authorTomas Babej <tbabej@redhat.com>2015-04-29 08:16:06 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-02 13:23:21 +0200
commitd584eb700111bb57f6d10018f4b56d6f10a96d21 (patch)
tree98de3846d7b38f60fc65374fdd4d7e723936aede
parentbff7a748d622a174a6023b32b5b13ed8b53975dc (diff)
winsync-migrate: Require explicit specification of the target server and validate existing agreement
https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/winsync_migrate/base.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/ipaserver/winsync_migrate/base.py b/ipaserver/winsync_migrate/base.py
index 936a7eee3..afdbda2de 100644
--- a/ipaserver/winsync_migrate/base.py
+++ b/ipaserver/winsync_migrate/base.py
@@ -26,6 +26,7 @@ from ipapython import admintool
from ipapython.dn import DN
from ipapython.ipa_log_manager import log_mgr
from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import replication
DEFAULT_TRUST_VIEW_NAME = u'Default Trust View'
@@ -58,6 +59,10 @@ class MigrateWinsync(admintool.AdminTool):
dest="realm",
help="The AD realm the winsynced users belong to")
parser.add_option(
+ "--server",
+ dest="server",
+ help="The AD DC the winsync agreement is established with")
+ parser.add_option(
"-U", "--unattended",
dest="interactive",
action="store_false",
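Review bot: The help text for `--server` does not say that the option is mandatory, although the validation added later in this commit raises `ScriptError` when it is absent. An operator reading `--help` learns this only by running the tool once and failing; I would change the string to `help="The AD DC the winsync agreement is established with (required)"`. The `add_option` calls belong to a method that starts and ends outside this hunk.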
@@ -91,6 +96,34 @@ class MigrateWinsync(admintool.AdminTool):
"An error occured during detection of the established "
"trust with %s: %s" % (self.options.realm, str(e)))
+ if self.options.server is None:
+ raise admintool.ScriptError(
+ "The AD DC the winsync agreement is established with "
+ "needs to be specified.")
+ else:
+ # Validate the replication agreement between given host and localhost
+ try:
+ manager = replication.ReplicationManager(
+ api.env.realm,
+ api.env.host,
+ None) # Use GSSAPI instead of raw directory manager access
+
+ replica_type = manager.get_agreement_type(self.options.server)
+ except errors.ACIError as e:
+ raise admintool.ScriptError(
+ "Used Kerberos account does not have privileges to access "
+ "the replication agreement info: %s" % str(e))
+ except errors.NotFound as e:
+ raise admintool.ScriptError(
+ "The replication agreement between %s and %s could not "
+ "be detected" % (api.env.host, self.options.server))
+
+ # Check that the replication agreement is indeed WINSYNC
+ if replica_type != replication.WINSYNC:
+ raise admintool.ScriptError(
+ "Replication agreement between %s and %s is not winsync."
+ % (api.env.host, self.options.server))
+
def create_id_user_override(self, entry):
"""
Creates ID override corresponding to this user entry.
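Review bot: The `try` around `ReplicationManager(...)` and `get_agreement_type()` converts only `errors.ACIError` and `errors.NotFound` into `ScriptError`, so any other failure of the GSSAPI bind or the lookup (a missing ticket, an unreachable directory server) would presumably surface as a raw traceback instead of a clear "agreement could not be verified" message. Since this check gates the migration, I would add a final handler such as `except errors.PublicError as e: raise admintool.ScriptError("Could not verify the replication agreement with %s: %s" % (self.options.server, e))`, assuming `errors` is ipalib's errors module, whose import is not visible in the hunk. The `NotFound` handler binds `e` but drops it, so the message loses the underlying detail. The guard `self.options.server is None` also lets `--server ""` through to the lookup; `if not self.options.server:` rejects both. The enclosing method starts above the hunk.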