On 07/30/2012 10:54 AM, Jan Cholasta wrote: > Dne 27.7.2012 22:50, Rob Crittenden napsal(a): >> Jan Cholasta wrote: >>> Dne 25.7.2012 22:58, Rob Crittenden napsal(a): >>>> Jan Cholasta wrote: >>>> >>>>> All these scripts could use more exception handling, but I guess >>>>> potential bugs can be sorted out later. >>>> >>>> Well, they all run in the background so even if they caught errors >>>> nothing would see them unless we decide to syslog errors. >> >> I decided to syslog the errors, there is no other way around this. >> >>>>> >>>>> install/share/default-aci.ldif: >>>>> >>>>> The ACIs are wrong (Kerberos principal instead of ldap URI in >>>>> userdn, in >>>>> 40-delegation.update it is done right). >>>> >>>> Nice catch, not sure how I missed that. Fixed. >>> >>> You forgot to fix the allow(add) one, it still has userdn = >>> "host/$FQDN@$REALM". >>> >> >> Fixed. >> >>> I did: >>> >>> 1. ipa-server-install on host1, using IPA from master >>> 2. ipa-replica-install on host2, using IPA from master >>> 3. update host1 to IPA with your patch applied >>> 4. update host2 to IPA with your patch applied >>> 5. ipa-ca-install on host2 >>> >>> After that, ipaCert is not tracked on host2 at all (I had to add it >>> manually using "getcert start-tracking -d /etc/httpd/alias -n ipaCert -c >>> dogtag-ipa-retrieve-agent-submit -C >>> /usr/lib64/ipa/certmonger/restart_httpd -p /etc/httpd/alias/pwdfile.txt >>> -T ipaCert"). >> >> Fixed, it wasn't being tracked on upgrades. >> >> I filed a ticket for the audit cert renewing for only 6 months. It is a >> dogtag bug. > > OK, thanks. > >> >> I've seen some oddness when testing by moving the date forward, CS >> replication has stopped working. I kick it with ipa-csreplica-manage >> force-sync --from=<master> and that fixes things. This is unrelated to >> my patch. >> >> rob > > ACK. > > Honza >
Pushed to master. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel