-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/master-entry.ldif | 2 | ||||
-rw-r--r-- | install/share/topology-entries.ldif | 13 | ||||
-rw-r--r-- | install/updates/20-replication.update | 4 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 9 | ||||
-rw-r--r-- | ipaserver/install/plugins/fix_replica_agreements.py | 3 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 16 |
7 files changed, 47 insertions, 1 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index da3ed3176..c39352caa 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -64,6 +64,7 @@ app_DATA = \
 wsgi.py \
 repoint-managed-entries.ldif \
 managed-entries.ldif \
+ topology-entries.ldif \
 user_private_groups.ldif \
 host_nis_groups.ldif \
 uuid.ldif \
diff --git a/install/share/master-entry.ldif b/install/share/master-entry.ldif
index 5d3bccf83..34e5b3443 100644
--- a/install/share/master-entry.ldif
+++ b/install/share/master-entry.ldif
@@ -2,4 +2,6 @@ dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: nsContainer
+objectclass: ipaReplTopoManagedServer
+ipaReplTopoManagedSuffix: $SUFFIX
 cn: $FQDN
diff --git a/install/share/topology-entries.ldif b/install/share/topology-entries.ldif
new file mode 100644
index 000000000..5ee4f617a
--- /dev/null
+++ b/install/share/topology-entries.ldif
@@ -0,0 +1,13 @@
+dn: cn=topology,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectclass: top
+objectclass: nsContainer
+cn: topology
+
+# default topology configuration area
+dn: cn=realm,cn=topology,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectclass: top
+objectclass: iparepltopoconf
+ipaReplTopoConfRoot: $SUFFIX
+cn: realm
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 891cbcb88..01fc85033 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -7,3 +7,7 @@ dn: cn=replication,cn=etc,$SUFFIX
 default: objectclass: nsDS5Replica
 default: nsDS5ReplicaId: 3
 default: nsDS5ReplicaRoot: $SUFFIX
+
+# Group containing replication bind dns
+dn: cn=replication managers,cn=etc,$SUFFIX
+default: objectclass: groupofnames
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f1d24e49d..09139405d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
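Review bot: `cn=replication managers,cn=etc,$SUFFIX` is created in the 20-replication.update hunk with no ACI, yet the replication.py hunks of this same commit make it the `nsds5replicabinddngroup` allow-list, so anyone who can add a `member` value to this entry can bind as a replication supplier and push changes that bypass the normal ACIs. Unless an existing ACI on `cn=etc,$SUFFIX` already restricts writes there (not visible in this diff), add one next to the entry that limits `member` writes to administrators, and make the comment say why the group matters: `# Members of this group may bind as replication suppliers (nsds5replicabinddngroup); keep membership writable by admins only.` The entry is also added as `groupofnames` with no initial `member`; confirm the server schema accepts an empty group, otherwise the update fails with an objectclass violation.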
@@ -60,6 +60,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif", "65ipacertstore.ldif", "65ipasudo.ldif", "70ipaotp.ldif", + "70topology.ldif", "71idviews.ldif", "15rfc2307bis.ldif", "15rfc4876.ldif") @@ -238,6 +239,7 @@ class DsInstance(service.Service): self.step("configuring DNS plugin", self.__config_dns_module) self.step("enabling entryUSN plugin", self.__enable_entryusn) self.step("configuring lockout plugin", self.__config_lockout_module) + self.step("configuring topology plugin", self.__config_topology_module) self.step("creating indices", self.__create_indices) self.step("enabling referential integrity plugin", self.__add_referint_module) if enable_ssl: @@ -300,6 +302,7 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) + self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() @@ -526,6 +529,9 @@ class DsInstance(service.Service): def __add_master_entry(self): self._ldap_mod("master-entry.ldif", self.sub_dict) + def __add_topology_entries(self): + self._ldap_mod("topology-entries.ldif", self.sub_dict) + def __add_winsync_module(self): self._ldap_mod("ipa-winsync-conf.ldif") @@ -554,6 +560,9 @@ class DsInstance(service.Service): def __config_lockout_module(self): self._ldap_mod("lockout-conf.ldif") + def __config_topology_module(self): + self._ldap_mod("ipa-topology-conf.ldif", self.sub_dict) + def __repoint_managed_entries(self): self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict) diff --git a/ipaserver/install/plugins/fix_replica_agreements.py b/ipaserver/install/plugins/fix_replica_agreements.py index a2aa4bce4..1381c7cce 100644 --- a/ipaserver/install/plugins/fix_replica_agreements.py +++ b/ipaserver/install/plugins/fix_replica_agreements.py 
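Review bot: `__config_topology_module` loads `ipa-topology-conf.ldif` and the schema list now includes `70topology.ldif`, but neither file is added by this commit (the Makefile.am hunk ships only `topology-entries.ldif`), so unless they arrive in another commit or from the plugin package, `_ldap_mod` will fail at install time. Both new methods also lack docstrings; add `"""Enable and configure the replication topology plugin (ipa-topology-conf.ldif)."""` to `__config_topology_module` and `"""Create cn=topology,cn=ipa,cn=etc and its default realm configuration entry."""` to `__add_topology_entries`. The plugin step is registered in the earlier step list, before `__add_topology_entries` runs; if the plugin reads its configuration area when enabled, it should be confirmed that a later restart or step covers that ordering — the diff does not show it. `DsInstance` and its `__init__` step lists begin and end outside these hunks.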
@@ -49,7 +49,8 @@ class update_replica_attribute_lists(Updater): self.log.debug("Found %d agreement(s)", len(ipa_replicas)) for replica in ipa_replicas: - self.log.debug(replica.single_value.get('description')) + for desc in replica.get('description', []): + self.log.debug(desc) self._update_attr(repl, replica, 'nsDS5ReplicatedAttributeList', diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 8ac024308..643639ef4 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -416,6 +416,7 @@ class ReplicationManager(object): assert isinstance(replica_binddn, DN) dn = self.replica_dn() assert isinstance(dn, DN) + replica_groupdn = DN(('cn', 'replication managers'), ('cn', 'etc'), self.suffix) try: entry = conn.get_entry(dn) @@ -443,6 +444,8 @@ class ReplicationManager(object): nsds5replicatype=[replica_type], nsds5flags=["1"], nsds5replicabinddn=[replica_binddn], + nsds5replicabinddngroup=[replica_groupdn], + nsds5replicabinddngroupcheckinterval=["60"], nsds5replicalegacyconsumer=["off"], ) conn.add_entry(entry) @@ -756,6 +759,7 @@ class ReplicationManager(object): """ rep_dn = self.replica_dn() + group_dn = DN(('cn', 'replication managers'), ('cn', 'etc'), self.suffix) assert isinstance(rep_dn, DN) (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) assert isinstance(a_dn, DN) @@ -772,6 +776,18 @@ class ReplicationManager(object): b.modify_s(rep_dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: pass + # Add kerberos principal DNs as valid bindDNs to bindDN group + try: + mod = [(ldap.MOD_ADD, "member", b_dn)] + a.modify_s(group_dn, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + pass + try: + mod = [(ldap.MOD_ADD, "member", a_dn)] + b.modify_s(group_dn, mod) + except ldap.TYPE_OR_VALUE_EXISTS: + pass + def gssapi_update_agreements(self, a, b): |
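Review bot: `nsds5replicabinddngroup=[replica_groupdn]` and `nsds5replicabinddngroupcheckinterval=["60"]` are set unconditionally in the new replica entry, but the group they reference is only created by the `20-replication.update` hunk of this commit, so the attribute can point at a missing entry until the updater has run; document that dependency and the propagation window above the two lines: `# Members of cn=replication managers may also bind for replication; the group is created by 20-replication.update and its membership is re-read every 60s`. The same DN literal is built twice in this file (`replica_groupdn` in the hunk above and `group_dn` in a later one); a `replica_managers_dn()` helper alongside `replica_dn()` would keep the two from drifting. The enclosing method starts and ends outside this hunk.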
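Review bot: The two `modify_s(group_dn, ...)` calls tolerate only `ldap.TYPE_OR_VALUE_EXISTS`; when the peer has not yet received the `cn=replication managers` entry (an older master on which the updater has not run), `modify_s` raises `ldap.NO_SUCH_OBJECT` and the whole agreement setup aborts, even though the `nsds5replicabinddn` add just above it already authorised the principal. Add `except ldap.NO_SUCH_OBJECT:` to each block and log it through the module's existing logger instead of failing, so mixed-version topologies keep working. Also state in a comment that membership here is a standing privilege: `# membership grants replication bind rights; remove the principal when the replica is deleted` — no matching `MOD_DELETE` appears in this diff, so a decommissioned replica's principal would keep its rights until removed by hand. The enclosing method starts outside the hunk.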