summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/replication.py
Commit message (Collapse)AuthorAgeFilesLines
* Use proper logging for error messagesMartin Basti2017-01-311-4/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/6588r Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* wait_for_entry: use only DN as parameterMartin Basti2017-01-311-4/+2
| | | | | | | | | Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* gracefully handle setting replica bind dn group on old mastersMartin Babinsky2016-12-121-16/+32
| | | | | | | | | | | | Pre-3.3 masters do not support setting 'nsds5replicabinddngroup' attribute on existing replica entry during setup of initial replication. In this case UNWILLING_TO_PERFORM is returned. The code can interpret this error as an indication of old master and fall back to just adding its LDAP principal to entry's 'nsds5replicabinddn' attribute. https://fedorahosted.org/freeipa/ticket/6532 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* replica-conncheck: improve error message during replicainstallTomas Krizek2016-12-061-1/+1
| | | | | | | | | | | Replica conncheck may fail for other reasons then network misconfiguration. For example, an incorrect admin password might be provided. Since conncheck is ran as a separate script in quiet mode, no insightful error message can be displayed. https://fedorahosted.org/freeipa/ticket/6497 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replication: ensure bind DN group check interval is set on replica configMartin Babinsky2016-11-291-0/+6
| | | | | | | | | | This is a safeguard ensuring valid replica configuration against incorrectly upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on their domain/ca topology config. https://fedorahosted.org/freeipa/ticket/6508 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-291-11/+15
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ensure that the initial sync using GSSAPI works agains old mastersMartin Babinsky2016-11-171-15/+31
| | | | | | | | | | | | | | IPA 3.x masters neither have 'cn=replication managers' sysaccount groups set, nor do they support adding nsds5ReplicaBinddnGroup attribute to the replica config objects. In order for common replication mechanism to work against them, the replica must be ready to supply the required information to the old master. https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replication: refactor the code setting principals as replica bind DNsMartin Babinsky2016-11-171-26/+21
| | | | | | | | | | In addition to improving the readability of `setup_krb_princs_as_replica_binddns` method, the re-usable bits were factored out to separate methods https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replication: augment setup_promote_replication methodMartin Babinsky2016-11-171-3/+7
| | | | | | | | | | | | | the method that sets up initial GSSAPI replication in DL1 was augmented so that the specified bind DN/bind password allows simple bind to remote master using STARTTLS. The CA certificate for the connection is also configurable. This facilitates the use of this method in DL0 where GSSAPI bind can not be used during DS bootstrap while DM credentials are available. https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Turn replication manager group into ReplicationManager class memberMartin Babinsky2016-11-171-6/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replicainstall: use ldap_uri in ReplicationManagerTomas Krizek2016-11-071-7/+6
| | | | | | | | | Use conn.ldap_uri everywhere. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replicainstall: correct hostname in ReplicationManagerTomas Krizek2016-11-071-7/+7
| | | | | | | | | Use self.hostname instead of self.conn.host. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: add restart_dirsrv for directory server restartsTomas Krizek2016-11-071-2/+2
| | | | | | | | | | | | * Create a utility function to restart a directory server and reconnect the api.Backend.ldap2 connection. * Use restart_dirsrv instead of knownservices.dirsrv.restart to ensure api.Backend.ldap2 is reconnected. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge IPAdmin to LDAPClientTomas Krizek2016-11-071-17/+23
| | | | | | | | | | | | | | | | * move IPAdmin methods to LDAPClient * add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__() * add host, port, _protocol to LDAPClient (parsed from ldap_uri) * create get_ldap_uri() method to create ldap_uri from former IPAdmin.__init__() arguments * replace IPAdmin with LDAPClient + get_ldap_uri() * remove ununsed function argument hostname from enable_replication_version_checking() https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge gssapi_bind to LDAPClientTomas Krizek2016-11-071-7/+7
| | | | | | | | | * Rename do_sasl_gssapi_bind to gssapi_bind https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge external_bind into LDAPClientTomas Krizek2016-11-071-1/+1
| | | | | | | | | | | * Rename do_external_bind to external_bind * Remove user_name argument in external_bind() and always set it to effective user name https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: merge simple_bind into LDAPClientTomas Krizek2016-11-071-5/+7
| | | | | | | | | | | | * Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind * Rename binddn to bind_dn * Rename bindpw to bind_password * Explicitly specify bind_dn in all calls https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Pylint: remove unused variables from installers and scriptsMartin Basti2016-10-061-15/+13
| | | | Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Pylint: enable check for unused-variablesMartin Basti2016-09-271-0/+2
| | | | | | | | | | | | | | | Unused variables may: * make code less readable * create dead code * potentialy hide issues/errors Enabled check should prevent to leave unused variable in code Check is locally disabled for modules that fix is not clear or easy or have too many occurences of unused variables Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove sys.exit from install modules and scriptsStanislav Laznicka2016-08-161-4/+6
| | | | | | | | | sys.exit() calls sometimes make it hard to find bugs and mask code that does not always work properly. https://fedorahosted.org/freeipa/ticket/5750 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-replica-manage: use `server_del` when removing domain level 1 replicaMartin Babinsky2016-06-171-110/+14
| | | | | | | | | | | `ipa-replica-manage del` will now call `server_del` behind the scenes when a removal of replica from managed topology is requested. The existing removal options were mapped on the server_del options to maintain backwards compatibility with earlier versions. https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaserver module for working with managed topologyMartin Babinsky2016-06-171-1/+2
| | | | | | | | | This module should aggregate common functionality utilized in the commands managing domain-level 1 topology. https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: dnsserver: remove config when replica is removedMartin Basti2016-06-171-0/+15
| | | | | | | | | | Configuration of DNS server should be removed together with any other information about replica https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove dangling RUVs even if replicas are offlineStanislav Laznicka2016-06-031-0/+1
| | | | | | | | | | | Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5. https://fedorahosted.org/freeipa/ticket/5396 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* Fix: topologysuffix_find doesn't have no_members optionMartin Basti2016-06-021-1/+1
| | | | | | | | | Remove no_members=False from because topologysuffix_attribute doesn't have no_members option, and this causes errors in replication.py https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Performance: Find commands: do not process members by defaultMartin Basti2016-05-311-1/+2
| | | | | | | | | | | | | | | | In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Listing and cleaning RUV extended for CA suffixStanislav Laznicka2016-02-021-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5411 Reviewed-By: Martin Basti <mbasti@redhat.com>
* correctly set LDAP bind related attributes when setting up replicationMartin Babinsky2016-01-211-7/+15
| | | | | | | | | | | | | | when CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config' entry on remote master during replica installation, the 'nsds5replicabinddn' and 'nsds5replicabinddngroup' attributes are not correctly updated when this entry already existed on the master (e.g. when existing domain-level 0 topology was promoted to domain level 1). This patch ensures that these attributes are always set correctly regardless of existence of the replica entry. https://fedorahosted.org/freeipa/ticket/5412 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enable pylint unnecessary-pass checkMartin Basti2015-12-231-1/+0
| | | | | | Enables check and removes extra pass statement from code. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-1/+1
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* harden domain level 1 topology connectivity checksMartin Babinsky2015-12-211-8/+33
| | | | | | | | | this patch makes the check_last_link_managed() function more resistant to both orphaned topology suffixes and also to cases when there are IPA masters do not seem to manage any suffix. The function will now only complain loudly about these cases and not cause crashes. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-141-2/+2
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: add remote connection check over APIJan Cholasta2015-12-111-1/+5
| | | | | | | | | | Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob. https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIsJan Cholasta2015-12-071-111/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manageMartin Babinsky2015-12-021-0/+90
| | | | | | | | | | This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* use starttls in CSReplicationManager connection againPetr Vobornik2015-11-301-1/+1
| | | | | | | | | | | | | | | | | commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e has: - realm, hostname, dirman_passwd, port, starttls=True) + realm, hostname, dirman_passwd, port) In CSReplicationManager which causes, e.g.: ipa-csreplica-manage -p Secret123 list ipa.example.com cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-7/+4
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix more bytes/unicode issuesPetr Viktorin2015-10-221-23/+23
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow to setup the CA when promoting a replicaSimo Sorce2015-10-151-19/+69
| | | | | | | | | This patch makes --setup-ca work to set upa clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow ipa-replica-conncheck to use default credsSimo Sorce2015-10-151-2/+5
| | | | | | | | If the user has already run kinit try to use those credentials. The user can always override by explicitly passing the -p flag. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-0/+90
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Limit max age of replication changelogMartin Basti2015-09-211-0/+1
| | | | | | | | | Limit max age of replication changelog to seven days, instead of grow to unlimited size. https://fedorahosted.org/freeipa/ticket/5086 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use byte literals where appropriateJan Cholasta2015-09-171-6/+6
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* winsync: Add inetUser objectclass to the passsync sysaccountTomas Babej2015-09-161-1/+1
| | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=1262315 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-26/+28
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-16/+16
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replication: Fix incorrect exception invocationTomas Babej2015-07-241-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommandMartin Basti2015-07-171-1/+2
| | | | | | | | | --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* replication: fix regression in get_agreement_typePetr Vobornik2015-07-011-0/+3
| | | | | | | | dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication ↵Petr Vobornik2015-06-291-9/+3
| | | | | | | | | | | | | agreement existence in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedorahosted.org/freeipa/ticket/5066 Reviewed-By: David Kupka <dkupka@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-28 20:40:20 +0000