summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/replication.py
Commit message (Collapse)AuthorAgeFilesLines
* ipa-replica-manage: use `server_del` when removing domain level 1 replicaMartin Babinsky2016-06-171-110/+14
| | | | | | | | | | | `ipa-replica-manage del` will now call `server_del` behind the scenes when a removal of replica from managed topology is requested. The existing removal options were mapped on the server_del options to maintain backwards compatibility with earlier versions. https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaserver module for working with managed topologyMartin Babinsky2016-06-171-1/+2
| | | | | | | | | This module should aggregate common functionality utilized in the commands managing domain-level 1 topology. https://fedorahosted.org/freeipa/ticket/5588 Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNS Locations: dnsserver: remove config when replica is removedMartin Basti2016-06-171-0/+15
| | | | | | | | | | Configuration of DNS server should be removed together with any other information about replica https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove dangling RUVs even if replicas are offlineStanislav Laznicka2016-06-031-0/+1
| | | | | | | | | | | Previously, an offline replica would mean the RUVs cannot be removed otherwise the task would be hanging in the DS. This is fixed in 389-ds 1.3.5. https://fedorahosted.org/freeipa/ticket/5396 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
* Fix: topologysuffix_find doesn't have no_members optionMartin Basti2016-06-021-1/+1
| | | | | | | | | Remove no_members=False from because topologysuffix_attribute doesn't have no_members option, and this causes errors in replication.py https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Performance: Find commands: do not process members by defaultMartin Basti2016-05-311-1/+2
| | | | | | | | | | | | | | | | In all *-find commands, member attributes shouldn't be processed due high amount fo ldpaserches cause serious performance issues. For this reason --no-members option is set by default in CLI and API. To get members in *-find command option --all in CLI is rquired or 'no_members=False' or 'all=True' must be set in API call. For other commands processing of members stays unchanged. WebUI is not affected by this change. https://fedorahosted.org/freeipa/ticket/4995 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Listing and cleaning RUV extended for CA suffixStanislav Laznicka2016-02-021-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5411 Reviewed-By: Martin Basti <mbasti@redhat.com>
* correctly set LDAP bind related attributes when setting up replicationMartin Babinsky2016-01-211-7/+15
| | | | | | | | | | | | | | when CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config' entry on remote master during replica installation, the 'nsds5replicabinddn' and 'nsds5replicabinddngroup' attributes are not correctly updated when this entry already existed on the master (e.g. when existing domain-level 0 topology was promoted to domain level 1). This patch ensures that these attributes are always set correctly regardless of existence of the replica entry. https://fedorahosted.org/freeipa/ticket/5412 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enable pylint unnecessary-pass checkMartin Basti2015-12-231-1/+0
| | | | | | Enables check and removes extra pass statement from code. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-1/+1
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* harden domain level 1 topology connectivity checksMartin Babinsky2015-12-211-8/+33
| | | | | | | | | this patch makes the check_last_link_managed() function more resistant to both orphaned topology suffixes and also to cases when there are IPA masters do not seem to manage any suffix. The function will now only complain loudly about these cases and not cause crashes. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-141-2/+2
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: add remote connection check over APIJan Cholasta2015-12-111-1/+5
| | | | | | | | | | Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob. https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* aci: replace per-server ACIs with ipaserver-based ACIsJan Cholasta2015-12-071-111/+0
| | | | | | | https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* extract domain level 1 topology-checking code from ipa-replica-manageMartin Babinsky2015-12-021-0/+90
| | | | | | | | | | This facilitates reusability of this code in other components, e.g. IPA server uninstallers. https://fedorahosted.org/freeipa/ticket/5409 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* use starttls in CSReplicationManager connection againPetr Vobornik2015-11-301-1/+1
| | | | | | | | | | | | | | | | | commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e has: - realm, hostname, dirman_passwd, port, starttls=True) + realm, hostname, dirman_passwd, port) In CSReplicationManager which causes, e.g.: ipa-csreplica-manage -p Secret123 list ipa.example.com cannot connect to 'ldaps://ipa.example.com:389': TLS error -5938:Encountered end of file Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-7/+4
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix more bytes/unicode issuesPetr Viktorin2015-10-221-23/+23
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow to setup the CA when promoting a replicaSimo Sorce2015-10-151-19/+69
| | | | | | | | | This patch makes --setup-ca work to set upa clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow ipa-replica-conncheck to use default credsSimo Sorce2015-10-151-2/+5
| | | | | | | | If the user has already run kinit try to use those credentials. The user can always override by explicitly passing the -p flag. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-0/+90
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Limit max age of replication changelogMartin Basti2015-09-211-0/+1
| | | | | | | | | Limit max age of replication changelog to seven days, instead of grow to unlimited size. https://fedorahosted.org/freeipa/ticket/5086 Reviewed-By: David Kupka <dkupka@redhat.com>
* Use byte literals where appropriateJan Cholasta2015-09-171-6/+6
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* winsync: Add inetUser objectclass to the passsync sysaccountTomas Babej2015-09-161-1/+1
| | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=1262315 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-26/+28
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-16/+16
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replication: Fix incorrect exception invocationTomas Babej2015-07-241-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommandMartin Basti2015-07-171-1/+2
| | | | | | | | | --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* replication: fix regression in get_agreement_typePetr Vobornik2015-07-011-0/+3
| | | | | | | | dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication ↵Petr Vobornik2015-06-291-9/+3
| | | | | | | | | | | | | agreement existence in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedorahosted.org/freeipa/ticket/5066 Reviewed-By: David Kupka <dkupka@redhat.com>
* move replications managers group to cn=sysaccounts,cn=etc,$SUFFIXPetr Vobornik2015-06-111-2/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* accept missing binddn groupLudwig Krispenz2015-06-031-2/+2
| | | | | | | replicas installed from older versions do not have a binddn group just accept the errror Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* install part - manage topology in shared treeLudwig Krispenz2015-05-261-0/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* replica-manage: Properly delete nested entriesTomas Babej2015-05-261-2/+2
| | | | | | | | | | | Bad ordering of LDAP entries during replica removal resulted in a failure to delete replica and its services from cn=masters,cn=ipa,cn=etc,$SUFFIX. This patch enforces the correct ordering of entries resulting in proper removal of services before the host entry itself. https://fedorahosted.org/freeipa/ticket/5019 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* prevent duplicate IDs when setting up multiple replicas against single masterMartin Babinsky2015-05-071-24/+50
| | | | | | | | | | | This patch forces replicas to use DELETE+ADD operations to increment 'nsDS5ReplicaId' in 'cn=replication,cn=etc,$SUFFIX' on master, and retry multiple times in the case of conflict with another update. Thus when multiple replicas are set-up against single master none of them will have duplicate ID. https://fedorahosted.org/freeipa/ticket/4378 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Allow PassSync user to locate and update NT usersMartin Kosek2015-01-191-25/+29
| | | | | | | | | | | | | | | Add new PassSync Service privilege that have sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service. https://fedorahosted.org/freeipa/ticket/4837 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add permissions for certificate store.Jan Cholasta2014-07-301-0/+30
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow IPA master hosts to read and update IPA master information.Jan Cholasta2014-07-301-0/+38
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Remove master ACIs when deleting a replica.Jan Cholasta2014-07-301-0/+43
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etcPetr Viktorin2014-07-021-2/+7
| | | | | | | | | | | On systems installed before #3394 was fixed and nsDS5ReplicaId became single-valued, there are two replica ID values stored in cn=replication: the default (3) and the actual value we want. Instead of failing when multiple values are found, use the largest one. https://fedorahosted.org/freeipa/ticket/4375 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-1/+0
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Move CACERT definition to a single place.Jan Cholasta2014-03-251-1/+1
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix regression which prevents creating a winsync agreementAna Krivokapic2013-11-131-1/+2
| | | | | | | A regression, which prevented creation of a winsync agreement, was introduced in the original fix for ticket #3989. https://fedorahosted.org/freeipa/ticket/3989
* Turn LDAPEntry.single_value into a dictionary-like property.Jan Cholasta2013-11-051-26/+24
| | | | | | This change makes single_value consistent with the raw property. https://fedorahosted.org/freeipa/ticket/3521
* Make sure nsds5ReplicaStripAttrs is set on agreementsAna Krivokapic2013-10-251-2/+1
| | | | | | | Add nsds5ReplicaStripAttrs to the agreement LDAP entry before the agreement is created. https://fedorahosted.org/freeipa/ticket/3989
* Update only selected attributes for winsync agreementTomas Babej2013-04-161-7/+2
| | | | | | | | | | | | Trying to insert nsDS5ReplicatedAttributeListTotal and nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors. With this patch, these attributes are skipped for winsync agreements. Made find_ipa_replication_agreements() in replication.py more corresponding to find_replication_agreements. It returns list of entries instead of unicode strings now. https://fedorahosted.org/freeipa/ticket/3522
* Full system backup and restoreRob Crittenden2013-04-121-10/+153
| | | | | | | | | This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128
* Extend ipa-replica-manage to be able to manage DNA ranges.Rob Crittenden2013-03-131-0/+98
| | | | | | | | | | | | | | | | | Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
generated by cgit (git 2.34.1) at 2025-09-01 14:17:17 +0000