#5626 a replica promoted from CA-less master has RA backend and plugins enabled in default.conf
Closed: Fixed None Opened 8 years ago by mbabinsk.

After promoting a replica from a CA-less master and examining default.conf, we can see that the RA backend is enabled and the RA plugin is set to Dogtag 10:

[global]
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
host = replica1.ipa.test
xmlrpc_uri = https://replica1.ipa.test/ipa/xml
enable_ra = True

ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
ra_plugin = dogtag
dogtag_version = 10

These settings are rather pointless in an environment without a CA. Instead, we should disable them during promotion, as is done in domain level 0 replica installation.

Steps to reproduce:

  1. Set up a CA-less master with domain level 1
  2. Install a domain level 1 replica
  3. Open /etc/ipa/default.conf

Expected results:

The RA-related directives should look like this:

enable_ra = False
ra_plugin = None

Actual results:

Instead, the Dogtag RA backend is happily enabled:

enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
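
The check described in this ticket, written as an added example (not part of the original ticket or of FreeIPA's code): it parses the text of default.conf and reports RA directives that differ from the expected values quoted above. The function name `audit_ra_settings` and the `ca_less` parameter are hypothetical, and the sample inputs are constructed from the values in the ticket.

```python
import configparser

# Constructed sample: the promoted replica's default.conf as quoted in the ticket.
PROMOTED_REPLICA_CONF = """\
[global]
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
host = replica1.ipa.test
xmlrpc_uri = https://replica1.ipa.test/ipa/xml
enable_ra = True

ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
ra_plugin = dogtag
dogtag_version = 10
"""

# Constructed sample: the RA directives the ticket lists under "Expected results".
EXPECTED_CONF = "[global]\nenable_ra = False\nra_plugin = None\n"


def audit_ra_settings(conf_text, ca_less=True):
    """Return findings for RA directives that contradict a CA-less deployment.

    ca_less is supplied by the caller (assumption: this check cannot detect it).
    A directive that is absent is not reported (assumption).
    """
    # interpolation=None: ldap_uri contains %2F, which default interpolation rejects.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("global"):
        return ["no [global] section"]
    if not ca_less:
        return []
    section = parser["global"]
    findings = []
    enable_ra = section.get("enable_ra")
    if enable_ra is not None and enable_ra.strip().lower() != "false":
        findings.append(f"enable_ra = {enable_ra.strip()}; expected False")
    ra_plugin = section.get("ra_plugin")
    if ra_plugin is not None and ra_plugin.strip().lower() != "none":
        findings.append(f"ra_plugin = {ra_plugin.strip()}; expected None")
    return findings


if __name__ == "__main__":
    for finding in audit_ra_settings(PROMOTED_REPLICA_CONF):
        print("FINDING:", finding)
```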

master:

  • 7dae5c0 disable RA plugins when promoting a replica from CA-less master

ipa-4-3:

  • b63505e disable RA plugins when promoting a replica from CA-less master

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.1

7 years ago
