On Sat, 2013-05-04 at 09:16 -0500, Endi Sukma Dewata wrote:
On 5/4/2013 2:45 AM, Ade Lee wrote:
> Here's the changelog:
>
> When setting up clones or non-CA subsystems, pkispawn checks if
> the security domain is accessible and if the user can log in.
> These calls invoke REST URIs, which are not available on older
> subsystems. To support these subsystems, we need to attempt the
> older legacy servlets if the REST APIs are not available.
>
> Ticket #604
>
> This is breaking IPA replica installs because the new URLs are not
> exposed through the proxy config. Even if this is fixed, it will be
> broken for old servers.
>
> The output of getDomainXML is pretty messed up and I'll open a ticket to
> fix it, but given that it appears to be parsed correctly wherever its
> being used, we can fix it later when we have time to test everything.
Question, on Dogtag 9 instance wouldn't all REST calls return 501 (Not
Implemented)? So when calling the login() should we check for 501
instead of 404? Or are we dealing with 2 possible Dogtag 9 instances:
upgraded and not?
Good catch. We have two possible choices here - upgraded or not
upgraded - so I changed the check to look for either 404 or 501.
In this case of IPA, it will always be 404 because older systems will
not have had their proxy config updated.
Pushed to master. Now doing build of 10.0.2-3.
Another possible solution is to return the server version in the
DomainInfo, then if it's not version 10 we skip the login() call.
Everything else looks fine. If this turns out to be not an issue, ACK.