| author | Simo Sorce <ssorce@redhat.com> | 2012-07-12 15:04:03 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-07-17 21:01:57 -0400 |
| commit | 32c1aa45b3d41e15adb2ca8f8713e774046bc340 (patch) | |
| tree | 450988ab15cd153173f73086dd8fac741caffb01 | |
| parent | 87040c0af1e76b5477cd53d515ed8071d941ce24 (diff) | |
| download | freeipa-32c1aa45b3d41e15adb2ca8f8713e774046bc340.tar.gz freeipa-32c1aa45b3d41e15adb2ca8f8713e774046bc340.tar.xz freeipa-32c1aa45b3d41e15adb2ca8f8713e774046bc340.zip | |
Fix detection of deleted masters
When setting up agreements we need to be careful in not allowing to
'reconnect' a master that was previously completely deleted as it would
miss entries that are vital for proper functioning. This change in code
fixes 2 problems with the current approach.
1) it removes false positives when we are trying to reconnect a replica that
was previously merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed, so that we cannot 'reconnect' previously unrelated replicas when
one of the 2 has been permanently deleted from the masters tree.
Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
-rwxr-xr-x | install/tools/ipa-replica-manage | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index a039ccaa2..b095daf03 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -401,18 +401,24 @@ def add_link(realm, replica1, replica2, dirman_passwd, options): options.passsync, options.win_subtree, options.cacert) else: - # First see if we already exist on the remote master. If so this was - # a previously deleted connection. + # Check if the master entry exists for both servers. + # If one of the tree misses one of the entries, it means one of the + # replicas was fully deleted previously and needs to be reinstalled + # from scratch try: + masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), (api.env.basedn)) + master1_dn = str(DN(('cn', replica1), masters_dn)) + master2_dn = str(DN(('cn', replica2), masters_dn)) + + repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE) + repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE) + repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd) - master_dn = repl2.replica_dn() - binddn = str(DN(('krbprincipalname','ldap/%s@%s' % (replica1, api.env.realm)),(api.env.container_service),(api.env.basedn))) - master = repl2.conn.getEntry(master_dn, ldap.SCOPE_BASE) - binddns = master.getValues('nsDS5ReplicaBindDN') - if binddns and binddn in binddns: - sys.exit("You cannot connect to a previously deleted master") + repl2.conn.getEntry(master1_dn, ldap.SCOPE_BASE) + repl2.conn.getEntry(master2_dn, ldap.SCOPE_BASE) + except errors.NotFound: - pass + sys.exit("You cannot connect to a previously deleted master") repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd) print "Connected '%s' to '%s'" % (replica1, replica2) |
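Review bot: the single `except errors.NotFound:` around all four `getEntry` lookups (two DNs on `repl1.conn`, two on `repl2.conn`) exits with one generic message, so the administrator cannot tell which master entry is missing from which server, which is exactly what they need to decide which replica has to be reinstalled from scratch; suggest looping over the two connections and the two DNs, catching `errors.NotFound` per lookup, and including the missing DN and the server name in the `sys.exit` message. The same `try` block now also wraps `replication.ReplicationManager(realm, replica2, dirman_passwd)`, so any connection or authentication error raised there still propagates unchanged rather than being reported as a deleted master, which is the right behaviour but worth a one-line comment since it is easy to misread. Minor: the new comment "If one of the tree misses one of the entries" should read "If either tree is missing one of the entries".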