0000-12-31 18:09:24 -05:50
|
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2007 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
2010-12-09 06:59:11 -06:00
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
0000-12-31 18:09:24 -05:50
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2010-12-09 06:59:11 -06:00
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
0000-12-31 18:09:24 -05:50
|
|
|
#
|
|
|
|
|
|
|
|
import time, logging
|
|
|
|
|
2010-12-13 13:28:11 -06:00
|
|
|
import os
|
2009-02-04 09:53:34 -06:00
|
|
|
import ldap
|
|
|
|
from ipaserver import ipaldap
|
2008-03-07 09:56:03 -06:00
|
|
|
from ldap import modlist
|
2009-02-04 09:53:34 -06:00
|
|
|
from ipalib import util
|
2009-04-23 07:51:59 -05:00
|
|
|
from ipalib import errors
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
DIRMAN_CN = "cn=directory manager"
|
2010-12-07 17:23:05 -06:00
|
|
|
CACERT = "/etc/ipa/ca.crt"
|
2008-09-11 11:56:55 -05:00
|
|
|
# the default container used by AD for user entries
|
2009-08-11 16:08:09 -05:00
|
|
|
WIN_USER_CONTAINER = "cn=Users"
|
2008-09-11 11:56:55 -05:00
|
|
|
# the default container used by IPA for user entries
|
2009-08-11 16:08:09 -05:00
|
|
|
IPA_USER_CONTAINER = "cn=users,cn=accounts"
|
0000-12-31 18:09:24 -05:50
|
|
|
PORT = 636
|
0000-12-31 18:09:24 -05:50
|
|
|
TIMEOUT = 120
|
2008-11-10 16:08:22 -06:00
|
|
|
|
|
|
|
IPA_REPLICA = 1
|
|
|
|
WINSYNC = 2
|
|
|
|
|
2010-02-19 12:29:14 -06:00
|
|
|
SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
|
|
|
|
|
2010-12-13 13:28:11 -06:00
|
|
|
def check_replication_plugin():
|
|
|
|
"""
|
|
|
|
Confirm that the 389-ds replication is installed.
|
|
|
|
|
|
|
|
Emit a message and return True/False
|
|
|
|
"""
|
|
|
|
if not os.path.exists('/usr/lib/dirsrv/plugins/libreplication-plugin.so') and \
|
|
|
|
not os.path.exists('/usr/lib64/dirsrv/plugins/libreplication-plugin.so'):
|
|
|
|
print "The 389-ds replication plug-in was not found on this system"
|
|
|
|
return False
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
class ReplicationManager:
|
2008-09-11 11:56:55 -05:00
|
|
|
"""Manage replication agreements between DS servers, and sync
|
|
|
|
agreements with Windows servers"""
|
0000-12-31 18:09:24 -05:50
|
|
|
def __init__(self, hostname, dirman_passwd):
|
|
|
|
self.hostname = hostname
|
|
|
|
self.dirman_passwd = dirman_passwd
|
2008-08-11 15:15:30 -05:00
|
|
|
|
2010-02-19 12:29:14 -06:00
|
|
|
# If we are passed a password we'll use it as the DM password
|
|
|
|
# otherwise we'll do a GSSAPI bind.
|
2008-08-11 15:15:30 -05:00
|
|
|
self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
|
2010-02-19 12:29:14 -06:00
|
|
|
if dirman_passwd:
|
|
|
|
self.conn.do_simple_bind(bindpw=dirman_passwd)
|
|
|
|
else:
|
|
|
|
self.conn.sasl_interactive_bind_s('', SASL_AUTH)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
self.repl_man_passwd = dirman_passwd
|
|
|
|
|
|
|
|
# these are likely constant, but you could change them
|
|
|
|
# at runtime if you really want
|
|
|
|
self.repl_man_dn = "cn=replication manager,cn=config"
|
|
|
|
self.repl_man_cn = "replication manager"
|
|
|
|
self.suffix = ""
|
|
|
|
|
2008-10-29 12:37:15 -05:00
|
|
|
def _get_replica_id(self, conn, master_conn):
|
|
|
|
"""
|
|
|
|
Returns the replica ID which is unique for each backend.
|
|
|
|
|
|
|
|
conn is the connection we are trying to get the replica ID for.
|
|
|
|
master_conn is the master we are going to replicate with.
|
|
|
|
"""
|
|
|
|
# First see if there is already one set
|
|
|
|
dn = self.replica_dn()
|
|
|
|
try:
|
|
|
|
replica = conn.search_s(dn, ldap.SCOPE_BASE, "objectclass=*")[0]
|
|
|
|
if replica.getValue('nsDS5ReplicaId'):
|
|
|
|
return int(replica.getValue('nsDS5ReplicaId'))
|
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
pass
|
|
|
|
|
|
|
|
# Ok, either the entry doesn't exist or the attribute isn't set
|
|
|
|
# so get it from the other master
|
|
|
|
retval = -1
|
|
|
|
dn = "cn=replication, cn=etc, %s" % self.suffix
|
|
|
|
try:
|
|
|
|
replica = master_conn.search_s(dn, ldap.SCOPE_BASE, "objectclass=*")[0]
|
|
|
|
if not replica.getValue('nsDS5ReplicaId'):
|
|
|
|
logging.debug("Unable to retrieve nsDS5ReplicaId from remote server")
|
|
|
|
raise RuntimeError("Unable to retrieve nsDS5ReplicaId from remote server")
|
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
logging.debug("Unable to retrieve nsDS5ReplicaId from remote server")
|
|
|
|
raise
|
|
|
|
|
|
|
|
# Now update the value on the master
|
|
|
|
retval = int(replica.getValue('nsDS5ReplicaId'))
|
|
|
|
mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaId', str(retval + 1))]
|
|
|
|
|
|
|
|
try:
|
|
|
|
master_conn.modify_s(dn, mod)
|
|
|
|
except Exception, e:
|
|
|
|
logging.debug("Problem updating nsDS5ReplicaID %s" % e)
|
|
|
|
raise
|
|
|
|
|
|
|
|
return retval
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def find_replication_dns(self, conn):
|
2010-02-19 12:29:14 -06:00
|
|
|
"""
|
|
|
|
The replication agreements are stored in
|
|
|
|
cn="$SUFFIX",cn=mapping tree,cn=config
|
|
|
|
|
|
|
|
FIXME: Rather than failing with a read error if a user tries
|
|
|
|
to read this it simply returns zero entries. We need to use
|
|
|
|
GER to determine if we are allowed to read this to return a proper
|
|
|
|
response. For now just return "No entries" even if the user may
|
|
|
|
not be allowed to see them.
|
|
|
|
"""
|
2008-10-03 15:07:08 -05:00
|
|
|
filt = "(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))"
|
0000-12-31 18:09:24 -05:50
|
|
|
try:
|
0000-12-31 18:09:24 -05:50
|
|
|
ents = conn.search_s("cn=mapping tree,cn=config", ldap.SCOPE_SUBTREE, filt)
|
0000-12-31 18:09:24 -05:50
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
return []
|
|
|
|
return [ent.dn for ent in ents]
|
|
|
|
|
|
|
|
def add_replication_manager(self, conn, passwd=None):
|
|
|
|
"""
|
|
|
|
Create a pseudo user to use for replication. If no password
|
|
|
|
is provided the directory manager password will be used.
|
|
|
|
"""
|
|
|
|
|
|
|
|
if passwd:
|
|
|
|
self.repl_man_passwd = passwd
|
|
|
|
|
|
|
|
ent = ipaldap.Entry(self.repl_man_dn)
|
|
|
|
ent.setValues("objectclass", "top", "person")
|
|
|
|
ent.setValues("cn", self.repl_man_cn)
|
|
|
|
ent.setValues("userpassword", self.repl_man_passwd)
|
|
|
|
ent.setValues("sn", "replication manager pseudo user")
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn.add_s(ent)
|
|
|
|
except ldap.ALREADY_EXISTS:
|
|
|
|
# should we set the password here?
|
|
|
|
pass
|
|
|
|
|
|
|
|
def delete_replication_manager(self, conn, dn="cn=replication manager,cn=config"):
|
|
|
|
try:
|
|
|
|
conn.delete_s(dn)
|
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
pass
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def get_replica_type(self, master=True):
|
0000-12-31 18:09:24 -05:50
|
|
|
if master:
|
|
|
|
return "3"
|
|
|
|
else:
|
|
|
|
return "2"
|
|
|
|
|
|
|
|
def replica_dn(self):
|
|
|
|
return 'cn=replica, cn="%s", cn=mapping tree, cn=config' % self.suffix
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def local_replica_config(self, conn, replica_id):
|
0000-12-31 18:09:24 -05:50
|
|
|
dn = self.replica_dn()
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn.getEntry(dn, ldap.SCOPE_BASE)
|
|
|
|
# replication is already configured
|
|
|
|
return
|
2009-04-23 07:51:59 -05:00
|
|
|
except errors.NotFound:
|
0000-12-31 18:09:24 -05:50
|
|
|
pass
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
replica_type = self.get_replica_type()
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
entry = ipaldap.Entry(dn)
|
|
|
|
entry.setValues('objectclass', "top", "nsds5replica", "extensibleobject")
|
|
|
|
entry.setValues('cn', "replica")
|
|
|
|
entry.setValues('nsds5replicaroot', self.suffix)
|
|
|
|
entry.setValues('nsds5replicaid', str(replica_id))
|
|
|
|
entry.setValues('nsds5replicatype', replica_type)
|
|
|
|
entry.setValues('nsds5flags', "1")
|
|
|
|
entry.setValues('nsds5replicabinddn', [self.repl_man_dn])
|
|
|
|
entry.setValues('nsds5replicalegacyconsumer', "off")
|
|
|
|
|
|
|
|
conn.add_s(entry)
|
|
|
|
|
|
|
|
def setup_changelog(self, conn):
|
|
|
|
dn = "cn=changelog5, cn=config"
|
|
|
|
dirpath = conn.dbdir + "/cldb"
|
|
|
|
entry = ipaldap.Entry(dn)
|
|
|
|
entry.setValues('objectclass', "top", "extensibleobject")
|
|
|
|
entry.setValues('cn', "changelog5")
|
|
|
|
entry.setValues('nsslapd-changelogdir', dirpath)
|
|
|
|
try:
|
|
|
|
conn.add_s(entry)
|
|
|
|
except ldap.ALREADY_EXISTS:
|
|
|
|
return
|
|
|
|
|
|
|
|
def setup_chaining_backend(self, conn):
|
|
|
|
chaindn = "cn=chaining database, cn=plugins, cn=config"
|
|
|
|
benamebase = "chaindb"
|
|
|
|
urls = [self.to_ldap_url(conn)]
|
|
|
|
cn = ""
|
|
|
|
benum = 1
|
|
|
|
done = False
|
|
|
|
while not done:
|
|
|
|
try:
|
|
|
|
cn = benamebase + str(benum) # e.g. localdb1
|
|
|
|
dn = "cn=" + cn + ", " + chaindn
|
|
|
|
entry = ipaldap.Entry(dn)
|
|
|
|
entry.setValues('objectclass', 'top', 'extensibleObject', 'nsBackendInstance')
|
|
|
|
entry.setValues('cn', cn)
|
|
|
|
entry.setValues('nsslapd-suffix', self.suffix)
|
|
|
|
entry.setValues('nsfarmserverurl', urls)
|
|
|
|
entry.setValues('nsmultiplexorbinddn', self.repl_man_dn)
|
|
|
|
entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd)
|
|
|
|
|
|
|
|
self.conn.add_s(entry)
|
|
|
|
done = True
|
|
|
|
except ldap.ALREADY_EXISTS:
|
|
|
|
benum += 1
|
|
|
|
except ldap.LDAPError, e:
|
|
|
|
print "Could not add backend entry " + dn, e
|
|
|
|
raise
|
|
|
|
|
|
|
|
return cn
|
|
|
|
|
|
|
|
def to_ldap_url(self, conn):
|
|
|
|
return "ldap://%s:%d/" % (conn.host, conn.port)
|
|
|
|
|
|
|
|
def setup_chaining_farm(self, conn):
|
|
|
|
try:
|
|
|
|
conn.modify_s(self.suffix, [(ldap.MOD_ADD, 'aci',
|
|
|
|
[ "(targetattr = \"*\")(version 3.0; acl \"Proxied authorization for database links\"; allow (proxy) userdn = \"ldap:///%s\";)" % self.repl_man_dn ])])
|
|
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
|
logging.debug("proxy aci already exists in suffix %s on %s" % (self.suffix, conn.host))
|
|
|
|
|
|
|
|
def get_mapping_tree_entry(self):
|
|
|
|
try:
|
|
|
|
entry = self.conn.getEntry("cn=mapping tree,cn=config", ldap.SCOPE_ONELEVEL,
|
|
|
|
"(cn=\"%s\")" % (self.suffix))
|
2009-04-23 07:51:59 -05:00
|
|
|
except errors.NotFound, e:
|
0000-12-31 18:09:24 -05:50
|
|
|
logging.debug("failed to find mappting tree entry for %s" % self.suffix)
|
|
|
|
raise e
|
|
|
|
|
2008-08-11 15:15:30 -05:00
|
|
|
return entry
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
|
|
|
|
def enable_chain_on_update(self, bename):
|
|
|
|
mtent = self.get_mapping_tree_entry()
|
|
|
|
dn = mtent.dn
|
|
|
|
|
|
|
|
plgent = self.conn.getEntry("cn=Multimaster Replication Plugin,cn=plugins,cn=config",
|
|
|
|
ldap.SCOPE_BASE, "(objectclass=*)", ['nsslapd-pluginPath'])
|
|
|
|
path = plgent.getValue('nsslapd-pluginPath')
|
|
|
|
|
|
|
|
mod = [(ldap.MOD_REPLACE, 'nsslapd-state', 'backend'),
|
|
|
|
(ldap.MOD_ADD, 'nsslapd-backend', bename),
|
|
|
|
(ldap.MOD_ADD, 'nsslapd-distribution-plugin', path),
|
|
|
|
(ldap.MOD_ADD, 'nsslapd-distribution-funct', 'repl_chain_on_update')]
|
|
|
|
|
|
|
|
try:
|
|
|
|
self.conn.modify_s(dn, mod)
|
|
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
|
logging.debug("chainOnUpdate already enabled for %s" % self.suffix)
|
2008-05-05 13:03:51 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def setup_chain_on_update(self, other_conn):
|
|
|
|
chainbe = self.setup_chaining_backend(other_conn)
|
|
|
|
self.enable_chain_on_update(chainbe)
|
2008-05-05 13:03:51 -05:00
|
|
|
|
2008-11-12 13:01:59 -06:00
|
|
|
def add_passsync_user(self, conn, password):
|
|
|
|
pass_dn = "uid=passsync,cn=sysaccounts,cn=etc,%s" % self.suffix
|
|
|
|
print "The user for the Windows PassSync service is %s" % pass_dn
|
|
|
|
try:
|
|
|
|
conn.getEntry(pass_dn, ldap.SCOPE_BASE)
|
|
|
|
print "Windows PassSync entry exists, not resetting password"
|
|
|
|
return
|
2009-04-23 07:51:59 -05:00
|
|
|
except errors.NotFound:
|
2008-11-12 13:01:59 -06:00
|
|
|
pass
|
|
|
|
|
|
|
|
# The user doesn't exist, add it
|
|
|
|
entry = ipaldap.Entry(pass_dn)
|
|
|
|
entry.setValues("objectclass", ["account", "simplesecurityobject"])
|
|
|
|
entry.setValues("uid", "passsync")
|
|
|
|
entry.setValues("userPassword", password)
|
|
|
|
conn.add_s(entry)
|
|
|
|
|
|
|
|
# Add it to the list of users allowed to bypass password policy
|
|
|
|
extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config"
|
|
|
|
entry = conn.getEntry(extop_dn, ldap.SCOPE_BASE)
|
|
|
|
pass_mgrs = entry.getValues('passSyncManagersDNs')
|
|
|
|
if not pass_mgrs:
|
|
|
|
pass_mgrs = []
|
|
|
|
if not isinstance(pass_mgrs, list):
|
|
|
|
pass_mgrs = [pass_mgrs]
|
|
|
|
pass_mgrs.append(pass_dn)
|
|
|
|
mod = [(ldap.MOD_REPLACE, 'passSyncManagersDNs', pass_mgrs)]
|
|
|
|
conn.modify_s(extop_dn, mod)
|
|
|
|
|
|
|
|
# And finally grant it permission to write passwords
|
|
|
|
mod = [(ldap.MOD_ADD, 'aci',
|
|
|
|
['(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///%s";)' % pass_dn])]
|
|
|
|
try:
|
|
|
|
conn.modify_s(self.suffix, mod)
|
|
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
|
logging.debug("passsync aci already exists in suffix %s on %s" % (self.suffix, conn.host))
|
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
def setup_winsync_agmt(self, entry, **kargs):
|
|
|
|
entry.setValues("objectclass", "nsDSWindowsReplicationAgreement")
|
|
|
|
entry.setValues("nsds7WindowsReplicaSubtree",
|
|
|
|
kargs.get("win_subtree",
|
|
|
|
WIN_USER_CONTAINER + "," + self.suffix))
|
|
|
|
entry.setValues("nsds7DirectoryReplicaSubtree",
|
|
|
|
kargs.get("ds_subtree",
|
|
|
|
IPA_USER_CONTAINER + "," + self.suffix))
|
|
|
|
# for now, just sync users and ignore groups
|
|
|
|
entry.setValues("nsds7NewWinUserSyncEnabled", kargs.get('newwinusers', 'true'))
|
|
|
|
entry.setValues("nsds7NewWinGroupSyncEnabled", kargs.get('newwingroups', 'false'))
|
|
|
|
windomain = ''
|
|
|
|
if kargs.has_key('windomain'):
|
|
|
|
windomain = kargs['windomain']
|
|
|
|
else:
|
|
|
|
windomain = '.'.join(ldap.explode_dn(self.suffix, 1))
|
|
|
|
entry.setValues("nsds7WindowsDomain", windomain)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-11-10 16:08:22 -06:00
|
|
|
def agreement_dn(self, hostname, port=PORT):
|
|
|
|
cn = "meTo%s%d" % (hostname, port)
|
0000-12-31 18:09:24 -05:50
|
|
|
dn = "cn=%s, %s" % (cn, self.replica_dn())
|
|
|
|
|
|
|
|
return (cn, dn)
|
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
def setup_agreement(self, a, b, **kargs):
|
2008-11-10 16:08:22 -06:00
|
|
|
cn, dn = self.agreement_dn(b.host)
|
0000-12-31 18:09:24 -05:50
|
|
|
try:
|
|
|
|
a.getEntry(dn, ldap.SCOPE_BASE)
|
|
|
|
return
|
2009-04-23 07:51:59 -05:00
|
|
|
except errors.NotFound:
|
0000-12-31 18:09:24 -05:50
|
|
|
pass
|
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
iswinsync = kargs.get("winsync", False)
|
|
|
|
repl_man_dn = kargs.get("binddn", self.repl_man_dn)
|
|
|
|
repl_man_passwd = kargs.get("bindpw", self.repl_man_passwd)
|
|
|
|
port = kargs.get("port", PORT)
|
|
|
|
|
2010-11-17 09:41:41 -06:00
|
|
|
# List of attributes that need to be excluded from replication.
|
2010-11-23 09:35:49 -06:00
|
|
|
excludes = ('memberof', 'entryusn',
|
2010-11-17 09:41:41 -06:00
|
|
|
'krblastsuccessfulauth',
|
|
|
|
'krblastfailedauth',
|
|
|
|
'krbloginfailedcount')
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
entry = ipaldap.Entry(dn)
|
2008-09-11 11:56:55 -05:00
|
|
|
entry.setValues('objectclass', "nsds5replicationagreement")
|
0000-12-31 18:09:24 -05:50
|
|
|
entry.setValues('cn', cn)
|
|
|
|
entry.setValues('nsds5replicahost', b.host)
|
2008-09-11 11:56:55 -05:00
|
|
|
entry.setValues('nsds5replicaport', str(port))
|
0000-12-31 18:09:24 -05:50
|
|
|
entry.setValues('nsds5replicatimeout', str(TIMEOUT))
|
2008-09-11 11:56:55 -05:00
|
|
|
entry.setValues('nsds5replicabinddn', repl_man_dn)
|
|
|
|
entry.setValues('nsds5replicacredentials', repl_man_passwd)
|
0000-12-31 18:09:24 -05:50
|
|
|
entry.setValues('nsds5replicabindmethod', 'simple')
|
|
|
|
entry.setValues('nsds5replicaroot', self.suffix)
|
|
|
|
entry.setValues('nsds5replicaupdateschedule', '0000-2359 0123456')
|
0000-12-31 18:09:24 -05:50
|
|
|
entry.setValues('nsds5replicatransportinfo', 'SSL')
|
2010-11-17 09:41:41 -06:00
|
|
|
entry.setValues('nsDS5ReplicatedAttributeList',
|
|
|
|
'(objectclass=*) $ EXCLUDE %s' % " ".join(excludes))
|
2008-09-11 11:56:55 -05:00
|
|
|
entry.setValues('description', "me to %s%d" % (b.host, port))
|
|
|
|
if iswinsync:
|
|
|
|
self.setup_winsync_agmt(entry, **kargs)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
a.add_s(entry)
|
|
|
|
|
|
|
|
entry = a.waitForEntry(entry)
|
|
|
|
|
2008-11-10 16:08:22 -06:00
|
|
|
def delete_agreement(self, hostname):
|
|
|
|
cn, dn = self.agreement_dn(hostname)
|
0000-12-31 18:09:24 -05:50
|
|
|
return self.conn.deleteEntry(dn)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
def check_repl_init(self, conn, agmtdn):
|
|
|
|
done = False
|
|
|
|
hasError = 0
|
2009-08-11 16:08:09 -05:00
|
|
|
attrlist = ['cn', 'nsds5BeginReplicaRefresh',
|
|
|
|
'nsds5replicaUpdateInProgress',
|
|
|
|
'nsds5ReplicaLastInitStatus',
|
|
|
|
'nsds5ReplicaLastInitStart',
|
|
|
|
'nsds5ReplicaLastInitEnd']
|
0000-12-31 18:09:24 -05:50
|
|
|
entry = conn.getEntry(agmtdn, ldap.SCOPE_BASE, "(objectclass=*)", attrlist)
|
|
|
|
if not entry:
|
|
|
|
print "Error reading status from agreement", agmtdn
|
|
|
|
hasError = 1
|
|
|
|
else:
|
|
|
|
refresh = entry.nsds5BeginReplicaRefresh
|
|
|
|
inprogress = entry.nsds5replicaUpdateInProgress
|
|
|
|
status = entry.nsds5ReplicaLastInitStatus
|
|
|
|
if not refresh: # done - check status
|
|
|
|
if not status:
|
|
|
|
print "No status yet"
|
|
|
|
elif status.find("replica busy") > -1:
|
2008-05-05 13:03:51 -05:00
|
|
|
print "[%s] reports: Replica Busy! Status: [%s]" % (conn.host, status)
|
0000-12-31 18:09:24 -05:50
|
|
|
done = True
|
|
|
|
hasError = 2
|
|
|
|
elif status.find("Total update succeeded") > -1:
|
|
|
|
print "Update succeeded"
|
|
|
|
done = True
|
|
|
|
elif inprogress.lower() == 'true':
|
|
|
|
print "Update in progress yet not in progress"
|
|
|
|
else:
|
2008-05-05 13:03:51 -05:00
|
|
|
print "[%s] reports: Update failed! Status: [%s]" % (conn.host, status)
|
0000-12-31 18:09:24 -05:50
|
|
|
hasError = 1
|
|
|
|
done = True
|
|
|
|
else:
|
|
|
|
print "Update in progress"
|
|
|
|
|
|
|
|
return done, hasError
|
|
|
|
|
2008-11-12 16:09:46 -06:00
|
|
|
def check_repl_update(self, conn, agmtdn):
|
|
|
|
done = False
|
|
|
|
hasError = 0
|
|
|
|
attrlist = ['cn', 'nsds5replicaUpdateInProgress',
|
|
|
|
'nsds5ReplicaLastUpdateStatus', 'nsds5ReplicaLastUpdateStart',
|
|
|
|
'nsds5ReplicaLastUpdateEnd']
|
|
|
|
entry = conn.getEntry(agmtdn, ldap.SCOPE_BASE, "(objectclass=*)", attrlist)
|
|
|
|
if not entry:
|
|
|
|
print "Error reading status from agreement", agmtdn
|
|
|
|
hasError = 1
|
|
|
|
else:
|
|
|
|
inprogress = entry.nsds5replicaUpdateInProgress
|
|
|
|
status = entry.nsds5ReplicaLastUpdateStatus
|
|
|
|
start = entry.nsds5ReplicaLastUpdateStart
|
|
|
|
end = entry.nsds5ReplicaLastUpdateEnd
|
|
|
|
# incremental update is done if inprogress is false and end >= start
|
|
|
|
done = inprogress and inprogress.lower() == 'false' and start and end and (start <= end)
|
|
|
|
logging.info("Replication Update in progress: %s: status: %s: start: %s: end: %s" %
|
|
|
|
(inprogress, status, start, end))
|
|
|
|
if not done and status: # check for errors
|
|
|
|
# status will usually be a number followed by a string
|
|
|
|
# number != 0 means error
|
|
|
|
rc, msg = status.split(' ', 1)
|
|
|
|
if rc != '0':
|
|
|
|
hasError = 1
|
|
|
|
done = True
|
|
|
|
|
|
|
|
return done, hasError
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def wait_for_repl_init(self, conn, agmtdn):
|
|
|
|
done = False
|
|
|
|
haserror = 0
|
|
|
|
while not done and not haserror:
|
|
|
|
time.sleep(1) # give it a few seconds to get going
|
|
|
|
done, haserror = self.check_repl_init(conn, agmtdn)
|
|
|
|
return haserror
|
|
|
|
|
2008-11-12 16:09:46 -06:00
|
|
|
def wait_for_repl_update(self, conn, agmtdn, maxtries=600):
|
|
|
|
done = False
|
|
|
|
haserror = 0
|
|
|
|
while not done and not haserror and maxtries > 0:
|
|
|
|
time.sleep(1) # give it a few seconds to get going
|
|
|
|
done, haserror = self.check_repl_update(conn, agmtdn)
|
|
|
|
maxtries -= 1
|
|
|
|
if maxtries == 0: # too many tries
|
|
|
|
print "Error: timeout: could not determine agreement status: please check your directory server logs for possible errors"
|
|
|
|
haserror = 1
|
|
|
|
return haserror
|
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
def start_replication(self, other_conn, conn=None):
|
2008-02-05 11:23:53 -06:00
|
|
|
print "Starting replication, please wait until this has completed."
|
2008-09-11 11:56:55 -05:00
|
|
|
if conn == None:
|
|
|
|
conn = self.conn
|
2008-11-10 16:08:22 -06:00
|
|
|
cn, dn = self.agreement_dn(conn.host)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
|
|
|
|
other_conn.modify_s(dn, mod)
|
|
|
|
|
|
|
|
return self.wait_for_repl_init(other_conn, dn)
|
2008-05-05 13:03:51 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def basic_replication_setup(self, conn, replica_id):
|
0000-12-31 18:09:24 -05:50
|
|
|
self.add_replication_manager(conn)
|
0000-12-31 18:09:24 -05:50
|
|
|
self.local_replica_config(conn, replica_id)
|
|
|
|
self.setup_changelog(conn)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
def setup_replication(self, other_hostname, realm_name, **kargs):
|
0000-12-31 18:09:24 -05:50
|
|
|
"""
|
|
|
|
NOTES:
|
|
|
|
- the directory manager password needs to be the same on
|
2008-09-11 11:56:55 -05:00
|
|
|
both directories. Or use the optional binddn and bindpw
|
0000-12-31 18:09:24 -05:50
|
|
|
"""
|
2008-09-11 11:56:55 -05:00
|
|
|
iswinsync = kargs.get("winsync", False)
|
|
|
|
oth_port = kargs.get("port", PORT)
|
|
|
|
oth_cacert = kargs.get("cacert", CACERT)
|
|
|
|
oth_binddn = kargs.get("binddn", DIRMAN_CN)
|
|
|
|
oth_bindpw = kargs.get("bindpw", self.dirman_passwd)
|
|
|
|
# note - there appears to be a bug in python-ldap - it does not
|
|
|
|
# allow connections using two different CA certs
|
|
|
|
other_conn = ipaldap.IPAdmin(other_hostname, port=oth_port, cacert=oth_cacert)
|
|
|
|
try:
|
2010-02-19 12:29:14 -06:00
|
|
|
# For now we always require a password to set up new replica
|
2008-09-11 11:56:55 -05:00
|
|
|
other_conn.do_simple_bind(binddn=oth_binddn, bindpw=oth_bindpw)
|
|
|
|
except Exception, e:
|
|
|
|
if iswinsync:
|
|
|
|
logging.info("Could not validate connection to remote server %s:%d - continuing" %
|
|
|
|
(other_hostname, oth_port))
|
2008-11-10 16:08:22 -06:00
|
|
|
logging.info("The error was: %s" % e)
|
2008-09-11 11:56:55 -05:00
|
|
|
else:
|
|
|
|
raise e
|
2008-02-19 09:20:13 -06:00
|
|
|
|
2009-02-04 09:53:34 -06:00
|
|
|
self.suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(realm_name))
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-11-05 10:13:57 -06:00
|
|
|
if not iswinsync:
|
|
|
|
local_id = self._get_replica_id(self.conn, other_conn)
|
|
|
|
else:
|
|
|
|
# there is no other side to get a replica ID from
|
|
|
|
local_id = self._get_replica_id(self.conn, self.conn)
|
2008-10-29 12:37:15 -05:00
|
|
|
self.basic_replication_setup(self.conn, local_id)
|
2008-05-05 13:03:51 -05:00
|
|
|
|
2008-09-11 11:56:55 -05:00
|
|
|
if not iswinsync:
|
2008-10-29 12:37:15 -05:00
|
|
|
other_id = self._get_replica_id(other_conn, other_conn)
|
|
|
|
self.basic_replication_setup(other_conn, other_id)
|
2008-09-11 11:56:55 -05:00
|
|
|
self.setup_agreement(other_conn, self.conn)
|
2008-10-29 12:37:15 -05:00
|
|
|
self.setup_agreement(self.conn, other_conn)
|
2008-09-11 11:56:55 -05:00
|
|
|
return self.start_replication(other_conn)
|
|
|
|
else:
|
2008-11-12 13:01:59 -06:00
|
|
|
self.add_passsync_user(self.conn, kargs.get("passsync"))
|
2008-09-11 11:56:55 -05:00
|
|
|
self.setup_agreement(self.conn, other_conn, **kargs)
|
2008-11-12 16:09:46 -06:00
|
|
|
logging.info("Added new sync agreement, waiting for it to become ready . . .")
|
|
|
|
cn, dn = self.agreement_dn(other_hostname)
|
|
|
|
self.wait_for_repl_update(self.conn, dn, 30)
|
|
|
|
logging.info("Agreement is ready, starting replication . . .")
|
2008-09-11 11:56:55 -05:00
|
|
|
return self.start_replication(self.conn, other_conn)
|
2008-03-07 09:56:03 -06:00
|
|
|
|
|
|
|
def initialize_replication(self, dn, conn):
|
|
|
|
mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
|
|
|
|
try:
|
|
|
|
conn.modify_s(dn, mod)
|
|
|
|
except ldap.ALREADY_EXISTS:
|
|
|
|
return
|
|
|
|
|
|
|
|
def force_synch(self, dn, schedule, conn):
|
|
|
|
newschedule = '2358-2359 0'
|
|
|
|
|
|
|
|
# On the remote chance of a match. We force a synch to happen right
|
|
|
|
# now by changing the schedule to something else and quickly changing
|
|
|
|
# it back.
|
|
|
|
if newschedule == schedule:
|
|
|
|
newschedule = '2358-2359 1'
|
2008-10-03 15:07:08 -05:00
|
|
|
logging.info("Changing agreement %s schedule to %s to force synch" %
|
|
|
|
(dn, newschedule))
|
2008-03-07 09:56:03 -06:00
|
|
|
mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ newschedule ])]
|
|
|
|
conn.modify_s(dn, mod)
|
2008-10-03 15:07:08 -05:00
|
|
|
time.sleep(1)
|
|
|
|
logging.info("Changing agreement %s to restore original schedule %s" %
|
|
|
|
(dn, schedule))
|
|
|
|
mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaUpdateSchedule', [ schedule ])]
|
|
|
|
conn.modify_s(dn, mod)
|
2008-11-10 16:08:22 -06:00
|
|
|
|
|
|
|
def get_agreement_type(self, hostname):
|
|
|
|
cn, dn = self.agreement_dn(hostname)
|
|
|
|
|
|
|
|
entry = self.conn.getEntry(dn, ldap.SCOPE_BASE)
|
|
|
|
|
|
|
|
objectclass = entry.getValues("objectclass")
|
|
|
|
|
|
|
|
for o in objectclass:
|
|
|
|
if o.lower() == "nsdswindowsreplicationagreement":
|
|
|
|
return WINSYNC
|
|
|
|
|
|
|
|
return IPA_REPLICA
|