freeipa/install/tools/ipa-replica-manage

#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os

import ldap, re, krbV
import traceback
from urllib2 import urlparse

from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
from ipaserver.install import bindinstance
from ipaserver import ipaldap
from ipapython import version
from ipalib import api, errors, util
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipaclient import ipadiscovery

CACERT = "/etc/ipa/ca.crt"

# dict of command name and tuples of min/max num of args needed
commands = {
    "list":(0, 1, "[master fqdn]", ""),
    "list-ruv":(0, 0, "", ""),
    "connect":(1, 2, "<master fqdn> [other master fqdn]",
                    "must provide the name of the servers to connect"),
    "disconnect":(1, 2, "<master fqdn> [other master fqdn]",
                    "must provide the name of the server to disconnect"),
    "del":(1, 1, "<master fqdn>",
                    "must provide hostname of master to delete"),
    "re-initialize":(0, 0, "", ""),
    "force-sync":(0, 0, "", ""),
    "clean-ruv":(1, 1, "Replica ID of to clean", "must provide replica ID to clean"),
    "abort-clean-ruv":(1, 1, "Replica ID to abort cleaning", "must provide replica ID to abort cleaning"),
    "list-clean-ruv":(0, 0, "", ""),
}

def convert_error(exc):
    """
    LDAP exceptions are a dictionary, make them prettier.
    """
    if isinstance(exc, ldap.LDAPError):
        desc = exc.args[0]['desc'].strip()
        info = exc.args[0].get('info', '').strip()
        return '%s %s' % (desc, info)
    else:
        return str(exc)

def parse_options():
    parser = IPAOptionParser(version=version.VERSION)
    parser.add_option("-H", "--host", dest="host", help="starting host")
    parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
    parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
                      help="provide additional information")
    parser.add_option("-f", "--force", dest="force", action="store_true", default=False,
                      help="ignore some types of errors")
    parser.add_option("-c", "--cleanup", dest="cleanup", action="store_true", default=False,
                      help="DANGER: clean up references to a ghost master")
    parser.add_option("--binddn", dest="binddn", default=None, type="dn",
                      help="Bind DN to use with remote server")
    parser.add_option("--bindpw", dest="bindpw", default=None,
                      help="Password for Bind DN to use with remote server")
    parser.add_option("--winsync", dest="winsync", action="store_true", default=False,
                      help="This is a Windows Sync Agreement")
    parser.add_option("--cacert", dest="cacert", default=None,
                      help="Full path and filename of CA certificate to use with TLS/SSL to the remote server")
    parser.add_option("--win-subtree", dest="win_subtree", default=None,
                      help="DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix)")
    parser.add_option("--passsync", dest="passsync", default=None,
                      help="Password for the Windows PassSync user")
    parser.add_option("--from", dest="fromhost", help="Host to get data from")

    options, args = parser.parse_args()

    valid_syntax = False

    if len(args):
        n = len(args) - 1
        k = commands.keys()
        for cmd in k:
            if cmd == args[0]:
                v = commands[cmd]
                err = None
                if n < v[0]:
                    err = v[3]
                elif n > v[1]:
                    err = "too many arguments"
                else:
                    valid_syntax = True
                if err:
                    parser.error("Invalid syntax: %s\nUsage: %s [options] %s" % (err, cmd, v[2]))

    if not valid_syntax:
        cmdstr = " | ".join(commands.keys())
        parser.error("must provide a command [%s]" % cmdstr)

    return options, args

def test_connection(realm, host):
    """
    Make a GSSAPI connection to the remote LDAP server to test out credentials.

    This is used so we can fall back to promping for the DM password.

    returns True if connection successful, False otherwise
    """
    try:
        replman = replication.ReplicationManager(realm, host, None)
        ents = replman.find_replication_agreements()
        del replman
        return True
    except ldap.LOCAL_ERROR:
        return False
    except errors.NotFound:
        # We do a search in cn=config. NotFound in this case means no
        # permission
        return False

def list_replicas(realm, host, replica, dirman_passwd, verbose):

    for check_host in [host, replica]:
        enforce_host_existence(check_host)

    is_replica = False
    winsync_peer = None
    peers = {}

    try:
        conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
        if dirman_passwd:
            conn.do_simple_bind(bindpw=dirman_passwd)
        else:
            conn.do_sasl_gssapi_bind()
    except Exception, e:
        print "Failed to connect to host '%s': %s" % (host, str(e))
        return

    dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
    try:
        entries = conn.getList(dn, ldap.SCOPE_ONELEVEL)
    except:
        print "Failed to read master data from '%s': %s" % (host, str(e))
        return
    else:
        for ent in entries:
            peers[ent.getValue('cn')] = ['master', '']

    dn = DN(('cn', 'replicas'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
    try:
        entries = conn.getList(dn, ldap.SCOPE_ONELEVEL)
    except:
        pass
    else:
        for ent in entries:
            peers[ent.getValue('cn')] = ent.getValue('ipaConfigString').split(':')

    if not replica:
        for k, p in peers.iteritems():
            print '%s: %s' % (k, p[0])
        return

    # ok we are being ask for info about a specific replica
    for k, p in peers.iteritems():
        if replica == k:
            is_replica = True
            if p[0] == 'winsync':
                winsync_peer = p[1]

    if not is_replica:
        print "Cannot find %s in public server list" % replica
        return

    try:
        if winsync_peer:
            repl = replication.ReplicationManager(realm, winsync_peer,
                                                  dirman_passwd)
            cn, dn = repl.agreement_dn(replica)
            entries = repl.conn.getList(dn, ldap.SCOPE_BASE,
                                        "(objectclass=nsDSWindowsReplicationAgreement)")
            ent_type = 'winsync'
        else:
            repl = replication.ReplicationManager(realm, replica,
                                                  dirman_passwd)
            entries = repl.find_replication_agreements()
            ent_type = 'replica'
    except Exception, e:
        print "Failed to get data from '%s': %s" % (replica, convert_error(e))
        return

    for entry in entries:
        print '%s: %s' % (entry.getValue('nsds5replicahost'), ent_type)

        if verbose:
            print "  last init status: %s" % entry.getValue('nsds5replicalastinitstatus')
            print "  last init ended: %s" % str(ipautil.parse_generalized_time(entry.getValue('nsds5replicalastinitend')))
            print "  last update status: %s" % entry.getValue('nsds5replicalastupdatestatus')
            print "  last update ended: %s" % str(ipautil.parse_generalized_time(entry.getValue('nsds5replicalastupdateend')))

def del_link(realm, replica1, replica2, dirman_passwd, force=False):
    """
    Delete a replication agreement from host A to host B.

    @realm: the Kerberos realm
    @replica1: the hostname of master A
    @replica2: the hostname of master B
    @dirman_passwd: the Directory Manager password
    @force: force deletion even if one server is down
    """

    for check_host in [replica1, replica2]:
        enforce_host_existence(check_host)

    repl2 = None

    try:
        repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)

        type1 = repl1.get_agreement_type(replica2)

        repl_list = repl1.find_ipa_replication_agreements()
        if not force and len(repl_list) <= 1 and type1 == replication.IPA_REPLICA:
            print "Cannot remove the last replication link of '%s'" % replica1
            print "Please use the 'del' command to remove it from the domain"
            return False

    except (ldap.NO_SUCH_OBJECT, errors.NotFound):
        print "'%s' has no replication agreement for '%s'" % (replica1, replica2)
        return False
    except Exception, e:
        print "Failed to determine agreement type for '%s': %s" % (replica1, convert_error(e))
        return False

    if type1 == replication.IPA_REPLICA:
        try:
            repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)

            repl_list = repl2.find_ipa_replication_agreements()
            if not force and len(repl_list) <= 1:
                print "Cannot remove the last replication link of '%s'" % replica2
                print "Please use the 'del' command to remove it from the domain"
                return False

        except (ldap.NO_SUCH_OBJECT, errors.NotFound):
            print "'%s' has no replication agreement for '%s'" % (replica2, replica1)
            if not force:
                return False
        except Exception, e:
            print "Failed to get list of agreements from '%s': %s" % (replica2, convert_error(e))
            if not force:
                return False

    if repl2 and type1 == replication.IPA_REPLICA:
        failed = False
        try:
            repl2.set_readonly(readonly=True)
            repl2.force_sync(repl2.conn, replica1)
            cn, dn = repl2.agreement_dn(repl1.conn.host)
            repl2.wait_for_repl_update(repl2.conn, dn, 30)
            repl2.delete_agreement(replica1)
            repl2.delete_referral(replica1)
            repl2.set_readonly(readonly=False)
        except Exception, e:
            print "Unable to remove agreement on %s: %s" % (replica2, convert_error(e))
            failed = True

        if failed:
            if force:
                print "Forcing removal on '%s'" % replica1
            else:
                return False

    if not repl2 and force:
        print "Forcing removal on '%s'" % replica1

    repl1.delete_agreement(replica2)
    repl1.delete_referral(replica2)

    if type1 == replication.WINSYNC:
        try:
            dn = DN(('cn', replica2), ('cn', 'replicas'), ('cn', 'ipa'), ('cn', 'etc'),
                    ipautil.realm_to_suffix(realm))
            entries = repl1.conn.getList(dn, ldap.SCOPE_SUBTREE)
            if len(entries) != 0:
                dnset = repl1.conn.get_dns_sorted_by_length(entries,
                                                            reverse=True)
                for dns in dnset:
                    for dn in dns:
                        repl1.conn.deleteEntry(dn)
        except Exception, e:
            print "Error deleting winsync replica shared info: %s" % convert_error(e)

    print "Deleted replication agreement from '%s' to '%s'" % (replica1, replica2)

    return True

def get_ruv(realm, host, dirman_passwd):
    """
    Return the RUV entries as a list of tuples: (hostname, rid)
    """

    enforce_host_existence(host)

    try:
        thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
    except Exception, e:
        print "Failed to connect to server %s: %s" % (host, convert_error(e))
        sys.exit(1)

    search_filter = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
    try:
        entries = thisrepl.conn.search_s(api.env.basedn, ldap.SCOPE_ONELEVEL,
            search_filter, ['nsds50ruv'])
    except ldap.NO_SUCH_OBJECT:
        print "No RUV records found."
        sys.exit(0)

    servers = []
    for ruv in entries[0][1]['nsds50ruv']:
        if ruv.startswith('{replicageneration'):
            continue
        data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
        if data:
            rid = data.group(1)
            (scheme, netloc, path, params, query, fragment) = urlparse.urlparse(data.group(2))
            servers.append((netloc, rid))
        else:
            print "unable to decode: %s" % ruv

    return servers

def list_ruv(realm, host, dirman_passwd, verbose):
    """
    List the Replica Update Vectors on this host to get the available
    replica IDs.
    """

    enforce_host_existence(host)

    servers = get_ruv(realm, host, dirman_passwd)
    for (netloc, rid) in servers:
        print "%s: %s" % (netloc, rid)

def get_rid_by_host(realm, sourcehost, host, dirman_passwd):
    """
    Try to determine the RID by host name.
    """
    servers = get_ruv(realm, sourcehost, dirman_passwd)
    for (netloc, rid) in servers:
        if '%s:389' % host == netloc:
            return int(rid)

def clean_ruv(realm, ruv, options):
    """
    Given an RID create a CLEANALLRUV task to clean it up.
    """
    try:
        ruv = int(ruv)
    except ValueError:
        sys.exit("Replica ID must be an integer: %s" % ruv)

    servers = get_ruv(realm, options.host, options.dirman_passwd)
    found = False
    for (netloc, rid) in servers:
        if ruv == int(rid):
           found = True
           hostname = netloc
           break

    if not found:
        sys.exit("Replica ID %s not found" % ruv)

    print "Clean the Replication Update Vector for %s" % hostname
    print
    print "Cleaning the wrong replica ID will cause that server to no"
    print "longer replicate so it may miss updates while the process"
    print "is running. It would need to be re-initialized to maintain"
    print "consistency. Be very careful."
    if not options.force and not ipautil.user_input("Continue to clean?", False):
        sys.exit("Aborted")
    thisrepl = replication.ReplicationManager(realm, options.host,
                                              options.dirman_passwd)
    thisrepl.cleanallruv(ruv)
    print "Cleanup task created"

def abort_clean_ruv(realm, ruv, options):
    """
    Given an RID abort a CLEANALLRUV task.
    """
    try:
        ruv = int(ruv)
    except ValueError:
        sys.exit("Replica ID must be an integer: %s" % ruv)

    servers = get_ruv(realm, options.host, options.dirman_passwd)
    found = False
    for (netloc, rid) in servers:
        if ruv == int(rid):
           found = True
           hostname = netloc
           break

    if not found:
        sys.exit("Replica ID %s not found" % ruv)

    servers = get_ruv(realm, options.host, options.dirman_passwd)
    found = False
    for (netloc, rid) in servers:
        if ruv == int(rid):
           found = True
           hostname = netloc
           break

    if not found:
        sys.exit("Replica ID %s not found" % ruv)

    print "Aborting the clean Replication Update Vector task for %s" % hostname
    print
    thisrepl = replication.ReplicationManager(realm, options.host,
                                              options.dirman_passwd)
    thisrepl.abortcleanallruv(ruv)

    print "Cleanup task stopped"

def list_clean_ruv(realm, host, dirman_passwd, verbose):
    """
    List all clean RUV tasks.
    """

    enforce_host_existence(host)

    repl = replication.ReplicationManager(realm, host, dirman_passwd)
    dn = DN(('cn', 'cleanallruv'),('cn', 'tasks'), ('cn', 'config'))
    try:
        entries = repl.conn.getList(dn, ldap.SCOPE_ONELEVEL)
    except errors.NotFound:
        print "No CLEANALLRUV tasks running"
    else:
        print "CLEANALLRUV tasks"
        for entry in entries:
            name = entry.getValue('cn').replace('clean ', '')
            status = entry.getValue('nsTaskStatus')
            print "RID %s: %s" % (name, status)
            if verbose:
                print str(dn)
                print entry.getValue('nstasklog')

    print

    dn = DN(('cn', 'abort cleanallruv'),('cn', 'tasks'), ('cn', 'config'))
    try:
        entries = repl.conn.getList(dn, ldap.SCOPE_ONELEVEL)
    except errors.NotFound:
        print "No abort CLEANALLRUV tasks running"
    else:
        print "Abort CLEANALLRUV tasks"
        for entry in entries:
            name = entry.getValue('cn').replace('abort ', '')
            status = entry.getValue('nsTaskStatus')
            print "RID %s: %s" % (name, status)
            if verbose:
                print str(dn)
                print entry.getValue('nstasklog')

def check_last_link(delrepl, realm, dirman_passwd, force):
    """
    We don't want to orphan a server when deleting another one. If you have
    a topology that looks like this:

             A     B
             |     |
             |     |
             |     |
             C---- D

    If we try to delete host D it will orphan host B.

    What we need to do is if the master being deleted has only a single
    agreement, connect to that master and make sure it has agreements with
    more than just this master.

    @delrepl: a ReplicationManager object of the master being deleted

    returns: hostname of orphaned server or None
    """
    replica_names = delrepl.find_ipa_replication_agreements()

    orphaned = []
    # Connect to each remote server and see what agreements it has
    for replica in replica_names:
        try:
            repl = replication.ReplicationManager(realm, replica, dirman_passwd)
        except ldap.SERVER_DOWN, e:
            print "Unable to validate that '%s' will not be orphaned." % replica

            if not force and not ipautil.user_input("Continue to delete?", False):
                sys.exit("Aborted")
            continue
        names = repl.find_ipa_replication_agreements()
        if len(names) == 1 and names[0] == delrepl.hostname:
            orphaned.append(replica)

    if len(orphaned):
        return ', '.join(orphaned)
    else:
        return None

def enforce_host_existence(host, message=None):
    if not ipautil.host_exists(host):
        if message is None:
            message = "Unknown host %s" % host

        sys.exit(message)

def del_master(realm, hostname, options):

    enforce_host_existence(hostname)

    force_del = False
    delrepl = None

    # 1. Connect to the local server
    try:
        thisrepl = replication.ReplicationManager(realm, options.host,
                                                  options.dirman_passwd)
    except Exception, e:
        print "Failed to connect to server %s: %s" % (options.host, convert_error(e))
        sys.exit(1)

    # 2. Ensure we have an agreement with the master
    agreement = thisrepl.get_replication_agreement(hostname)
    if agreement is None:
        if options.cleanup:
            """
            We have no agreement with the current master, so this is a
            candidate for cleanup. This is VERY dangerous to do because it
            removes that master from the list of masters. If the master
            were to try to come back online it wouldn't work at all.
            """
            print "Cleaning a master is irreversible."
            print "This should not normally be require, so use cautiously."
            if not ipautil.user_input("Continue to clean master?", False):
                sys.exit("Cleanup aborted")
            thisrepl.replica_cleanup(hostname, realm, force=True)
            sys.exit(0)
        else:
            sys.exit("'%s' has no replication agreement for '%s'" % (options.host, hostname))

    # 3. If an IPA agreement connect to the master to be removed.
    repltype = thisrepl.get_agreement_type(hostname)
    if repltype == replication.IPA_REPLICA:
        winsync = False
        try:
            delrepl = replication.ReplicationManager(realm, hostname, options.dirman_passwd)
        except Exception, e:
            print "Connection to '%s' failed: %s" % (hostname, convert_error(e))
            if not options.force:
                print "Unable to delete replica '%s'" % hostname
                sys.exit(1)
            else:
                print "Forcing removal of %s" % hostname
                force_del = True

        if force_del:
            dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), thisrepl.suffix)
            entries = thisrepl.conn.getList(dn, ldap.SCOPE_ONELEVEL)
            replica_names = []
            for entry in entries:
                replica_names.append(entry.getValue('cn'))
            # The host we're removing gets included in this list, remove it.
            # Otherwise we try to delete an agreement from the host to itself.
            try:
                replica_names.remove(hostname)
            except ValueError:
                pass
        else:
            # Get list of agreements.
            replica_names = delrepl.find_ipa_replication_agreements()
    else:
        # WINSYNC replica, delete agreement from current host
        winsync = True
        replica_names = [options.host]

    if not winsync and not options.force:
        print "Deleting a master is irreversible."
        print "To reconnect to the remote master you will need to prepare " \
              "a new replica file"
        print "and re-install."
        if not ipautil.user_input("Continue to delete?", False):
            sys.exit("Deletion aborted")

    # Check for orphans if the remote server is up.
    if delrepl and not winsync:
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
        try:
            masters = delrepl.conn.getList(masters_dn, ldap.SCOPE_ONELEVEL)
        except Exception, e:
            masters = []
            print "Failed to read masters data from '%s': %s" % (delrepl.hostname, convert_error(e))
            print "Skipping calculation to determine if one or more masters would be orphaned."
            if not options.force:
                sys.exit(1)

        # This only applies if we have more than 2 IPA servers, otherwise
        # there is no chance of an orphan.
        if len(masters) > 2:
            orphaned_server = check_last_link(delrepl, realm, options.dirman_passwd, options.force)
            if orphaned_server is not None:
                print "Deleting this server will orphan '%s'. " % orphaned_server
                print "You will need to reconfigure your replication topology to delete this server."
                sys.exit(1)
    else:
        print "Skipping calculation to determine if one or more masters would be orphaned."

    # Save the RID value before we start deleting
    if repltype == replication.IPA_REPLICA:
        rid = get_rid_by_host(realm, options.host, hostname, options.dirman_passwd)

    # 4. Remove each agreement

    print "Deleting replication agreements between %s and %s" % (hostname, ', '.join(replica_names))
    for r in replica_names:
        try:
            if not del_link(realm, r, hostname, options.dirman_passwd, force=True):
                print "Unable to remove replication agreement for %s from %s." % (hostname, r)
        except Exception, e:
            print "There were issues removing a connection for %s from %s: %s" % (hostname, r, convert_error(e))

    # 5. Clean RUV for the deleted master
    if repltype == replication.IPA_REPLICA:
        try:
            thisrepl.cleanallruv(rid)
        except KeyboardInterrupt:
            print "Wait for task interrupted. It will continue to run in the background"

    # 6. Finally clean up the removed replica common entries.
    try:
        thisrepl.replica_cleanup(hostname, realm, force=True)
    except Exception, e:
        print "Failed to cleanup %s entries: %s" % (hostname, convert_error(e))
        print "You may need to manually remove them from the tree"

    # 7. And clean up the removed replica DNS entries if any.
    try:
        if bindinstance.dns_container_exists(options.host, thisrepl.suffix,
                                             dm_password=options.dirman_passwd):
            if options.dirman_passwd:
                api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                                          bind_pw=options.dirman_passwd)
            else:
                ccache = krbV.default_context().default_ccache().name
                api.Backend.ldap2.connect(ccache=ccache)
            bind = bindinstance.BindInstance()
            bind.remove_master_dns_records(hostname, realm, realm.lower())
    except Exception, e:
        print "Failed to cleanup %s DNS entries: %s" % (hostname, convert_error(e))
        print "You may need to manually remove them from the tree"

def add_link(realm, replica1, replica2, dirman_passwd, options):

    for check_host in [replica1,replica2]:
        enforce_host_existence(check_host)

    if options.winsync:
        if not options.binddn or not options.bindpw or not options.cacert or not options.passsync:
            root_logger.error("The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement")
            sys.exit(1)
        if os.getegid() != 0:
            root_logger.error("winsync agreements need to be created as root")
            sys.exit(1)

    # See if we already have an agreement with this host
    try:
        repl = replication.ReplicationManager(realm, replica1, dirman_passwd)
        if repl.get_agreement_type(replica2) == replication.WINSYNC:
            agreement = repl.get_replication_agreement(replica2)
            sys.exit("winsync agreement already exists on subtree %s" %
                agreement.getValue('nsds7WindowsReplicaSubtree'))
        else:
            sys.exit("A replication agreement to %s already exists" % replica2)
    except errors.NotFound:
        pass

    if options.cacert:
        # have to install the given CA cert before doing anything else
        ds = dsinstance.DsInstance(realm_name = realm,
                                   dm_password = dirman_passwd)
        if not ds.add_ca_cert(options.cacert):
            print "Could not load the required CA certificate file [%s]" % options.cacert
            return
        else:
            print "Added CA certificate %s to certificate database for %s" % (options.cacert, replica1)

    # need to wait until cacert is installed as that command may restart
    # the directory server and kill the connection
    try:
        repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
    except (ldap.NO_SUCH_OBJECT, errors.NotFound):
        print "Cannot find replica '%s'" % replica1
        return
    except Exception, e:
        print "Failed to connect to '%s': %s" % (replica1, convert_error(e))
        return

    if options.winsync:
        repl1.setup_winsync_replication(replica2,
                                        options.binddn, options.bindpw,
                                        options.passsync, options.win_subtree,
                                        options.cacert)
    else:
        # Check if the master entry exists for both servers.
        # If one of the tree misses one of the entries, it means one of the
        # replicas was fully deleted previously and needs to be reinstalled
        # from scratch
        try:
            masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), (api.env.basedn))
            master1_dn = DN(('cn', replica1), masters_dn)
            master2_dn = DN(('cn', replica2), masters_dn)

            repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
            repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE)

            repl2 = replication.ReplicationManager(realm, replica2, dirman_passwd)
            repl2.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
            repl2.conn.getEntry(master2_dn, ldap.SCOPE_BASE)

        except errors.NotFound:
            standard_logging_setup(console_format='%(message)s')

            ds = ipadiscovery.IPADiscovery()
            ret = ds.search(server=replica2)

            if ret == ipadiscovery.NOT_IPA_SERVER:
                sys.exit("Connection unsuccessful: %s is not an IPA Server." %
                    replica2)
            elif ret == 0:  # success
                sys.exit("Connection unsuccessful: %s is an IPA Server, "
                    "but it might be unknown, foreign or previously deleted "
                    "one." % replica2)
            else:
                sys.exit("Connection to %s unsuccessful." % replica2)

        repl1.setup_gssapi_replication(replica2, DN(('cn', 'Directory Manager')), dirman_passwd)
    print "Connected '%s' to '%s'" % (replica1, replica2)

def re_initialize(realm, thishost, fromhost, dirman_passwd):

    for check_host in [thishost, fromhost]:
        enforce_host_existence(check_host)

    thisrepl = replication.ReplicationManager(realm, thishost, dirman_passwd)
    agreement = thisrepl.get_replication_agreement(fromhost)
    if agreement is None:
        sys.exit("'%s' has no replication agreement for '%s'" % (thishost, fromhost))
    repltype = thisrepl.get_agreement_type(fromhost)
    if repltype == replication.WINSYNC:
        # With winsync we don't have a "remote" agreement, it is all local
        repl = replication.ReplicationManager(realm, thishost, dirman_passwd)
        repl.initialize_replication(agreement.dn, repl.conn)
        repl.wait_for_repl_init(repl.conn, agreement.dn)
    else:
        repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
        agreement = repl.get_replication_agreement(thishost)
        repl.force_sync(repl.conn, thishost)

        repl.initialize_replication(agreement.dn, repl.conn)
        repl.wait_for_repl_init(repl.conn, agreement.dn)

    # If the agreement doesn't have nsDS5ReplicatedAttributeListTotal it means
    # we did not replicate memberOf, do so now.
    if not agreement.getValue('nsDS5ReplicatedAttributeListTotal'):
        ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd)
        ds.init_memberof()

def force_sync(realm, thishost, fromhost, dirman_passwd):

    for check_host in [thishost, fromhost]:
        enforce_host_existence(check_host)

    thisrepl = replication.ReplicationManager(realm, thishost, dirman_passwd)
    agreement = thisrepl.get_replication_agreement(fromhost)
    if agreement is None:
        sys.exit("'%s' has no replication agreement for '%s'" % (thishost, fromhost))
    repltype = thisrepl.get_agreement_type(fromhost)
    if repltype == replication.WINSYNC:
        # With winsync we don't have a "remote" agreement, it is all local
        repl = replication.ReplicationManager(realm, thishost, dirman_passwd)
        repl.force_sync(repl.conn, fromhost)
    else:
        repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
        repl.force_sync(repl.conn, thishost)

def main():
    if os.getegid() == 0:
        installutils.check_server_configuration()
    elif not os.path.exists('/etc/ipa/default.conf'):
        sys.exit("IPA is not configured on this system.")

    options, args = parse_options()

    # Just initialize the environment. This is so the installer can have
    # access to the plugin environment
    api_env = {'in_server' : True,
               'verbose'   : options.verbose,
              }

    if os.getegid() != 0:
        api_env['log'] = None # turn off logging for non-root

    api.bootstrap(**api_env)
    api.finalize()

    dirman_passwd = None
    realm = krbV.default_context().default_realm

    if options.host:
        host = options.host
    else:
        host = installutils.get_fqdn()

    options.host = host

    if options.dirman_passwd:
        dirman_passwd = options.dirman_passwd
    else:
        if not test_connection(realm, host):
            dirman_passwd = installutils.read_password("Directory Manager",
                confirm=False, validate=False, retry=False)
            if dirman_passwd is None:
                sys.exit("\nDirectory Manager password required")

    options.dirman_passwd = dirman_passwd

    if args[0] == "list":
        replica = None
        if len(args) == 2:
            replica = args[1]
        list_replicas(realm, host, replica, dirman_passwd, options.verbose)
    elif args[0] == "list-ruv":
        list_ruv(realm, host, dirman_passwd, options.verbose)
    elif args[0] == "del":
        del_master(realm, args[1], options)
    elif args[0] == "re-initialize":
        if not options.fromhost:
            print "re-initialize requires the option --from <host name>"
            sys.exit(1)
        re_initialize(realm, host, options.fromhost, dirman_passwd)
    elif args[0] == "force-sync":
        if not options.fromhost:
            print "force-sync requires the option --from <host name>"
            sys.exit(1)
        force_sync(realm, host, options.fromhost, options.dirman_passwd)
    elif args[0] == "connect":
        if len(args) == 3:
            replica1 = args[1]
            replica2 = args[2]
        elif len(args) == 2:
            replica1 = host
            replica2 = args[1]
        add_link(realm, replica1, replica2, dirman_passwd, options)
    elif args[0] == "disconnect":
        if len(args) == 3:
            replica1 = args[1]
            replica2 = args[2]
        elif len(args) == 2:
            replica1 = host
            replica2 = args[1]
        del_link(realm, replica1, replica2, dirman_passwd)
    elif args[0] == "clean-ruv":
        clean_ruv(realm, args[1], options)
    elif args[0] == "abort-clean-ruv":
        abort_clean_ruv(realm, args[1], options)
    elif args[0] == "list-clean-ruv":
        list_clean_ruv(realm, host, dirman_passwd, options.verbose)

try:
    main()
except KeyboardInterrupt:
    sys.exit(1)
except SystemExit, e:
    sys.exit(e)
except RuntimeError, e:
    sys.exit(e)
except ldap.INVALID_CREDENTIALS:
    print "Invalid password"
    sys.exit(1)
except ldap.INSUFFICIENT_ACCESS:
    print "Insufficient access"
    sys.exit(1)
except ldap.LOCAL_ERROR, e:
    print e.args[0]['info']
    sys.exit(1)
except ldap.SERVER_DOWN, e:
    print e.args[0]['desc']
except Exception, e:
    print "unexpected error: %s" % str(e)
    sys.exit(1)