[freeipa PR#4909][opened] Add unauthenticated nsupdate
by fcami
URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
10 months, 3 weeks
[freeipa PR#5256][opened] Handle multiple AJP adapters during upgrade
by cipherboy
URL: https://github.com/freeipa/freeipa/pull/5256
Author: cipherboy
Title: #5256: Handle multiple AJP adapters during upgrade
Action: opened
PR body:
"""
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.
Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.
This patch benefits IPA in the scenario when:
1. `pkispawn` runs on an older PKI version (pre-AJP secret, so ~8.2?)
2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
resulting in split IPv4/IPv6 adapters -- this would only happen
on a direct migration from 8.2 -> 8.4
3. ipa upgrade script then runs to provision an AJP secret value for
use with both Dogtag and IPA.
Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.
`Signed-off-by: Alexander Scheel <ascheel(a)redhat.com>`
---
Is this scenario likely? Or will IPA have provisioned a secret anyway on older PKI versions? I do not know.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5256/head:pr5256
git checkout pr5256
1 year, 1 month
[freeipa PR#5071][opened] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
by fcami
URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened
PR body:
"""
Some IPA updates are expensive in term of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.
When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor to the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.
Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.
Explanation provided by Thierry Bordaz.
Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
1 year, 3 months
[freeipa PR#5264][opened] [ipatests] Raise log level of 389-ds replication
by stanislavlevin
URL: https://github.com/freeipa/freeipa/pull/5264
Author: stanislavlevin
Title: #5264: [ipatests] Raise log level of 389-ds replication
Action: opened
PR body:
"""
- change log level for replication debugging
According to the docs:
```
default level of logging(16384) used for critical errors and other messages that are always
written to the error log. Messages at this level are always included in the error log, regardless
of the log level setting.
```
- always flush the access logs to filesystem
During the testing access logs may be written with a significant delay, this results in logs are not collected by this test node, but for example, the next one.
- as of now, the changes on `cn=config` are made after the installation of a server or replica. If an error occurs during these stages, then the actual log level will be the default and not as expected.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5264/head:pr5264
git checkout pr5264
1 year, 3 months