authorPetr Vobornik <pvoborni@redhat.com>2014-10-17 13:24:49 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-17 14:08:37 +0200
commit6f81217c18a416dcbd23360ad3d7f3fea0174fc0 (patch)
treed8cea36fbb172c55fd0aa31faee3892e0a91035b /ipaserver/install/bindinstance.py
parent608851d3f86a9082b394c30fe0c7a7b33d43f363 (diff)
dns: fix privileges' memberof during dns install
Permissions whose member attributes point to privileges are created before the privileges themselves. Run the memberof plugin task to fix the other ends of the relationships.

https://fedorahosted.org/freeipa/ticket/4637

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipaserver/install/bindinstance.py')
-rw-r--r--ipaserver/install/bindinstance.py30
1 files changed, 30 insertions, 0 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 636e04f5e..d964daf22 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -23,6 +23,7 @@ import pwd
import netaddr
import re
import sys
+import time
import ldap
@@ -674,6 +675,35 @@ class BindInstance(service.Service):
def __setup_dns_container(self):
self._ldap_mod("dns.ldif", self.sub_dict)
+ self.__fix_dns_privilege_members()
+
+ def __fix_dns_privilege_members(self):
+ ldap = api.Backend.ldap2
+
+ cn = 'Update PBAC memberOf %s' % time.time()
+ task_dn = DN(('cn', cn), ('cn', 'memberof task'), ('cn', 'tasks'),
+ ('cn', 'config'))
+ basedn = DN(api.env.container_privilege, api.env.basedn)
+ entry = ldap.make_entry(
+ task_dn,
+ objectclass=['top', 'extensibleObject'],
+ cn=[cn],
+ basedn=[basedn],
+ filter=['(objectclass=*)'],
+ ttl=[10])
+ ldap.add_entry(entry)
+
+ start_time = time.time()
+ while True:
+ try:
+ task = ldap.get_entry(task_dn)
+ except errors.NotFound:
+ break
+ if 'nstaskexitcode' in task:
+ break
+ time.sleep(1)
+ if time.time() > (start_time + 60):
+ raise errors.TaskTimeout(task='memberof', task_dn=task_dn)
def __setup_zone(self):
# Always use force=True as named is not set up yet
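Review bot: The polling loop in `__fix_dns_privilege_members` breaks as soon as `nstaskexitcode` is present but never reads its value, so a memberof task that ended with a non-zero exit code is handled exactly like a successful one and the install carries on with the privileges' memberOf values possibly still missing. The `errors.NotFound` branch has the same gap: with `ttl=[10]` the task entry can be removed before a poll sees it, and the outcome is then unknown. I would check the code before leaving the loop, for example `if int(task['nstaskexitcode'][0]) != 0:` followed by a logged error or a raised exception that names `task_dn` (the value type the entry returns should be confirmed first). Separately, the local `ldap = api.Backend.ldap2` shadows the `ldap` module imported at the top of the file; a name such as `conn` would avoid that.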