authorMartin Babinsky <mbabinsk@redhat.com>2016-11-09 14:44:05 +0100
committerMartin Basti <mbasti@redhat.com>2016-11-17 00:39:17 +0100
commit3dc9ab162141c7d2e4affe73f520e1599e9f8c30 (patch)
tree77b72511fc2f56bcc8b9e59f6f13225450d3214e
parent9d7943f3da7fb84975cc8f45047aafee13bf85dc (diff)
replication: augment setup_promote_replication method
The method that sets up initial GSSAPI replication in DL1 was augmented so that the specified bind DN/bind password allows simple bind to the remote master using STARTTLS. The CA certificate for the connection is also configurable. This facilitates the use of this method in DL0, where GSSAPI bind cannot be used during DS bootstrap while DM credentials are available. https://fedorahosted.org/freeipa/ticket/6406 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--ipaserver/install/replication.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 2e3b12f8d..6209f81fd 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1602,12 +1602,16 @@ class ReplicationManager(object):
entry['nsDS5ReplicaBindDN'].remove(replica_binddn)
conn.update_entry(entry)
- def setup_promote_replication(self, r_hostname):
+ def setup_promote_replication(self, r_hostname, r_binddn=None,
+ r_bindpw=None, cacert=CACERT):
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
ldap_uri = ipaldap.get_ldap_uri(r_hostname)
- r_conn = ipaldap.LDAPClient(ldap_uri)
- r_conn.gssapi_bind()
+ r_conn = ipaldap.LDAPClient(ldap_uri, cacert=cacert)
+ if r_bindpw:
+ r_conn.simple_bind(r_binddn, r_bindpw)
+ else:
+ r_conn.gssapi_bind()
# Setup the first half
l_id = self._get_replica_id(self.conn, r_conn)
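Review bot: The new `simple_bind` branch sends `r_bindpw` over whatever transport `LDAPClient` set up, and nothing visible in this hunk requests STARTTLS: `ipaldap.get_ldap_uri(r_hostname)` is called with the hostname only, and the constructor receives just `cacert=cacert`. The commit message says the bind uses STARTTLS, so unless `LDAPClient` negotiates it implicitly (not visible here), the DM password could cross the network in cleartext. Consider making it explicit with `r_conn = ipaldap.LDAPClient(ldap_uri, start_tls=True, cacert=cacert)`, if the constructor supports that at this revision. Separately, `if r_bindpw:` silently falls back to GSSAPI when a bind DN is passed with an empty password, and calls `simple_bind(None, ...)` when only a password is passed; checking both arguments together and raising on a mismatch would make misuse visible. The method body continues past the end of the hunk.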