Bug 431493 - error in ipa-replica-prepare script
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Platform: All Linux
Priority: low
Severity: low
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: freeipa10 429034 430034
Reported: 2008-02-04 18:02 EST by David O'Brien
Modified: 2015-01-04 18:30 EST (History)
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:13:35 EDT
Attachments:
- make replication preparation and installation work again (17.07 KB, patch), 2008-02-05 10:58 EST, Rob Crittenden
- keep the CA PKCS#12 creation with this patch (16.90 KB, patch), 2008-02-05 12:26 EST, Rob Crittenden

Description David O'Brien 2008-02-04 18:02:56 EST
Description of problem:

> When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/ doesn't
> exist. The directory is actually /etc/dirsrv/slapd-AUSTRALIA-COM/

edit /usr/lib/python2.5/site-packages/ipaserver/dsinstance.py and make
config_dirname() look like:

def config_dirname(serverid):
    # realm_to_serverid() (same module) turns the dots of the realm into
    # dashes, so AUSTRALIA.COM maps to /etc/dirsrv/slapd-AUSTRALIA-COM/
    return "/etc/dirsrv/slapd-" + realm_to_serverid(serverid) + "/"

Steps to Reproduce:
1. On a functioning ipa server, run the ipa-replica-prepare script.

  
Comment 1 David O'Brien 2008-02-04 18:20:37 EST
I made the recommended changes to the script and it appears to work now. It
would be nice, however, if the script:

1. Told you what it was going to do
2. Provided feedback and info on what to do next (similar to what
ipa-server-install does)

Is there no "ipaconfig" directory where we could write the replica info file,
instead of just into the dir where the command was run (in this particular case
/root)?
Comment 2 Rob Crittenden 2008-02-05 10:58:25 EST
Created attachment 294008 [details]
make replication preparation and installation work again

This bug opened a real can of worms. It turns out that the way the SSL
certificates are created is that the CA, private key and all, is shipped off to
each replica so that the certificates can be generated. Beyond not wanting to
share the CA all over the place, the certificates that will be generated will
all have duplicate serial numbers. That led to the following changes:

- Use a file to store the current CA serial number
- No longer create a PKCS#12 file that contains the CA
- No longer send the entire CA to each replica; generate the SSL certs on the master
- Fix a number of bugs in ipa-replica-install and ipa-replica-prepare
- Produce status output during replica creation
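The two mechanics this comment and the original report turn on, as an added example that is not part of the bug report or of the FreeIPA code: the realm-to-instance-directory mapping the reporter's fix relies on, and a file-backed CA serial counter of the kind the patch introduces, so that every certificate signed on the master (for the master and each replica) gets a unique serial instead of the duplicates produced when each replica signed with its own copy of the CA. The dot-to-dash mapping, the counter file format and all function names are assumptions.

```python
import fcntl
import os
import tempfile


def realm_to_serverid(realm):
    """Map a Kerberos realm to the 389-ds instance name.
    Assumed mapping: dots become dashes (AUSTRALIA.COM -> AUSTRALIA-COM),
    which is what the directory names in the report show."""
    return realm.replace(".", "-")


def config_dirname(realm):
    """Instance directory for a realm, as in the reporter's suggested fix."""
    return "/etc/dirsrv/slapd-" + realm_to_serverid(realm) + "/"


def next_serial(serial_file, first=1001):
    """Hand out the next CA serial number, persisting the counter in a file.

    Only the master signs, so the counter lives in exactly one place; the
    exclusive lock keeps two concurrent issuances from returning the same
    serial. Copying the CA (and any counter) to each replica is what made
    independently generated certificates collide before the fix."""
    fd = os.open(serial_file, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        data = os.read(fd, 32).strip()
        serial = int(data) + 1 if data else first
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, ("%d\n" % serial).encode())
        os.fsync(fd)
        return serial
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def issue_for_hosts(serial_file, hosts):
    """Issue one Server-Cert serial per host on the master and return them."""
    return {host: next_serial(serial_file) for host in hosts}


def demo():
    """Constructed run: master plus two replicas, counter in a temp file."""
    counter = os.path.join(tempfile.mkdtemp(), "ca-serial")
    serials = issue_for_hosts(counter, ["master", "replica1", "replica2"])
    return serials, config_dirname("IPAQA.COM")
```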
Comment 3 Rob Crittenden 2008-02-05 12:26:41 EST
Created attachment 294022 [details]
keep the CA PKCS#12 creation with this patch

Same patch as before, just keeping the CA PKCS#12 file creation, with a
message added at the end of install to remind the user to back this file up.
Comment 4 Rob Crittenden 2008-02-05 13:53:55 EST
Committed in changeset 621
Comment 5 Yi Zhang 2008-04-08 20:07:46 EDT
QA verified, bug closed.
Build used: 4-8-2008 daily build

The following commands were run to verify the certs:

on ipa master: 
ipaserver-wrong[04/08/08 17:01] certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1001 (0x3e9)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1002 (0x3ea)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n
"Signing-Cert" | grep Serial

on replica server
[root@replica64-1 alias]# certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1004 (0x3ec)
[root@replica64-1 alias]# certutil -L -d /etc/httpd/alias/ -n "Server-Cert" |
grep "Serial"
        Serial Number: 1005 (0x3ed)
