Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/dsinstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 28 |
2 files changed, 29 insertions, 5 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 15de54e9a..c1b6531a4 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -149,6 +149,7 @@ class DsInstance(service.Service): self.idmax = None self.subject_base = None self.open_ports = [] + self.run_init_memberof = True if realm_name: self.suffix = util.realm_to_suffix(self.realm_name) self.__setup_sub_dict()
@@ -275,6 +276,7 @@ class DsInstance(service.Service): repl.setup_replication(self.master_fqdn, r_binddn="cn=Directory Manager", r_bindpw=self.dm_password) + self.run_init_memberof = repl.needs_memberof_fixup() def __enable(self): self.backup_state("enabled", self.is_enabled())
@@ -413,6 +415,10 @@ class DsInstance(service.Service): self._ldap_mod("memberof-conf.ldif") def init_memberof(self): + + if not self.run_init_memberof: + return + self._ldap_mod("memberof-task.ldif", self.sub_dict) # Note, keep dn in sync with dn in install/share/memberof-task.ldif dn = "cn=IPA install %s,cn=memberof task,cn=tasks,cn=config" % self.sub_dict["TIME"]
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index a6bd7af37..a29b98147 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -107,6 +107,7 @@ class ReplicationManager(object): self.starttls = starttls tmp = util.realm_to_suffix(realm) self.suffix = str(DN(tmp)).lower() + self.need_memberof_fixup = False # If we are passed a password we'll use it as the DM password # otherwise we'll do a GSSAPI bind.
@@ -433,6 +434,7 @@ class ReplicationManager(object): which use a different name on each side. If master is None then isn't a dogtag replication agreement. """ + cn, dn = self.agreement_dn(b_hostname, master=master) try: a_conn.getEntry(dn, ldap.SCOPE_BASE)
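Review bot: The early return added to init_memberof (hunk @@ -413) is silent and unexplained: nothing in the method, and not the stray blank line after `def init_memberof(self):`, says why the memberof task is sometimes skipped, so someone reading a replica install log cannot tell whether the task ran. Replace that blank line with a comment tying the flag to its origin, e.g. `# Skip the memberof fixup task when the replica was initialized with memberof already populated (see ReplicationManager.needs_memberof_fixup)`, and consider a debug log line before the `return` so the decision is visible at install time. The flag is only ever changed through repl.needs_memberof_fixup() in the @@ -275 hunk, so an install that never reaches that call keeps the default True from @@ -149; that looks intended but is worth stating in the comment. init_memberof's body continues past the end of the hunk.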
@@ -440,11 +442,14 @@ class ReplicationManager(object): except errors.NotFound: pass - # List of attributes that need to be excluded from replication. - excludes = ('memberof', 'entryusn', - 'krblastsuccessfulauth', - 'krblastfailedauth', - 'krbloginfailedcount') + # List of attributes that need to be excluded from replication initialization. + totalexcludes = ('entryusn', + 'krblastsuccessfulauth', + 'krblastfailedauth', + 'krbloginfailedcount') + + # List of attributes that need to be excluded from normal replication. + excludes = ('memberof', ) + totalexcludes entry = ipaldap.Entry(dn) entry.setValues('objectclass', "nsds5replicationagreement")
@@ -472,8 +477,21 @@ class ReplicationManager(object): a_conn.add_s(entry) + try: + mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal', + '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))] + a_conn.modify_s(dn, mod) + except ldap.LDAPError, e: + # Apparently there are problems set the total list + # Probably the master is an old 389-ds server, tell the caller + # that we will have to set the memberof fixup task + self.need_memberof_fixup = True + entry = a_conn.waitForEntry(entry) + def needs_memberof_fixup(self): + return self.need_memberof_fixup + def setup_krb_princs_as_replica_binddns(self, a, b): """ Search the appropriate principal names so we can get |
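Review bot: The two new comments in the excludes block (hunk @@ -440) say what each tuple excludes but not why memberof was moved out of the total list, which is the point of the change: evidently it is kept in the total (initialization) update so a freshly initialized replica already carries memberof values and the fixup task can be skipped. A one-line comment on `excludes = ('memberof', ) + totalexcludes` such as `# memberof is deliberately left in the total update: a replica initialized with it does not need the memberof fixup task` would keep that intent from being lost in the next edit. The enclosing method starts before and ends after this hunk.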
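Review bot: The except clause in the new nsDS5ReplicatedAttributeListTotal block (hunk @@ -472) binds `e` but never reports it: every ldap.LDAPError, not only the unsupported-attribute case the comment guesses at, is swallowed, the fixup fallback is chosen, and nothing reaches the log, so a modify_s that failed for another reason (permissions, a dropped connection) is indistinguishable from an old master. Log the exception before setting the flag with whatever logger this module uses (constructed example: `logging.debug("Could not set nsDS5ReplicatedAttributeListTotal on %s: %s", dn, e)`), or drop the unused `, e` if no logging is wanted. The comment also reads `problems set the total list`; `problems setting the total list` is what is meant. If the old-server failure has a known result code, catching only that one (python-ldap raises ldap.UNDEFINED_TYPE for an unknown attribute type) and letting anything else propagate would stop real errors from being masked, though the exact error an old 389-ds returns is not visible here. The enclosing method starts outside this hunk.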