#6461 LDAP Connection Management refactoring
Closed: Fixed. Opened 7 years ago by tkrizek.

In FreeIPA 4.4 there are multiple ways to establish an LDAP connection. Connections are also established and re-used in random places.

The refactoring effort focuses on:

  • providing a unified way to use LDAP connections
  • proper connects and disconnects at the start/end of scripts
  • proper reconnects when Directory Server is restarted
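One shape the three goals above can take, as an added example that is not FreeIPA's ipaldap code: a connection object whose lifetime is a with-block, so a script connects once at the start and disconnects once at the end, and whose operations reconnect when the Directory Server has been restarted underneath them. python-ldap is not used so the block runs offline; FakeDirectoryServer and ServerDown are constructed stand-ins for 389-ds and for ldap.SERVER_DOWN (the assumption being that SERVER_DOWN is the signal to react to), and every class and function name here is this example's own.

```python
"""One connection for a whole install step, reconnecting after a
Directory Server restart. Added example, not FreeIPA's ipaldap code.
FakeDirectoryServer stands in for 389-ds and ServerDown for
ldap.SERVER_DOWN (assumption: same meaning) so the block runs offline."""
import logging
import time

log = logging.getLogger("ldapconn")


class ServerDown(Exception):
    """The server no longer knows this connection (socket gone)."""


class FakeDirectoryServer:
    """Constructed stand-in: restart() makes every older connection stale."""

    def __init__(self):
        self.generation = 0
        self.bind_count = 0

    def open(self):
        self.bind_count += 1
        return self.generation

    def restart(self):
        self.generation += 1

    def search(self, conn, base):
        if conn != self.generation:
            raise ServerDown("connection from generation %d is stale" % conn)
        return [("cn=%s" % base, {})]


class LDAPConnection:
    """Connection whose lifetime is the with-block. Callers never connect or
    disconnect ad hoc; retry() reconnects on ServerDown with bounded attempts."""

    def __init__(self, server, retries=5, delay=0.0):
        self.server = server
        self.retries = retries
        self.delay = delay
        self._conn = None

    def connect(self):
        self._conn = self.server.open()
        log.info("connected, server generation %d", self._conn)

    def disconnect(self):
        self._conn = None

    def __enter__(self):
        self.connect()
        return self

    def __exit__(self, exc_type, exc, tb):
        self.disconnect()
        return False  # never swallow the caller's exception

    def retry(self, op):
        """Run op(conn); on ServerDown reconnect and retry, then re-raise."""
        if self._conn is None:
            raise RuntimeError("not connected: use the connection inside a with-block")
        last = None
        for attempt in range(1, self.retries + 1):
            try:
                return op(self._conn)
            except ServerDown as e:
                last = e
                log.warning("server down (attempt %d/%d): %s", attempt, self.retries, e)
                time.sleep(self.delay * attempt)  # linear backoff before rebinding
                self.connect()
        raise last if last is not None else RuntimeError("retries must be >= 1")

    def search(self, base):
        return self.retry(lambda conn: self.server.search(conn, base))


def run_install_step(server):
    """Install-style flow with a restart in the middle (think restart_dirsrv
    after a config change). Returns (binds, first DN before, first DN after)."""
    with LDAPConnection(server) as conn:
        before = conn.search("before")[0][0]
        server.restart()
        after = conn.search("after")[0][0]
    return server.bind_count, before, after


def retries_exhausted(server, retries=3):
    """Negative case: the server never comes back. Returns (raised, binds)."""
    conn = LDAPConnection(server, retries=retries)
    conn.connect()

    def always_down(_conn):
        raise ServerDown("still down")

    try:
        conn.retry(always_down)
    except ServerDown:
        return True, server.bind_count
    return False, server.bind_count
```

In a real client the reconnect branch would re-run ldap.initialize() and the bind (for an installer, over ldapi with autobind as the commits below describe). Bounding the attempts matters: an installer that loops forever on a Directory Server that failed to come back hides the real failure behind a hang.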

master:

  • 5760b7e ipaldap: remove wait/timeout during binds
  • de58a5c ipaldap: merge simple_bind into LDAPClient
  • 60e38ec ipaldap: merge external_bind into LDAPClient
  • 4f1a6a1 ipaldap: merge gssapi_bind to LDAPClient
  • 5b81dbf ipaldap: merge IPAdmin to LDAPClient
  • 9340a14 install: remove dirman_pw from services
  • 24baccb dsinstance: enable ldapi and autobind in ds
  • 9fca820 replicainstall: set ldapi uri in replica promotion
  • 7a1c0db cainstall: add dm_password to CA installation
  • e2780b2 ldap2: change default time/size limit
  • 8934d03 dsinstance: conn management
  • e8aa262 upgradeinstance: ldap conn management
  • e05bdeb install: add restart_dirsrv for directory server restarts
  • a77469f install: remove adhoc api.Backend.ldap2 (dis)connect
  • df86efd install: ldap conn management
  • 49ff159 replicainstall: properly close adhoc connection in promote
  • c51b04f ldapupdate: use ldapi in LDAPUpdate
  • 03d113c install: remove adhoc dis/connect from services
  • 1240262 ipa-adtrust-install: ldap conn management
  • 36d9547 ldap2: change default bind_dn
  • 922062e install tools: ldap conn management
  • 7d02899 replicainstall: correct hostname in ReplicationManager
  • a9585ec replicainstall: use ldap_uri in ReplicationManager
  • 41098e3 ldap2: modify arguments for create_connection

Leaving the ticket open, there might be some minor enhancements or fixes. Please close it when the refactoring of LDAP connections is done.

master:

  • 33f7b8d libexec scripts: ldap conn management

9340a14 removes the Directory Manager password from nolog, which causes it to appear in CA/KRA installation logs.

Nice catch, Standa. I missed this one.

In 9340a14 I removed the dm_password from no_log as well as the class, so that change in itself was fine. However, when I realized CA can't be installed without dm_password, I re-added it in 7a1c0db without appending it to no_log.
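The exchange above describes a secret attribute that was re-added to a class without being re-added to the scrub list. As an added example, not FreeIPA's ipautil code, the block below shows the nolog pattern (a tuple of secret strings masked in whatever gets logged), the bug shape (a tuple that is missing one of the secrets), and a regression check that catches it. The ldapmodify command line and both passwords are constructed; scrub, log_command, leaked and CAInstallArgs are this example's own names, and the mask string is an assumption.

```python
"""Masking secrets in what an installer logs. Added example, not
FreeIPA's ipautil code: the nolog pattern from the ticket (a tuple of
secret strings replaced in anything logged), the bug shape (a secret
attribute that exists but is missing from the tuple), and a regression
check. The mask string and all names are this example's own."""
import shlex

MASK = "XXXXXXXX"


def scrub(text, nolog):
    """Replace each secret in nolog with MASK. Empty or None entries are
    skipped: str.replace("", MASK) would insert MASK between every character."""
    for secret in nolog:
        if secret:
            text = text.replace(secret, MASK)
    return text


def log_command(args, nolog=()):
    """Render a command line as an install log would record it, scrubbed."""
    return scrub(" ".join(shlex.quote(a) for a in args), nolog)


def leaked(logline, secrets):
    """Regression check: the secret values that appear verbatim in logline."""
    return [s for s in secrets if s and s in logline]


class CAInstallArgs:
    """Passwords the installer hands to child processes. secrets() is the
    single place that enumerates them, so a new attribute cannot be added
    without deciding whether it is a secret."""

    def __init__(self, dm_password, admin_password):
        self.dm_password = dm_password
        self.admin_password = admin_password

    def secrets(self):
        return (self.dm_password, self.admin_password)


def demo():
    """Constructed ldapmodify invocation with constructed passwords. Returns
    (line logged with the incomplete nolog, line logged with the full one)."""
    args = CAInstallArgs(dm_password="Secret123", admin_password="Hunter2!")
    cmd = ["ldapmodify", "-x", "-H", "ldap://localhost",
           "-D", "cn=Directory Manager", "-w", args.dm_password]
    # Bug shape from the ticket: dm_password was re-added to the class but
    # not to the scrub list, so only admin_password gets masked.
    incomplete = (args.admin_password,)
    return log_command(cmd, nolog=incomplete), log_command(cmd, nolog=args.secrets())
```

Two details worth keeping: an empty or None secret must be skipped (replacing an empty needle would corrupt the whole line), and the list of secrets should come from one method on the object that holds them rather than being re-typed next to each logging call, which is exactly where the regression in this ticket crept in.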

master:

  • a68c95d ipaldap: remove do_bind from LDAPClient

master:

  • f183f70 dns: check if container exists using ldapi

There is a regression with ipa-ca-install on a DL-0 replica:

$ ipa-ca-install /home/frenaud/replica-info-vm-159.abc.idm.lab.eng.brq.redhat.com.gpg 
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
ipa         : CRITICAL CA DS schema check failed. Make sure the PKI service on the remote master is operational.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
DatabaseError: Connect error: Start TLS request accepted.Server willing to negotiate SSL.

The commit 5b81dbf seems to be the culprit as it is using (in ipaserver/install/cainstance.py, line 1307)

cacert=config.dir + "/ca.cer"

instead of

cacert=config.dir + "/ca.crt"
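The wrong CA file name above surfaces as a StartTLS connect error rather than a file error, because a missing or unloadable cacert only fails once the TLS handshake starts. As an added example, not FreeIPA code, the pre-flight below loads the configured CA file into an ssl.SSLContext before any StartTLS attempt and returns a plain reason when it is absent or not PEM. check_cacert and demo_checks are this example's own names; the junk file is constructed in a temporary directory, and the system bundle check only runs where the host ships one.

```python
"""Pre-flight for the CA file used by StartTLS. Added example, not
FreeIPA code: load the configured cacert into an ssl.SSLContext before
any LDAP StartTLS so a missing or non-PEM file is reported as such.
check_cacert and demo_checks are this example's own names."""
import os
import ssl
import tempfile


def check_cacert(path):
    """Return (ok, reason). ok is False when the file is missing or does
    not contain at least one PEM certificate OpenSSL can load."""
    if not os.path.isfile(path):
        return False, "CA certificate file not found: %s" % path
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as e:
        return False, "cannot load %s as a PEM CA file: %s" % (path, e)
    return True, "loaded %s" % path


def demo_checks():
    """Constructed cases; returns {case: ok}. 'missing' mirrors the ticket:
    the code asks for ca.cer in a directory that does not have it.
    'not_pem' is a file with constructed non-certificate content."""
    config_dir = tempfile.mkdtemp()
    junk = os.path.join(config_dir, "ca.crt")
    with open(junk, "w") as f:
        f.write("this is not a certificate\n")  # constructed content
    results = {
        "missing": check_cacert(os.path.join(config_dir, "ca.cer"))[0],
        "not_pem": check_cacert(junk)[0],
    }
    system = ssl.get_default_verify_paths().cafile
    if system and os.path.isfile(system):  # only where the host ships a bundle
        results["system_bundle"] = check_cacert(system)[0]
    return results
```

Running this before setting the TLS CA option on the LDAP client turns "Connect error: Start TLS request accepted" into "CA certificate file not found: .../ca.cer", which points straight at the filename bug.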

master:

  • d6300dc cainstance: use correct certificate for replica install check

master:

  • 68295bf services: replace admin_conn with api.Backend.ldap2
  • 0914fc6 upgrade: ldap conn management

master:

  • e617f89 Do not log DM password in ca/kra installation logs

Metadata Update from @tkrizek:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5
