On Mon, 2011-02-14 at 12:00 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:
> >> Martin Kosek <mko...@redhat.com> wrote:
> >>> When v2 IPA client is trying to join an IPA v1 server
> >>> a strange exception is printed out to the user. This patch
> >>> detects this by catching an XML-RPC error reported by ipa-join
> >>> binary called in the process which fails on unexisting IPA server
> >>> 'join' method.
> >>>
> >>> wget call had to be changed so that IPA client may get to the
> >>> ipa-join step. --no-check-certificate had to be added as V1
> >>> server automatically redirects the request to self-signed secure
> >>> connection.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/553
> >>
> >> The patch is ok and applies correctly. My only thought was to download the
> >> certificate directly from https://..../ca.crt instead of plain http, but
> >> there is probably no real benefit.
> >>
> >> ack
> >>
> >> Jan
> >
> > Jan, thanks for the review. And yes, I could not see a benefit too.
> > Since the IPA server certificate is not a confidential information the
> > secure connection is not needed. And since we do not trust the server's
> > certificate in this step of installation and --no-check-certificate is
> > used, a secure connection would be used for server identity validation
> > either.
> >
> > Therefore, I would ask for the patch to be pushed.
> >
> > Martin
>
> I can't duplicate the behavior of it redirecting to the SSL port. The
> /ipa/config directory is purposely excluded from the SSL redirect for
> this purpose, even on v1 servers. Can we drop that part of the patch?
>
> rob

I experience this behavior on IPA v1 running on RHEL 5.5 with the
following IPA version:

$ rpm -q ipa-server
ipa-server-1.0.0-15.el5ipa

It may have been changed in higher IPA v1 version, like 1.2x. In this
case you may drop this part of the patch.

Martin