Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-replica-manage22
-rw-r--r--install/updates/40-delegation.update37
2 files changed, 55 insertions, 4 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 20d261c8f..b85c491e5 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -27,6 +27,7 @@ from ipaserver.install import replication, dsinstance, installutils
from ipaserver import ipaldap
from ipapython import version
from ipalib import util
+from ipalib import errors
def parse_options():
from optparse import OptionParser
@@ -102,12 +103,15 @@ def del_master(replman, hostname, force=False):
try:
t = replman.get_agreement_type(hostname)
except ldap.NO_SUCH_OBJECT:
- print "No replication agreement found for %s" % hostname
+ print "No replication agreement found for '%s'" % hostname
+ return
+ except errors.NotFound:
+ print "No replication agreement found for '%s'" % hostname
+ return
if t == replication.IPA_REPLICA:
- dirman_passwd = getpass.getpass("Directory Manager password (%s): " % hostname)
try:
- other_replman = replication.ReplicationManager(hostname, dirman_passwd)
+ other_replman = replication.ReplicationManager(hostname, dirman_passwd=None)
other_replman.suffix = get_suffix()
other_replman.delete_agreement(replman.conn.host)
except Exception, e:
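Review bot: The two new `except` branches at the top of the hunk print the same message and return; collapse them into one clause, `except (ldap.NO_SUCH_OBJECT, errors.NotFound):`, so the two copies of the message cannot drift apart. Replacing the prompted password with `dirman_passwd=None` means the connection to the other master now runs under whatever credentials ReplicationManager falls back to when no password is supplied — presumably the invoking user's Kerberos identity, which is what the replicaadmin ACIs added in 40-delegation.update by this commit appear to exist for, but the bind code is not visible here. A one-line comment on that call, `# no DM password: the delete relies on the caller's credentials and the deletereplica ACI`, would stop the next reader from reinstating the prompt. del_master continues past the end of the hunk.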
@@ -179,10 +183,13 @@ def synch_master(replman, hostname):
def main():
options, args = parse_options()
+ dirman_passwd = None
+
if options.dirman_passwd:
dirman_passwd = options.dirman_passwd
else:
- dirman_passwd = getpass.getpass("Directory Manager password: ")
+ if args[0] in ["add", "init"]:
+ dirman_passwd = getpass.getpass("Directory Manager password: ")
if options.host:
host = options.host
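Review bot: `args[0]` on the new line is indexed before anything in this hunk checks that a command was given; unless parse_options() already rejects an empty argument list (not visible here), running the tool with no command raises IndexError, which the module-level handler reports as an unhelpful "unexpected error: list index out of range". Guard it: `if args and args[0] in ("add", "init"):`. For every other command dirman_passwd now stays None, so those operations depend on the caller's existing credentials plus the new delegation ACIs; say so on the `dirman_passwd = None` line, e.g. `# only add/init need the DM password; other commands bind with the caller's credentials`. main() continues outside the hunk.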
@@ -227,5 +234,12 @@ except SystemExit, e:
except ldap.INVALID_CREDENTIALS:
print "Invalid password"
sys.exit(1)
+except ldap.INSUFFICIENT_ACCESS:
+ print "Insufficient access"
+ sys.exit(1)
+except ldap.LOCAL_ERROR, e:
+ print e.args[0]['info']
+ sys.exit(1)
except Exception, e:
print "unexpected error: %s" % str(e)
+ sys.exit(1)
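Review bot: `e.args[0]['info']` in the new `ldap.LOCAL_ERROR` handler assumes python-ldap populated the optional 'info' key; when only 'desc' is present the handler itself raises KeyError, which is not caught by the sibling `except` clauses and escapes as a raw traceback. Fall back explicitly: `print e.args[0].get('info', e.args[0].get('desc', str(e)))`. Since most commands no longer supply the Directory Manager password, a LOCAL_ERROR here is plausibly a client-side SASL/GSSAPI failure such as a missing credential cache — hedged, as the bind code is outside this hunk — and a short comment on the handler saying what the message means would help operators. The enclosing try block starts before this hunk.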
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 1be178933..77dca721d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -72,6 +72,13 @@ add:objectClass: nestedgroup
add:cn: certadmin
add:description: Certificate Administrators
+dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: replicaadmin
+add:description: Replication Administrators
+add:member:'uid=admin,cn=users,cn=accounts,$SUFFIX'
+
# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
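Review bot: The new replicaadmin rolegroup has no explanatory comment, while the taskgroup entries added later in this commit each carry one; add `# Rolegroup whose members may manage replication agreements` above its `dn:` line. The entry makes `uid=admin` a direct member, which is the membership the managereplica and deletereplica taskgroups later inherit, so a reader auditing who can touch replication should be pointed at this entry.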
@@ -648,3 +655,33 @@ add: aci: '(targetattr = "objectClass")(target =
$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Taskgroup for managing replicas
+dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: managereplica
+add:description: Manage Replication Agreements
+add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Taskgroup for deleting replicas
+dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: deletereplica
+add:description: Delete Replication Agreements
+add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Add acis allowing admins to read/write/delete replicas
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
+ (objectclass=nsds5replicationagreement)(objectclass=
+ nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
+ replication agreements"; allow (read, write, search) groupdn =
+ "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
+ nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
+ ))")(version 3.0;acl "Delete replication agreements";allow (delete)
+ groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
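Review bot: The "Manage replication agreements" ACI grants `allow (read, write, search)` with `(targetattr=*)`, i.e. write on every attribute of the nsds5Replica and agreement entries, which includes the agreement's stored bind credentials and the replica's bind-DN list — broader than managing agreements requires. Enumerate the attributes ipa-replica-manage actually modifies (not visible in this commit), or at least exclude the credential attributes with a `(targetattr != "...")` clause listing them. The ACI deliberately omits `add`, so role members still cannot create agreements, which is consistent with the tool continuing to prompt for the Directory Manager password on add/init; a comment above the entry stating that intent, `# read/write/search only: adding a replica still requires the Directory Manager password`, would prevent someone "fixing" it by adding the right. Note the delete ACI's filter omits nsds5Replica, so the replica configuration entry itself is not deletable by the role, which looks intentional and is worth the same kind of comment.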