author | Rob Crittenden <rcritten@redhat.com> | 2012-02-22 16:02:19 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-23 15:54:59 +0100 |
commit | ecf544ea0b5e5f8cc8b1339268bb85da90a03f03 (patch) | |
tree | 11b2b0715def3b0862d66078cee62f712f3e53f3 /ipaserver/install/plugins | |
parent | b9e368553421e4ca7052ffbd4ce01926e8519196 (diff) | |
Make sure memberof is in replication attribute exclusion list.
A previous bug caused this attribute to not be added which would lead
to unnecessary replication. This runs as an updater plugin.
https://fedorahosted.org/freeipa/ticket/2223
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/fix_replica_memberof.py | 62 |
2 files changed, 63 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index a96d0be5c..cfa84c36d 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(pythondir)/ipaserver/install
 app_PYTHON = \
 __init__.py \
 baseupdate.py \
+ fix_replica_memberof.py \
 rename_managed.py \
 updateclient.py \
 $(NULL)
diff --git a/ipaserver/install/plugins/fix_replica_memberof.py b/ipaserver/install/plugins/fix_replica_memberof.py
new file mode 100644
index 000000000..4ab3df426
--- /dev/null
+++ b/ipaserver/install/plugins/fix_replica_memberof.py
@@ -0,0 +1,62 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import pwd
+from ipaserver.install.plugins import PRE_UPDATE, MIDDLE
+from ipaserver.install.plugins.baseupdate import PreUpdate
+from ipaserver import ipaldap
+from ipaserver.install import replication
+from ipalib import api
+
+class update_replica_memberof(PreUpdate):
+ """
+ Run through all replication agreements and ensure that memberOf is
+ included in the EXCLUDE list so we don't cause replication storms.
+ """
+ order=MIDDLE
+
+ def execute(self, **options):
+ # We need an IPAdmin connection to the backend
+ conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
+ conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
+
+ repl = replication.ReplicationManager(api.env.realm, api.env.host,
+ None, conn=conn)
+ entries = repl.find_replication_agreements()
+ self.log.debug("Found %d agreement(s)" % len(entries))
+ for replica in entries:
+ self.log.debug(replica.description)
+ if 'memberof' not in replica.nsDS5ReplicatedAttributeList:
+ self.log.debug("Attribute list needs updating")
+ current = replica.toDict()
+ replica.setValue('nsDS5ReplicatedAttributeList',
+ replica.nsDS5ReplicatedAttributeList + ' memberof')
+ try:
+ repl.conn.updateEntry(replica.dn, current, replica.toDict())
+ self.log.debug("Updated")
+ except Exception, e:
+ self.log.error("Error caught updating replica: %s" % str(e))
+ else:
+ self.log.debug("No update necessary")
+ self.log.debug("Done updating agreements")
+
+ return (False, False, []) # No restart, no apply now, no updates
+
+api.register(update_replica_memberof) |
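Review bot: The membership test in `execute()`, `'memberof' not in replica.nsDS5ReplicatedAttributeList`, is a case-sensitive substring match on the raw attribute string, so an agreement that already excludes `memberOf` in a different case gets a second entry appended, and any longer attribute name that merely contains `memberof` would suppress the fix. Comparing whole tokens case-insensitively is stricter: `if 'memberof' not in replica.nsDS5ReplicatedAttributeList.lower().split():`. The test and the string concatenation also sit outside the `try`, so if an agreement carries no such attribute at all (the commit message hints this may occur; how the entry object reports a missing attribute is not visible here) the updater would probably abort instead of logging and moving on to the next agreement. Appending `' memberof'` additionally assumes the existing value already ends in an EXCLUDE clause, which deserves a comment or an explicit check.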