-rw-r--r--ipalib/constants.py1
-rw-r--r--ipaserver/install/replication.py24
2 files changed, 23 insertions, 2 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 3c63739fa..dc32533ee 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -100,6 +100,7 @@ DEFAULT_CONFIG = (
('container_entitlements', 'cn=entitlements,cn=etc'),
('container_automember', 'cn=automember,cn=etc'),
('container_selinux', 'cn=usermap,cn=selinux'),
+ ('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'),
# Ports, hosts, and URIs:
# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 9247b58fc..7e89eeb47 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -27,8 +27,7 @@ from ipaserver import ipaldap
from ipapython import services as ipaservices
import installutils
from ldap import modlist
-from ipalib import util
-from ipalib import errors
+from ipalib import api, util, errors
from ipapython import ipautil
from ipalib.dn import DN
@@ -941,6 +940,27 @@ class ReplicationManager(object):
else:
err = e
+ # remove replica memberPrincipal from s4u2proxy configuration
+ dn1 = DN(u'cn=ipa-http-delegation', api.env.container_s4u2proxy, self.suffix)
+ member_principal1 = "HTTP/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+
+ dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+ member_principal2 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+
+ for (dn, member_principal) in ((str(dn1), member_principal1),
+ (str(dn2), member_principal2)):
+ try:
+ mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)]
+ self.conn.modify_s(dn, mod)
+ except (ldap.NO_SUCH_OBJECT, ldap.NO_SUCH_ATTRIBUTE):
+ root_logger.debug("Replica (%s) memberPrincipal (%s) not found in %s" % \
+ (replica, member_principal, dn))
+ except Exception, e:
+ if not force:
+ raise e
+ elif not err:
+ err = e
+
# delete master entry with all active services
try:
dn = 'cn=%s,cn=masters,cn=ipa,cn=etc,%s' % (replica, self.suffix)
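Review bot: `raise e` in the new `except Exception, e:` branch (the `if not force:` path) re-raises without the original traceback under Python 2; a bare `raise` keeps it: `raise`. On the `force` path the failure is only parked in `err` with no log line at the point of failure, so a memberPrincipal that could not be removed — which leaves the decommissioned replica's HTTP principal still listed as a delegation member under cn=ipa-http-delegation — is visible only through whatever the caller later does with `err`; a `root_logger.warning("Failed to remove memberPrincipal %s from %s: %s", member_principal, dn, e)` there would make the stale delegation entry findable in the install log. The backslash continuation on the `root_logger.debug(...)` line is redundant, since the expression is already inside the call parentheses. Whether `ldap`, `root_logger` and `realm` are in scope cannot be confirmed from this hunk, and the enclosing method starts and ends outside it.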