author | Tomas Babej <tbabej@redhat.com> | 2015-04-29 08:16:06 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-02 13:23:21 +0200 |
commit | d584eb700111bb57f6d10018f4b56d6f10a96d21 (patch) | |
tree | 98de3846d7b38f60fc65374fdd4d7e723936aede | |
parent | bff7a748d622a174a6023b32b5b13ed8b53975dc (diff) | |
download | freeipa-d584eb700111bb57f6d10018f4b56d6f10a96d21.tar.gz freeipa-d584eb700111bb57f6d10018f4b56d6f10a96d21.tar.xz freeipa-d584eb700111bb57f6d10018f4b56d6f10a96d21.zip |
winsync-migrate: Require explicit specification of the target server and validate existing agreement
https://fedorahosted.org/freeipa/ticket/4524
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | ipaserver/winsync_migrate/base.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/ipaserver/winsync_migrate/base.py b/ipaserver/winsync_migrate/base.py index 936a7eee3..afdbda2de 100644 --- a/ipaserver/winsync_migrate/base.py +++ b/ipaserver/winsync_migrate/base.py @@ -26,6 +26,7 @@ from ipapython import admintool from ipapython.dn import DN from ipapython.ipa_log_manager import log_mgr from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import replication DEFAULT_TRUST_VIEW_NAME = u'Default Trust View' @@ -58,6 +59,10 @@ class MigrateWinsync(admintool.AdminTool): dest="realm", help="The AD realm the winsynced users belong to") parser.add_option( + "--server", + dest="server", + help="The AD DC the winsync agreement is established with") + parser.add_option( "-U", "--unattended", dest="interactive", action="store_false", 
@@ -91,6 +96,34 @@ class MigrateWinsync(admintool.AdminTool): "An error occured during detection of the established " "trust with %s: %s" % (self.options.realm, str(e))) + if self.options.server is None: + raise admintool.ScriptError( + "The AD DC the winsync agreement is established with " + "needs to be specified.") + else: + # Validate the replication agreement between given host and localhost + try: + manager = replication.ReplicationManager( + api.env.realm, + api.env.host, + None) # Use GSSAPI instead of raw directory manager access + + replica_type = manager.get_agreement_type(self.options.server) + except errors.ACIError as e: + raise admintool.ScriptError( + "Used Kerberos account does not have privileges to access " + "the replication agreement info: %s" % str(e)) + except errors.NotFound as e: + raise admintool.ScriptError( + "The replication agreement between %s and %s could not " + "be detected" % (api.env.host, self.options.server)) + + # Check that the replication agreement is indeed WINSYNC + if replica_type != replication.WINSYNC: + raise admintool.ScriptError( + "Replication agreement between %s and %s is not winsync." + % (api.env.host, self.options.server)) + def create_id_user_override(self, entry): """ Creates ID override corresponding to this user entry. |
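Review bot: The `--server` value reaches `manager.get_agreement_type(self.options.server)` after only an `is None` test, so an empty string or a malformed host name is handed to the replication lookup unchanged. How `get_agreement_type` uses the name is not visible in this hunk; if it is interpolated into an LDAP filter or DN, the value should first be checked to be a plain host name, and at minimum the guard could read `if not self.options.server:`. Separately, only `errors.ACIError` and `errors.NotFound` are caught, so any other failure raised while building `ReplicationManager` or querying the agreement would presumably surface as a traceback rather than a `ScriptError`. The `NotFound` handler also binds `e` without using it. The enclosing method starts above the hunk, so whether this check runs before any state is modified cannot be confirmed from here.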