authorRob Crittenden <rcritten@redhat.com>2012-02-24 18:17:47 -0500
committerMartin Kosek <mkosek@redhat.com>2012-02-29 16:20:49 +0100
commit2d555256526827564f89d941c2d2b31815378a6b (patch)
treeadaf38505491b13a0c22efef21afabeb053639e4 /install/tools
parentc48d34fa433e9472d196b0258cac16934a1dae48 (diff)
Warn that deleting replica is irreversible, try to detect reconnection.
Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126
Diffstat (limited to 'install/tools')
-rwxr-xr-xinstall/tools/ipa-replica-manage23
-rw-r--r--install/tools/man/ipa-replica-manage.12
2 files changed, 24 insertions, 1 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index da327e5b9..f1f5425ca 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -29,6 +29,7 @@ from ipaserver.install import bindinstance
from ipaserver import ipaldap
from ipapython import version
from ipalib import api, errors, util
+from ipalib.dn import DN
from ipapython.ipa_log_manager import *
CACERT = "/etc/ipa/ca.crt"
@@ -287,6 +288,7 @@ def del_master(realm, hostname, options):
# 3. If an IPA agreement connect to the master to be removed.
repltype = thisrepl.get_agreement_type(hostname)
if repltype == replication.IPA_REPLICA:
+ winsync = False
try:
delrepl = replication.ReplicationManager(realm, hostname, options.dirman_passwd)
except Exception, e:
@@ -308,8 +310,17 @@ def del_master(realm, hostname, options):
replica_names = delrepl.find_ipa_replication_agreements()
else:
# WINSYNC replica, delete agreement from current host
+ winsync = True
replica_names = [options.host]
+ if not winsync and not options.force:
+ print "Deleting a master is irreversible."
+ print "To reconnect to the remote master you will need to prepare " \
+ "a new replica file"
+ print "and re-install."
+ if not ipautil.user_input("Continue to delete?", False):
+ sys.exit("Deletion aborted")
+
# 4. Remove each agreement
for r in replica_names:
try:
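Review bot: The confirmation text added before step 4 never names the master being removed, so an operator who mistyped the argument gets no chance to notice before an irreversible delete. Including the target in the warning would close that gap, e.g. `print "Deleting master %s is irreversible." % hostname`, using the `hostname` parameter shown in the hunk header. It would also help to add a short comment above `if not winsync and not options.force:` saying why winsync agreements skip the prompt. The body of del_master starts and ends outside this hunk, and indentation is lost on this page, so the exact nesting of the new block is inferred.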
@@ -390,6 +401,18 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
options.passsync, options.win_subtree,
options.cacert)
else:
+ # First see if we already exist on the remote master. If so this was
+ # a previously deleted connection.
+ try:
+ repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)
+ master_dn = repl2.replica_dn()
+ binddn = str(DN(('krbprincipalname','ldap/%s@%s' % (replica1, api.env.realm)),(api.env.container_service),(api.env.basedn)))
+ master = repl2.conn.getEntry(master_dn, ldap.SCOPE_BASE)
+ binddns = master.getValues('nsDS5ReplicaBindDN')
+ if binddns and binddn in binddns:
+ sys.exit("You cannot connect to a previously deleted master")
+ except errors.NotFound:
+ pass
repl1.setup_gssapi_replication(replica2, "cn=Directory Manager", dirman_passwd)
print "Connected '%s' to '%s'" % (replica1, replica2)
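Review bot: The reconnection guard compares DNs as plain strings (`binddn in binddns`), so a stored nsDS5ReplicaBindDN that differs only in case or spacing would not match. The same holds for a `replica1` typed in a different case on the command line. In either case the check is skipped and the link is set up, which is the outcome the commit message warns about. Keeping `binddn` as a `DN` object and comparing parsed values would be stricter, e.g. `if binddns and any(DN(v) == binddn for v in binddns):`, assuming `DN` parses string values and compares case-insensitively; please confirm. The `except errors.NotFound: pass` also lets the connection proceed whenever the replica entry cannot be read, so a comment stating that skipping the check there is intended would help. The body of add_link starts outside this hunk.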
diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index 8fca50a5a..002c42998 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -61,7 +61,7 @@ The Directory Manager password to use for authentication
Provide additional information
.TP
\fB\-f\fR, \fB\-\-force\fR
-Ignore some types of errors
+Ignore some types of errors, don't prompt when deleting a master
.TP
\fB\-\-binddn\fR=\fIADMIN_DN\fR
Bind DN to use with remote server (default is cn=Directory Manager) \- Be careful to quote this value on the command line