authorMartin Basti <mbasti@redhat.com>2016-06-21 12:37:26 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-21 17:09:06 +0200
commit9ae98420e94ea2973ecc21be0a984eac855a2a14 (patch)
tree77dfe9ec3965f3abaa00bbf942d42df151a1179b
parentcc6a3325d497286620cada12dca22fe5e5cf15e7 (diff)
Replica promotion: use the correct IPA domain for replica
The IPA domain is detected from LDAP for a replica promotion installation. If the local domain and the IPA domain do not match, the installer refuses to install the replica. IPA versions 4.3.0 and 4.3.1 allow a different domain to be specified for a replica. Only one IPA domain is allowed (the domain used with the master), and a different domain may cause issues. This commit prevents installing a new replica if multiple domains were used in the past. User action is required to fix this issue and remove the incorrect IPA domains from LDAP. https://fedorahosted.org/freeipa/ticket/5976 Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r--ipaserver/install/server/replicainstall.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 1464e26db..52b2ea5b0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -931,6 +931,33 @@ def ensure_enrolled(installer):
except Exception:
sys.exit("Configuration of client side components failed!")
+
+def promotion_check_ipa_domain(master_ldap_conn, basedn):
+ entry = master_ldap_conn.get_entry(basedn, ['associatedDomain'])
+ if not 'associatedDomain' in entry:
+ raise RuntimeError('IPA domain not found in LDAP.')
+
+ if len(entry['associatedDomain']) > 1:
+ root_logger.critical(
+ "Multiple IPA domains found. We are so sorry :-(, you are "
+ "probably experiencing this bug "
+ "https://fedorahosted.org/freeipa/ticket/5976. Please contact us "
+ "for help.")
+ raise RuntimeError(
+ 'Multiple IPA domains found in LDAP database ({domains}). '
+ 'Only one domain is allowed.'.format(
+ domains=u', '.join(entry['associatedDomain'])
+ ))
+
+ if entry['associatedDomain'][0] != api.env.domain:
+ raise RuntimeError(
+ "Cannot promote this client to a replica. Local domain "
+ "'{local}' does not match IPA domain '{ipadomain}'. ".format(
+ local=api.env.domain,
+ ipadomain=entry['associatedDomain'][0]
+ ))
+
+
@common_cleanup
@preserve_enrollment_state
def promote_check(installer):
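Review bot: The comparison `entry['associatedDomain'][0] != api.env.domain` in promotion_check_ipa_domain is an exact string match, but DNS names are case-insensitive and associatedDomain uses case-ignore matching in the LDAP schema, so a value that differs only in case would refuse a legitimate promotion. Unless both sides are known to be normalized elsewhere, compare normalized forms, e.g. `if entry['associatedDomain'][0].lower() != api.env.domain.lower():`. The first test would also read more naturally as `if 'associatedDomain' not in entry:`, and the function deserves a one-line docstring stating that it raises RuntimeError when the master's LDAP holds no domain, more than one, or one that differs from the local domain. The critical log message points at the ticket but not at the remedy the commit message describes (removing the incorrect domains from LDAP), which is what the operator needs to see.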
@@ -1129,6 +1156,8 @@ def promote_check(installer):
conn.disconnect()
conn.connect(ccache=ccache)
+ promotion_check_ipa_domain(conn, remote_api.env.basedn)
+
# Check that we don't already have a replication agreement
try:
(acn, adn) = replman.agreement_dn(config.host_name)
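Review bot: Nothing in the visible lines catches what `promotion_check_ipa_domain(conn, remote_api.env.basedn)` can raise, namely RuntimeError from its three raise sites plus whatever `get_entry` raises when the base entry cannot be read. The enclosing block of promote_check starts and ends outside this hunk, so it is worth confirming that it disconnects `conn` and reports the message to the user rather than a traceback, as the `sys.exit("Configuration of client side components failed!")` path in ensure_enrolled does. A short comment above the call would also help, for example `# Refuse promotion if the master's IPA domain differs from the local domain (ticket 5976)`.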