author | Jan Cholasta <jcholast@redhat.com> | 2014-04-11 10:35:51 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | e16d2623aee089f07854ffc32b976e45d17c03ff (patch) | |
tree | ed664856c297d4e3dc107ea74da9ad2e47116d54 /ipaserver/install/replication.py | |
parent | d1386be4d55128056e93429bbc85a821494560e9 (diff) | |
Remove master ACIs when deleting a replica.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver/install/replication.py')
-rw-r--r-- | ipaserver/install/replication.py | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fbbad5e6c..168f7ceee 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1202,6 +1202,49 @@ class ReplicationManager(object):
 err = e
 
 try:
+ entry = self.conn.get_entry(
+ DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci'])
+
+ sub = {'suffix': self.suffix, 'fqdn': replica}
+ try:
+ entry.raw['aci'].remove(
+ '(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
+ '%(suffix)s")(version 3.0; acl "Add CA Certificates for '
+ 'renewals"; allow(add) userdn = "ldap:///fqdn=%(fqdn)s,'
+ 'cn=computers,cn=accounts,%(suffix)s";)' % sub)
+ except ValueError:
+ pass
+ try:
+ entry.raw['aci'].remove(
+ '(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
+ '%(suffix)s")(targetattr = "userCertificate")'
+ '(version 3.0; acl "Modify CA Certificates for renewals"; '
+ 'allow(write) userdn = "ldap:///fqdn=%(fqdn)s,'
+ 'cn=computers,cn=accounts,%(suffix)s";)' % sub)
+ except ValueError:
+ pass
+ try:
+ entry.raw['aci'].remove(
+ '(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,%(suffix)s")'
+ '(targetattr = cACertificate)(version 3.0; acl "Modify CA '
+ 'Certificate"; allow (write) userdn = "ldap:///fqdn='
+ '%(fqdn)s,cn=computers,cn=accounts,%(suffix)s";)' % sub)
+ except ValueError:
+ pass
+
+ try:
+ self.conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+ except errors.NotFound:
+ pass
+ except Exception, e:
+ if not force:
+ raise e
+ elif not err:
+ err = e
+
+ try:
 basedn = DN(('cn', 'etc'), self.suffix)
 filter = '(dnaHostname=%s)' % replica
 entries = self.conn.get_entries( |
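Review bot: The three `except ValueError: pass` blocks around `entry.raw['aci'].remove(...)` make "no matching ACI" look the same as a successful removal, and the match is an exact string comparison against text formatted from `self.suffix` and `replica`. If the stored ACI differs from that text in case or spacing (for example a hostname supplied in a different case than the one recorded), the ACI that lets that host add or write under `cn=ca_renewal` and write `cACertificate` presumably stays in place with no indication to the operator. I would track whether each value was found, emit a warning naming the replica when it was not, and consider comparing in a normalized form rather than byte for byte. Separately, `raise e` in the `except Exception, e` handler drops the original traceback under Python 2, so a bare `raise` is preferable there. The enclosing method starts and ends outside the hunk and indentation is lost in this rendering, so which `try` the trailing handlers belong to is inferred.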