Diffstat (limited to 'install')
-rwxr-xr-x | install/tools/ipa-replica-manage | 22 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 37 |
2 files changed, 55 insertions, 4 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 20d261c8f..b85c491e5 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -27,6 +27,7 @@ from ipaserver.install import replication, dsinstance, installutils
 from ipaserver import ipaldap
 from ipapython import version
 from ipalib import util
+from ipalib import errors
 
 def parse_options():
 from optparse import OptionParser
@@ -102,12 +103,15 @@ def del_master(replman, hostname, force=False):
 try:
 t = replman.get_agreement_type(hostname)
 except ldap.NO_SUCH_OBJECT:
- print "No replication agreement found for %s" % hostname
+ print "No replication agreement found for '%s'" % hostname
+ return
+ except errors.NotFound:
+ print "No replication agreement found for '%s'" % hostname
+ return
 
 if t == replication.IPA_REPLICA:
- dirman_passwd = getpass.getpass("Directory Manager password (%s): " % hostname)
 try:
- other_replman = replication.ReplicationManager(hostname, dirman_passwd)
+ other_replman = replication.ReplicationManager(hostname, dirman_passwd=None)
 other_replman.suffix = get_suffix()
 other_replman.delete_agreement(replman.conn.host)
 except Exception, e:
@@ -179,10 +183,13 @@ def synch_master(replman, hostname):
 def main():
 options, args = parse_options()
 
+ dirman_passwd = None
+
 if options.dirman_passwd:
 dirman_passwd = options.dirman_passwd
 else:
- dirman_passwd = getpass.getpass("Directory Manager password: ")
+ if args[0] in ["add", "init"]:
+ dirman_passwd = getpass.getpass("Directory Manager password: ")
 
 if options.host:
 host = options.host
@@ -227,5 +234,12 @@ except SystemExit, e:
 except ldap.INVALID_CREDENTIALS:
 print "Invalid password"
 sys.exit(1)
+except ldap.INSUFFICIENT_ACCESS:
+ print "Insufficient access"
+ sys.exit(1)
+except ldap.LOCAL_ERROR, e:
+ print e.args[0]['info']
+ sys.exit(1)
 except Exception, e:
 print "unexpected error: %s" % str(e)
+ sys.exit(1)
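Review bot: In the del_master hunk the two new `except` branches are byte-for-byte identical (same message, same `return`), so they should be a single clause, `except (ldap.NO_SUCH_OBJECT, errors.NotFound):`, which also keeps the message in one place if it is ever changed. The switch to `replication.ReplicationManager(hostname, dirman_passwd=None)` means the agreement on the other replica is now removed without the Directory Manager password, relying on whatever credential ReplicationManager uses when no password is given (presumably the caller's own Kerberos identity, which the 40-delegation.update ACIs in this commit are meant to authorise; I cannot confirm that from the hunk). A one-line comment above that call, `# no Directory Manager password: the caller's own credentials must be permitted by the replication ACIs`, would make that dependency visible to the next reader. The body of del_master, including the handler that catches a failed delete, continues outside the hunk.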
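Review bot: In the main() hunk `args[0]` is indexed with no visible check that a positional command was given; if parse_options (outside the hunk) does not enforce one, running the tool with no arguments now raises IndexError, which falls through to the generic handler as "unexpected error" instead of a usage message. The nested `else:` / `if` can also be flattened, so the two lines become `elif args and args[0] in ["add", "init"]:` followed by the unchanged getpass call. It would help to state the intent in a comment above the assignment, `# only "add" and "init" need the Directory Manager password; other commands run as the caller`, since `dirman_passwd` now deliberately stays None for every other subcommand.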
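Review bot: The new `ldap.LOCAL_ERROR` handler does `print e.args[0]['info']`, which assumes the exception payload is a non-empty tuple whose first element is a dict with an `'info'` key; if either assumption fails the handler itself raises IndexError or KeyError, and the user sees a traceback from inside the error path rather than the message and exit status this hunk intends. A guarded form avoids that: `detail = e.args[0].get('info') if e.args and isinstance(e.args[0], dict) else None` then `print detail or str(e)`. The "Insufficient access" branch would also be more actionable if the message said which role is expected, since this commit makes that the normal failure for users outside the replicaadmin rolegroup. Adding `sys.exit(1)` to the final `except Exception` branch is a good fix: the tool previously exited 0 after an unexpected error.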
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 1be178933..77dca721d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -72,6 +72,13 @@ add:objectClass: nestedgroup
 add:cn: certadmin
 add:description: Certificate Administrators
+dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: replicaadmin
+add:description: Replication Administrators
+add:member:'uid=admin,cn=users,cn=accounts,$SUFFIX'
+
 # Add the taskgroups referenced by the ACIs for user administration
 dn: cn=taskgroups,cn=accounts,$SUFFIX
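Review bot: The new replicaadmin rolegroup carries no comment describing what membership grants, unlike the taskgroup blocks added later in this commit (`# Taskgroup for managing replicas`). Because its initial member is `uid=admin` and the second hunk makes it a member of both managereplica and deletereplica, anyone later added to this rolegroup gains read/write/search on replica entries and delete on replication agreements, so the entry is a privileged group rather than a plain role label. A one-line comment above the dn line would make that explicit: `# Rolegroup for replication administrators; nested into the managereplica and deletereplica taskgroups below`.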
@@ -648,3 +655,33 @@ add: aci: '(targetattr = "objectClass")(target = $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold" ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold, cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Taskgroup for managing replicas
+dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: managereplica
+add:description: Manage Replication Agreements
+add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Taskgroup for deleting replicas
+dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: deletereplica
+add:description: Delete Replication Agreements
+add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Add acis allowing admins to read/write/delete replicas
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
+ (objectclass=nsds5replicationagreement)(objectclass=
+ nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
+ replication agreements"; allow (read, write, search) groupdn =
+ "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
+ nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
+ ))")(version 3.0;acl "Delete replication agreements";allow (delete)
+ groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' |
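Review bot: Both new ACI values are folded onto continuation lines in the middle of quoted tokens — `acl "Manage` / ` replication agreements"` in the first and `(objectclass=` / ` nsds5replicationagreement` in the second — so the resulting ACL name and filter depend on whether the updater keeps or strips the leading space of a continuation line, which this page does not show; one rule yields `Manage replication agreements`, the other `Managereplication agreements` and possibly a malformed filter. The existing context line keeps its whole ACI on one physical line, so the safe fix is to break only between complete clauses (after a closing `)` of the targetfilter or after a `;`), never inside a quoted string or an attribute name. Separately, `(targetattr=*)` on the manage ACI grants write to every attribute of entries matching nsds5Replica as well as the agreement classes; if the intent is only to manage agreements, it would be worth narrowing either targetattr or the filter, and saying so in the `# Add acis ...` comment. The delete ACI correctly omits nsds5Replica, so the two filters are intentionally different; a comment noting that would stop a future edit from "aligning" them.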