From 714b0d11ec5e6d756739bfca2cdf3bad31979615 Mon Sep 17 00:00:00 2001 From: JR Aquino Date: Fri, 16 Sep 2011 10:23:02 -0700 Subject: Replication: Adjust replica installation to omit processing memberof computations https://fedorahosted.org/freeipa/ticket/1794 If the master does not yet support the total update list feature we still run the memberof fixup task and not fail to replicate due to the new attribute not being settable. Jointly-developed-with: Simo Sorce Jointly-developed-with: Nathank Kinder --- ipaserver/install/replication.py | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'ipaserver/install/replication.py') diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index a6bd7af3..a29b9814 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -107,6 +107,7 @@ class ReplicationManager(object): self.starttls = starttls tmp = util.realm_to_suffix(realm) self.suffix = str(DN(tmp)).lower() + self.need_memberof_fixup = False # If we are passed a password we'll use it as the DM password # otherwise we'll do a GSSAPI bind. @@ -433,6 +434,7 @@ class ReplicationManager(object): which use a different name on each side. If master is None then isn't a dogtag replication agreement. """ + cn, dn = self.agreement_dn(b_hostname, master=master) try: a_conn.getEntry(dn, ldap.SCOPE_BASE) 
@@ -440,11 +442,14 @@ class ReplicationManager(object): except errors.NotFound: pass - # List of attributes that need to be excluded from replication. - excludes = ('memberof', 'entryusn', - 'krblastsuccessfulauth', - 'krblastfailedauth', - 'krbloginfailedcount') + # List of attributes that need to be excluded from replication initialization. + totalexcludes = ('entryusn', + 'krblastsuccessfulauth', + 'krblastfailedauth', + 'krbloginfailedcount') + + # List of attributes that need to be excluded from normal replication. + excludes = ('memberof', ) + totalexcludes entry = ipaldap.Entry(dn) entry.setValues('objectclass', "nsds5replicationagreement") @@ -472,8 +477,21 @@ class ReplicationManager(object): a_conn.add_s(entry) + try: + mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal', + '(objectclass=*) $ EXCLUDE %s' % " ".join(totalexcludes))] + a_conn.modify_s(dn, mod) + except ldap.LDAPError, e: + # Apparently there are problems set the total list + # Probably the master is an old 389-ds server, tell the caller + # that we will have to set the memberof fixup task + self.need_memberof_fixup = True + entry = a_conn.waitForEntry(entry) + def needs_memberof_fixup(self): + return self.need_memberof_fixup + def setup_krb_princs_as_replica_binddns(self, a, b): """ Search the appropriate principal names so we can get -- cgit
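Review bot: The comments on `totalexcludes` and `excludes` say when each list applies but not why `memberof` is the one attribute that differs, which is the point of the split. Going by the commit subject, a comment on `excludes` such as `# memberof is excluded only from incremental updates, so initialization carries the master's computed values and the replica can skip the fixup task` would record the intent. The line that writes `excludes` into the agreement entry is outside this hunk, so the attribute it feeds cannot be confirmed from here.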
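Review bot: The `except ldap.LDAPError, e:` around the new `modify_s` call treats every LDAP failure as "old master without the total list". An access denial, a dropped connection or a rejected value would also be swallowed, leaving the agreement without `nsDS5ReplicatedAttributeListTotal` and with nothing logged (`e` is never used). Narrow the handler to the schema-type errors an older 389-ds would plausibly return, e.g. `except (ldap.UNDEFINED_TYPE, ldap.OBJECT_CLASS_VIOLATION), e:`, and log `e` before setting `self.need_memberof_fixup = True`; the exact result code is not visible here and should be confirmed against an old master. The new `needs_memberof_fixup` accessor has no docstring; `"""Return True if the total exclude list could not be set, so the memberof fixup task must still run."""` would cover it. The enclosing method begins outside this hunk.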