authorJR Aquino <jr.aquino@citrix.com>2011-09-16 10:23:02 -0700
committerSimo Sorce <ssorce@redhat.com>2011-10-12 16:46:36 -0400
commitcdae256d0aa13451f028d5c3afb517beaed1e970 (patch)
tree748abb8fbf69e67a12fee5f12f9af88d788dba76
parentda3539c40ccbba23ce8d3aafa1dae655e891deab (diff)
Replication: Adjust replica installation to omit processing memberof computations
https://fedorahosted.org/freeipa/ticket/1794 If the master does not yet support the total update list feature, we still run the memberof fixup task and do not fail to replicate because the new attribute cannot be set. Jointly-developed-with: Simo Sorce <ssorce@redhat.com> Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
-rwxr-xr-xinstall/tools/ipa-replica-install1
-rw-r--r--install/ui/test/data/json_metadata.json1
-rw-r--r--ipaserver/install/dsinstance.py6
-rw-r--r--ipaserver/install/replication.py29
4 files changed, 31 insertions, 6 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c2018f4d5..9fddb7584 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -469,7 +469,6 @@ def main():
raise RuntimeError("Failed to configure the client")
ds.replica_populate()
- ds.init_memberof()
#Everything installed properly, activate ipa service.
ipaservices.knownservices.ipa.enable()
diff --git a/install/ui/test/data/json_metadata.json b/install/ui/test/data/json_metadata.json
index 482eb6c3b..f87ab114c 100644
--- a/install/ui/test/data/json_metadata.json
+++ b/install/ui/test/data/json_metadata.json
@@ -3273,6 +3273,7 @@
"nsds5replicaroot",
"nsds5replicasessionpausetime",
"nsds5replicatedattributelist",
+ "nsds5replicatedattributelisttotal",
"nsds5replicatimeout",
"nsds5replicatombstonepurgeinterval",
"nsds5replicatransportinfo",
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f2b16dfe8..36a386619 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -169,6 +169,7 @@ class DsInstance(service.Service):
self.idmax = None
self.subject_base = None
self.open_ports = []
+ self.run_init_memberof = True
if realm_name:
self.suffix = util.realm_to_suffix(self.realm_name)
self.__setup_sub_dict()
@@ -295,6 +296,7 @@ class DsInstance(service.Service):
repl.setup_replication(self.master_fqdn,
r_binddn="cn=Directory Manager",
r_bindpw=self.dm_password)
+ self.run_init_memberof = repl.needs_memberof_fixup()
def __enable(self):
self.backup_state("enabled", self.is_enabled())
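Review bot: The getter called here, `repl.needs_memberof_fixup()`, differs from the attribute it returns, `need_memberof_fixup`, by a single letter, which is easy to mistype. Dropping the parentheses (`repl.needs_memberof_fixup`) would assign a bound method, which is always truthy, so the mistake would pass silently and the fixup would always run. Reading the attribute directly, or giving the two clearly different names, would remove that trap. The enclosing method starts outside the hunk.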
@@ -433,6 +435,10 @@ class DsInstance(service.Service):
self._ldap_mod("memberof-conf.ldif")
def init_memberof(self):
+
+ if not self.run_init_memberof:
+ return
+
self._ldap_mod("memberof-task.ldif", self.sub_dict)
# Note, keep dn in sync with dn in install/share/memberof-task.ldif
dn = "cn=IPA install %s,cn=memberof task,cn=tasks,cn=config" % self.sub_dict["TIME"]
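Review bot: The new early return in `init_memberof()` skips the fixup task silently, so the install log cannot show whether memberof values were rebuilt locally or arrived with the total update. Since group membership usually feeds access decisions, I would record the skip, for example with a debug line such as `"memberof fixup task not needed, skipping"` before the `return`, using the logger this module already has. A docstring would also help: `"""Run the memberof fixup task unless replication setup reported it is not needed (run_init_memberof is False)."""`. The rest of the method's body lies outside the hunk.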
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index a6bd7af37..3ee4d277e 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -107,6 +107,7 @@ class ReplicationManager(object):
self.starttls = starttls
tmp = util.realm_to_suffix(realm)
self.suffix = str(DN(tmp)).lower()
+ self.need_memberof_fixup = False
# If we are passed a password we'll use it as the DM password
# otherwise we'll do a GSSAPI bind.
@@ -433,6 +434,7 @@ class ReplicationManager(object):
which use a different name on each side. If master is None then
isn't a dogtag replication agreement.
"""
+
cn, dn = self.agreement_dn(b_hostname, master=master)
try:
a_conn.getEntry(dn, ldap.SCOPE_BASE)
@@ -440,11 +442,14 @@ class ReplicationManager(object):
except errors.NotFound:
pass
- # List of attributes that need to be excluded from replication.
- excludes = ('memberof', 'entryusn',
- 'krblastsuccessfulauth',
- 'krblastfailedauth',
- 'krbloginfailedcount')
+ # List of attributes that need to be excluded from replication initialization.
+ totalexcludes = ('entryusn',
+ 'krblastsuccessfulauth',
+ 'krblastfailedauth',
+ 'krbloginfailedcount')
+
+ # List of attributes that need to be excluded from normal replication.
+ excludes = ('memberof', ) + totalexcludes
entry = ipaldap.Entry(dn)
entry.setValues('objectclass', "nsds5replicationagreement")
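Review bot: The two new comments say which list applies to initialization and which to normal replication, but not why `memberof` appears only in `excludes`. That difference is the whole point of the change, so it deserves a line. Something like `# memberof is left out of totalexcludes so a total update carries it and the replica can skip the fixup task` would do, assuming that matches the intent in the commit message. Building `excludes` from `totalexcludes` keeps the two lists from drifting apart. As a small style point, `('memberof', )` is conventionally written `('memberof',)`.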
@@ -472,8 +477,22 @@ class ReplicationManager(object):
a_conn.add_s(entry)
+ if master is None:
+ try:
+ mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal',
+ '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))]
+ a_conn.modify_s(dn, mod)
+ except ldap.LDAPError, e:
+ # Apparently there are problems set the total list
+ # Probably the master is an old 389-ds server, tell the caller
+ # that we will have to set the memberof fixup task
+ self.need_memberof_fixup = True
+
entry = a_conn.waitForEntry(entry)
+ def needs_memberof_fixup(self):
+ return self.need_memberof_fixup
+
def setup_krb_princs_as_replica_binddns(self, a, b):
"""
Search the appropriate principal names so we can get
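Review bot: The `except ldap.LDAPError, e:` around `a_conn.modify_s(dn, mod)` treats every LDAP failure as "old master", so a permissions problem or a dropped connection is handled exactly like an unsupported attribute, and `e` is never used. Falling back to the fixup task is the safe direction, but the real cause never reaches the install log. I would record it, e.g. `logging.debug("could not set nsDS5ReplicatedAttributeListTotal on %s: %s", dn, e)` with whichever logger this module already has, and narrow the catch once the error an older 389-ds returns is confirmed. `needs_memberof_fixup()` could also carry a one-line docstring such as `"""Return True if the total attribute list could not be set and the memberof fixup task must run."""`. The method containing the `try` block starts outside the hunk.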