controller
machine instead of a client machine.

Patch freeipa#2
Fixed missing import

Patch freeipa#3
Added test cleanup post test

Patch freeipa#4
Used modify_sssd_conf instead of parsing lines

Patch freeipa#5
Added pytest.xfail based on the sssd package version

Patch freeipa#6
Replaced `rpm -qa sssd` call to `sssd --version`
Added kinit <username> call

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   ldapmodify -D cn="Directory Manager" -w <passwd>
   dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
   changetype: modify
   replace: ipaconfigstring
   ipaconfigstring: pkinitEnabled
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Patch freeipa#2
fixed linting errors

Patch freeipa#3
Fixed review comments

Patch freeipa#4
Removed hard coded realm
Other minor changes

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   ldapmodify -D cn="Directory Manager" -w <passwd>
   dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
   changetype: modify
   replace: ipaconfigstring
   ipaconfigstring: pkinitEnabled
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Patch freeipa#2
fixed linting errors

Patch freeipa#3
Fixed review comments

Patch freeipa#4
Removed hard coded realm
Other minor changes
Fixed import error

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from client to master using the user created in step 3

related ticket: https://pagure.io/SSSD/sssd/issue/3979

Removed test_client.py since this test has been added to test_commands.py.
SSH after adding performance parameter is tested from controller
machine instead of a client machine.

Patch freeipa#2
Fixed missing import

Patch freeipa#3
Added test cleanup post test

Patch freeipa#4
Used modify_sssd_conf instead of parsing lines

Patch freeipa#5
Added pytest.xfail based on the sssd package version

Patch freeipa#6
Replaced `rpm -qa sssd` call to `sssd --version`
Added kinit <username> call

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

related ticket: https://pagure.io/SSSD/sssd/issue/3979

Removed test_client.py since this test has been added to test_commands.py.
SSH after adding performance parameter is tested from controller
machine instead of a client machine.

Patch freeipa#2
Fixed missing import

Patch freeipa#3
Added test cleanup post test

Patch freeipa#4
Used modify_sssd_conf instead of parsing lines

Patch freeipa#5
Added pytest.xfail based on the sssd package version

Patch freeipa#6
Replaced `rpm -qa sssd` call to `sssd --version`
Added kinit <username> call

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   ldapmodify -D cn="Directory Manager" -w <passwd>
   dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
   changetype: modify
   replace: ipaconfigstring
   ipaconfigstring: pkinitEnabled
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Patch freeipa#2
fixed linting errors

Patch freeipa#3
Fixed review comments

Patch freeipa#4
Removed hard coded realm
Other minor changes
Fixed import error

Patch freeipa#5
added test to nightly yamls

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Jul 24, 2019
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   ldapmodify -D cn="Directory Manager" -w <passwd>
   dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
   changetype: modify
   replace: ipaconfigstring
   ipaconfigstring: pkinitEnabled
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Patch freeipa#2
fixed linting errors

Patch freeipa#3
Fixed review comments

Patch freeipa#4
Removed hard coded realm
Other minor changes
Fixed import error

Patch freeipa#5
added test to nightly yamls

Patch freeipa#6
removed test added to fedora 28 nightly as it is not needed

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
frasertweedale added a commit to frasertweedale/freeipa that referenced this pull request Jun 30, 2020
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step freeipa#4.

Fixes: https://pagure.io/freeipa/issue/7188
frasertweedale added a commit to frasertweedale/freeipa that referenced this pull request Jul 9, 2020
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step freeipa#4.

Fixes: https://pagure.io/freeipa/issue/7188
frasertweedale added a commit to frasertweedale/freeipa that referenced this pull request Jul 9, 2020
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step freeipa#4.

Fixes: https://pagure.io/freeipa/issue/7188
frasertweedale added a commit to frasertweedale/freeipa that referenced this pull request Jul 15, 2020
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step freeipa#4.

Fixes: https://pagure.io/freeipa/issue/7188
menonsudhir pushed a commit to menonsudhir/freeipa that referenced this pull request Jul 16, 2020
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Execute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step freeipa#4.

Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
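
The ca_host decision described in the ipa-certupdate commit message above, as an added example that is not FreeIPA's code and not part of the commit. `LocalConf`, `Plan`, `plan_update` and the `example.test` host names are hypothetical; the list of CA masters is assumed to arrive in the order LDAP returned it, and fetching the ra-agent credential whenever it is missing locally is an assumption.

```python
# Added example (not FreeIPA code): the ca_host decision a non-CA replica
# has to make, modelled on the commit message. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class LocalConf:
    """The two default.conf settings the commit message talks about."""
    enable_ra: bool
    ca_host: Optional[str]


@dataclass(frozen=True)
class Plan:
    enable_ra: bool
    ca_host: Optional[str]
    fetch_ra_agent: bool  # retrieve the ra-agent key and certificate
    rewrite_conf: bool    # default.conf needs to be rewritten
    reason: str


def _same_host(a: Optional[str], b: str) -> bool:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return a is not None and a.rstrip(".").lower() == b.rstrip(".").lower()


def plan_update(conf: LocalConf, ca_masters: Sequence[str],
                has_ra_agent: bool) -> Plan:
    """ca_masters: CA servers in the order LDAP returned them (assumed input)."""
    if not ca_masters:
        # Deployment is still CA-less: nothing to change.
        return Plan(conf.enable_ra, conf.ca_host, False, False,
                    "no CA master in topology")
    if conf.enable_ra and any(_same_host(conf.ca_host, m) for m in ca_masters):
        # Already configured against a live CA master: keep the setting.
        return Plan(True, conf.ca_host, not has_ra_agent, False,
                    "ca_host is still a CA master")
    # Either the deployment was promoted to CA-ful, or ca_host points at a
    # server that is no longer a CA master. Use the first server returned;
    # the commit message defers the httpd restart until after this rewrite.
    reason = ("ca_host is not a current CA master" if conf.enable_ra
              else "deployment promoted from CA-less to CA-ful")
    return Plan(True, ca_masters[0], not has_ra_agent, True, reason)


if __name__ == "__main__":
    # Constructed sample: replica installed CA-less, then ipa-ca-install ran
    # on the first server.
    print(plan_update(LocalConf(False, None),
                      ["ca1.example.test", "ca2.example.test"], False))
    # Constructed sample: the configured CA server left the topology.
    print(plan_update(LocalConf(True, "gone.example.test"),
                      ["ca2.example.test"], True))
```
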