authorSimo Sorce <ssorce@redhat.com>2010-12-20 10:05:17 -0500
committerSimo Sorce <ssorce@redhat.com>2010-12-21 17:28:13 -0500
commit91f3e79d81671441bbf7c187d1415d864f80d101 (patch)
treef6a98d08b07cd7bccefbb2e4dfdc9a961d33a0c5
parentefd8b03ccfc5ba25c383eacafa948aa0aa5feddf (diff)
Remove referrals when removing agreements
Part of this fix also requires granting proper permission to change the replication agreements root. While at it, also fix the replica-related permissions to use the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
-rw-r--r--install/share/delegation.ldif20
-rw-r--r--install/share/replica-acis.ldif10
-rwxr-xr-xinstall/tools/ipa-replica-manage2
-rw-r--r--ipaserver/install/replication.py13
4 files changed, 37 insertions, 8 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 1399c7c8c..7b09ae130 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -441,20 +441,28 @@ member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
# Replica administration
-dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: managereplica
-description: Manage Replication Agreements
+cn: addreplica
+description: Add Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: deletereplica
-description: Delete Replication Agreements
+cn: modifyreplica
+description: Modify Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removereplica
+description: Remove Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
# Entitlement management
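Review bot: The renamed permission entries (managereplica → addreplica, deletereplica → removereplica, plus the new modifyreplica) are only added here; nothing in the commit removes or migrates the existing cn=managereplica and cn=deletereplica entries, so if delegation.ldif is applied only at install time, upgraded servers keep the old groups alongside the new ones. The same holds for the replica-acis.ldif hunk, which adds the three new ACIs with `add: aci` but leaves the superseded "Manage Replication Agreements" and "Delete Replication Agreements" ACIs in place, still referencing the old groups. If an upgrade step elsewhere handles this, a comment next to the block, e.g. `# NOTE: pre-existing managereplica/deletereplica entries are migrated by <upgrade step>`, would make that explicit; otherwise the old entries should be deleted or renamed as part of the same change.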
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 5ee65dacb..feda1d9b7 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,9 +3,15 @@
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
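Review bot: The new "Modify Replication Agreements" ACI grants (read, write, search) with targetattr=* to every entry matching nsMappingTree under cn="$SUFFIX",cn=mapping tree, which is broader than the single nsslapd-referral attribute that delete_referral in replication.py modifies — the mapping tree entry also carries nsslapd-state and nsslapd-backend, which control whether and how the suffix is served at all. If referral maintenance is the only mapping-tree write the modifyreplica holders need, a separate ACI limited to that attribute is the least-privilege form, along the lines of this constructed sketch: `aci: (targetattr="nsslapd-referral")(targetfilter="(objectClass=nsMappingTree)")(version 3.0; acl "Modify Replication Referrals"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";)`, with the `(objectClass=nsMappingTree)` term dropped from the targetattr=* ACI. The existing ordering/whitespace differences between the three ACI lines (`version 3.0;acl` vs `version 3.0; acl`) are harmless but worth normalising while the lines are being rewritten.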
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 6f857e9d4..9894d2ad4 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -219,6 +219,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
failed = False
try:
repl2.delete_agreement(replica1)
+ repl2.delete_referral(replica1)
except ldap.LDAPError, e:
desc = e.args[0]['desc'].strip()
info = e.args[0].get('info', '').strip()
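Review bot: The new `repl2.delete_referral(replica1)` call sits inside the same try as `repl2.delete_agreement(replica1)`, so whenever delete_agreement raises — including the "agreement already gone" case that the except branch below appears to inspect via desc/info — the referral removal is skipped and a stale nsslapd-referral for replica1 remains on the mapping tree. If that case is meant to be tolerated, run the referral cleanup regardless, e.g. move `repl2.delete_referral(replica1)` to just after the try/except; delete_referral cannot raise, since the replication.py hunk catches Exception internally. The forced path in the second hunk of this file (`repl1.delete_agreement(replica2)` followed by `repl1.delete_referral(replica2)`) has the same ordering, where an exception from delete_agreement would likewise skip the referral cleanup. del_link begins before this hunk and its except handling continues past it.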
@@ -238,6 +239,7 @@ def del_link(replica1, replica2, dirman_passwd, force=False):
print "Forcing removal on '%s'" % replica1
repl1.delete_agreement(replica2)
+ repl1.delete_referral(replica2)
def del_master(replman, hostname, force=False):
has_repl_agreement = True
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 5474efdb8..8d388a597 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -407,6 +407,19 @@ class ReplicationManager:
cn, dn = self.agreement_dn(hostname)
return self.conn.deleteEntry(dn)
+ def delete_referral(self, hostname):
+ esc1_suffix = self.suffix.replace('=', '\\3D').replace(',', '\\2C')
+ esc2_suffix = self.suffix.replace('=', '%3D').replace(',', '%2C')
+ dn = 'cn=%s,cn=mapping tree,cn=config' % esc1_suffix
+ # TODO: should we detect proto/port somehow ?
+ mod = [(ldap.MOD_DELETE, 'nsslapd-referral',
+ 'ldap://%s:389/%s' % (hostname, esc2_suffix))]
+
+ try:
+ self.conn.modify_s(dn, mod)
+ except Exception, e:
+ logging.debug("Failed to remove referral value: %s" % str(e))
+
def check_repl_init(self, conn, agmtdn):
done = False
hasError = 0
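Review bot: `except Exception, e:` in delete_referral reduces every failure of modify_s to a debug-level log line, so an INSUFFICIENT_ACCESS (relevant given the ACI changes in this commit, for callers that do not bind as Directory Manager), a SERVER_DOWN, or a NO_SUCH_OBJECT from a mis-escaped DN is indistinguishable from the benign "referral value already absent" case; only ldap.NO_SUCH_ATTRIBUTE is the expected outcome when the value is not there. Catch that case explicitly and log everything else from ldap.LDAPError at warning level, as in the excerpt below. The hard-coded `ldap://%s:389/` (already flagged by the TODO) means a referral registered with ldaps or a non-default port is silently left in place, so a docstring stating that the method is best-effort, removes only the plain-LDAP port-389 referral and never raises would help callers such as ipa-replica-manage. The `ldap` and `logging` names are presumably imported at module level in replication.py — not visible in this hunk, TODO confirm.
```python
    def delete_referral(self, hostname):
        # … unchanged: suffix escaping and mod construction …
        try:
            self.conn.modify_s(dn, mod)
        except ldap.NO_SUCH_ATTRIBUTE:
            # referral value already absent: nothing to do
            logging.debug("No referral for %s found on %s", hostname, dn)
        except ldap.LDAPError, e:
            logging.warning("Failed to remove referral value: %s" % str(e))
```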