On 08/26/2011 06:30 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
On 08/26/2011 02:34 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile" but
since the file is actually a symlink, it needs to be "islink". This
one checks for either.
Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output) I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf
That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).
Ok, it turns out permissions are not the real issue as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0

Still a Nack of course, it needs to work with selinux in enforcing mode

Simo.

This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.
The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. Whatever the issue is with this patch it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode.

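As an added illustration of the isfile/islink point raised earlier in the thread (this is not code from the patch or from FreeIPA), the constructed scenario below shows why os.path.isfile() alone misses a symlinked conf file once its target is gone, and why the combined "either" check can still accept a link that the web server will not be able to read. The directory layout and file content are placeholders standing in for /etc/httpd/conf.d and /etc/pki-ca.

```python
import os
import tempfile


def classify_conf(path):
    """Report how one config path looks to several different checks.

    isfile() follows the symlink, so it is False for a dangling link or a
    link whose target cannot be stat'ed; islink() only inspects the link
    itself; 'either' is the combined test from the patch; 'readable' asks
    whether the current user can actually open what the link points at.
    """
    return {
        "isfile": os.path.isfile(path),
        "islink": os.path.islink(path),
        "either": os.path.isfile(path) or os.path.islink(path),
        "readable": os.access(path, os.R_OK),
    }


def demo():
    """Constructed scenario: a conf.d symlink pointing into a pki-ca dir.

    Returns the classification while the target exists and again after the
    target is removed, so the two checks can be compared side by side.
    """
    with tempfile.TemporaryDirectory() as root:
        confd = os.path.join(root, "conf.d")    # stands in for /etc/httpd/conf.d
        pkica = os.path.join(root, "pki-ca")    # stands in for /etc/pki-ca
        os.makedirs(confd)
        os.makedirs(pkica)
        target = os.path.join(pkica, "proxy-ipa.conf")
        link = os.path.join(confd, "proxy-ipa.conf")
        with open(target, "w") as fh:
            fh.write("ProxyRequests Off\n")     # constructed placeholder content
        os.symlink(target, link)
        present = classify_conf(link)
        os.remove(target)                       # the link now dangles
        dangling = classify_conf(link)
        return present, dangling


if __name__ == "__main__":
    for label, result in zip(("target present", "target missing"), demo()):
        print(label, result)
```

Run during installation, the 'readable' check only tells you what the installing user can open; it says nothing about what a confined httpd process will be allowed to read under SELinux, which is the failure the thread ran into.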
