authorMartin Basti <mbasti@redhat.com>2015-10-30 13:06:21 +0100
committerMartin Basti <mbasti@redhat.com>2015-11-02 13:31:27 +0100
commit6119dbb9a915283434f718b38a70017e3ad00840 (patch)
tree6c421358522454ec5a2da6a35be7ffb501b93d26
parent7ef827eeb6b65af8915019bac82932a2c831fc95 (diff)
ipa-csreplica-manage: disable connect/disconnect/del with domain level > 0
* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa topologysegment-*' commands * ipa-csreplica-manage del - a user should use ipa-replica-manage del https://fedorahosted.org/freeipa/ticket/5405 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rwxr-xr-xinstall/tools/ipa-csreplica-manage25
-rwxr-xr-xinstall/tools/ipa-replica-manage14
-rw-r--r--ipalib/util.py5
3 files changed, 36 insertions, 8 deletions
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 202a3cc74..88ca629bb 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -30,6 +30,7 @@ from ipaserver.install import (replication, installutils, bindinstance,
cainstance, certs)
from ipalib import api, errors
from ipalib.constants import CACERT
+from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version, dogtag
from ipapython.dn import DN
@@ -392,6 +393,19 @@ def set_renewal_master(realm, replica):
print("%s is now the renewal master" % replica)
+
+def exit_on_managed_topology(what, hint="topologysegment"):
+ if hint == "topologysegment":
+ hinttext = ("Please use `ipa topologysegment-*` commands to manage "
+ "the topology.")
+ elif hint == "ipa-replica-manage-del":
+ hinttext = ("Please use the `ipa-replica-manage del` command.")
+ else:
+ assert False, "Unexpected value"
+ sys.exit("{0} is deprecated with managed IPA replication topology. {1}"
+ .format(what, hinttext))
+
+
def main():
options, args = parse_options()
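Review bot: `exit_on_managed_topology` rejects an unknown `hint` with `assert False, "Unexpected value"`, and under `python -O` asserts are stripped, so the `sys.exit(...)` line then dies with `UnboundLocalError` on `hinttext` instead of a clear message; `raise ValueError("Unexpected hint value: %r" % hint)` keeps the guard in optimized runs. The helper is also a near copy of `exit_on_managed_topology` in ipa-replica-manage (visible later in this commit); since `has_managed_topology` was just moved into ipalib.util, this helper could be shared the same way rather than maintained twice. A one-line docstring would help, e.g. `"""Exit with a deprecation message pointing at the managed-topology replacement command."""`.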
@@ -427,12 +441,19 @@ def main():
options.dirman_passwd = dirman_passwd
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=options.dirman_passwd)
+
if args[0] == "list":
replica = None
if len(args) == 2:
replica = args[1]
list_replicas(realm, host, replica, dirman_passwd, options.verbose)
elif args[0] == "del":
+ if has_managed_topology(api):
+ exit_on_managed_topology(
+ "Removal of IPA CS replication agreement and replication data",
+ hint="ipa-replica-manage-del")
del_master(realm, args[1], options)
elif args[0] == "re-initialize":
re_initialize(realm, options)
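Review bot: The new `api.Backend.ldap2.connect(...)` call binds as Directory Manager outside any `try`, so a wrong password or an unreachable server surfaces as a traceback instead of a clean exit, unless `parse_options` (not shown) already validated the credentials. Wrapping it as `try:` the existing connect call `except errors.PublicError as e: sys.exit("Unable to connect to the LDAP server: %s" % e)` keeps the tool's existing sys.exit style; `errors` is already imported. The bind is also performed for every subcommand, including `list` and `re-initialize`, although only `del`, `connect` and `disconnect` call `has_managed_topology`; that is harmless but the connection could be limited to those three branches. `main()` continues past the hunk.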
@@ -441,6 +462,8 @@ def main():
sys.exit("force-sync requires the option --from <host name>")
force_sync(realm, host, options.fromhost, options.dirman_passwd)
elif args[0] == "connect":
+ if has_managed_topology(api):
+ exit_on_managed_topology("Creation of IPA CS replication agreement")
if len(args) == 3:
replica1 = args[1]
replica2 = args[2]
@@ -449,6 +472,8 @@ def main():
replica2 = args[1]
add_link(realm, replica1, replica2, dirman_passwd, options)
elif args[0] == "disconnect":
+ if has_managed_topology(api):
+ exit_on_managed_topology("Removal of IPA CS replication agreement")
if len(args) == 3:
replica1 = args[1]
replica2 = args[2]
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1350590b6..b9998da44 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -37,8 +37,9 @@ from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors, util
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
-from ipalib.util import create_topology_graph, get_topology_connection_errors
+from ipalib.constants import CACERT
+from ipalib.util import (create_topology_graph,
+ get_topology_connection_errors, has_managed_topology)
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
@@ -247,7 +248,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
repl2 = None
what = "Removal of IPA replication agreement"
- managed_topology = has_managed_topology()
+ managed_topology = has_managed_topology(api)
try:
repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
@@ -698,7 +699,7 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):
def del_master(realm, hostname, options):
- if has_managed_topology():
+ if has_managed_topology(api):
del_master_managed(realm, hostname, options)
else:
del_master_direct(realm, hostname, options)
@@ -957,7 +958,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
if os.getegid() != 0:
root_logger.error("winsync agreements need to be created as root")
sys.exit(1)
- elif has_managed_topology():
+ elif has_managed_topology(api):
exit_on_managed_topology("Creation of IPA replication agreement")
try:
@@ -1349,9 +1350,6 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
except Exception as e:
sys.exit("Updating range failed: %s" % e)
-def has_managed_topology():
- domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
- return domainlevel > DOMAIN_LEVEL_0
def exit_on_managed_topology(what):
sys.exit("{0} is deprecated with managed IPA replication topology. "
diff --git a/ipalib/util.py b/ipalib/util.py
index 29b4ca160..89d67e67a 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -39,6 +39,7 @@ from netaddr.core import AddrFormatError
import six
from ipalib import errors, messages
+from ipalib.constants import DOMAIN_LEVEL_0
from ipalib.text import _
from ipapython.ssh import SSHPublicKey
from ipapython.dn import DN, RDN
@@ -856,3 +857,7 @@ def detect_dns_zone_realm_type(api, domain):
# If we could not detect type with certainity, return unknown
return 'unknown'
+
+def has_managed_topology(api):
+ domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
+ return domainlevel > DOMAIN_LEVEL_0
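Review bot: `has_managed_topology` falls back to `DOMAIN_LEVEL_0` when the command reply has no `result` key, so a malformed or unexpected reply makes the guard fail open and the deprecated direct-agreement path is allowed; if `domainlevel_get` always returns `result` on success, indexing `['result']` so that its absence raises is the safer default. The function has no docstring; I would add `"""Return True when the domain level is above 0, i.e. the replication topology is managed and direct agreement manipulation is deprecated. Requires an api whose backend is already connected."""` — the connection requirement is inferred from the connect call this commit adds in ipa-csreplica-manage before the first use. PEP 8 asks for two blank lines before a top-level `def`; the hunk adds only one.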