preventing ldap principal to be deleted

ipa-server-install --uninstall command is calling server-del to delete replica. This scenario does not work since server-del is also deleting all principals from and ldap breaking ldap replication. As a result, only part of deletions are propagated to the other replicals leaving a lot of orphaned data there. https://pagure.io/freeipa/issue/7371 This patch won't fully fix the issue with left-over data but more data is cleaned up and only ldap principal is left thus ending in a better state. Issue will be fully fixed only when topology plugin is patched as well. The following pagure ticket is created to track topology plugin change: https://pagure.io/freeipa/issue/7359 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-26 16:16:31 -06:00 · 2018-01-30 16:38:16 +01:00 · 2018-01-30 16:38:16 +01:00 · 1235f5958d
commit 1235f5958d
parent 1c059fbf5c
1 changed files with 19 additions and 3 deletions
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@ -659,10 +659,26 @@ class server_del(LDAPDelete):
        delete server kerberos key and all its svc principals
        """
        try:
+            # do not delete ldap principal if server-del command
+            # has been called on a machine which is being deleted
+            # since this will break replication.
+            # ldap principal to be cleaned later by topology plugin
+            # necessary changes to a topology plugin are tracked
+            # under https://pagure.io/freeipa/issue/7359
+            if master == self.api.env.host:
+                filter = (
+                    '(&(krbprincipalname=*/{}@{})'
+                    '(!(krbprincipalname=ldap/*)))'
+                    .format(master, self.api.env.realm)
+                )
+            else:
+                filter = '(krbprincipalname=*/{}@{})'.format(
+                    master, self.api.env.realm
+                )
+
            entries = ldap.get_entries(
-                self.api.env.basedn, ldap.SCOPE_SUBTREE,
-                filter='(krbprincipalname=*/{}@{})'.format(
-                    master, self.api.env.realm))
+                self.api.env.basedn, ldap.SCOPE_SUBTREE, filter=filter
+            )

            if entries:
                entries.sort(key=lambda x: len(x.dn), reverse=True)