Bug 432066 - installation scripts and other parts derive domain name from host name
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Blocks: 429034
Reported: 2008-02-08 12:41 EST by Simo Sorce
Modified: 2015-01-04 18:30 EST
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:16:16 EDT

Attachments
determine domain at install time. Use that when creating replicas (13.54 KB, patch)
2008-02-15 20:10 EST, Rob Crittenden

Description Simo Sorce 2008-02-08 12:41:53 EST
Description of problem:

Installation scripts assume the DNS domain name to always be the hostname minus
the host specific part (e.g. hostname[hostname.find(".")+1:]).

This may lead to incorrect setup on replicas in other geographies or departments,
etc... where the local DNS setup would require a different domain.
example:

First Master has name: master.example.com
Replica has name: replica.nyc.example.com

In this case the scripts running on the first server would come up with
domain_name = example.com
Scripts running on replica with nyc.example.com

In some cases this might be the right thing, in others it won't, we need to
assess when it is ok, and when instead we need to use the master's domain name.
Comment 1 Rob Crittenden 2008-02-11 20:20:04 EST
So basically what I need to do is add a new argument for domain_name in the
create_instance() functions so that we don't do this:

freeipa/ipaserver/dsinstance.py:        self.domain = host_name[host_name.find(".")+1:]
freeipa/ipaserver/bindinstance.py:        self.domain = fqdn[fqdn.find(".")+1:]
freeipa/ipaserver/httpinstance.py:        self.domain = fqdn[fqdn.find(".")+1:]

This looks like a more general bug because we ignore the domain altogether other
than using it to create the realm. We need to pass this along even for the
master install.
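
Added example (not part of the bug thread or the FreeIPA code base): the derivation quoted above run against the host names from the description, next to a sketch of the explicit domain_name argument proposed in comment 1. The names derive_domain, resolve_domain and Instance are hypothetical, and the fallback behaviour is an assumption.

```python
def derive_domain(fqdn):
    """The derivation quoted in the bug: everything after the first dot."""
    return fqdn[fqdn.find(".") + 1:]


def resolve_domain(fqdn, domain_name=None):
    """Hypothetical helper: prefer a domain passed in by the installer.

    Derivation is only a fallback, and it is refused for a host name with
    no dot: find() returns -1 there, so the slice starts at 0 and the bare
    host name would be returned as the "domain".
    """
    fqdn = fqdn.rstrip(".").lower()
    if domain_name:
        return domain_name.rstrip(".").lower()
    if "." not in fqdn:
        raise ValueError("%r is not fully qualified; pass domain_name" % fqdn)
    return derive_domain(fqdn)


class Instance:
    """Stand-in for the dsinstance/bindinstance/httpinstance classes."""

    def create_instance(self, fqdn, domain_name=None):
        self.fqdn = fqdn
        self.domain = resolve_domain(fqdn, domain_name)
        return self.domain


def demo():
    # Host names taken from the bug description.
    master, replica = "master.example.com", "replica.nyc.example.com"
    master_domain = derive_domain(master)
    return {
        "master_derived": master_domain,
        "replica_derived": derive_domain(replica),   # disagrees with master
        "short_derived": derive_domain("replica"),   # no dot in the name
        # Replica install that is handed the master's domain explicitly.
        "replica_explicit": Instance().create_instance(replica, master_domain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %s" % (key, value))
```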
Comment 2 Rob Crittenden 2008-02-13 19:55:53 EST
This is going to require us to store the initial domain name somewhere so we can
pass it along when we create replication agreements. /etc/ipa/ipa.conf seems
like a logical place to put it but I don't think there is a way to discover it. We
don't currently store it in either LDAP or DNS (that I can see).

One option is to leave it in /etc/ipa/ipa.conf only. This value is only needed
on the first master (as it should be the only one to create replicas). The other
option is to create a separate file for this. Either would have the positive
side-effect of easily preventing other replicas to create replicas because they
would lack this file/value.
Comment 3 Simo Sorce 2008-02-14 10:04:47 EST
(In reply to comment #2)
> This is going to require us to store the initial domain name somewhere so we can
> pass it along when we create replication agreements. /etc/ipa/ipa.conf seems
> like a logical place to put it but I don't think there is a way to discover it. We
> don't currently store it in either LDAP or DNS (that I can see).

I am not sure what you mean by this.
The domain name is definitely in DNS :-)
And it is the base of the zone where SRV records hang on.
So far it is also == REALM (therefore it is $SUFFIX in LDAP)

If we need it explicitly tho, I'd store it in LDAP somewhere.

> One option is to leave it in /etc/ipa/ipa.conf only. This value is only needed
> on the first master (as it should be the only one to create replicas). The other
> option is to create a separate file for this. Either would have the positive
> side-effect of easily preventing other replicas to create replicas because they
> would lack this file/value.

Replicas can't generate further replicas because they lack the master
certificate anyway, right?
Anyway, text files are bad for us, I'd avoid them in most cases unless we have no
way to store something in LDAP.
Comment 4 Rob Crittenden 2008-02-14 11:37:26 EST
I can't assume that they are using our bind zone and REALM doesn't have to be
the upper-case version of the domain.

Good point about the CA.

I'm not sure where to store this in LDAP, any suggestions? I guess we could add
a new attribute in the ipaconfig objectclass.
Comment 5 Simo Sorce 2008-02-14 14:14:57 EST
Yes, adding it to ipaconfig sounds ok
Comment 6 Rob Crittenden 2008-02-15 20:10:34 EST
Created attachment 295056
determine domain at install time. Use that when creating replicas
Comment 7 Rob Crittenden 2008-02-20 09:58:19 EST
Committed in changeset 651
Comment 8 Yi Zhang 2008-05-28 18:34:42 EDT
The solution is to store realm information in the ream_info file

QA Verified on May 28, 2008 (Yi)

Build used: May 28, 2008 (i386)
