[Freeipa-devel] [freeipa PR#698][opened] install: request service certs after host keytab is set up
HonzaCholasta
2017-04-07 07:39:06 UTC
URL: https://github.com/freeipa/freeipa/pull/698
Author: HonzaCholasta
Title: #698: install: request service certs after host keytab is set up
Action: opened

PR body:
"""
**dsinstance: reconnect ldap2 after DS is restarted by certmonger**

DS is restarted by certmonger in the restart_dirsrv script after the DS
certificate is saved. This breaks the ldap2 backend and makes any operation
fail with NetworkError until it is reconnected.

Reconnect ldap2 after the DS certificate request is finished to fix the
issue. Make sure restart_dirsrv waits for the ldapi socket so that the
reconnect does not fail.

**httpinstance: avoid httpd restart during certificate request**

httpd is restarted by certmonger in the restart_httpd script after the
httpd certificate is saved if it was previously running. The restart will
fail because httpd is not properly configured at this point.

Stop httpd at the beginning of httpd install to avoid the restart.

**dsinstance, httpinstance: consolidate certificate request code**

A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

**install: request service certs after host keytab is set up**

The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.

Make sure all certmonger requests in the installer are done after the host
keytab is set up.

**renew agent: revert to host keytab authentication**

Fixes an issue where the renew agent uses GSSAPI for LDAP connection but
fails because it is not authenticated.

This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7.

**renew agent, restart scripts: connect to LDAP after kinit**

Connect to LDAP after kinit is done, otherwise GSSAPI authentication will
fail.

https://pagure.io/freeipa/issue/6757

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/698/head:pr698
git checkout pr698
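The PR body describes three ordering problems: the ldap2 connection goes stale when certmonger's restart_dirsrv restarts DS, the restart script must wait for the ldapi socket before the installer reconnects, and the renew agent and restart scripts can only do a GSSAPI LDAP bind after kinit with the host keytab. The following script is an added illustration of those three invariants and is not FreeIPA code; `LdapStandIn`, `HostAuthState`, `NetworkError` and `simulate` are stand-ins invented here so it runs offline, while `wait_for_unix_socket` does a real poll-and-connect against a Unix-domain socket the script creates itself.

```python
"""Added example (not FreeIPA code): the ordering fixes described in PR #698,
modelled with local stand-ins so the script runs offline."""
import os
import socket
import tempfile
import time


class NetworkError(Exception):
    """Stand-in for the ipalib NetworkError mentioned in the PR body."""


def wait_for_unix_socket(path, timeout=5.0, interval=0.05):
    """Poll until something accepts connections on the Unix socket `path`.

    This is what restart_dirsrv must do for the ldapi socket before the
    installer reconnects ldap2: right after a restart the socket file may
    not exist yet, or may exist with nobody listening on it.
    Returns True once connect() succeeds, False on timeout.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(path):
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                try:
                    s.connect(path)
                    return True
                except OSError:
                    pass  # socket file present, server not listening yet
        time.sleep(interval)
    return False


class LdapStandIn:
    """Simplified model of the ldap2 backend (assumption, not ipaldap): a
    connection made before a server restart is dead after it."""

    def __init__(self):
        self.generation = 0       # bumped on every simulated DS restart
        self.connected_at = None

    def connect(self):
        self.connected_at = self.generation

    def restart_server(self):
        self.generation += 1      # what certmonger's restart_dirsrv does

    def search(self):
        if self.connected_at != self.generation:
            raise NetworkError("connection lost across DS restart")
        return "ok"


def request_ds_cert_and_reconnect(ldap, restart):
    """Simulated DS certificate request: certmonger saves the cert and
    restarts DS (`restart`), so ldap2 must be reconnected afterwards."""
    restart()
    ldap.connect()            # the fix: reconnect once the request is done
    return ldap.search()


class HostAuthState:
    """Dependency chain from the last two commits: a GSSAPI LDAP bind needs
    a credential cache, and kinit needs the host keytab (stand-in model)."""

    def __init__(self):
        self.keytab_ready = False
        self.ccache_ready = False

    def install_host_keytab(self):
        self.keytab_ready = True

    def kinit(self):
        if not self.keytab_ready:
            raise RuntimeError("kinit: host keytab is not set up yet")
        self.ccache_ready = True

    def gssapi_ldap_connect(self):
        if not self.ccache_ready:
            raise NetworkError("GSSAPI bind attempted before kinit")
        return "bound"


def simulate():
    """Exercise the three invariants; returns a dict of observed results."""
    results = {}
    results["missing_socket"] = wait_for_unix_socket("/nonexistent/ldapi", timeout=0.2)
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)             # a listener stands in for the restarted DS
    try:
        results["live_socket"] = wait_for_unix_socket(path, timeout=2.0)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    ldap = LdapStandIn()
    ldap.connect()
    ldap.restart_server()     # restart without reconnect: the original bug
    try:
        ldap.search()
        results["stale_search"] = "ok"
    except NetworkError:
        results["stale_search"] = "NetworkError"
    results["after_reconnect"] = request_ds_cert_and_reconnect(ldap, ldap.restart_server)
    auth = HostAuthState()
    try:
        auth.gssapi_ldap_connect()
        results["bind_before_kinit"] = "bound"
    except NetworkError:
        results["bind_before_kinit"] = "NetworkError"
    auth.install_host_keytab()
    auth.kinit()
    results["bind_after_kinit"] = auth.gssapi_ldap_connect()
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The socket wait is the piece worth reusing: checking only that the socket file exists is not enough, since the file can outlive the old process or be created before the new one calls listen(), so the poll actually connects and treats a refused connection as "not ready yet".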
martbab
2017-04-07 16:52:45 UTC
URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

Label: +ack
martbab
2017-04-07 16:53:56 UTC
URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

Label: +pushed
martbab
2017-04-07 16:54:00 UTC
URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

martbab commented:
"""
master:

* b189be12ecd1ba9efa35daf41e7e04a9362c6a5e dsinstance: reconnect ldap2 after DS is restarted by certmonger
* 8a8558637946d7dac1d85642baaf9ba7c1be98f8 httpinstance: avoid httpd restart during certificate request
* ec52332229672f35af8db5aaf1ed2827a8dd5467 dsinstance, httpinstance: consolidate certificate request code
* 181cb94e744c380a823b94d0d5ca088ab3dcca1c install: request service certs after host keytab is set up
* 3884a671cb59c360fae67884755fa5779053107a renew agent: revert to host keytab authentication
* a6a89e24147d8542fd09cf64e04982599b79e3cc renew agent, restart scripts: connect to LDAP after kinit
ipa-4-5:

* 3a3cd01161b618dd6836fda7df935dd39adc117b dsinstance: reconnect ldap2 after DS is restarted by certmonger
* 029da956be22c9e05a53c7c30e3afcb2c851ad86 httpinstance: avoid httpd restart during certificate request
* 3317e172227fd72ad9049f7893d3018043201b3c dsinstance, httpinstance: consolidate certificate request code
* cb141b0eb3950bcae1950e6190ba3573f348b1f2 install: request service certs after host keytab is set up
* 1a7db624857c46a2c1c091ed4b8d7902a4486596 renew agent: revert to host keytab authentication
* e9168e80ddb6066114f9438fa6a7a11b0eaa02cf renew agent, restart scripts: connect to LDAP after kinit
"""

See the full comment at https://github.com/freeipa/freeipa/pull/698#issuecomment-292591048
martbab
2017-04-07 16:54:04 UTC
URL: https://github.com/freeipa/freeipa/pull/698
Author: HonzaCholasta
Title: #698: install: request service certs after host keytab is set up
Action: closed

