-rwxr-xr-xinstall/tools/ipa-replica-install1
-rw-r--r--install/ui/test/data/json_metadata.json1
-rw-r--r--ipaserver/install/dsinstance.py6
-rw-r--r--ipaserver/install/replication.py29
4 files changed, 31 insertions, 6 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c2018f4d5..9fddb7584 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -469,7 +469,6 @@ def main():
raise RuntimeError("Failed to configure the client")
ds.replica_populate()
- ds.init_memberof()
#Everything installed properly, activate ipa service.
ipaservices.knownservices.ipa.enable()
diff --git a/install/ui/test/data/json_metadata.json b/install/ui/test/data/json_metadata.json
index 482eb6c3b..f87ab114c 100644
--- a/install/ui/test/data/json_metadata.json
+++ b/install/ui/test/data/json_metadata.json
@@ -3273,6 +3273,7 @@
"nsds5replicaroot",
"nsds5replicasessionpausetime",
"nsds5replicatedattributelist",
+ "nsds5replicatedattributelisttotal",
"nsds5replicatimeout",
"nsds5replicatombstonepurgeinterval",
"nsds5replicatransportinfo",
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f2b16dfe8..36a386619 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -169,6 +169,7 @@ class DsInstance(service.Service):
self.idmax = None
self.subject_base = None
self.open_ports = []
+ self.run_init_memberof = True
if realm_name:
self.suffix = util.realm_to_suffix(self.realm_name)
self.__setup_sub_dict()
@@ -295,6 +296,7 @@ class DsInstance(service.Service):
repl.setup_replication(self.master_fqdn,
r_binddn="cn=Directory Manager",
r_bindpw=self.dm_password)
+ self.run_init_memberof = repl.needs_memberof_fixup()
def __enable(self):
self.backup_state("enabled", self.is_enabled())
@@ -433,6 +435,10 @@ class DsInstance(service.Service):
self._ldap_mod("memberof-conf.ldif")
def init_memberof(self):
+
+ if not self.run_init_memberof:
+ return
+
self._ldap_mod("memberof-task.ldif", self.sub_dict)
# Note, keep dn in sync with dn in install/share/memberof-task.ldif
dn = "cn=IPA install %s,cn=memberof task,cn=tasks,cn=config" % self.sub_dict["TIME"]
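Review bot: The new early return at the top of `init_memberof` skips the fixup task silently, so neither the code nor the install log shows why group membership was not rebuilt on this replica. A short comment above the guard would record the reason, for example `# Fixup is only needed when the master rejected nsDS5ReplicatedAttributeListTotal; otherwise memberof arrived with the total update.` A debug-level log line before the `return` would also help when diagnosing a replica that ends up with missing memberof values. The body of `init_memberof` continues outside the hunk.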
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index a6bd7af37..3ee4d277e 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -107,6 +107,7 @@ class ReplicationManager(object):
self.starttls = starttls
tmp = util.realm_to_suffix(realm)
self.suffix = str(DN(tmp)).lower()
+ self.need_memberof_fixup = False
# If we are passed a password we'll use it as the DM password
# otherwise we'll do a GSSAPI bind.
@@ -433,6 +434,7 @@ class ReplicationManager(object):
which use a different name on each side. If master is None then
isn't a dogtag replication agreement.
"""
+
cn, dn = self.agreement_dn(b_hostname, master=master)
try:
a_conn.getEntry(dn, ldap.SCOPE_BASE)
@@ -440,11 +442,14 @@ class ReplicationManager(object):
except errors.NotFound:
pass
- # List of attributes that need to be excluded from replication.
- excludes = ('memberof', 'entryusn',
- 'krblastsuccessfulauth',
- 'krblastfailedauth',
- 'krbloginfailedcount')
+ # List of attributes that need to be excluded from replication initialization.
+ totalexcludes = ('entryusn',
+ 'krblastsuccessfulauth',
+ 'krblastfailedauth',
+ 'krbloginfailedcount')
+
+ # List of attributes that need to be excluded from normal replication.
+ excludes = ('memberof', ) + totalexcludes
entry = ipaldap.Entry(dn)
entry.setValues('objectclass', "nsds5replicationagreement")
@@ -472,8 +477,22 @@ class ReplicationManager(object):
a_conn.add_s(entry)
+ if master is None:
+ try:
+ mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal',
+ '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))]
+ a_conn.modify_s(dn, mod)
+ except ldap.LDAPError, e:
+ # Apparently there are problems set the total list
+ # Probably the master is an old 389-ds server, tell the caller
+ # that we will have to set the memberof fixup task
+ self.need_memberof_fixup = True
+
entry = a_conn.waitForEntry(entry)
+ def needs_memberof_fixup(self):
+ return self.need_memberof_fixup
+
def setup_krb_princs_as_replica_binddns(self, a, b):
"""
Search the appropriate principal names so we can get
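Review bot: The `except ldap.LDAPError, e:` around the `modify_s` call treats every LDAP failure as "old 389-ds master" and then discards `e`. A dropped connection or an access-control denial would therefore also leave the agreement without `nsDS5ReplicatedAttributeListTotal`, with nothing in the install log to say why. Narrowing the handler to the errors an older server is expected to return for an unknown attribute, presumably something like `except (ldap.UNDEFINED_TYPE, ldap.OBJECT_CLASS_VIOLATION), e:` (to be confirmed against an old master), would keep the fallback while letting real faults propagate. At minimum the caught exception should be logged before `self.need_memberof_fixup = True`. The enclosing method starts outside the hunk.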