summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/replication.py
Commit message (Collapse)AuthorAgeFilesLines
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-05-301-1/+5
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* Retry retrieving ldap principals when setting up replication.Rob Crittenden2012-05-221-18/+60
| | | | | | | | | | | | We've seen on a few occassions where one side or the other is missing the ldap principal. This causes replication to fail when trying to convert to using GSSAPI. If this happens force a synchronization again and try the retrieval again, up to 10 times. This should also make the error report clearer if even after the retries one of the principals doesn't exist. https://fedorahosted.org/freeipa/ticket/2737
* Remove duplicate and unused utility codePetr Viktorin2012-05-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPA has some unused code from abandoned features (Radius, ipa 1.x user input, commant-line tab completion), as well as some duplicate utilities. This patch cleans up the utility modules. Duplicate code consolidated into ipapython.ipautil: {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix {ipaserver,ipapython}.ipautil.CIDict (with style improvements from the ipaserver version) {ipapython.entity,ipaserver.ipautil}.utf8_encode_value {ipapython.entity,ipaserver.ipautil}.utf8_encode_values ipalib.util.get_fqdn was removed in favor of the same function in ipaserver.install.installutils Removed unused code: ipalib.util: load_plugins_in_dir import_plugins_subpackage make_repr (was imported but unused; also removed from tests) ipapython.ipautil: format_list parse_key_value_pairs read_pairs_file read_items_file user_input_plain AttributeValueCompleter ItemCompleter ipaserver.ipautil: get_gsserror (a different version exists in ipapython.ipautil) ipaserver.ipautil ended up empty and is removed entirely. https://fedorahosted.org/freeipa/ticket/2650
* Fix ipa-replica-manage TLS connection errorMartin Kosek2012-03-141-2/+5
| | | | | | | | | | | | | | New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up a winsync replication. We always receive a connection error stating that Peer's certificate is not recognized even though we pass a correct certificate. This patch fixes the way we set up TLS. The change is backwards compatible with older versions of openldap. https://fedorahosted.org/freeipa/ticket/2500
* Remove memberPrincipal for deleted replicasMartin Kosek2012-03-021-2/+22
| | | | | | | | | | | | When a replica is deleted, its memberPrincipal entries in cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica is reinstalled and connected again, the installer would report an error with duplicate value in LDAP. This patch extends replica cleanup procedure to remove replica principal from s4u2proxy configuration. https://fedorahosted.org/freeipa/ticket/2451
* Fix managing winsync replication agreements with ipa-replica-manageRob Crittenden2012-02-271-1/+1
| | | | | | | | | | | | force-sync, re-initialize and del were not working because they all attempted to contact the AD server. winsync agreements are managed on the local 389-ds instance. This also: - requires root to create winsync agreement (for updating NSS db) - fixes filter in get_replication_agreement() to work with winsync https://fedorahosted.org/freeipa/ticket/2128
* Make sure memberof is in replication attribute exclusion list.Rob Crittenden2012-02-231-12/+17
| | | | | | | A previous bug caused this attribute to not be added which would lead to unnecessary replication. This runs as an updater plugin. https://fedorahosted.org/freeipa/ticket/2223
* Check for the existence of a replication agreement before deleting it.Rob Crittenden2012-01-301-0/+22
| | | | | | | | | | | | | When using ipa-replica-manage or ipa-csreplica-manage to delete an agreement with a host we would try to make a connection to that host prior to tryign to delete it. This meant that the trying to delete a host we don't have an agreement with would return a connection error instead of a "no agreement with host foo" error. Also display a completed message when an agreement is removed. https://fedorahosted.org/freeipa/ticket/2048 https://fedorahosted.org/freeipa/ticket/2125
* Leave nsds5replicaupdateschedule parameter unsetOndrej Hamada2012-01-241-11/+8
| | | | | | | | The nsDS5ReplicaUpdateSchedule parameter is omited what results in replication being run all the time. The parameter is still used for forcing replica update but after that action it is always deleted. https://fedorahosted.org/freeipa/ticket/1482
* Fix replication setupSimo Sorce2012-01-131-9/+19
| | | | | | Changes to add a cs-replication management tool mistakenly always set a flag that caused replicas to not add the list of attribute we exclude from replication.
* Fix LDAP add calls in replication moduleMartin Kosek2012-01-131-11/+11
| | | | | | | Replace conn.add_s(entry) with conn.addEntry(entry) to avoid function calls with an invalid number of parameters. https://fedorahosted.org/freeipa/ticket/2139
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes loggingJohn Dennis2011-11-231-23/+24
| | | | | | | | | | | | change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
* Replication: Adjust replica installation to omit processing memberof ↵JR Aquino2011-11-141-5/+23
| | | | | | | | | | | | | computations https://fedorahosted.org/freeipa/ticket/1794 If the master does not yet support the total update list feature we still run the memberof fixup task and not fail to replicate due to the new attribute not being settable. Jointly-developed-with: Simo Sorce <ssorce@redhat.com> Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
* Add a function for formatting network locations of the form host:port for ↵Jan Cholasta2011-10-051-3/+3
| | | | | | | | | use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869
* Remove checks for ds-replication pluginMartin Kosek2011-09-221-15/+0
| | | | | | | The replication plugin is no longer shipped as a separate package. Remove the code checking its existence. https://fedorahosted.org/freeipa/ticket/1815
* Convert server install code to platform-independent access to system servicesAlexander Bokovoy2011-09-131-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/1605
* Clean up existing DN object usageJohn Dennis2011-07-291-4/+4
|
* Specify the package name when the replication plugin is missing.Rob Crittenden2011-07-181-1/+2
| | | | ticket https://fedorahosted.org/freeipa/ticket/1155
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-171-27/+65
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250
* Remove sensitive information from logsMartin Kosek2011-07-131-3/+4
| | | | | | | | When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-231-0/+33
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
* Handle principal not found errors when converting replication a greementsRob Crittenden2011-04-281-0/+7
| | | | | | | | | | | There are times where one side or the other is missing its peers krbprincipalname when converting from simple to GSSAPI replication. Ticket 1188 should address the cause of this. This patch provides better information and handling should either side be missing. ticket 1044
* Wait for memberof task and DS to start before proceeding in installation.Rob Crittenden2011-04-221-0/+2
| | | | | | | | | | | | | This was causing a replica DS instance to crash if the task was not completed when we attempted a shutdown to do a restart. In replication.py we were restarting the DS instance without waiting for the ports to become available. It is unlikely that the dn of the memberof task will change but just in case I noted it in the two places it is referenced. ticket 1188
* Fix lint false positives.Jan Cholasta2011-04-131-2/+2
|
* Store list of non-master replicas in DIT and provide way to list themSimo Sorce2011-03-021-0/+12
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Fix replica setup using replication admin kerberos credentialsSimo Sorce2011-03-011-1/+2
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1022
* Use wrapper for sasl gssapi binds so it behaves like other bindsSimo Sorce2011-03-011-7/+5
| | | | | | | | | | By calling directly sasl_interactive_bind_s() we were not calling __lateinit() This in turn resulted in some variables like dbdir not to be set on the IPAadmin object. Keep all bind types in the same place so the same common sbind steps can be performed in each case. Related to: https://fedorahosted.org/freeipa/ticket/1022
* Fix winsync agreements setupSimo Sorce2011-03-011-23/+38
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1006
* Fix NSS initialization errors during ipa-replica-prepareRob Crittenden2011-02-181-1/+1
| | | | | | | | | | | When enabling replication we make an SSL connection. I think the way this goes is python-ldap -> openldap -> NSS. It may be a problem in the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any case if we use ldapi instead the problem goes away. Back out the temporary code to ignore nss_shutdown errors. ticket 965
* Disable replication version plugin by default.Rob Crittenden2011-02-101-0/+21
| | | | | | | | | | | | | | | | The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the repliation plugin and if it is there then we enable the version plugin before replication begins. ticket 918
* Force sync in both direction before changing replication agreementsSimo Sorce2011-02-011-15/+25
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/887
* Fix ipa-replica-manage regressions with winsyncSimo Sorce2011-01-251-3/+5
| | | | | | Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807
* Populate shared tree with replica related valuesSimo Sorce2011-01-251-0/+29
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/820
* Do not set a replication dn when using SASL/GSSAPI replicationSimo Sorce2011-01-241-23/+16
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/817
* Use GSSAPI for replicationSimo Sorce2011-01-141-12/+128
| | | | | | | Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
* Refactor some replication codeSimo Sorce2011-01-141-86/+91
| | | | | This simplifies or rationalizes some code in order to make it easier to change it to fix bug #690
* Make ipa-replica-manage del actually remove all replication agreementsSimo Sorce2010-12-211-2/+4
| | | | | | | | The previous code was removing only one agreement, leaving all other in place. This would leave dangling replication agreements once the replica is uninstalled. Fixes: https://fedorahosted.org/freeipa/ticket/624
* Remove referrals when removing agreementsSimo Sorce2010-12-211-0/+13
| | | | | | | | | Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
* Make ipa-replica-manage list return all known mastersSimo Sorce2010-12-211-4/+4
| | | | | | | if ipa-replica-manage list is given a master name as argument then the tool has the old behavior of listing that specific master replication agreements Fixes: https://fedorahosted.org/freeipa/ticket/625
* Add disconnect command to ipa-replica-manageSimo Sorce2010-12-211-0/+22
| | | | | | | | Can remove replication agreements between 2 replicas as long as it is not the last agreement (except for Ad replication agreements, which can always be removed). Fixes: https://fedorahosted.org/freeipa/ticket/551
* Remove common entries when deleting a master.Simo Sorce2010-12-211-0/+73
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/550
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Verify that the replication plugin exists before setting up replicas.Rob Crittenden2010-12-171-0/+14
| | | | ticket 502
* Split dsinstance configurationSimo Sorce2010-12-101-2/+1
| | | | | This is so that master and replica creation can perform different operations as they need slightly diffeent settings to be applied.
* Enable EntryUSN plugin by default, with global scopeSimo Sorce2010-11-301-1/+1
| | | | | | | This will allow clients to use entryusn values to track what changed in the directory regardles of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Exclude Krb lockout attributes from replicationSimo Sorce2010-11-181-1/+8
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/440
* Use GSSAPI auth for the ipa-replica-manage list and del commands.Rob Crittenden2010-03-191-1/+19
| | | | | | | | | | | | This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
* Clean up some problems discovered with pylint and pycheckerRob Crittenden2009-08-121-6/+8
| | | | | Much of this is formatting to make pylint happy but it also fixes some real bugs.
* Rename errors2.py to errors.py. Modify all affected files.Pavel Zuna2009-04-231-5/+5
|
* Remove more unused files and functions, replace ipaerror with new error classesRob Crittenden2009-02-061-5/+5
|
generated by cgit (git 2.34.1) at 2025-09-02 16:29:56 +0000