In FreeIPA 4.4 there are multiple ways to establish an LDAP connection. Connections are also established and re-used in random places.
The refactoring effort focuses on:
master:
Leaving the ticket open, there might be some minor enhancements or fixes. Please close it when the refactoring of LDAP connections is done.
9340a14 removes Directory Manager password from nolog which causes it to appear in ca/kra installation logs.
Nice catch, Standa. I missed this one.
In 9340a14 I removed the dm_password from no_log as well as the class, so that change in itself was fine. However, when I realized CA can't be installed without dm_password, I re-added it in 7a1c0db without appending it to no_log.
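The leak described in the two comments above, as an added illustration (not FreeIPA's code): a nolog-style redaction of a logged command line, where a secret that is passed to the command but not listed in nolog ends up verbatim in the install log. The tool name, options and password values are constructed; `leaked()` is the check a practitioner would run over the resulting log text.

```python
import shlex

REDACTED = "XXXXXXXX"

# Constructed sample secrets, not real credentials.
DM_PASSWORD = "Secret.123"
ADMIN_PASSWORD = "Admin.456"


def redact(args, nolog=()):
    """Copy of argv with every nolog value replaced by REDACTED.
    Values are replaced wherever they occur, also inside 'key=value' args."""
    out = []
    for arg in args:
        for secret in nolog:
            if secret:  # an empty string would match everywhere
                arg = arg.replace(secret, REDACTED)
        out.append(arg)
    return out


def loggable_command(args, nolog=()):
    """The line an installer would write to its log before running args."""
    return " ".join(shlex.quote(a) for a in redact(args, nolog))


def leaked(log_text, secrets):
    """Secrets that survived redaction, i.e. that landed in the log."""
    return [s for s in secrets if s in log_text]


def build_command(dm_password, admin_password):
    # Hypothetical CA configuration step that needs both passwords.
    return ["ca-configure-tool",
            "--ds-password=" + dm_password,
            "--admin-password=" + admin_password]


def regression_log():
    # dm_password re-added to the command but not to nolog: it leaks.
    args = build_command(DM_PASSWORD, ADMIN_PASSWORD)
    return loggable_command(args, nolog=(ADMIN_PASSWORD,))


def fixed_log():
    # Every secret the command receives is also in nolog.
    args = build_command(DM_PASSWORD, ADMIN_PASSWORD)
    return loggable_command(args, nolog=(ADMIN_PASSWORD, DM_PASSWORD))


if __name__ == "__main__":
    for name, line in (("regression", regression_log()), ("fixed", fixed_log())):
        print(name, "->", line, "| leaked:", leaked(line, [DM_PASSWORD, ADMIN_PASSWORD]))
```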
There is a regression with ipa-ca-install on a DL-0 replica:
$ ipa-ca-install /home/frenaud/replica-info-vm-159.abc.idm.lab.eng.brq.redhat.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Connection check OK
ipa         : CRITICAL CA DS schema check failed. Make sure the PKI service on the remote master is operational.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
DatabaseError: Connect error: Start TLS request accepted.Server willing to negotiate SSL.
The commit 5b81dbf seems to be the culprit as it is using (in ipaserver/install/cainstance.py, line 1307)
cacert=config.dir + "/ca.cer"
instead of
cacert=config.dir + "/ca.crt"
Metadata Update from @tkrizek:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5