author | Ludwig Krispenz <lkrispen@redhat.com> | 2016-12-09 15:04:21 +0100 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-12-13 12:25:07 +0100 |
commit | 26bd7ebfa27d15221e5d3fa1e3871a0085c31e0f (patch) | |
tree | 9ef97bd4ec6ba8207a8695bf4453e416ab029914 /ipaserver/plugins | |
parent | 17392b0ef754781775a10973b2fee8a6d1697f5d (diff) | |
Check for conflict entries before raising domain level
Checking of conflicts is not only done in the topology container, as
tests showed they can occur elsewhere
https://fedorahosted.org/freeipa/ticket/6534
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/domainlevel.py | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py index 42603d71a..306ca0a6d 100644 --- a/ipaserver/plugins/domainlevel.py +++ b/ipaserver/plugins/domainlevel.py @@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry): return DomainLevelRange(0, 0) +def check_conflict_entries(ldap, api, desired_value): + """ + Check if conflict entries exist in topology subtree + """ + + container_dn = DN( + ('cn', 'ipa'), + ('cn', 'etc'), + api.env.basedn + ) + conflict = "(nsds5replconflict=*)" + subentry = "(|(objectclass=ldapsubentry)(objectclass=*))" + try: + ldap.get_entries( + filter="(& %s %s)" % (conflict, subentry), + base_dn=container_dn, + scope=ldap.SCOPE_SUBTREE) + message = _("Domain Level cannot be raised to {0}, " + "existing replication conflicts have to be resolved." + .format(desired_value)) + raise errors.InvalidDomainLevelError(reason=message) + except errors.NotFound: + pass + def get_master_entries(ldap, api): """ Returns list of LDAPEntries representing IPA masters. @@ -131,6 +155,10 @@ class domainlevel_set(Command): .format(desired_value, master['cn'][0])) raise errors.InvalidDomainLevelError(reason=message) + # Check if conflict entries exist in topology subtree + # should be resolved first + check_conflict_entries(ldap, self.api, desired_value) + current_entry.single_value['ipaDomainLevel'] = desired_value ldap.update_entry(current_entry) |
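Review bot: In `check_conflict_entries`, `.format(desired_value)` is applied to the string literal inside the `_(...)` call, so the text handed to the translation lookup is already formatted and will not match a catalog entry. Close `_(` after the literal and format the result, as in `message = _("... have to be resolved.").format(desired_value)`; the context lines of the second hunk show the same pattern, so this may be a habit across the file. The docstring says the search covers the "topology subtree", but `container_dn` is `cn=ipa,cn=etc` under `api.env.basedn`, which agrees with the commit message and not with the docstring. I would reword it to `Raise InvalidDomainLevelError if any replication conflict entry exists under cn=ipa,cn=etc.` and correct the comment at the call site in `domainlevel_set` (second hunk, whose body starts outside the hunk) the same way. Because `errors.NotFound` is treated as "no conflicts", the docstring should also say that the guard presumably sees only entries readable by the connection passed in as `ldap`.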