Right before rc1 I discovered a problem in ipa-replica-prepare. It was
crashing when trying to generate the SSL certificates. The first time it
failed on nss_shutdown() claiming that NSS wasn't initialized. The
second time because some object was still in use.
I tracked this down to a change that enables replication. This happens
using an SSL connection to the server. I'm thinking this is some
interaction with the openldap NSS connection.
The fix is to use an ldapi connection instead.
ticket 965
rob
From 02c91465d361c88cc901e5f97e0c9ef1f1e4656e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 17 Feb 2011 22:53:53 -0500
Subject: [PATCH] Fix NSS initialization errors during ipa-replica-prepare
When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.
Back out the temporary code to ignore nss_shutdown errors.
ticket 965
---
ipapython/nsslib.py | 6 +-----
ipaserver/install/replication.py | 2 +-
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index fad65a3..129f1a0 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -126,11 +126,7 @@ class NSSConnection(httplib.HTTPConnection):
if nss.nss_is_initialized():
# close any open NSS database and use the new one
ssl.clear_session_cache()
- try:
- nss.nss_shutdown()
- except NSPRError, e:
- # FIXME: errors shouldn't be raised here
- logging.debug('nss_shutdown: %s', str(e))
+ nss.nss_shutdown()
nss.nss_init(dbdir)
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
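Review bot: removing the try/except around nss.nss_shutdown() in NSSConnection means any NSPRError raised by shutdown now propagates out of the connection constructor again; the commit message attributes the original failure to the SSL path in enable_replication_version_checking rather than to this code, so that is the intended behaviour, but it is worth confirming that nothing else in ipa-replica-prepare still holds an NSS object (an open SSL socket, a certificate handle) when this branch runs, otherwise the "object still in use" error comes back as an unhandled exception instead of a debug log line. Also check whether NSPRError is still referenced anywhere in nsslib.py after this change, since the removed except clause may have been its only use and the import would then be dead.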
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0bf0e21..8158197 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -60,7 +60,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
enabled then enable it and restart 389-ds. If it is enabled
the do nothing.
"""
- conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
+ conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True)
if dirman_passwd:
conn.do_simple_bind(bindpw=dirman_passwd)
else:
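Review bot: switching to ipaldap.IPAdmin(hostname, realm=realm, ldapi=True) turns this into a local Unix-socket (ldapi) connection, so hostname is still passed but no longer determines where the connection goes; either the docstring and the hostname parameter of enable_replication_version_checking should state that the function only operates on the local 389-ds instance, or the hostname argument should be dropped so callers do not assume it can target a remote replica. The else branch that binds without dirman_passwd lies outside the hunk; confirm that its bind method works over ldapi as well, since the previous ldaps connection over PORT with cacert=CACERT is no longer established.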
--
1.7.3.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel