author | Jan Cholasta <jcholast@redhat.com> | 2014-06-12 08:37:40 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 1778f0ebc95bf53c2746ce5461f76458c40560cd (patch) | |
tree | e6e1048eee4e105405aeecbcb587de1274910eb7 | |
parent | 61159b7ff2b92d40bad3a6084a249f5c51b07a48 (diff) | |
Allow IPA master hosts to read and update IPA master information.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r-- | install/updates/40-delegation.update | 4 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 38 |
2 files changed, 42 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 10579b759..39129b8e4 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -177,3 +177,7 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: IPA Masters Readers
 default:description: Read list of IPA masters
+
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 168f7ceee..f1e70a1d4 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
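Review bot: The `Modify IPA Masters` ACI added as the last line of this hunk grants write on ipaConfigString over the whole cn=masters subtree (targetfilter `(objectClass=nsContainer)` with no `target` restriction), so the host principal of any one master can change the role configuration of every other master, not only its own. If self-service is the intent, narrow it with a target such as `(target = "ldap:///cn=*,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX")` in front of the targetfilter; if the cross-master write is deliberate, a comment above the `dn:` line should say so, since ipaConfigString is presumably what selects which master holds roles such as CA renewal. The replication.py hunk that follows removes these two ACIs by exact string match, so any later edit to these values here leaves stale grants behind when a master is deleted; generating both copies from one shared definition would prevent that drift.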
@@ -1245,6 +1245,44 @@ class ReplicationManager(object):
 err = e
 try:
+ entry = self.conn.get_entry(
+ DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ self.suffix),
+ ['aci'])
+
+ sub = {'suffix': self.suffix, 'fqdn': replica}
+ try:
+ entry.raw['aci'].remove(
+ '(targetfilter = "(objectClass=nsContainer)")'
+ '(targetattr = "cn || objectClass || ipaConfigString")'
+ '(version 3.0; acl "Read IPA Masters"; allow (read, '
+ 'search, compare) userdn = "ldap:///fqdn=%(fqdn)s,'
+ 'cn=computers,cn=accounts,%(suffix)s";)' % sub)
+ except ValueError:
+ pass
+ try:
+ entry.raw['aci'].remove(
+ '(targetfilter = "(objectClass=nsContainer)")'
+ '(targetattr = "ipaConfigString")(version 3.0; acl '
+ '"Modify IPA Masters"; allow (write) userdn = '
+ '"ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
+ '%(suffix)s";)' % sub)
+ except ValueError:
+ pass
+
+ try:
+ self.conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+ except errors.NotFound:
+ pass
+ except Exception, e:
+ if not force:
+ raise e
+ elif not err:
+ err = e
+
+ try:
 basedn = DN(('cn', 'etc'), self.suffix)
 filter = '(dnaHostname=%s)' % replica
 entries = self.conn.get_entries( |