authorPetr Viktorin <pviktori@redhat.com>2012-11-20 07:47:00 -0500
committerMartin Kosek <mkosek@redhat.com>2012-11-23 12:19:20 +0100
commitbef251a13ca075718afe7503b5bbe8caa439a1ea (patch)
tree2333a05bf890711abbd9eca48b4ad6ada23466fe /ipaserver/install/replication.py
parent994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe (diff)
Make ipa-csreplica-manage work with both merged and non-merged DBs
The ipa-csreplica-manage tool often assumed that the port numbers are the same on both sides of a replication agreement. This assumption doesn't hold in a cluster with both old-style hosts and ones with merged DBs. When managing agreements, determine the port with the PKI (or merged) DS on each master, and use it. Also, in CSReplicationManager, always use starttls rather than ldaps://.
Diffstat (limited to 'ipaserver/install/replication.py')
-rw-r--r--ipaserver/install/replication.py24
1 files changed, 11 insertions, 13 deletions
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index dfc3c7716..1c90173d2 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -128,8 +128,8 @@ class ReplicationManager(object):
# If we are passed a password we'll use it as the DM password
# otherwise we'll do a GSSAPI bind.
if starttls:
- self.conn = ipaldap.IPAdmin(hostname, port=port)
- ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
+ self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT,
+ protocol='ldap')
self.conn.start_tls_s()
else:
self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT)
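Review bot: The starttls branch now relies on `cacert=CACERT` passed to the IPAdmin constructor instead of the removed process-wide `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)`, so whether `start_tls_s()` still verifies the server certificate against CACERT depends on IPAdmin applying that option to a `protocol='ldap'` connection before the handshake; IPAdmin is outside this diff, so that should be confirmed rather than assumed. If it does not, the replication connection would negotiate TLS with no trust anchor set. The same dependency appears in the setup_replication hunk below, where the `r_conn` connection is built the same way. A one-line comment above the constructor call would make the expectation explicit, e.g. `# cacert is applied by IPAdmin so start_tls_s() verifies the peer against CACERT`. The enclosing constructor begins outside the hunk.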
@@ -815,17 +815,16 @@ class ReplicationManager(object):
self.setup_changelog(conn)
def setup_replication(self, r_hostname, r_port=389, r_sslport=636,
- r_binddn=None, r_bindpw=None, starttls=False,
- is_cs_replica=False):
+ r_binddn=None, r_bindpw=None,
+ is_cs_replica=False, local_port=None):
assert isinstance(r_binddn, DN)
+ if local_port is None:
+ local_port = r_port
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
- if starttls:
- r_conn = ipaldap.IPAdmin(r_hostname, port=r_port)
- ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
- r_conn.start_tls_s()
- else:
- r_conn = ipaldap.IPAdmin(r_hostname, port=r_sslport, cacert=CACERT)
+ r_conn = ipaldap.IPAdmin(r_hostname, port=r_port, cacert=CACERT,
+ protocol='ldap')
+ r_conn.start_tls_s()
if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
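Review bot: `r_sslport=636` remains in the signature but nothing in the hunk reads it any more, since the `else` branch that opened an ldaps connection to it was removed; it should either be dropped once callers are updated or marked as retained for compatibility, e.g. `# r_sslport is unused: connections always use r_port with STARTTLS; kept for callers`. The `starttls` keyword was also removed, so any caller still passing `starttls=` will now raise TypeError; those callers are outside this diff and are presumably updated elsewhere in the commit. The python-ldap comment about two different CA certs now sits above a single unconditional connection, which makes it read as a stale justification; rewording it to say what the single STARTTLS connection avoids would help the next reader. The new `local_port` parameter would also benefit from a short docstring line noting it defaults to `r_port` and names the local DS port the remote agreement points back to. setup_replication continues past the end of this hunk.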
@@ -843,7 +842,7 @@ class ReplicationManager(object):
self.repl_man_dn, self.repl_man_passwd)
if is_cs_replica:
- self.setup_agreement(r_conn, self.conn.host, port=r_port,
+ self.setup_agreement(r_conn, self.conn.host, port=local_port,
repl_man_dn=self.repl_man_dn,
repl_man_passwd=self.repl_man_passwd,
master=False)
@@ -852,7 +851,7 @@ class ReplicationManager(object):
repl_man_passwd=self.repl_man_passwd,
master=True)
else:
- self.setup_agreement(r_conn, self.conn.host, port=r_port,
+ self.setup_agreement(r_conn, self.conn.host, port=local_port,
repl_man_dn=self.repl_man_dn,
repl_man_passwd=self.repl_man_passwd)
self.setup_agreement(self.conn, r_hostname, port=r_port,
@@ -1207,4 +1206,3 @@ class ReplicationManager(object):
print "This may be safely interrupted with Ctrl+C"
self.conn.checkTask(dn, dowait=True)
-