authorPetr Vobornik <pvoborni@redhat.com>2015-06-10 18:23:37 +0200
committerPetr Vobornik <pvoborni@redhat.com>2015-06-15 15:02:06 +0200
commit45dccedd12e6d26e146ad9c30c2c304e6b2eded1 (patch)
treebe5dba622993f2288ad409b009d5d90094db75e6 /install
parent4137f2a8ed6bf1457c7dadf0ed4e6a4465abc621 (diff)
ipa-replica-manage: Do not allow topology altering commands from DL 1
With Domain Level 1 and above, the usage of ipa-replica-manage commands that alter the replica topology is deprecated. The following commands are prohibited: * connect * disconnect Upon executing any of these commands, users are pointed to the ipa topologysegment-* replacements. The exception is creation/deletion of a winsync agreement. Part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-replica-manage53
1 files changed, 37 insertions, 16 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 0d2688e6d..36efda88c 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -241,23 +241,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
"""
repl2 = None
+ what = "Removal of IPA replication agreement"
+ managed_topology = has_managed_topology()
try:
repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
-
type1 = repl1.get_agreement_type(replica2)
-
- repl_list = repl1.find_ipa_replication_agreements()
- if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
- print "Cannot remove the last replication link of '%s'" % replica1
- print "Please use the 'del' command to remove it from the domain"
- return False
-
except errors.NotFound:
- print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
+ # it's possible that the agreement could not have been found because of
+ # the new topology plugin naming convention: <A>-to-<B> instead of
+ # meTo<B>.
+ if managed_topology:
+ print "'%s' has no winsync replication agreement for '%s'" % (replica1, replica2)
+ exit_on_managed_topology(what)
+ else:
+ print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
return False
except Exception, e:
- print "Failed to determine agreement type for '%s': %s" % (replica1, e)
+ print "Failed to determine agreement type for '%s': %s" % (replica2, e)
+
+ if type1 == replication.IPA_REPLICA and managed_topology:
+ exit_on_managed_topology(what)
+
+ repl_list = repl1.find_ipa_replication_agreements()
+ if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
+ print "Cannot remove the last replication link of '%s'" % replica1
+ print "Please use the 'del' command to remove it from the domain"
return False
if type1 == replication.IPA_REPLICA:
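Review bot: The generic `except Exception, e:` handler in del_link appears to lose its `return False`. The context `return False` that used to follow its print now sits after the re-added "Cannot remove the last replication link" messages. After printing "Failed to determine agreement type", execution would therefore fall through to `if type1 == replication.IPA_REPLICA and managed_topology:` with `type1` (and possibly `repl1`) unbound, ending in a NameError traceback instead of a clean failure. Add `return False` directly after the print in that handler. Indentation is not visible in this view, so this is read from the +/- markers; del_link's body continues past the hunk.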
@@ -747,12 +756,6 @@ def del_master(realm, hostname, options):
try:
if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
dm_password=options.dirman_passwd):
- if options.dirman_passwd:
- api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
- bind_pw=options.dirman_passwd)
- else:
- ccache = krbV.default_context().default_ccache()
- api.Backend.ldap2.connect(ccache=ccache)
bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower())
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
@@ -777,6 +780,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
if os.getegid() != 0:
root_logger.error("winsync agreements need to be created as root")
sys.exit(1)
+ elif has_managed_topology():
+ exit_on_managed_topology("Creation of IPA replication agreement")
try:
repl = replication.ReplicationManager(realm, replica1, dirman_passwd)
@@ -1167,6 +1172,14 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
except Exception, e:
sys.exit("Updating range failed: %s" % e)
+def has_managed_topology():
+ domainlevel = api.Command['domainlevel_get']().get('result', 0)
+ return domainlevel > 0
+
+def exit_on_managed_topology(what):
+ sys.exit("{0} is deprecated with managed IPA replication topology. "
+ "Please use `ipa topologysegment-*` commands to manage "
+ "the topology.".format(what))
def main():
if os.getegid() == 0:
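Review bot: has_managed_topology() fails open: `.get('result', 0)` treats a response without a `result` key as domain level 0, which lets the deprecated link-altering paths in del_link and add_link proceed against what may be a managed topology. Indexing the key directly, `domainlevel = api.Command['domainlevel_get']()['result']`, turns a malformed response into an error instead of a silent downgrade. Both helpers also lack docstrings. Suggested: `"""Return True when the domain level is above 0, i.e. the replication topology is managed."""` for the first, and a one-line docstring on exit_on_managed_topology stating that it never returns because it calls sys.exit. As far as this page shows, this guard lives only in the tool, so it is worth confirming where the restriction is actually enforced.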
@@ -1209,6 +1222,14 @@ def main():
options.dirman_passwd = dirman_passwd
+ # Initialize the LDAP connection
+ if options.dirman_passwd:
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=options.dirman_passwd)
+ else:
+ ccache = krbV.default_context().default_ccache()
+ api.Backend.ldap2.connect(ccache=ccache)
+
if args[0] == "list":
replica = None
if len(args) == 2:
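Review bot: The ldap2 connection is now opened in main() before the subcommand dispatch, so every subcommand, including the read-only `list`, binds as `cn=Directory Manager` whenever a password was supplied. If the new consumer is `domainlevel_get` in has_managed_topology(), say so in the comment, e.g. `# ldap2 is required by has_managed_topology() and by del_master's DNS cleanup`, so the scope of the privileged bind is clear to later readers. No matching disconnect or handling of a failed bind is visible in this hunk. main() continues outside it, so confirm that a wrong password ends in a clean error message rather than a traceback.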