authorRob Crittenden <rcritten@redhat.com>2011-03-18 11:19:53 -0400
committerRob Crittenden <rcritten@redhat.com>2011-03-21 13:23:53 -0400
commitca5332951c68904b0763f79f3612209271206b2a (patch)
treed2e39143f5d1b7b78fb40fd906e0d722c1b19d3d /install
parentba5e0c43070c1ec77e45a032cd3dabbe0f7a76fc (diff)
Automatically update IPA LDAP on rpm upgrades
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind, giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * removes the automatic --realm, --server, --domain options * handles upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-ldap-updater31
-rw-r--r--install/tools/man/ipa-ldap-updater.131
2 files changed, 43 insertions, 19 deletions
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index 161766e3..b325e35e 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -23,6 +23,7 @@
# TODO
# save undo files?
+import os
import sys
try:
from ipapython.config import IPAOptionParser
@@ -30,6 +31,7 @@ try:
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
from ipaserver.install.upgradeinstance import IPAUpgrade
+ from ipapython import sysrestore
import logging
import krbV
except ImportError:
@@ -57,12 +59,9 @@ def parse_options():
parser.add_option("-u", '--upgrade', action="store_true", dest="upgrade",
default=False, help="Upgrade an installed server in offline mode")
- config.add_standard_options(parser)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
- config.init_config(options)
-
return safe_options, options, args
def get_dirman_password():
@@ -75,11 +74,19 @@ def get_dirman_password():
def main():
loglevel = logging.INFO
+ badsyntax = False
safe_options, options, args = parse_options()
if options.debug:
loglevel = logging.DEBUG
+ if os.getegid() == 0:
+ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+ if not fstore.has_files():
+ sys.exit("IPA is not configured on this system.")
+ elif not os.path.exists('/etc/ipa/default.conf'):
+ sys.exit("IPA is not configured on this system.")
+
dirman_password = ""
if options.password:
pw = ipautil.template_file(options.password, [])
@@ -93,6 +100,8 @@ def main():
files = args
if options.upgrade:
+ if os.getegid() != 0:
+ sys.exit('Upgrade can only be done as root')
logging.basicConfig(level=loglevel,
format='%(levelname)s %(message)s',
filename='/var/log/ipaupgrade.log')
@@ -101,7 +110,15 @@ def main():
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
upgrade.create_instance()
modified = upgrade.modified
+ badsyntax = upgrade.badsyntax
else:
+ if os.getegid() == 0 and options.ldapi:
+ sys.exit('ldapi cannot be used by root')
+ # Clear all existing log handlers, this is need to log as root
+ loggers = logging.getLogger()
+ if loggers.handlers:
+ for handler in loggers.handlers:
+ loggers.removeHandler(handler)
logging.basicConfig(level=loglevel,
format='%(levelname)s %(message)s')
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
@@ -109,7 +126,9 @@ def main():
files = ld.get_all_files(UPDATES_DIR)
modified = ld.update(files)
- if modified and options.test:
+ if badsyntax:
+ return 1
+ elif modified and options.test:
return 2
else:
return 0
@@ -128,7 +147,3 @@ except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)
-except config.IPAConfigError, e:
- print "An IPA server to update cannot be found. Has one been configured yet?"
- print "The error was: %s" % e
- sys.exit(1)
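Review bot: The root checks added at the `if os.getegid() == 0:` line of the `@@ -75,11 +74,19 @@` hunk, and repeated in the `@@ -93,6 +100,8 @@` and `@@ -101,7 +110,15 @@` hunks, test the effective group id rather than the effective user id, so a non-root process whose effective group is 0 passes the "Upgrade can only be done as root" gate and hits the `'ldapi cannot be used by root'` exit, while a root process running under another group would be refused; each check should read `if os.geteuid() == 0:` (or `!= 0`). Separately, the handler-clearing loop in the `else:` branch calls `loggers.removeHandler(handler)` while iterating the same `loggers.handlers` list it is shrinking, which skips every second handler; iterate a copy instead, `for handler in list(loggers.handlers):`, and fix the comment to `# Clear all existing log handlers; this is needed to log as root`. main() begins before these hunks and continues past them, so the remainder of its body is not visible here.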
diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
index 795b3681..9924d2f8 100644
--- a/install/tools/man/ipa-ldap-updater.1
+++ b/install/tools/man/ipa-ldap-updater.1
@@ -1,21 +1,21 @@
.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
-.\"
+.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
-.\"
+.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
-.\"
+.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
-.\"
+.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
-.\"
+.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "freeipa" ""
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
@@ -34,7 +34,9 @@ There are 4 keywords:
* default: the starting value
* add: add a value (or values) to an attribute
* remove: remove a value (or values) from an attribute
- * only: set an attribute to this
+ * only: set an attribute to this
+ * deleteentry: remove the entry
+ * replace: replace an existing value, format is old: new
Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.
@@ -48,8 +50,9 @@ The available template variables are:
* $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)
* $DOMAIN \- the domain name (example.com)
* $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)
+ * $ESCAPED_SUFFIX \- the ldap-escaped IPA LDAP suffix
* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
- * $TIME \- an integer representation of current time
+ * $TIME \- an integer representation of current time
A few rules:
@@ -59,17 +62,23 @@ A few rules:
4. removing a value that doesn't exist is ok. It is simply ignored.
5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied
6. If a DN does exist the default values are skipped
- 7. Only the first rule on a line is respected
+ 7. Only the first rule on a line is respected
.SH "OPTIONS"
-.TP
+.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
-.TP
+.TP
\fB\-t\fR, \fB\-\-test\fR
Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
-.TP
+.TP
\fB\-y\fR
File containing the Directory Manager password
+.TP
+\fB\-l\fR, \fB\-\-ldapi\fR
+Connect to the LDAP server using the ldapi socket
+.TP
+\fB\-u\fR, \fB\-\-\-upgrade\fR
+Upgrade an installed server in offline mode (implies \-\-ldapi)
.SH "EXIT STATUS"
0 if the command was successful