[freeipa PR#2580][opened] Issue #7744: Use api.env.server for config.ca_host_name
by jaredledvina
URL: https://github.com/freeipa/freeipa/pull/2580
Author: jaredledvina
Title: #2580: Issue #7744: Use api.env.server for config.ca_host_name
Action: opened
PR body:
"""
Bug: https://pagure.io/freeipa/issue/7744
This is a really quick attempt to fix this bug. Currently, the CA server is always chosen from LDAP. As a result, when installing the CA but passing in `--server`, the replica install will use the server passed in, but the CA install can replicate from another. This leads to lots of confusion when reviewing the replication topology and can lead to replicating the entire CA domain from a high latency link.
This really bites us in production, where new replicas will replicate initially from a server on the other side of the world, and that link has high latency, causing failures midway through the install.
I think this change will work and am happy to test it out. I'd love to see this backported to 4.5.4 but understand if that's not possible.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2580/head:pr2580
git checkout pr2580
5 years, 4 months
[freeipa PR#2706][opened] pkinit enable: use local dogtag only if host has CA
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/2706
Author: flo-renaud
Title: #2706: pkinit enable: use local dogtag only if host has CA
Action: opened
PR body:
"""
## pkinit enable: use local dogtag only if host has CA
`ipa-pkinit-manage enable` is failing if called on a master that does not have a CA instance, because it is trying to contact dogtag on the localhost.
The command should rather use certmonger in this case, and let certmonger contact the right master to request the KDC certificate.
Fixes: https://pagure.io/freeipa/issue/7795
## ipatests: add integration test for pkinit enable on replica
`ipa-pkinit-manage enable` was failing when run on a replica without a CA instance.
Add a test with the following scenario:
- install a replica with `--no-pkinit`
- check that the KDC cert is self signed
- call `ipa-pkinit-manage enable`
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2706/head:pr2706
git checkout pr2706
5 years, 4 months
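The test scenario in PR#2706 hinges on one observable: before `ipa-pkinit-manage enable` the KDC certificate is self-signed, afterwards it chains to the IPA CA. The script below is an added example, not code from the PR or from FreeIPA, that classifies a PEM certificate as self-signed or CA-signed using only the openssl CLI, and builds constructed fixtures for both states so it runs offline. The paths `/var/kerberos/krb5kdc/kdc.crt` and `/etc/ipa/ca.crt` in the usage comment, and the subject names in the fixtures, are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not FreeIPA code): decide whether a KDC certificate is
# self-signed or chains to a given CA, the two states the PR's test
# scenario distinguishes before and after `ipa-pkinit-manage enable`.

# classify_cert CERT CAFILE
# Prints "self-signed", "ca-signed" or "unknown-issuer".
# Self-signed is detected by comparing the subject and issuer names
# (both printed by the same openssl version, so the format matches);
# ca-signed means the certificate verifies against CAFILE.
classify_cert() {
    cert="$1"; cafile="$2"
    subj=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subj=${subj#subject=}; issuer=${issuer#issuer=}
    if [ "$subj" = "$issuer" ]; then
        echo self-signed
    elif openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo ca-signed
    else
        echo unknown-issuer
    fi
}

# make_fixtures
# Builds constructed test material in a temp directory and prints it:
#   ca.crt        a throwaway CA standing in for the IPA CA
#   kdc-ipa.crt   a KDC cert issued by that CA (the "after enable" state)
#   kdc-self.crt  a self-signed KDC cert (the "--no-pkinit" state)
# All names below are assumptions for the demo.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=replica.example.test" \
        -keyout "$d/kdc.key" -out "$d/kdc.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/kdc.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/kdc-ipa.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=replica.example.test" \
        -keyout "$d/self.key" -out "$d/kdc-self.crt" 2>/dev/null
    echo "$d"
}

# On a real IPA master the check would be (paths assumed):
#   classify_cert /var/kerberos/krb5kdc/kdc.crt /etc/ipa/ca.crt
```

Run `classify_cert` before and after `ipa-pkinit-manage enable` on a replica installed with `--no-pkinit`; a transition from `self-signed` to `ca-signed` is the condition the integration test asserts.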
[freeipa PR#2698][opened] replica install: set the same master as preferred source for domain a…
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/2698
Author: flo-renaud
Title: #2698: replica install: set the same master as preferred source for domain a…
Action: opened
PR body:
"""
…nd CA
During ipa-replica-install, the installer creates a ReplicaConfig
object that contains a config.ca_host_name attribute, built from
api.env.ca_host.
This attribute is used as preferred source when asking the DNS for a CA
master from which to initialize the CA instance
(see commit 8decef33 for master selection and preferred host).
In most of the cases, /etc/ipa/default.conf does not contain any
definition for ca_host. In this case, api.env.ca_host is set to
the local hostname.
As a consequence, replica install is trying to use the local host
as preferred source (which does not have any CA yet), and the method
to find the CA source randomly picks the CA in the DNS.
With the fix, the master picked for domain replication is also used as
preferred source for CA/KRA.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2698/head:pr2698
git checkout pr2698
5 years, 4 months
[freeipa PR#2696][opened] Fix server_del tests
by tiran
URL: https://github.com/freeipa/freeipa/pull/2696
Author: tiran
Title: #2696: Fix server_del tests
Action: opened
PR body:
"""
The test case test_removal_of_master_disconnects_both_topologies is
failing because server-del emits an unexpected error message. The test
scenario has a master with DNS server, which gets tested first.
```
Removing master.ipa.test from replication topology, please wait...
ipa: ERROR: Server removal aborted: Deleting this server will leave your installation without a DNS..
```
Don't install any DNS services to get the expected error message. The
DNS server case is handled by another test case.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2696/head:pr2696
git checkout pr2696
5 years, 4 months