author | Rob Crittenden <rcritten@redhat.com> | 2011-03-18 11:19:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-03-21 13:23:53 -0400 |
commit | ca5332951c68904b0763f79f3612209271206b2a (patch) | |
tree | d2e39143f5d1b7b78fb40fd906e0d722c1b19d3d /install/tools/ipa-ldap-updater | |
parent | ba5e0c43070c1ec77e45a032cd3dabbe0f7a76fc (diff) | |
Automatically update IPA LDAP on rpm upgrades
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* removes automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
Diffstat (limited to 'install/tools/ipa-ldap-updater')
-rwxr-xr-x | install/tools/ipa-ldap-updater | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater index 161766e3..b325e35e 100755 --- a/install/tools/ipa-ldap-updater +++ b/install/tools/ipa-ldap-updater @@ -23,6 +23,7 @@ # TODO # save undo files? +import os import sys try: from ipapython.config import IPAOptionParser @@ -30,6 +31,7 @@ try: from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR from ipaserver.install.upgradeinstance import IPAUpgrade + from ipapython import sysrestore import logging import krbV except ImportError: @@ -57,12 +59,9 @@ def parse_options(): parser.add_option("-u", '--upgrade', action="store_true", dest="upgrade", default=False, help="Upgrade an installed server in offline mode") - config.add_standard_options(parser) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) - config.init_config(options) - return safe_options, options, args def get_dirman_password(): @@ -75,11 +74,19 @@ def get_dirman_password(): def main(): loglevel = logging.INFO + badsyntax = False safe_options, options, args = parse_options() if options.debug: loglevel = logging.DEBUG + if os.getegid() == 0: + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + if not fstore.has_files(): + sys.exit("IPA is not configured on this system.") + elif not os.path.exists('/etc/ipa/default.conf'): + sys.exit("IPA is not configured on this system.") + dirman_password = "" if options.password: pw = ipautil.template_file(options.password, []) @@ -93,6 +100,8 @@ def main(): files = args if options.upgrade: + if os.getegid() != 0: + sys.exit('Upgrade can only be done as root') logging.basicConfig(level=loglevel, format='%(levelname)s %(message)s', filename='/var/log/ipaupgrade.log') 
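Review bot: The root checks added in main() test the effective group id rather than the effective user id: `if os.getegid() == 0:` in the `@@ -75,11 +74,19 @@` hunk, `if os.getegid() != 0:` in front of "Upgrade can only be done as root" in the `@@ -93,6 +100,8 @@` hunk, and again in the ldapi refusal in the `@@ -101,7 +110,15 @@` hunk. A non-root account whose effective group is 0 passes these gates, and root running with a different effective group is refused. Since the commit message describes the upgrade path as autobinding with Directory Manager rights, the gate should be on the uid: `if os.geteuid() == 0:` and `if os.geteuid() != 0:`. main() starts and ends outside these hunks.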
@@ -101,7 +110,15 @@ def main(): upgrade = IPAUpgrade(realm, files, live_run=not options.test) upgrade.create_instance() modified = upgrade.modified + badsyntax = upgrade.badsyntax else: + if os.getegid() == 0 and options.ldapi: + sys.exit('ldapi cannot be used by root') + # Clear all existing log handlers, this is need to log as root + loggers = logging.getLogger() + if loggers.handlers: + for handler in loggers.handlers: + loggers.removeHandler(handler) logging.basicConfig(level=loglevel, format='%(levelname)s %(message)s') ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi) @@ -109,7 +126,9 @@ def main(): files = ld.get_all_files(UPDATES_DIR) modified = ld.update(files) - if modified and options.test: + if badsyntax: + return 1 + elif modified and options.test: return 2 else: return 0 @@ -128,7 +147,3 @@ except SystemExit, e: sys.exit(e) except KeyboardInterrupt, e: sys.exit(1) -except config.IPAConfigError, e: - print "An IPA server to update cannot be found. Has one been configured yet?" - print "The error was: %s" % e - sys.exit(1) |
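Review bot: The handler-clearing loop in the `@@ -101,7 +110,15 @@` hunk removes entries from `loggers.handlers` while iterating over that same list, so when more than one handler is installed every second one is skipped and stays attached. `logging.basicConfig()` does nothing while the root logger still has a handler, so the level and format passed on the following line would then be silently ignored. Iterate over a copy instead, `for handler in loggers.handlers[:]:`, which also makes the `if loggers.handlers:` guard unnecessary. The else branch continues outside the hunk.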
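Review bot: `badsyntax` is only assigned in the `options.upgrade` branch, so the `return 1` added in the `@@ -109,7 +126,9 @@` hunk can never be reached on the online `LDAPUpdate` path. Whether `ld.update(files)` reports a malformed update file some other way is not visible here; if it does not, that path still exits 0 on bad input. The exit codes are also undocumented at the return site, and a comment such as `# exit status: 1 = bad update syntax, 2 = changes pending with options.test, 0 = otherwise` would make the contract explicit for whatever invokes the tool during package upgrades. main() starts outside the hunk.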