replication: ensure bind DN group check interval is set on replica config

This is a safeguard ensuring valid replica configuration against incorrectly
upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
their domain/ca topology config.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 430a0468a..3f909bbf0 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -456,6 +456,12 @@ class ReplicationManager(object):
             if self.repl_man_group_dn not in binddn_groups:
                 mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
                             self.repl_man_group_dn))
+
+            if 'nsds5replicabinddngroupcheckinterval' not in entry:
+                mod.append(
+                    (ldap.MOD_ADD,
+                     'nsds5replicabinddngroupcheckinterval',
+                     '60'))
             if mod:
                 conn.modify_s(dn, mod)